
Store Terraform state in Azure Storage

4/23/2022

In this post, I want to show you how to configure Terraform to use an Azure storage account to store and protect your tfstate file.
To manage infrastructure and configuration, Terraform writes the status of resources to a tfstate file. By default, this file is called "terraform.tfstate" and is stored locally in JSON format, but it can also be stored remotely. It is created by Terraform the first time the terraform plan command is run, and Terraform uses it on each subsequent run to compare its recorded state with that of the target infrastructure and return a preview of the changes to be made.

Terraform state is used to reconcile deployed resources with Terraform configurations. State allows Terraform to know what Azure resources to add, update, or delete.
This backend supports state locking and consistency checking with Azure Blob Storage native capabilities.
By default, Terraform state is stored locally, which isn't ideal for the following reasons:

  • Local state doesn't work well in a team or collaborative environment.
  • Terraform state can include sensitive information.
  • Storing state locally increases the chance of inadvertent deletion.
Note: By default the Azure backend uses ADAL for authentication, which is deprecated in favour of MSAL. MSAL can be used by setting use_microsoft_graph to true. The default will change in Terraform 1.2, so that MSAL authentication is used by default.
So, to create or manage Azure resources from an Azure DevOps pipeline, it's recommended to store the state file in Azure Blob Storage.
But why?
If you don't store the state file (or if it gets deleted), every time you run terraform plan or apply Terraform will behave as if it were the first run. So if the first run creates a resource group, the second run will fail with a runtime error such as "the resource already exists!". Hence you must store the state file in the storage.
Also, it's recommended to create the storage outside the Terraform configuration, using the Azure CLI or PowerShell, so that running terraform destroy will not delete the storage :)

so, let's create the storage

Point to Consider:
  • Public access must be allowed on the Azure storage account used to store Terraform state.

#!/bin/bash
RESOURCE_GROUP_NAME=tfstate
STORAGE_ACCOUNT_NAME=tfstate$RANDOM
CONTAINER_NAME=tfstate

# Create resource group
az group create --name $RESOURCE_GROUP_NAME --location eastus

# Create storage account
az storage account create \
  --resource-group $RESOURCE_GROUP_NAME \
  --name $STORAGE_ACCOUNT_NAME \
  --sku Standard_LRS \
  --encryption-services blob

# Create blob container
az storage container create \
  --name $CONTAINER_NAME \
  --account-name $STORAGE_ACCOUNT_NAME

Configure Terraform backend state

To configure the backend state, you need the following Azure storage information:
  • storage_account_name: The name of the Azure Storage account.
  • container_name: The name of the blob container.
  • key: The name of the state store file to be created, e.g. prod.terraform.tfstate
  • access_key (Optional): The storage access key
If you decide to use access_key, Microsoft recommends storing its value in Key Vault or passing it through an environment variable, using commands similar to the following:
ACCOUNT_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query '[0].value' -o tsv)
export ARM_ACCESS_KEY=$ACCOUNT_KEY

Terraform Backend Configuration:
  • When authenticating using Managed Service Identity (MSI)
terraform {
  backend "azurerm" {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_msi              = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
  • When authenticating using Azure AD Authentication (recommended):
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_azuread_auth     = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}

  • When authenticating using the Access Key associated with the Storage Account:
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}

  • When authenticating using a SAS Token associated with the Storage Account:
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
Point to Consider:
  • subscription_id & tenant_id are optional
  • When using AzureAD for Authentication to Storage you also need to ensure the Storage Blob Data Owner role is assigned
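A hardened version of the storage setup script above that also covers the Storage Blob Data Owner requirement from this list. This is an added example, not code from the original post; it assumes an az CLI login with rights to create role assignments, and the optional fifth argument (a service principal object ID) and the SUBSCRIPTION_ID variable are placeholders you supply.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Provisions the Terraform state
# storage account with hardening the bare script leaves out: no anonymous blob
# access, TLS 1.2 minimum, blob versioning + soft delete (a way back from an
# overwritten or deleted tfstate) and, when use_azuread_auth is used, the
# caller granted Storage Blob Data Owner and shared-key access switched off.
# Set DRY_RUN=1 to print the az commands instead of executing them.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# provision_state_storage <resource-group> <storage-account> <container> <location> [assignee-object-id]
# SUBSCRIPTION_ID (placeholder) must be set when an assignee is given.
provision_state_storage() {
  rg="$1" sa="$2" container="$3" location="$4" assignee="${5:-}"

  run az group create --name "$rg" --location "$location"

  run az storage account create --resource-group "$rg" --name "$sa" \
    --sku Standard_LRS --kind StorageV2 --encryption-services blob \
    --min-tls-version TLS1_2 --allow-blob-public-access false

  # Versioning and soft delete let you restore a corrupted or deleted state blob.
  run az storage account blob-service-properties update --resource-group "$rg" \
    --account-name "$sa" --enable-versioning true \
    --enable-delete-retention true --delete-retention-days 30

  run az storage container create --name "$container" --account-name "$sa"

  if [ -n "$assignee" ]; then
    # use_azuread_auth = true needs Storage Blob Data Owner on the state container ...
    scope="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${rg}/providers/Microsoft.Storage/storageAccounts/${sa}/blobServices/default/containers/${container}"
    run az role assignment create --role "Storage Blob Data Owner" \
      --assignee-object-id "$assignee" --assignee-principal-type ServicePrincipal \
      --scope "$scope"
    # ... and once nothing depends on access keys, a leaked key becomes useless.
    run az storage account update --resource-group "$rg" --name "$sa" \
      --allow-shared-key-access false
  fi
}
```

Run it as e.g. `DRY_RUN=1 SUBSCRIPTION_ID=<your-sub> ./provision.sh` after appending `provision_state_storage tfstate tfstate$RANDOM tfstate eastus <sp-object-id>` to review the commands before executing them for real.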
Full Code:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.46.0"
    }
  }
  backend "azurerm" {
    resource_group_name  = "azureheros-rg"
    storage_account_name = "azurehero-stg"
    container_name       = "tfstate"
    key                  = "terraform.tfstate"
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "state-demo-secure" {
  name     = "state-demo"
  location = "eastus"
}
Run the following command to initialize the configuration:
terraform init
Run the following command to run the configuration:
terraform apply

Terraform also provides useful commands to manage the state file; e.g. you can print the components stored in the state file.
What does it contain?
After running terraform apply, the terraform.tfstate file contains a JSON record of the resources that were deployed.
Terraform State locking
Azure Storage blobs are automatically locked before any operation that writes state. This prevents concurrent state operations, which can cause corruption.
Security

Data stored in an Azure blob is encrypted before being persisted. When needed, Terraform retrieves the state from the backend and holds it in local memory. Using this pattern, state is never written to your local disk.
    Author

    Mohammad Al Rousan is a Microsoft MVP (Azure), Microsoft Certified Solution Expert (MCSE) in Cloud Platform & Azure DevOps & Infrastructure, An active community blogger and speaker. Al Rousan has over 8 years of professional experience in IT Infrastructure and very passionate about Microsoft technologies and products.
