github.com/koding/terraform@v0.6.4-0.20170608090606-5d7e0339779d/website/source/docs/providers/azurerm/index.html.markdown (about) 1 --- 2 layout: "azurerm" 3 page_title: "Provider: Azure Resource Manager" 4 sidebar_current: "docs-azurerm-index" 5 description: |- 6 The Azure Resource Manager provider is used to interact with the many resources supported by Azure, via the ARM API. This supersedes the Azure provider, which interacts with Azure using the Service Management API. The provider needs to be configured with a credentials file, or credentials needed to generate OAuth tokens for the ARM API. 7 --- 8 9 # Microsoft Azure Provider 10 11 The Microsoft Azure provider is used to interact with the many 12 resources supported by Azure, via the ARM API. This supercedes the [legacy Azure 13 provider][asm], which interacts with Azure using the Service Management API. The 14 provider needs to be configured with the credentials needed to generate OAuth 15 tokens for the ARM API. 16 17 [asm]: /docs/providers/azure/index.html 18 19 Use the navigation to the left to read about the available resources. 20 21 ## Example Usage 22 23 ```hcl 24 # Configure the Microsoft Azure Provider 25 provider "azurerm" { 26 subscription_id = "..." 27 client_id = "..." 28 client_secret = "..." 29 tenant_id = "..." 30 } 31 32 # Create a resource group 33 resource "azurerm_resource_group" "production" { 34 name = "production" 35 location = "West US" 36 } 37 38 # Create a virtual network in the web_servers resource group 39 resource "azurerm_virtual_network" "network" { 40 name = "productionNetwork" 41 address_space = ["10.0.0.0/16"] 42 location = "West US" 43 resource_group_name = "${azurerm_resource_group.production.name}" 44 45 subnet { 46 name = "subnet1" 47 address_prefix = "10.0.1.0/24" 48 } 49 50 subnet { 51 name = "subnet2" 52 address_prefix = "10.0.2.0/24" 53 } 54 55 subnet { 56 name = "subnet3" 57 address_prefix = "10.0.3.0/24" 58 } 59 } 60 ``` 61 62 ## Argument Reference 63 64 The following arguments are supported: 65 66 * `subscription_id` - (Optional) The subscription ID to use. It can also 67 be sourced from the `ARM_SUBSCRIPTION_ID` environment variable. 68 69 * `client_id` - (Optional) The client ID to use. It can also be sourced from 70 the `ARM_CLIENT_ID` environment variable. 71 72 * `client_secret` - (Optional) The client secret to use. It can also be sourced from 73 the `ARM_CLIENT_SECRET` environment variable. 74 75 * `tenant_id` - (Optional) The tenant ID to use. It can also be sourced from the 76 `ARM_TENANT_ID` environment variable. 77 78 * `environment` - (Optional) The cloud environment to use. It can also be sourced 79 from the `ARM_ENVIRONMENT` environment variable. Supported values are: 80 * `public` (default) 81 * `usgovernment` 82 * `german` 83 * `china` 84 85 * `skip_provider_registration` - (Optional) Prevents the provider from registering 86 the ARM provider namespaces, this can be used if you don't wish to give the Active 87 Directory Application permission to register resource providers. It can also be 88 sourced from the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable, defaults 89 to `false`. 90 91 ## Creating Credentials 92 93 Azure requires that an application is added to Azure Active Directory to generate the `client_id`, `client_secret`, and `tenant_id` needed by Terraform (`subscription_id` can be recovered from your Azure account details). 94 95 It's possible to complete this task in either the [Azure CLI](#creating-credentials-using-the-azure-cli) or in the [Azure Portal](#creating-credentials-in-the-azure-portal) - in both we'll create a Service Principal which has `Contributor` rights to the subscription. [It's also possible to assign other rights](https://azure.microsoft.com/en-gb/documentation/articles/role-based-access-built-in-roles/) depending on your configuration. 96 97 ### Creating Credentials using the Azure CLI 98 99 ~> **Note**: if you're using the **China**, **German** or **Government** Azure Clouds - you'll need to first configure the Azure CLI to work with that Cloud. You can do this by running: 100 101 ``` 102 $ az cloud set --name AzureChinaCloud|AzureGermanCloud|AzureUSGovernment 103 ``` 104 105 --- 106 107 Firstly, login to the Azure CLI using: 108 109 ```shell 110 $ az login 111 ``` 112 113 114 Once logged in - it's possible to list the Subscriptions associated with the account via: 115 116 ```shell 117 $ az account list 118 ``` 119 120 The output (similar to below) will display one or more Subscriptions - with the `ID` field being the `subscription_id` field referenced above. 121 122 ```json 123 [ 124 { 125 "cloudName": "AzureCloud", 126 "id": "00000000-0000-0000-0000-000000000000", 127 "isDefault": true, 128 "name": "PAYG Subscription", 129 "state": "Enabled", 130 "tenantId": "00000000-0000-0000-0000-000000000000", 131 "user": { 132 "name": "user@example.com", 133 "type": "user" 134 } 135 } 136 ] 137 ``` 138 139 Should you have more than one Subscription, you can specify the Subscription to use via the following command: 140 141 ```shell 142 $ az account set --subscription="SUBSCRIPTION_ID" 143 ``` 144 145 We can now create the Service Principal, which will have permissions to manage resources in the specified Subscription using the following command: 146 147 ```shell 148 $ az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/SUBSCRIPTION_ID" 149 ``` 150 151 This command will output 5 values: 152 153 ```json 154 { 155 "appId": "00000000-0000-0000-0000-000000000000", 156 "displayName": "azure-cli-2017-06-05-10-41-15", 157 "name": "http://azure-cli-2017-06-05-10-41-15", 158 "password": "0000-0000-0000-0000-000000000000", 159 "tenant": "00000000-0000-0000-0000-000000000000" 160 } 161 ``` 162 163 These values map to the Terraform variables like so: 164 165 - `appId` is the `client_id` defined above. 166 - `password` is the `client_secret` defined above. 167 - `tenant` is the `tenant_id` defined above. 168 169 --- 170 171 Finally - it's possible to test these values work as expected by first logging in: 172 173 ```shell 174 $ az login --service-principal -u CLIENT_ID -p CLIENT_SECRET --tenant TENANT_ID 175 ``` 176 177 Once logged in as the Service Principal - we should be able to list the VM Sizes by specifying an Azure region, for example here we use the `West US` region: 178 179 ```shell 180 $ az vm list-sizes --location westus 181 ``` 182 183 ~> **Note**: If you're using the **China**, **German** or **Government** Azure Clouds - you will need to switch `westus` out for another region. You can find which regions are available by running: 184 185 ``` 186 $ az account list-locations 187 ``` 188 189 ### Creating Credentials in the Azure Portal 190 191 There's a couple of phases to create Credentials via [the Azure Portal](https://portal.azure.com): 192 193 1. Creating an Application in Azure Active Directory (which acts as a Service Principal) 194 2. Granting the Application access to manage resources in your Azure Subscription 195 196 ### 1. Creating an Application in Azure Active Directory 197 198 Firstly navigate to [the **Azure Active Directory** overview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) within the Azure Portal - [then select the **App Registration** blade](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps/RegisteredApps/Overview) and finally click **Endpoints** at the top of the **App Registration** blade. This will display a list of URIs, the URI for **OAUTH 2.0 AUTHORIZATION ENDPOINT** contains a GUID - which is your Tenant ID / the `tenant_id` field mentioned above. 199 200 Next, navigate back to [the **App Registration** blade](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps/RegisteredApps/Overview) - from here we'll create the Application in Azure Active Directory. To do this click **Add** at the top to add a new Application within Azure Active Directory. On this page, set the following values then press **Create**: 201 202 - **Name** - this is a friendly identifier and can be anything (e.g. "Terraform") 203 - **Application Type** - this should be set to "Web app / API" 204 - **Sign-on URL** - this can be anything, providing it's a valid URI (e.g. https://terra.form) 205 206 Once that's done - select the Application you just created in [the **App Registration** blade](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps/RegisteredApps/Overview). At the top of this page, the "Application ID" GUID is the `client_id` you'll need. 207 208 Finally, we can create the `client_secret` by selecting **Keys** and then generating a new key by entering a description, selecting how long the `client_secret` should be valid for - and finally pressing **Save**. This value will only be visible whilst on the page, so be sure to copy it now (otherwise you'll need to regenerate a new key). 209 210 ### 2. Granting the Application access to manage resources in your Azure Subscription 211 212 Once the Application exists in Azure Active Directory - we can grant it permissions to modify resources in the Subscription. To do this, [navigate to the **Subscriptions** blade within the Azure Portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade), then select the Subscription you wish to use, then click **Access Control (IAM)**, and finally **Add**. 213 214 Firstly specify a Role which grants the appropriate permissions needed for the Service Principal (for example, `Contributor` will grant Read/Write on all resources in the Subscription). There's more information about [the built in roles](https://azure.microsoft.com/en-gb/documentation/articles/role-based-access-built-in-roles/) available here. 215 216 Secondly, search for and select the name of the Application created in Azure Active Directory to assign it this role - then press **Save**. 217 218 ## Creating Credentials through the Legacy CLI's 219 220 It's also possible to create credentials via [the legacy cross-platform CLI](https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal-cli/) and the [legacy PowerShell Commandlets](https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/) - however we would highly recommend using the Azure CLI above. 221 222 ## Testing 223 224 Credentials must be provided via the `ARM_SUBSCRIPTION_ID`, `ARM_CLIENT_ID`, 225 `ARM_CLIENT_SECRET` and `ARM_TENANT_ID` environment variables in order to run 226 acceptance tests.