github.com/koding/terraform@v0.6.4-0.20170608090606-5d7e0339779d/website/source/docs/providers/azurerm/index.html.markdown (about)

     1  ---
     2  layout: "azurerm"
     3  page_title: "Provider: Azure Resource Manager"
     4  sidebar_current: "docs-azurerm-index"
     5  description: |-
     6    The Azure Resource Manager provider is used to interact with the many resources supported by Azure, via the ARM API. This supersedes the Azure provider, which interacts with Azure using the Service Management API. The provider needs to be configured with a credentials file, or credentials needed to generate OAuth tokens for the ARM API.
     7  ---
     8  
     9  # Microsoft Azure Provider
    10  
    11  The Microsoft Azure provider is used to interact with the many
    12  resources supported by Azure, via the ARM API. This supercedes the [legacy Azure
    13  provider][asm], which interacts with Azure using the Service Management API. The
    14  provider needs to be configured with the credentials needed to generate OAuth
    15  tokens for the ARM API.
    16  
    17  [asm]: /docs/providers/azure/index.html
    18  
    19  Use the navigation to the left to read about the available resources.
    20  
    21  ## Example Usage
    22  
    23  ```hcl
    24  # Configure the Microsoft Azure Provider
    25  provider "azurerm" {
    26    subscription_id = "..."
    27    client_id       = "..."
    28    client_secret   = "..."
    29    tenant_id       = "..."
    30  }
    31  
    32  # Create a resource group
    33  resource "azurerm_resource_group" "production" {
    34    name     = "production"
    35    location = "West US"
    36  }
    37  
    38  # Create a virtual network in the web_servers resource group
    39  resource "azurerm_virtual_network" "network" {
    40    name                = "productionNetwork"
    41    address_space       = ["10.0.0.0/16"]
    42    location            = "West US"
    43    resource_group_name = "${azurerm_resource_group.production.name}"
    44  
    45    subnet {
    46      name           = "subnet1"
    47      address_prefix = "10.0.1.0/24"
    48    }
    49  
    50    subnet {
    51      name           = "subnet2"
    52      address_prefix = "10.0.2.0/24"
    53    }
    54  
    55    subnet {
    56      name           = "subnet3"
    57      address_prefix = "10.0.3.0/24"
    58    }
    59  }
    60  ```
    61  
    62  ## Argument Reference
    63  
    64  The following arguments are supported:
    65  
    66  * `subscription_id` - (Optional) The subscription ID to use. It can also
    67    be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.
    68  
    69  * `client_id` - (Optional) The client ID to use. It can also be sourced from
    70    the `ARM_CLIENT_ID` environment variable.
    71  
    72  * `client_secret` - (Optional) The client secret to use. It can also be sourced from
    73    the `ARM_CLIENT_SECRET` environment variable.
    74  
    75  * `tenant_id` - (Optional) The tenant ID to use. It can also be sourced from the
    76    `ARM_TENANT_ID` environment variable.
    77  
    78  * `environment` - (Optional) The cloud environment to use. It can also be sourced
    79    from the `ARM_ENVIRONMENT` environment variable. Supported values are:
    80    * `public` (default)
    81    * `usgovernment`
    82    * `german`
    83    * `china`
    84  
    85  * `skip_provider_registration` - (Optional) Prevents the provider from registering
    86    the ARM provider namespaces, this can be used if you don't wish to give the Active
    87    Directory Application permission to register resource providers. It can also be
    88    sourced from the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable, defaults
    89    to `false`.
    90  
    91  ## Creating Credentials
    92  
    93  Azure requires that an application is added to Azure Active Directory to generate the `client_id`, `client_secret`, and `tenant_id` needed by Terraform (`subscription_id` can be recovered from your Azure account details).
    94  
    95  It's possible to complete this task in either the [Azure CLI](#creating-credentials-using-the-azure-cli) or in the [Azure Portal](#creating-credentials-in-the-azure-portal) - in both we'll create a Service Principal which has `Contributor` rights to the subscription. [It's also possible to assign other rights](https://azure.microsoft.com/en-gb/documentation/articles/role-based-access-built-in-roles/) depending on your configuration.
    96  
    97  ### Creating Credentials using the Azure CLI
    98  
    99  ~> **Note**: if you're using the **China**, **German** or **Government** Azure Clouds - you'll need to first configure the Azure CLI to work with that Cloud.  You can do this by running:
   100  
   101  ```
   102  $ az cloud set --name AzureChinaCloud|AzureGermanCloud|AzureUSGovernment
   103  ```
   104  
   105  ---
   106  
   107  Firstly, login to the Azure CLI using:
   108  
   109  ```shell
   110  $ az login
   111  ```
   112  
   113  
   114  Once logged in - it's possible to list the Subscriptions associated with the account via:
   115  
   116  ```shell
   117  $ az account list
   118  ```
   119  
   120  The output (similar to below) will display one or more Subscriptions - with the `ID` field being the `subscription_id` field referenced above.
   121  
   122  ```json
   123  [
   124    {
   125      "cloudName": "AzureCloud",
   126      "id": "00000000-0000-0000-0000-000000000000",
   127      "isDefault": true,
   128      "name": "PAYG Subscription",
   129      "state": "Enabled",
   130      "tenantId": "00000000-0000-0000-0000-000000000000",
   131      "user": {
   132        "name": "user@example.com",
   133        "type": "user"
   134      }
   135    }
   136  ]
   137  ```
   138  
   139  Should you have more than one Subscription, you can specify the Subscription to use via the following command:
   140  
   141  ```shell
   142  $ az account set --subscription="SUBSCRIPTION_ID"
   143  ```
   144  
   145  We can now create the Service Principal, which will have permissions to manage resources in the specified Subscription using the following command:
   146  
   147  ```shell
   148  $ az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/SUBSCRIPTION_ID"
   149  ```
   150  
   151  This command will output 5 values:
   152  
   153  ```json
   154  {
   155    "appId": "00000000-0000-0000-0000-000000000000",
   156    "displayName": "azure-cli-2017-06-05-10-41-15",
   157    "name": "http://azure-cli-2017-06-05-10-41-15",
   158    "password": "0000-0000-0000-0000-000000000000",
   159    "tenant": "00000000-0000-0000-0000-000000000000"
   160  }
   161  ```
   162  
   163  These values map to the Terraform variables like so:
   164  
   165   - `appId` is the `client_id` defined above.
   166   - `password` is the `client_secret` defined above.
   167   - `tenant` is the `tenant_id` defined above.
   168  
   169  ---
   170  
   171  Finally - it's possible to test these values work as expected by first logging in:
   172  
   173  ```shell
   174  $ az login --service-principal -u CLIENT_ID -p CLIENT_SECRET --tenant TENANT_ID
   175  ```
   176  
   177  Once logged in as the Service Principal - we should be able to list the VM Sizes by specifying an Azure region, for example here we use the `West US` region:
   178  
   179  ```shell
   180  $ az vm list-sizes --location westus
   181  ```
   182  
   183  ~> **Note**: If you're using the **China**, **German** or **Government** Azure Clouds - you will need to switch `westus` out for another region. You can find which regions are available by running:
   184  
   185  ```
   186  $ az account list-locations
   187  ```
   188  
   189  ### Creating Credentials in the Azure Portal
   190  
   191  There's a couple of phases to create Credentials via [the Azure Portal](https://portal.azure.com):
   192  
   193   1. Creating an Application in Azure Active Directory (which acts as a Service Principal)
   194   2. Granting the Application access to manage resources in your Azure Subscription
   195  
   196  ### 1. Creating an Application in Azure Active Directory
   197  
   198  Firstly navigate to [the **Azure Active Directory** overview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) within the Azure Portal - [then select the **App Registration** blade](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps/RegisteredApps/Overview) and finally click **Endpoints** at the top of the **App Registration** blade. This will display a list of URIs, the URI for **OAUTH 2.0 AUTHORIZATION ENDPOINT** contains a GUID - which is your Tenant ID / the `tenant_id` field mentioned above.
   199  
   200  Next, navigate back to [the **App Registration** blade](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps/RegisteredApps/Overview) - from here we'll create the Application in Azure Active Directory. To do this click **Add** at the top to add a new Application within Azure Active Directory. On this page, set the following values then press **Create**:
   201  
   202  - **Name** - this is a friendly identifier and can be anything (e.g. "Terraform")
   203  - **Application Type** - this should be set to "Web app / API"
   204  - **Sign-on URL** - this can be anything, providing it's a valid URI (e.g. https://terra.form)
   205  
   206  Once that's done - select the Application you just created in [the **App Registration** blade](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps/RegisteredApps/Overview). At the top of this page, the "Application ID" GUID is the `client_id` you'll need.
   207  
   208  Finally, we can create the `client_secret` by selecting **Keys** and then generating a new key by entering a description, selecting how long the `client_secret` should be valid for - and finally pressing **Save**. This value will only be visible whilst on the page, so be sure to copy it now (otherwise you'll need to regenerate a new key).
   209  
   210  ### 2. Granting the Application access to manage resources in your Azure Subscription
   211  
   212  Once the Application exists in Azure Active Directory - we can grant it permissions to modify resources in the Subscription. To do this, [navigate to the **Subscriptions** blade within the Azure Portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade), then select the Subscription you wish to use, then click **Access Control (IAM)**, and finally **Add**.
   213  
   214  Firstly specify a Role which grants the appropriate permissions needed for the Service Principal (for example, `Contributor` will grant Read/Write on all resources in the Subscription). There's more information about [the built in roles](https://azure.microsoft.com/en-gb/documentation/articles/role-based-access-built-in-roles/) available here.
   215  
   216  Secondly, search for and select the name of the Application created in Azure Active Directory to assign it this role - then press **Save**.
   217  
   218  ## Creating Credentials through the Legacy CLI's
   219  
   220  It's also possible to create credentials via [the legacy cross-platform CLI](https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal-cli/) and the [legacy PowerShell Commandlets](https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/) - however we would highly recommend using the Azure CLI above.
   221  
   222  ## Testing
   223  
   224  Credentials must be provided via the `ARM_SUBSCRIPTION_ID`, `ARM_CLIENT_ID`,
   225  `ARM_CLIENT_SECRET` and `ARM_TENANT_ID` environment variables in order to run
   226  acceptance tests.