github.com/opentofu/opentofu@v1.7.1/internal/backend/remote-state/azure/README.md (about) 1 # Azure State Backend 2 3 This README serves as a guide for developing the Azure State Backend. 4 5 ## Running Integration Tests 6 7 The package contains multiple integration tests which need to be run with a live Azure account. This guide assumes you are using a fresh and empty Azure account/subscription. This way you'll be able to wipe it clean at the end without needing to worry about lingering resources. 8 9 You'll also need the azure CLI installed and configured with `az login`. 10 11 First, you'll need to configure the CLI to use the right subscription, in case your account has multiple subscriptions: 12 13 ```bash 14 ~> az account set --subscription <subscription_id> 15 ``` 16 17 You'll also need to create a service account, via 18 ```bash 19 ~> az ad sp create-for-rbac --role="Owner" --scopes="/subscriptions/<subscription_id>" 20 { 21 "appId": "{APP_ID}", 22 "displayName": "{DISPLAY_NAME}", 23 "password": "{PASSWORD}", 24 "tenant": "{TENANT}" 25 } 26 ``` 27 We'll also need a certificate for the service account, as there are tests which check certificate authentication. 28 ```bash 29 # Generating key+cert pair. 30 ~> openssl req -subj '/CN=myclientcertificate/O=MyCompany, Inc./ST=CA/C=US' \ 31 -new -newkey rsa:4096 -sha256 -days 3 -nodes -x509 -keyout client.key -out client.crt 32 # Creating a pfx bundle with the format required by the state backend. 33 ~> openssl pkcs12 -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -export -macalg sha1 -password "pass:" -out client.pfx -inkey client.key -in client.crt 34 ``` 35 36 You will now have to **use the UI** to add this certificate. Go to `App Registrations` in the Azure Portal, pick the app with the previously generated `{DISPLAY_NAME}`, there you go into `Certificates & secrets`, Certificates tab, and `Upload certificate` with the `client.crt` file. 37 38 You'll now want to compile the tests. We'll be running them later on a VM (so that tests checking IMDS authentication work). Go to the `internal/backend/remote-state/azure` directory and run: 39 ```bash 40 ~> GOOS=linux GOARCH=amd64 go test -c . 41 ``` 42 43 Create a resource group for your Azure VM: 44 ```bash 45 ~> az group create --name myResourceGroup --location eastus 46 ``` 47 48 Now, let's create the Azure VM. 49 ```bash 50 ~> az vm create --resource-group myResourceGroup --name myVM --image Ubuntu2204 --generate-ssh-keys --admin-username azureuser --admin-password <long password with lower and upper letters, numbers and symbols> 51 { 52 "fqdns": "", 53 "id": "...", 54 "location": "eastus", 55 "macAddress": "...", 56 "powerState": "VM running", 57 "privateIpAddress": "...", 58 "publicIpAddress": "{PUBLIC_IP_ADDRESS}", 59 "resourceGroup": "myResourceGroup", 60 "zones": "" 61 } 62 ``` 63 Assign an identity to the VM: 64 ```bash 65 ~> az vm identity assign --resource-group myResourceGroup --name myVM 66 { 67 "systemAssignedIdentity": "{IDENTITY}", 68 "userAssignedIdentities": {} 69 } 70 ``` 71 72 and a role to that identity: 73 ```bash 74 ~> az role assignment create --assignee "{IDENTITY}" --role Owner --scope "/subscriptions/<subscription_id>" 75 ``` 76 77 You'll now want to copy the compiled tests and certificate to the vm: 78 ```bash 79 # This might hang for a bit, while the VM is booting up. 80 ~> scp azure.test client.pfx azureuser@{PUBLIC_IP_ADDRESS}:~/ 81 ~> ssh azureuser@{PUBLIC_IP_ADDRESS} 82 ``` 83 84 Now, on the Azure VM bash session we'll have to set up the environment variables for the tests: 85 ```bash 86 export TF_AZURE_TEST=1 87 export TF_RUNNING_IN_AZURE=1 88 export ARM_SUBSCRIPTION_ID=<subscription_id> 89 export ARM_LOCATION=eastus 90 export ARM_ENVIRONMENT=public 91 export ARM_TENANT_ID={TENANT} 92 export ARM_CLIENT_ID={APP_ID} 93 export ARM_CLIENT_SECRET={PASSWORD} 94 export ARM_CLIENT_CERTIFICATE_PATH=/home/azureuser/client.pfx 95 ``` 96 97 Finally, we can run the tests! 98 ```bash 99 ~> ./azure.test -test.v -test.timeout 99999s 100 ``` 101 The tests should run for around 30 minutes. Enjoy your coffee! 102 103 ### Cleanup 104 105 Now it's time to get rid of everything we've created. 106 107 List all resource groups in your subscription: 108 ```bash 109 ~> az group list --subscription <subscription_id> --query "[].name" 110 [ 111 "myResourceGroup", 112 "acctestRG-backend-23112414590786-k3nx", 113 "..." 114 ] 115 ``` 116 117 For each of these, run: 118 ```bash 119 ~> az group delete --subscription <subscription_id> --name <resource_group_name> --yes --no-wait --force-deletion-types "Microsoft.Compute/virtualMachines" 120 ``` 121 122 You'll also want to delete the service account: 123 ```bash 124 ~> az ad sp delete --id {APP_ID} 125 ``` 126 127 List ServicePrincipal role assignments in the subscription: 128 ```bash 129 ~> az role assignment list --subscription <subscription_id> --query "[?principalType=='ServicePrincipal']" 130 [ 131 { 132 "canDelegate": null, 133 "condition": null, 134 "conditionVersion": null, 135 "description": null, 136 "id": "{ASSIGNMENT_ID}", 137 "name": "...", 138 "principalId": "...", 139 "principalType": "ServicePrincipal", 140 "resourceGroup": "", 141 "roleDefinitionId": "/subscriptions/<subscription_id>/providers/Microsoft.Authorization/roleDefinitions/...", 142 "scope": "/subscriptions/<subscription_id>", 143 "type": "Microsoft.Authorization/roleAssignments" 144 }, 145 ... 146 ] 147 ``` 148 149 and for each of those, delete it: 150 ```bash 151 ~> az role assignment delete --subscription <subscription_id> --id {ASSIGNMENT_ID} 152 ``` 153 154 At this point, double-check that all resource groups are gone: 155 ```bash 156 ~> az group list --subscription <subscription_id> --query "[].name" 157 [] 158 ```