Coming Soon
MG and Sub Image to be added here
Please create an Azure Storage Account and a container named tfstate to store Terraform State Files (You may change the name of the container in providers.tf). Please note the Service Principle should have access to the Storage Account. Note the Access Key for the Storage Account from Azure Portal.
Key Name | Value |
---|---|
ARM-ACCESS-KEY | Azure Storage Account Access Key |
Note :: The details of the Storage Account must be filled in provider.tf file backend configuration.
You will need an Enterprise Agreement billing account in order to create subscription. You will need the following details. Please check this official article for more details.
Key Name | Value |
---|---|
EA-BILLING-AC-NAME | Enterprise Agreement Billing Account Name |
EA-NAME | Enterprise Agreement Name |
Azure DevOps Pipeline requires Service Connection to run tasks. The Service Principle should have access to Key Vault Secrets (Get and List Permission) to retrieve Key Vault Secret Values required during running the task. Please refer to this official article for creating the Service Connection from a Service Principle. Note the following values for a Service Principle from Azure Portal.
Key Name | Value |
---|---|
ARM-CLIENT-ID | Application ID of the Service Principle |
ARM-CLIENT-SECRET | Client Secret of the Service Principle |
ARM-SUBSCRIPTION-ID | Subscription ID of the Key Vault |
ARM-TENANT-ID | Azure Tenant ID |
An Azure Key Vault is required to store Secrets which are used by the pipeline to authenticate against Azure and Azure DevOps to perform it's desired operation. Please note the Service Principle mentioned above must have GET and LIST for the Key Vault Secrets. Please create the secrets in Azure Key Vault. You may refer to the Service Connection and Azure DevOps PAT and URL section for values.
Secrets to be created in Azure Key Vault
ARM-CLIENT-ID
ARM-CLIENT-SECRET
ARM-SUBSCRIPTION-ID
ARM-TENANT-ID
ARM-ACCESS-KEY
EA_BILLING_AC_NAME
EA_NAME
The code needs an Azure DevOps Pipeline Variable Group linked to an existing Azure Key Vault containing the Secrets. Please refer to this official article for more details.
The code is simplified to granular level for ease of maintenance and understanding. You may change values as per your convenience.
Name | Function |
---|---|
./pipelines/deploy.yaml | Azure DevOps YAML file for Pipeline |
modules | Terraform code for Creating Subscription, Creating Management Groups, Policy Assignment, RBAC Assignments etc |
data.tf | Terraform Code for reading existing resources |
local.tf | Terraform Code for Management Groups, Subscription, Subscription Association and Policy Assignment local values |
variables.tf | Terraform Code for Management Groups, Subscription, Subscription Association and Policy Assignment Variables |
main.tf | Terraform Code for creating Subscription, Management Groups, Subscription Association and Policy Assignment |
provider.tf | Terraform Code for provider configuration |
terraform.auto.tfvars | Terraform Code for providing variable values in run time |
Once done with all the above steps update the both the pipeline files inside .pipelines folder in the repository.
variables:
- name: AZURE_SERVICE_CONNECTION
value: '< SERVICE CONNECTION NAME >'
- group: '< VARIABLE GROUP NAME LINKED TO KEY VAULT >'
You need to update provider.tf file with values for the Azure Storage Account which will host the Terraform State file.
backend "azurerm" {
resource_group_name = "< Storage Account Resource Group Name >"
storage_account_name = "< Storage Account Name >"
container_name = "tfstate"
key = "< TFSTATE file name >"
}
The code is defined for
- Create / Read Management Groups
- Create Subscriptions
- Associate Subscription to Management Group
- Deploy Built In Policy
- Assign Roles for Built In Policy
Please follow this instruction to create the deploy pipeline
- Go to Pipelines in Azure DevOps
- Click on New Pipeline from right top corner
- Select Azure Repos Git
- Select your repository containing this code
- Select Existing Azure Pipelines YAML file
- Select the branch and select path as /.pipelines/deploy.yaml
- Click on Continue
- Click on Save from Run drop down menu on top right corner
- You may rename the pipeline by choosing Rename/move from top right corner Kebab menu
Please follow the instruction to run deploy pipelines
- Go to Pipelines in Azure DevOps.
- Click on All option and click on the deploy pipeline created above
- Click on Run Pipeline from top right corner
- Select Apply Option as No and click on Run button
- Follow the Pipeline Status
Note : - It is recommended to keep Apply Option as No for first time. Once satisfied with the Terraform Plan output you neeed to rerun the Pipeline keeping Apply Option as Yes.