Setup an Azure subscription with Terraform and GitHub actions
Overview
This page will detail the process of setting up an Azure subscription so you can build resources using Terraform and GitHub actions. It goes through each step in order and provides links to prepared code you can use for your own environment.
An Azure subscription
Sign up for a free Azure subscription or use an existing one. It does not matter so long as you can create and configure the remainder of this guide.
Create the Terraform backend state storage and service principal
I have written an Azure PowerShell setup script that creates a resource group, a storage account, a blob container, a key vault, and a service principal with Contributor rights on the given subscription; the service principal credentials are written to the key vault.
grinntec/azure-public/bootstrap-terraform-azure
Create a GitHub repository
Create a new repository named build-{sub-name}:
- Description: Build resources in {sub-name}
- Mark it private
- Add a README file
- No .gitignore file
- No license
Put Terraform code into the repository
The Terraform working directories can be laid out as below, which shows two separate code folders. Each code folder requires its own workflow action file. You can use this example Terraform code to populate the new GitHub repository; it creates a resource group and a storage account.
grinntec/azure-public/example-terraform-code
.
{GitHub account}
|_{GitHub repository}
|__/codefolder1
| |main.tf
| |providers.tf
| |variables.tf
| |terraform.tfvars
|__/codefolder2
| |main.tf
| |providers.tf
| |variables.tf
| |terraform.tfvars
Setup GitHub actions secrets
In the GitHub portal, browse to the repository that hosts your Terraform code and that will run your GitHub action. Go to the Settings menu, locate Secrets, then click the Actions option. This opens a screen that allows you to enter new repository secrets. Once a secret is set you cannot retrieve it; the only options are to update or remove it. The name of the secret is important, as this is what Terraform will be looking for, and it is case-sensitive. Do not include the "" marks.
Create the following secrets, using the values output from the SP creation earlier:
- ARM_CLIENT_ID is the appId
- ARM_CLIENT_SECRET is the password
- ARM_SUBSCRIPTION_ID is the ID of the Azure subscription
- ARM_TENANT_ID is the tenant_id
Setup GitHub actions workflow
Create a workflow directory as per below. Name the {ACTION-FILE1}.yaml file so that it describes the resource or project folder it will execute against. So if you used the example Terraform code in the step earlier, you could name the workflow file example-terraform-code.yaml.
An example GitHub actions workflow file can be retrieved from
grinntec/github-actions-public/gh-actions-example1/
The GitHub actions workflow directory must exist as follows
.
{GitHub account}
|_{GitHub repository}
|__/.github
|___/workflows
| |{ACTION-FILE1}.yaml
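The workflow below is added here as an illustration; it is not the file from the grinntec/github-actions-public repository. It shows how the four ARM_* repository secrets from the previous section reach Terraform, and how the Apply choice on the Run workflow button is wired up as a workflow_dispatch input so that an apply only happens when it is chosen explicitly. The workflow name, the codefolder1 working directory, and the plan/apply input are assumptions for this example; the azurerm provider and backend read the ARM_* environment variables directly, which is why the secret names must match exactly.

```yaml
name: example-terraform-code

on:
  workflow_dispatch:
    inputs:
      action:
        description: "Terraform action to run"
        type: choice
        required: true
        default: plan
        options:
          - plan
          - apply

# Least-privilege token for the job: the workflow only needs to read the repo.
# Azure access comes from the ARM_* secrets, not from GITHUB_TOKEN.
permissions:
  contents: read

# One run of this workflow at a time, so two applies never race on the same state.
concurrency:
  group: terraform-${{ github.workflow }}
  cancel-in-progress: false

jobs:
  terraform:
    runs-on: ubuntu-latest
    # Assumed path: matches one of the code folders in the repository tree above.
    defaults:
      run:
        working-directory: codefolder1
    # The azurerm provider (and the azurerm backend) authenticate from these
    # environment variables; the names, including case, must match the secrets.
    env:
      ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
      ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Install Terraform
        uses: hashicorp/setup-terraform@v3

      - name: Terraform init
        run: terraform init -input=false

      - name: Terraform validate
        run: terraform validate

      # Plan always runs and is saved, so the apply step executes exactly what was reviewed.
      - name: Terraform plan
        run: terraform plan -input=false -out=tfplan

      # Only the explicit "apply" choice from the Run workflow button changes Azure.
      - name: Terraform apply
        if: ${{ inputs.action == 'apply' }}
        run: terraform apply -input=false -auto-approve tfplan
```

With the default of plan, running the workflow only produces a plan in the job log; choosing apply runs the same plan and then applies the saved tfplan file, so nothing is applied that was not planned in that run. GitHub masks the secret values in the log output, but the plan output itself can still reveal resource names and configuration, so keep the repository private as the setup step above requires.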
Test building
Now you can test whether you can build resources in the subscription by running the new GitHub action. In your GitHub repository, go to the Actions tab. Under Workflows you should see the workflow file you created. Click it, then from the Run workflow button select Apply and click Run workflow. The workflow will now execute against the working directory you defined.