Azure OIDC

Follow these steps to authenticate against Azure

1. Create a new Service Principal

A Service Principal is an application within Azure Active Directory used to create your cloud resources.

Install the Azure CLI

brew update && brew install azure-cli

Authenticate using the Azure CLI

az login

Subscription ID

The id field in the output of the az login command above is your subscription ID.

Tip: Record the subscription ID; it is used in the next steps.

Set the Subscription ID

Replace $SUBSCRIPTION_ID with your subscription ID.

az account set --subscription "$SUBSCRIPTION_ID"

Create a Service Principal

Replace $SUBSCRIPTION_ID with your subscription ID.

az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/$SUBSCRIPTION_ID"

Copy the JSON object for your service principal

{
  "clientId": "<GUID>",
  "clientSecret": "<GUID>",
  "subscriptionId": "<GUID>",
  "tenantId": "<GUID>",
  (...)
}
  • Contributor is an Azure built-in role. This role grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
  • This role is merely a suggestion. Choose whichever role makes the most sense for your organization.

2. Configure Azure credential environment variables

Credentials are stored in GitHub Secrets and exposed to the Terrateam GitHub Action as environment variables whose values are masked in workflow logs.

Azure credential environment variables are typically named:

  • AZURE_CLIENT_ID
  • AZURE_TENANT_ID
  • AZURE_SUBSCRIPTION_ID
  1. Navigate to the main page of your Terraform repository on GitHub
  2. Click ⚙️ Settings
  3. In the left sidebar, click Secrets, then Actions
  4. Click New repository secret
     • Name: AZURE_CLIENT_ID
     • Value: <Your azure client id>
  5. Click New repository secret
     • Name: AZURE_TENANT_ID
     • Value: <Your azure tenant id>
  6. Click New repository secret
     • Name: AZURE_SUBSCRIPTION_ID
     • Value: <Your azure subscription id>
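Steps 1 and 2 together amount to a mapping from the service principal JSON to the three GitHub secrets. The following is an added helper (not part of the Terrateam documentation or project) that performs that mapping and validates each value is a GUID; it deliberately drops clientSecret, since the workflow in step 3 passes only client-id, tenant-id and subscription-id to azure/login. The sample JSON and the names secrets_from_sp_json, is_valid_sp_json and FIELD_TO_SECRET are constructed for this example.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the `az ad sp create-for-rbac` output above;
# the GUIDs are placeholders, not real identifiers.
SAMPLE_SP_JSON = """{
  "clientId": "11111111-1111-1111-1111-111111111111",
  "clientSecret": "placeholder-secret-value",
  "subscriptionId": "22222222-2222-2222-2222-222222222222",
  "tenantId": "33333333-3333-3333-3333-333333333333",
  "displayName": "constructed-example"
}"""

# The three fields the workflow's azure/login step consumes, keyed to the
# GitHub secret names used in step 2.
FIELD_TO_SECRET = {
    "clientId": "AZURE_CLIENT_ID",
    "tenantId": "AZURE_TENANT_ID",
    "subscriptionId": "AZURE_SUBSCRIPTION_ID",
}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def secrets_from_sp_json(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Map the SP JSON to (secret name -> value, warnings). clientSecret is
    never copied: the OIDC login in the workflow only sends client-id,
    tenant-id and subscription-id, so it has no reason to be stored."""
    data = json.loads(text)
    secrets: Dict[str, str] = {}
    warnings: List[str] = []
    for field, secret_name in FIELD_TO_SECRET.items():
        value = data.get(field)
        if not isinstance(value, str) or not GUID_RE.match(value):
            raise ValueError(f"{field} is missing or is not a GUID")
        secrets[secret_name] = value
    if data.get("clientSecret"):
        warnings.append("clientSecret present in input; not stored because the "
                        "OIDC login does not use it")
    return secrets, warnings


def is_valid_sp_json(text: str) -> bool:
    """Convenience check: True when the JSON carries the three required GUIDs."""
    try:
        secrets_from_sp_json(text)
    except (ValueError, json.JSONDecodeError):
        return False
    return True
```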

3. Modify the Terrateam GitHub Workflow File

The GitHub workflow file is required to execute the Terrateam GitHub Action.

This file must exist in the default branch of your Terraform repository at .github/workflows/terrateam.yml.

Workflow File
##########################################################################
# DO NOT MODIFY
#
# THIS FILE SHOULD LIVE IN .github/workflows/terrateam.yml
#
# Looking for the Terrateam configuration file? .terrateam/config.yml.
#
# See https://docs.terrateam.io/configuration/overview for details
##########################################################################
name: 'Terrateam Workflow'
on:
  workflow_dispatch:
    inputs:
      # The work-token is automatically passed in by the Terrateam backend
      work-token:
        description: 'Work Token'
        required: true
      api-base-url:
        description: 'API Base URL'
jobs:
  terrateam:
    permissions: # Required to pass credentials to the Terrateam action
      id-token: write
      contents: read
    runs-on: ubuntu-latest
    name: Terrateam Action
    steps:
      - name: 'Az CLI login'
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Run Terrateam Action
        id: terrateam
        uses: terrateamio/action@v1 # Do not replace with a custom image. Doing so may cause Terrateam to not operate as intended.
        with:
          work-token: '${{ github.event.inputs.work-token }}'
          api-base-url: '${{ github.event.inputs.api-base-url }}'
        env:
          SECRETS_CONTEXT: ${{ toJson(secrets) }}

4. Azure Provider Configuration

The official azure/login GitHub Action creates short-lived credentials using GitHub's OIDC provider and configures them for use in the Terrateam action.

Example

The following is an example configuration that can be used with your newly created AZURE_CREDENTIALS GitHub secret.

# Configure the Azure provider
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0.2"
    }
  }

  required_version = ">= 1.1.0"
}

provider "azurerm" {
  features {}
}