Starting with Terraform, Windows and Azure Part 3

In the last two posts we got our local toolset going. Now it is time to make sure you can actually connect to your Azure tenant with Terraform. This assumes you have access to an Azure Tennant already. If you don’t then it is really easy to get started with you own Azure Tennant and Microsoft will even throw some credits your way. You can find more information here.

My preferred method of setting up Terraform involves PowerShell, the AzureRM module and a script. The objective is to create a Service Principal and obtain the ClientID and Client Secret. These can be incorporated into you Terraform Scripts or put into environmental variables to keep your terraform templates and modules a bit safer.

macky

 

Now that we got that out of the way, I’ve devised a script to setup the service principal and obtain the credentials.

I Tend to write scripts with mostly functions in them, some I stole, some are my own feel free to use the material provided in any way you see fit. 😉

First some variables:

# Variables that can be defined, or left blank
[String]$azure_client_name=""     	# Application name
[Securestring]$azure_client_secret  # Application password
[String]$azure_group_name=""
[String]$azure_storage_name=""
[String]$azure_subscription_id="" 	# Derived from the account after login
[String]$azure_tenant_id=""       	# Derived from the account after login
[String]$location="West Europe"
[String]$azure_object_id=""

I thought is was a good idea to get the requirements, just to be certain. The following function checks if you have Azure PowerShell installed. If not, you can get is here.

function Requirements() {
	$found=0
	$azureversion = (Get-Module -ListAvailable -Name Azure -Refresh)
	If ($azureversion.Version.Major -gt 0) {
		$found=$found + 1
		Write-Output "Found Azure PowerShell version: $($azureversion.Version.Major).$($azureversion.Version.Minor)"
	}
	Else {
		Write-Output "Azure PowerShell is missing. Please download and install Azure PowerShell from"
		Write-Output "http://aka.ms/webpi-azps"		
	}
	return $found
}

Then we need to get the subscription:

function AskSubscription() {
	$azuresubscription = Add-AzureRmAccount
	$script:azure_subscription_id = $azuresubscription.Context.Subscription.SubscriptionId
	$script:azure_tenant_id = $azuresubscription.Context.Subscription.TenantId		
}

Some code to generate a Random complex password; Note, you’ll get the option to put in your own password if you prefer.

Function RandomComplexPassword () {
	param ( [int]$Length = 8 )
 	#Usage: RandomComplexPassword 12
 	$Assembly = Add-Type -AssemblyName System.Web
 	$RandomComplexPassword = [System.Web.Security.Membership]::GeneratePassword($Length,2)
 	return $RandomComplexPassword
}

We also need to provide a name for our service principal.

function AskName() {
	Write-Output ""
	Write-Output "Choose a name for your client."
	Write-Output "This is mandatory - do not leave blank."
	Write-Output "ALPHANUMERIC ONLY. Ex: mytfdeployment."
	Write-Output -n "> "
	$script:meta_name = Read-Host
}

Now the time comes to use the random complex password and convert it to a secure string for creating the service principle name.

function AskSecret() {
	Write-Output ""
	Write-Output "Enter a secret for your application. We recommend generating one with"
	Write-Output "openssl rand -base64 24. If you leave this blank we will attempt to"
	Write-Output "generate one for you using .Net Security Framework. THIS WILL BE SHOWN IN PLAINTEXT AND MIGHT NOT WORK, so please make your own."
	Write-Output "Ex: myterraformsecret8734"
	Write-Output -n "> "
	$script:azure_client_secret = Read-Host
	if ($script:azure_client_secret -eq "") {
		$script:azure_client_secret = RandomComplexPassword(43)
	}	
	Write-Output "Client_secret: $script:azure_client_secret"
	$script:password = ConvertTo-SecureString $script:azure_client_secret -AsPlainText -Force
}

Time to create the Service Principle.

function CreateServicePrinciple() {
	Write-Output "==> Creating service principal"
	$app = New-AzureRmADApplication -DisplayName $meta_name -HomePage "https://$script:meta_name" -IdentifierUris "https://$script:meta_name" -Password $script:password
 	New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId	
	#sleep 30 seconds to allow resource creation to converge
	Write-Output "Allow for 30 seconds to create the service principal"
	Start-Sleep -s 30
 	New-AzureRmRoleAssignment -RoleDefinitionName Owner -ServicePrincipalName $app.ApplicationId.Guid
	$script:azure_client_id = $app.ApplicationId
	$script:azure_object_id = $app.ObjectId
	if ($error.Count > 0)
	{
		Write-Output "Error creating service principal: $azure_client_id"
		exit
	}
}

Let’s generate some output, so you can copy that and store it somewhere safe! And I mean SAFE! It’s access to your Azure subscription!

function ShowConfigs() {
	Write-Output ""
	Write-Output "Use the following configuration for your Terraform scripts:"
	Write-Output ""
	Write-Output "{"
	Write-Output "      'client_id': $azure_client_id,"
	Write-Output "      'client_secret': $azure_client_secret,"
	Write-Output "      'subscription_id': $azure_subscription_id,"
	Write-Output "      'tenant_id': $azure_tenant_id"
	Write-Output "}"
	Write-Output ""
	Write-Output "Use the following Environmetal variable direct in PowerShell Terminal"
	Write-Output ""
	Write-Output "`$env:ARM_CLIENT_ID=`"$azure_client_id`""
	Write-Output "`$env:ARM_CLIENT_SECRET=`"$azure_client_secret`""
	Write-Output "`$env:ARM_TENANT_ID=`"$azure_tenant_id`""
	Write-Output "`$env:ARM_SUBSCRIPTION_ID=`"$azure_subscription_id`""
	Write-Output ""
}

And now to assemble it all in a script and add the code to actually run all the functions 😀

# Variables that can be defined, or left blank
[String]$azure_client_name=""     	# Application name
[Securestring]$azure_client_secret  # Application password
[String]$azure_group_name=""
[String]$azure_storage_name=""
[String]$azure_subscription_id="" 	# Derived from the account after login
[String]$azure_tenant_id=""       	# Derived from the account after login
[String]$location="West Europe"
[String]$azure_object_id=""


function Requirements() {
	$found=0
	$azureversion = (Get-Module -ListAvailable -Name Azure -Refresh)
	If ($azureversion.Version.Major -gt 0) {
		$found=$found + 1
		Write-Output "Found Azure PowerShell version: $($azureversion.Version.Major).$($azureversion.Version.Minor)"
	}
	Else {
		Write-Output "Azure PowerShell is missing. Please download and install Azure PowerShell from"
		Write-Output "http://aka.ms/webpi-azps"		
	}
	return $found
}

function AskSubscription() {
	$azuresubscription = Add-AzureRmAccount
	$script:azure_subscription_id = $azuresubscription.Context.Subscription.SubscriptionId
	$script:azure_tenant_id = $azuresubscription.Context.Subscription.TenantId		
}

Function RandomComplexPassword () {
	param ( [int]$Length = 8 )
 	#Usage: RandomComplexPassword 12
 	$Assembly = Add-Type -AssemblyName System.Web
 	$RandomComplexPassword = [System.Web.Security.Membership]::GeneratePassword($Length,2)
 	return $RandomComplexPassword
}

function AskName() {
	Write-Output ""
	Write-Output "Choose a name for your client."
	Write-Output "This is mandatory - do not leave blank."
	Write-Output "ALPHANUMERIC ONLY. Ex: mytfdeployment."
	Write-Output -n "> "
	$script:meta_name = Read-Host
}

function AskSecret() {
	Write-Output ""
	Write-Output "Enter a secret for your application. We recommend generating one with"
	Write-Output "openssl rand -base64 24. If you leave this blank we will attempt to"
	Write-Output "generate one for you using .Net Security Framework. THIS WILL BE SHOWN IN PLAINTEXT."
	Write-Output "Ex: myterraformsecret8734"
	Write-Output -n "> "
	$script:azure_client_secret = Read-Host
	if ($script:azure_client_secret -eq "") {
		$script:azure_client_secret = RandomComplexPassword(43)
	}	
	Write-Output "Client_secret: $script:azure_client_secret"
	$script:password = ConvertTo-SecureString $script:azure_client_secret -AsPlainText -Force
}

function CreateServicePrinciple() {
	Write-Output "==> Creating service principal"
	$app = New-AzureRmADApplication -DisplayName $meta_name -HomePage "https://$script:meta_name" -IdentifierUris "https://$script:meta_name" -Password $script:password
 	New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId	
	#sleep 30 seconds to allow resource creation to converge
	Write-Output "Allow for 30 seconds to create the service principal"
	Start-Sleep -s 30
 	New-AzureRmRoleAssignment -RoleDefinitionName Owner -ServicePrincipalName $app.ApplicationId.Guid
	$script:azure_client_id = $app.ApplicationId
	$script:azure_object_id = $app.ObjectId
	if ($error.Count > 0)
	{
		Write-Output "Error creating service principal: $azure_client_id"
		exit
	}
}

function ShowConfigs() {
	Write-Output ""
	Write-Output "Use the following configuration for your Terraform scripts:"
	Write-Output ""
	Write-Output "{"
	Write-Output "      'client_id': $azure_client_id,"
	Write-Output "      'client_secret': $azure_client_secret,"
	Write-Output "      'subscription_id': $azure_subscription_id,"
	Write-Output "      'tenant_id': $azure_tenant_id"
	Write-Output "}"
	Write-Output ""
	Write-Output "Use the following Environmetal variable direct in PowerShell Terminal"
	Write-Output ""
	Write-Output "`$env:ARM_CLIENT_ID=`"$azure_client_id`""
	Write-Output "`$env:ARM_CLIENT_SECRET=`"$azure_client_secret`""
	Write-Output "`$env:ARM_TENANT_ID=`"$azure_tenant_id`""
	Write-Output "`$env:ARM_SUBSCRIPTION_ID=`"$azure_subscription_id`""
	Write-Output ""
}

$reqs = Requirements	
	if($reqs -gt 0)
	{
		AskSubscription
		AskName
		AskSecret
		CreateServicePrinciple
		ShowConfigs
	}

 

Just copy paste the script above and check the content…(it’s a good habit to check all the code you rip of the web!) and save it as azure-setup.ps1.

You will get an output giving all the info needed to be able to deploy your first resources to Azure.

TLDR;

There are more than one way to setup Terraform and obtain your credentials for Azure. Methods Involving the CLI or the Azure Portal are valid and more information can be found here. The above script fixes everything in about a minute.

Starting with Terraform, Windows and Azure Part 2

Installation

In the previous post I explained how to setup the Windows environmental variable PATH so you can run the terraform executable from any path. In this post I will explain how I set up my favorite text file editor. In the last year or so I came to fall in love with Microsoft Visual Studio Code. It runs on Windows, macOS and Linux, is very versatile and got al kind of neat features. At least try it and decide for yourself.

You can download the installation media here.

When you are done installing you will be greeted with a welcome screen that looks something like this:

image

Settings

Now first lets add some nice settings. To access the settings you can press the following key combination:

Ctrl+, (Control and Comma)

This will open up the User Settings json file:

image

On the left side are the Default Settings. You can mess with those, but it’s better to put your custom settings in the user settings.

The following is an example of my settings:

{
"material-icon-theme.showWelcomeMessage": false,
"workbench.iconTheme": "material-icon-theme",
// 64-bit PowerShell if available, otherwise 32-bit
"terminal.integrated.shell.windows": "C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe",
"window.zoomLevel": 0,
"git.confirmSync": false,
"workbench.panel.location": "bottom",
"editor.minimap.enabled": true
}

I can recommend Minimap.enabled. This Enables a map in the right side of the editor that shows a small version of the file you are editing. This is usefull navigating large text files.

Extensions

Pressing the Ctrl+Shift+X will open up the Extension Tab on the left side of the window:

image

When you first start out it should be empty. I can recommend the following Extensions:

  • 1337 Theme
  • Advanced Terraform
  • Azure Resource Manager Tools
  • Azure Resource Manager Snippets
  • Material Icon Theme
  • PowerShell
  • Simple Terraform Snippets
  • Terraform
  • Terraform Autocomplete

You can type in these values at the ‘Search in Extensions Marketplace‘ field. Visual Studio Code will also recommend Extensions based on the files you are working with. But the ones above I find great for editing Terraform files.

Console

You van start the console by typing Ctrl+~. In windows this should default to PowerShell. This can also be set to Bash for instance. We’ll keep it on PowerShell for now. Visuals Studio Code also supports the running of selected code by pressing F8. The entire code can be executed by pressing F5. Keep in mind the code execution works when running PowerShell cmdlets. More keyboard shortcuts are found here.

Explorer

Ctrl+Shift+E opens the explorer tab. In this tab you can either open files or entire folders. In the case of the later the contents of the entire folder will be displayed. This is useful when editing multiple files simultaneously. In fact, Visual Studio Code even adds an ‘Open with Code’ feature to the context menu (right-click). This will work for folders and Files.

TLDR;

Download Visual Studio Code, it’s great for Terraform and great for scripting in general.

Starting with Terraform, Windows and Azure Part 1

This is a series of blog posts going in to the setup of Terraform and building your first Azure deployment. First we are going to the local installation. Terraform is able to run on a variety of operating systems:

  • MacOS
  • FreeBSD
  • Linux
  • OpenBSD
  • Solaris
  • Windows

Since this blog Is mostly about Microsoft, Windows and Azure related stuff I’m going to cover the Windows version. Fist of all, download the Terraform executable for your Windows installation (32 of 64 bit) right here.

Extract the zip package to a location on your computer, for instance:

c:\Terraform

I would also recommend to add this location to the ‘PATH’ environmental variable in Windows so you can actually run this from any location so you don’t have to type extensive paths every time you are doing deployments.

To make it easy I’ve devised a PowerShell script:

# Terraform Executable location, modify for a different location
$TerraformPath='c:\Terraform'
# Get the PATH environmental Variable
$Path=(Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).Path
# Create New PATH environmental Variable
$NewPath=$Path+";"+$TerraformPath
# Set the New PATH environmental Variable
Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH –Value $NewPath
# Verify the Path
(Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).Path

This should allow you to run terraform from any path on your machine. You can try this opening a PowerShell session and running Terraform:

image

So the local terraform is all set up. That wasn’t too hard. In the next post I will visit the tools I use to write Terraform templates (and a lot of other scripts/things).