Getting Started With #Terraform On #AzureStack #Azure #AzureStackDevKit @HashiCorp @Azure

10 min read


Terrafom from HashiCorp is an Infrastructure as Code (IaC) tool that helps you to provision resources in Azure with a very simple language. The real benefits of using Terraform are the following:

  • It is Multi Cloud provider (Azure, AWS, Google Cloud, Ali Cloud, etc).
  • It is Multi-Platforms (Windows, Linux, macOS, FreeBSD, OpenBSD, Solaris).
  • It is open source with a large active community.
  • It allows to preview the changes that it will apply before its application (with the plan command).
  • It runs in command line, so it can be integrated in an automated DevOps pipeline.
  • The command line tool has some very useful options (which we will see as we go along).
  • And many others

In addition to the Azure Provider for Terraform, HashiCorp also announced the release of a dedicated provider for Azure Stack, so organizations can now provision and manage infrastructure using Terraform as part of their hybrid cloud environment.

In this article, I will show you how to use Terraform on Azure Stack to create a resource group containing Windows Server Virtual Machine, Virtual Network, Subnet, Network Security Group, Network Interface, and Public IP address.


In order to use Terraform on Azure Stack, you need to have the following:

  • Latest version of Terraform. At the time of this writing, you can download the current release (0.11.11) from the following link. In this example, I will use the Windows version, but of course you can download for other platforms as well.
  • Creating a Service Principal in Azure Active Directory. At the time of this writing, this is the only way for the provider to authenticate to Azure Stack.
  • Configuring Azure Stack Provider.

Terraform for Windows

After you downloaded Terraform on you machine, you need to extract it. Open a command prompt window, then browse to the extracted location and type Terraform.

You will see the available commands for execution listed below. The most common, useful commands are shown first, followed by less common or more advanced commands. Since we are just getting started with Terraform, we will stick with the common commands (terraform init, terraform plan, terraform apply, and terraform destroy).

Creating a Service Principal

We need to authorize Terraform to manage resources on Azure Stack, we need to create an Azure AD service principal that have authorizations to manage (create, update, delete) Azure Stack resources. There are two tasks that you must complete:

  • The first one is to create an Application in the Azure Active Directory.
  • The second one is granting the Application access to manage resources in your Azure Stack Subscriptions.

A Service Principal is an application within Azure Active Directory whose authentication tokens can be used as the client_id, client_secret, and tenant_id fields needed by Terraform (more on that later). For more information on how to create service principal in the Azure Portal, please check the following documentation from Microsoft. It’s also possible to create this service principal by using the Azure PowerShell, or by using the Azure CLI.

Launch the Azure Portal and navigate to the Azure Active Directory overview, then select the App Registration blade to create the Application in Azure Active Directory. Click + New application registration and set the following values:

  • Name – enter a friendly identifier, this can be anything (e.g. “AzureStackTerraform“)
  • Application Type – this should be set to “Web app / API
  • Sign-on URL – this can be anything, providing it’s a valid URI (e.g. https://azurestack.terraform)

Next, login to the Azure Stack Tenant portal, then select the Subscription you wish to use. Click Access Control (IAM), then click +Add, select Contributor as Role and add the Azure AD application that you created in the previous step, and finally click Save.

Configuring Azure Stack Provider

In this step, we need to collect the required arguments so we can configure the Azure Stack Provider that we will use in subsequent steps to configure the environment variables.

The following arguments are supported for the Azure Stack Provider:

  • arm_endpoint: This is the Azure Resource Manager API Endpoint for your Azure Stack instance, such as https://management.local.azurestack.external for Azure Stack Development Kit (ASDK), or
  • subscription_id: This is the subscription ID for the Tenant in Azure Stack that you want to use.
  • client_id: This is ID of the application that you created in Azure Active Directory.
  • client_secret: This is the secret key that you need to generate after creating the application in Azure AD.
  • tenant_id: This is the ID of the Azure Active Directory tenant in Azure.

For the client_id, navigate to the App Registration blade in the Azure and search for the application that you created in the previous step and copy the Application ID.

For the client_secret, click on Settings within the same application blade and select Keys. Enter a description name, expiry duration and then click Save. Copy the secret key value because you won’t be able to retrieve it after you leave this blade.

For the tenant_id, navigate to the App Registration blade and click on Endpoints at the top of the App Registration blade. A list of URIs will be displayed and you need to locate the URI for OAUTH 2.0 AUTHORIZATION ENDPOINT which contains a GUID. Note down your Tenant ID.

Create resources on Azure Stack with Terraform

When Terraform is installed and your Azure Service Principal is created in Azure AD, you can start provisioning Azure Stack resources. But before doing so, we need to look at the environment variables that are needed. To follow this example, you need to have three files as follows:

  • Variables in Terraform have a very important role, they will allow you to optimize your code without having to duplicate it and thus improve its maintainability and visibility by having a common code for all environments and just variables for differences in names, properties, etc. This file contains all the variables which instantiate the variables or provides any default values.
  • terraform.tfvars: This file contains the actual values referencing all the variables in file. You also need to add the Azure Stack Provider variables at the very beginning of the file, with the necessary parameters to establish the connection to Azure Stack. Those are the values that we copied from the previous step (arm_endpoint, subscription_id, client_id, client_secret, tenant_id).
  • This file contains the actual declaration of the resources we want to deploy in Azure Stack. In this example, creating a resource group containing Windows Server Virtual Machine, Virtual Network, Subnet, Network Security Group, Network Interface, and Public IP address.

Let’s now break down each file individually before we proceed and deploy the configuration.

In my example, the file contains the following variables. As mentioned earlier, this file contains all the variable names that are defined in the terraform.tfvars file.

The terraform.tfvars file contains the actual values for all variables. As mentioned earlier, you also need to add the Azure Stack Provider variables at the very beginning of the file, with the necessary parameters to establish the connection to Azure Stack. You need to replace the values based on your environment.

The last file is the which contains the complete resources that will be deployed. In this example, I am deploying a new resource group containing Windows Server Virtual Machine, Virtual Network, Subnet, Network Security Group, Network Interface, and Public IP address.

Note: At the time of this writing, managed disk functionality with Terraform on Azure Stack is still work in progress. In this example below, I am deploying Windows Server Virtual Machine with Unmanaged Disks.

Deploy resources on Azure Stack with Terraform

Now that we have all variables and resources declared , I copied them into a single folder on my managed machine along with Terraform.exe executable for Windows.

Open a command prompt window and navigate to the directory where the configuration files are stored.

First, we will start by initializing the environment by running the following command: terraform init

The terraform init command is used to initialize a working directory containing Terraform configuration files. This is the first command that should be run after writing a new Terraform configuration. It is also safe to run this command multiple times.

Once the initialization is completed, we will move and validate the deployment by running the following command: terraform plan

The terraform plan command is used to create an execution plan. Terraform performs a refresh, unless explicitly disabled, and then determines what actions are necessary to achieve the desired state specified in the configuration files.

Last but not least, we will deploy the configuration and watch it’s magic by running the following command: terraform apply

The terraform apply command is used to apply the changes required to reach the desired state of the configuration that we defined.

After nearly 10 minutes, you will see that all resources are created successfully on Azure Stack Tenant space as desired.

Finally, you can connect to the VM and verify it’s accessible.

If you want to delete the deployment, you can run terraform destroy command to destroy the Terraform managed infrastructure.


In this article, I showed you the power of Terraform on deploying many resources on Azure Stack with ease in declarative approach. Please note the same will apply to other cloud providers (Azure, AWS, Google Cloud, Ali Cloud, etc). This is so powerful as you learn one simple language and use it everywhere.

One of great strengths of Terraform is maintaining the state of the environment it applies in a tfstate file. This file in Json format allows Terraform to apply only the differential for each execution. It is on this file that Terraform is based when executing plan/apply/destroy commands.

For more information about Terraform, I highly recommend to check their documentation here. Other samples of Terraform code for Azure Stack are available on GitHub here.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About Charbel Nemnom 440 Articles
Charbel Nemnom is a Cloud Solutions Architect and Microsoft Most Valuable Professional (MVP), totally fan of the latest's IT platform solutions, accomplished hands-on technical professional with over 17 years of broad IT Infrastructure experience serving on and guiding technical teams to optimize performance of mission-critical enterprise systems. Excellent communicator adept at identifying business needs and bridging the gap between functional groups and technology to foster targeted and innovative IT project development. Well respected by peers through demonstrating passion for technology and performance improvement. Extensive practical knowledge of complex systems builds, network design and virtualization.

Be the first to comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.