{"id":5771,"date":"2020-02-22T00:59:24","date_gmt":"2020-02-22T05:59:24","guid":{"rendered":"\/db-blog\/?p=5771"},"modified":"2020-03-11T19:18:13","modified_gmt":"2020-03-11T23:18:13","slug":"azure-terraform-provision-a-virtual-machine-instance-using-infrastructure-as-code","status":"publish","type":"post","link":"https:\/\/droidbasement.com\/db-blog\/azure-terraform-provision-a-virtual-machine-instance-using-infrastructure-as-code\/","title":{"rendered":"Azure\/Terraform \u2013 Provision a Virtual Machine instance using Infrastructure as Code"},"content":{"rendered":"\n

In this article we will use Terraform<\/a> (Infrastructure as Code) to swiftly bring up a Microsoft Azure Virtual Machine instance in East US on a static IP, add a DNS Zone for the site in mention and install docker\/docker-compose on it.<\/p>\n\n\n\n

We will use ‘myweb’ as an example in this article, using the same base path of ‘dev’ that was previously created<\/a> and the container-admin<\/a> Service Principal.<\/p>\n\n\n\n

Please use ‘Create your Azure free account today’<\/a> prior to commencing with this article.<\/p>\n\n\n\n

<\/p>\n\n\n\n

–>
Go in to the dev directory\/link located within your home directory:<\/p>\n\n\n\n

$ cd ~\/dev<\/pre>\n\n\n\n
Upgrade the Azure CLI on your host:<\/p>\n\n\n\n
$ sudo apt update && sudo apt -y upgrade azure-cli<\/pre>\n\n\n\n
Grab Terraform:<\/p>\n\n\n\n
$ wget https:\/\/releases.hashicorp.com\/terraform\/0.12.20\/terraform_0.12.20_linux_amd64.zip<\/pre>\n\n\n\n
Install Unzip if you do not have it installed:<\/p>\n\n\n\n
$ sudo apt -y install unzip<\/pre>\n\n\n\n
Unzip it to ~\/.local\/bin and set permissions accordingly on it:<\/p>\n\n\n\n
$ unzip terraform_0.12.20_linux_amd64.zip -d ~\/.local\/bin && chmod 754 ~\/.local\/bin\/terraform<\/pre>\n\n\n\n
Add this function in to your user’s startup to parse the previously created credentials file and pass pertinent login information as a servicePrincipal to  Terraform, in a sub-shell:<\/p>\n\n\n\n
$ cat << 'EOF' >> ~\/.bashrc\n>\n> function terraform-az-sp() {\n>         (export $(grep -v '^\\[' $HOME\/.azure\/credentials | sed 's\/application_id\/arm_client_id\/; s\/client_secret\/arm_client_secret\/; s\/directory_id\/arm_tenant_id\/; s\/subscription_id\/arm_subscription_id\/; s\/^[^=]*\/\\U&\\E\/' <\/em>| xargs) && terraform $*)\n> }\n> EOF<\/pre>\n\n\n\n
Remove the subscription_id in our previously created az-login-sp function (user\u2019s startup):<\/p>\n\n\n\n
$ sed -i \"s:\\$HOME\/.azure\/credentials | xargs):\\$HOME\/.azure\/credentials | sed '\/subscription_id\/d' | xargs):\" ~\/.bashrc<\/pre>\n\n\n\n
Source it in:<\/p>\n\n\n\n
$ . ~\/.bashrc<\/pre>\n\n\n\n
Add the <SUBSCRIPTION ID> (UI Console -> Azure Active Directory ->  Search for (top left): Subscriptions -> Click your subscription -> Overview) in to the Azure credentials file  (replace <SUBSCRIPTION ID>):<\/p>\n\n\n\n
$ echo \"subscription_id=<SUBSCRIPTION ID>\" >> ~\/.azure\/credentials <\/pre>\n\n\n\n
In the Subscription, add roles to container-admin:
Access control (IAM) -> Role assignments -> <\/p>\n\n\n\n
Add (Add role assignment) -> Role: DNS Zone Contributor -> Assign access to: Azure AD user, group, or service principal -> Select: container-admin -> Save<\/p>\n\n\n\n
Add (Add role assignment) -> Role: Network Contributor -> Assign access to: Azure AD user, group, or service principal -> Select: container-admin -> Save<\/p>\n\n\n\n
Add (Add role assignment) -> Role: Virtual Machine Contributor -> Assign access to: Azure AD user, group, or service principal -> Select: container-admin -> Save<\/p>\n\n\n\n
<\/p>\n\n\n\n
Create a work folder and change in to it:<\/p>\n\n\n\n
$ mkdir -p terraform\/azure\/myweb\/scripts terraform\/azure\/myweb\/rbac && cd terraform\/azure\/myweb<\/pre>\n\n\n\n
Create a custom Role Based Access for Resource Groups so container-admin can Read, Write and Delete Resource Groups in the subscription (replace <SUBSCRIPTION ID>):<\/p>\n\n\n\n
$ cat << 'EOF' > rbac\/rg-custom.jsn\n> {\n>    \"Name\": \"Resource Group Allowance\",\n>    \"IsCustom\": true,\n>    \"Description\": \"Can read, write and delete Resource Groups.\",\n>    \"Actions\": [\n>       \"Microsoft.Resources\/subscriptions\/resourceGroups\/read\",\n>       \"Microsoft.Resources\/subscriptions\/resourceGroups\/write\",\n>       \"Microsoft.Resources\/subscriptions\/resourceGroups\/delete\"\n>    ],\n>    \"NotActions\": [],\n>    \"AssignableScopes\": [\n>       \"\/subscriptions\/<SUBSCRIPTION ID>\"\n>    ]\n> }\n> EOF<\/pre>\n\n\n\n
Authenticate to Azure using the CLI with the same Administrative credentials you use in the UI (a browser window will popup requesting credentials):<\/p>\n\n\n\n
$ az login<\/pre>\n\n\n\n
Create the Role Definition:<\/p>\n\n\n\n
$ az role definition create --role-definition rbac\/rg-custom.jsn<\/pre>\n\n\n\n
Add the role to container-admin:<\/p>\n\n\n\n
$ az role assignment create --role \"Resource Group Allowance\" --assignee $(grep application_id ~\/.azure\/credentials | cut -f2 -d=) --subscription $(grep subscription_id ~\/.azure\/credentials | cut -f2 -d=)<\/pre>\n\n\n\n
Generate an SSH Key Pair (no password) and restrict permissions on it:<\/p>\n\n\n\n
$ ssh-keygen -q -t rsa -b 2048 -N '' -f ~\/.ssh\/myweb && chmod 400 ~\/.ssh\/myweb<\/pre>\n\n\n\n
Ensure the terraform version is greater then or equal to 0.12:<\/p>\n\n\n\n
$ cat << 'EOF' > versions.tf\n> terraform {\n>   required_version = \">= 0.12\"\n> }\n> EOF<\/pre>\n\n\n\n
Set the version for the AzureRM Provider to greater then or equal to 1.44:<\/p>\n\n\n\n
$ cat << 'EOF' > provider.tf\n> provider \"azurerm\" {\n>   version = \">= 1.44\"\n> }\n> EOF<\/pre>\n\n\n\n
Set the default region and prefix variable:<\/p>\n\n\n\n
$ cat << 'EOF' > vars.tf\n> variable \"region\" {\n>   default = \"EastUS\"\n> }\n>\n> variable \"prefix\" {\n>   default = \"myweb\"\n> }\n> EOF<\/pre>\n\n\n\n
The following is performed with this script\/code:<\/p>\n\n\n\n