
Provision Resources

To provision and manage resources for Azure and/or other cloud services, you'll need to set up an IaC project.

Prerequisites

Before you can start provisioning resources, your team needs to be onboarded to Azure. You'll also need to have a Service ID in place for this project, which should be obtained from CCoE.

Create GitHub repository

You'll need to have a GitHub repository for your Terraform configuration and workflows. You can either create a new repository or use an existing repository and update it to support multiple Terraform configurations.

To create a new repository, use the /platform-github repo create-from-template command in #github-at-gjensidige, and provide the following template: terraform-root-module-template.

Steps

sequenceDiagram
    participant tato as terraform-azure-team-onboarding
    participant tgrc as terraform-github-repo-credentials
    participant tde as terraform-demo-example
    participant azrm as Azure RM
    participant azad as Azure AD
    rect rgb(218, 206, 243)
    activate tato
    tato->>azrm: Create Resource Group (RG)
    tato->>azad: Create AAD groups for RBAC
    tato->>azrm: Add role assignments for RG
    deactivate tato
    end
    rect rgb(218, 206, 243)
    activate tgrc
    tgrc->>azad: Create Service Principal for repo and add group memberships
    tgrc->>tde: Add secrets 🔑
    deactivate tgrc
    end
    rect rgb(218, 206, 243)
    activate tde
    tde->>azrm: Create resources in RG 🚀
    deactivate tde
    end

terraform-azure-team-onboarding and terraform-github-repo-credentials are repositories owned by team Platform, and are set up for PR-based self-service for product teams.

terraform-demo-example is used as an example for a repository containing Terraform code which is owned and managed by a product team.

1. Create Project

If you want to provision resources in Azure, you'll need a resource group to contain your resources.

Use terraform-azure-team-onboarding to create a project, which includes creation of Azure AD groups and an empty resource group with tags and role assignments set for your team.

Example:

environments/test/team_demo.tf
resource_groups = {
  "psql" = {
    service_code = "psql"
    tags = {
      ServiceID = "BSN0001234"
      Budget    = "200"
    }
  }
}

2. Create service principal

Client credentials used for provisioning resources in Azure are managed in terraform-github-repo-credentials.

Find your team's file and add your repository and any Azure AD group(s) the Service Principal (SP) should be a member of.

Example:

repos-terraform/environments/test/team_demo.tf
repos = {
  "terraform-demo-example" = {
    aad_access_groups = ["RBAC_AAD_GTM-DEMO-PSQL-EN-TEST-RG_OWNR"]
  }
}

This example creates a Service Principal and adds it to the Azure AD group which gives Owner access to the resource group created in the previous step. Secrets will also be added to your repository, so that you can use this SP from your GitHub Actions workflows.

3. Create resources

After your repository has been set up with Environments and Required secrets, you can go ahead and start writing Terraform code to create resources. 🚀

Start by setting proper values for placeholders <VALUE> in files from the template.

A data source should be used to get a reference to the Resource Group that was created in step 1. You can then create resources in that Resource Group from your repository using the Service Principal created in step 2.
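A minimal root module showing the pattern described above, as an added example that is not part of the original page or the template. The variable names, the storage account resource and the assumption that the workflow exposes the Service Principal through the provider's standard ARM_* environment variables are illustrative.

```hcl
# Added example; variable and resource names are hypothetical.
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

# Assumption: the GitHub Actions workflow exports the Service Principal from
# step 2 as ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and
# ARM_SUBSCRIPTION_ID, so no credentials appear in the configuration.
provider "azurerm" {
  features {}
}

variable "resource_group_name" {
  description = "Name of the resource group created in step 1."
  type        = string
}

variable "storage_account_name" {
  description = "Globally unique storage account name."
  type        = string

  validation {
    condition     = can(regex("^[a-z0-9]{3,24}$", var.storage_account_name))
    error_message = "Use 3-24 lowercase letters and digits."
  }
}

# Read-only reference: the resource group is owned by
# terraform-azure-team-onboarding and must not be managed from this repository.
data "azurerm_resource_group" "project" {
  name = var.resource_group_name
}

resource "azurerm_storage_account" "example" {
  name                            = var.storage_account_name
  resource_group_name             = data.azurerm_resource_group.project.name
  location                        = data.azurerm_resource_group.project.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
  # Reuse the tags set in step 1 (ServiceID, Budget) instead of retyping them.
  tags = data.azurerm_resource_group.project.tags
}
```

Because the resource group is only read through the data source, a `terraform destroy` in this repository removes the storage account but leaves the resource group and its role assignments in place.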

Use Reusable modules where possible.