Terraform State with Microsoft Azure

rahul sahay
5 min read · Apr 5, 2020

Hi Friends,

In this section, we will continue from the last post and discuss what state management is in Terraform. Along the way, we will learn how to save, share and lock state, and why Terraform state matters.

Having said that, let’s get started.

Terraform State

Terraform state records what is deployed on the target and what configuration it has. State can also hold sensitive information such as passwords, connection strings and other required admin attributes. In a nutshell, Terraform needs to maintain state between deployments.

Normally, the Terraform state file is generated by the very first deployment and keeps being updated by subsequent builds. However, it’s not good practice to keep Terraform state on a local machine, for reasons such as:

  • Local state doesn’t work well in a team or collaborative environment.
  • Terraform state can include sensitive information.
  • Storing state locally increases the chance of inadvertent deletion.

That’s why Terraform recommends saving state remotely rather than locally. Terraform state also provides features such as resource locking, which is normally used when deploying to the same infrastructure via pipelines. Next, we need to persist the Terraform state to a remote location, in this case Azure Storage.
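
State files do hold such values in plain text, which is why the storage location matters. The following added example (not code from the original post) scans a Terraform state document for populated attributes whose names look like credentials and reports where they sit without printing the values. The sample state, the azurerm_storage_account resource in it and the name pattern are constructed for illustration.

```python
import json
import re

# Attribute names that usually carry credentials (assumed heuristic; extend as needed).
SENSITIVE_NAME = re.compile(r"password|secret|access_key|connection_string|private_key", re.I)

# Constructed sample in Terraform's version-4 state layout; every value is fake.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "azurerm_resource_group", "name": "state-demo-secure",
         "instances": [{"attributes": {"name": "state-demo", "location": "eastus"}}]},
        {"mode": "managed", "type": "azurerm_storage_account", "name": "example",
         "instances": [{"attributes": {
             "name": "examplestore",
             "primary_access_key": "FAKE-KEY-0000",
             "primary_connection_string": "AccountName=examplestore;AccountKey=FAKE-KEY-0000",
         }}]},
    ],
})


def walk(node, path=""):
    """Yield (dotted_path, value) for every leaf under a JSON node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_sensitive(state_json):
    """Return 'type.name:attribute' for populated attributes with credential-like names."""
    findings = []
    for res in json.loads(state_json).get("resources", []):
        for inst in res.get("instances", []):
            for path, value in walk(inst.get("attributes") or {}):
                leaf = path.rsplit(".", 1)[-1]
                if value not in (None, "") and SENSITIVE_NAME.search(leaf):
                    findings.append(f'{res["type"]}.{res["name"]}:{path}')
    return findings


if __name__ == "__main__":
    for finding in find_sensitive(SAMPLE_STATE):
        print("plaintext secret in state:", finding)  # the value itself is never printed
```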

Configure Storage Account

We need to create an Azure storage account before we can store state in a remote location. The following script does that.

#!/bin/bash

RESOURCE_GROUP_NAME=tstate
STORAGE_ACCOUNT_NAME=tstate$RANDOM
CONTAINER_NAME=tstate
KEYVAULT_NAME=tRahulKeyVault   # must be a unique name; change before running

# Create resource group
echo "Creating $RESOURCE_GROUP_NAME resource group..."
az group create --name "$RESOURCE_GROUP_NAME" --location eastus

# Create storage account
echo "Creating $STORAGE_ACCOUNT_NAME storage account..."
az storage account create --resource-group "$RESOURCE_GROUP_NAME" --name "$STORAGE_ACCOUNT_NAME" --sku Standard_LRS --encryption-services blob

# Get storage account key (the JMESPath query is quoted so the shell does not treat [0] as a glob)
echo "Fetching storage account key..."
ACCOUNT_KEY=$(az storage account keys list --resource-group "$RESOURCE_GROUP_NAME" --account-name "$STORAGE_ACCOUNT_NAME" --query '[0].value' -o tsv)

# Create blob container
echo "Creating blob container..."
az storage container create --name "$CONTAINER_NAME" --account-name "$STORAGE_ACCOUNT_NAME" --account-key "$ACCOUNT_KEY"

# Create an Azure KeyVault
echo "Creating $KEYVAULT_NAME key vault..."
az keyvault create -g "$RESOURCE_GROUP_NAME" -l eastus --name "$KEYVAULT_NAME"

# Store the Terraform State Storage Key into KeyVault
echo "Store storage access key into key vault secret..."
az keyvault secret set --name tfstate-storage-key --value "$ACCOUNT_KEY" --vault-name "$KEYVAULT_NAME"


# Print the values needed for the backend configuration (note: this shows the access key on screen)
echo "storage_account_name: $STORAGE_ACCOUNT_NAME"
echo "container_name: $CONTAINER_NAME"
echo "access_key: $ACCOUNT_KEY"

You need to run the script above to set up the infrastructure using the Azure CLI. Click on the shell icon in the Azure portal. If you are doing this for the first time, it will show a setup message.

Click on the Create storage button and then select Bash as the option. Then paste the script and it will start running. Make sure you use a unique name for the Key Vault.

Upon successful creation, it will appear like

At this point, you can open the Azure portal and check the resource group. You will see that everything was created correctly. Ignore the other storage account; it was created because I ran the script twice.

Configure State Backend

The Terraform state backend is configured when we run the terraform init command. The following data is required to configure the state backend:

  • storage_account_name: The name of the Azure Storage account.
  • container_name: The name of the blob container.
  • key: The name of the state store file to be created.
  • access_key: The storage access key.

Each of these values can be specified in the Terraform script or on the command line.

terraform {
  backend "azurerm" {
    resource_group_name  = "tstate"
    storage_account_name = "tstate4656"
    container_name       = "tstate"
    key                  = "terraform.tfstate"
  }
}

resource "azurerm_resource_group" "state-demo-secure" {
  name     = "state-demo"
  location = "eastus"
}

Now we can run the terraform init command. On successful execution, it will appear as shown below.

Next, we need to apply the configuration using the terraform apply command.

Enter yes and continue. Upon successful execution, it will come like

At this stage, we can verify that the following resources are created in the newly created resource group, as shown below.

At this stage, when I check my blob container, I can see that the required state file has been created.

I can also view/edit the blob, as shown below.

Also, when I click on the state which got created, it will appear like

Currently, it’s in the Unlocked state as it’s not leased yet. Let’s do this manually. Click on the Acquire lease button. Upon clicking the same, it came like

This is one way of applying state changes. However, in this case we haven’t used the Key Vault, so from a security perspective it’s still vulnerable. We will see the same example using the vault in the next demo. Till then, stay tuned and happy coding.

You can refer to the code at https://github.com/rahulsahay19/terraform-basics.

In order to learn Azure from scratch, you can check my new book

Amazon Link:- https://amzn.to/2WWvZq1

Thanks,
Rahul Sahay
Happy Coding

Originally published at https://myview.rahulnivi.net on April 5, 2020.
