The AzureRM provider configuration supports two methods to authorize the Terraform and OpenTofu provider in the run pipeline: OIDC and Client secrets. The OIDC method allows you to use temporary tokens generated before each run phase (plan & apply), while the Client secrets - static principal credentials.

OIDC

Azure steps

First, you need to create a new Azure AD application and give it the role assignments required by workspaces in the environment(s). Alternatively, you can use an existing application. Once you have the application created, complete the following steps:

  • Open the application in the Azure AD and select the "Certificates & Secrets" menu item.
  • Select the "Federated credentials" tab and click the "Add credential" button.
  • In the creation form, select the "Other issuer" option of the "Federated credential scenario" dropdown.
  • Enter the "Issuer". It should match the exact value https://scalr.io.
  • Enter the "Subject" which must match the following format: account:<account-name>:environment:<env-name>, e.g. account:my-corp:environment:team-a-production. Unfortunately, the subject doesn't support wildcards *, so for each environment in Scalr, you need to create its own federated credential.
  • Enter the "Name" of the credential, e.g. scalr-io-team-a-production.
  • Enter the "Audience", e.g. team-a-production.
  • Save the Federated credential.

Scalr steps

To complete the creation of the OIDC AzureRM provider configuration, you need to enter:

  • App client ID - the Application (client) ID of the Azure AD application.
  • Tenant ID - the Directory (tenant) ID of the Azure AD application.
  • Subscription ID - The id of the subscription (can be found here
  • Audience - has to match the audience from the Azure steps, e.g. team-a-production.
  • Save and share it with the environments for which you have created federated credentials.

IMPORTANT: before sharing the existing provider configuration with a new environment, you have to create a federated credential first, and its subject must match the following pattern: account:<account-name>:environment:<env-name>, e.g. account:my-corp:environment:team-b-production.

For the sake of simplicity, Scalr doesn't pass the workspace id as a part of the subject, because otherwise, you would need to create a federated credential for each workspace before linking it. Also, keep in mind that Azure allows the creation of only 20 federated credentials per single application.

Scalr provider example

resource "scalr_environment" "a_prod" {
  name = "team-a-production"
}

resource "scalr_provider_configuration" "azurerm_oidc" {
  name       = "azurerm-oidc-example"
  environments = [scalr_environment.a_prod.id]

  azurerm {
    auth_type       = "oidc"
    client_id       = "111aaabb-cccc-2222-dddd-1234adcd0000"
    subscription_id = "222bbbcc-dddd-3333-eeee-2345bcde0123"
    tenant_id       = "333cdbde-ef01-4567-ef98-3455cdef9876"
    audience        = "team-a-production"
  }
}

Client Secrets

Azure steps

For Azure, a service principal is required which can be created by following the steps in the provider documentation.

  1. Azurerm Creating a Service Principal
  2. In the "Add Credentials" dialogue select Azure
  3. Enter the Client ID (appId), Secret Key (password), and Tenant ID
    (tenant) from the output of create-for-rbac. Click Save

Example output from create-for-rbac

{
  "appId": "c5f583b2-xxxx-xxxx-xxxx-baa93d369f1b",
  "displayName": "azure-cli-2020-04-21-07-39-09",
  "name": "http://azure-cli-2020-04-21-07-39-09",
  "password": "2458ffd6-xxxx-xxxx-xxxx-3b9f3964ab67",
  "tenant": "8ad9e98e-xxxx-xxxx-xxxx-7969b23753d4"
}

Scalr steps

To complete the creation of the Client Secrets AzureRM provider configuration, you need to enter:

  • App client ID - the appId from the snippet above.
  • App secret key - the password from the example above.
  • Tenant ID - the tenant from the example above.
  • Subscription ID - The id of the subscription (can be found here

Provider example

resource "scalr_environment" "a_prod" {
  name = "team-a-production"
}

resource "scalr_provider_configuration" "azurerm" {
  name          = "azurerm"
  account_id    = "acc-xxxxxxxxx"
  environments  = [scalr_environment.a_prod.id]
  
  azurerm {
    client_id       = "my-client-id"
    client_secret   = "my-client-secret"
    subscription_id = "my-subscription-id"
    tenant_id       = "my-tenant-id"
  }
}

The above is an example, follow the full provider documentation here.

📘

The provider configuration will auto populate the majority of the information in the Azure provider block, but you will continue to have to add the features {} block even if it is empty. Scalr does not add this to ensure any existing configuration does not break.

Review the full provider configuration documents on how to link the provider configuration to an environment and workspace here

Azure CLI Errors

If you are receiving the following error code, it means that you are likely not exporting the provider configuration as a shell variable:

could not configure AzureCli Authorizer: obtaining tenant ID: running Azure CLI: exit status 1: ERROR: Please run 'az
 login' to setup account.

To fix this, click the "Export provider configurations as shell variables into the run pipeline" checkbox in the provider configuration that is associated with the environment and workspace:

550