In this blog entry, I combine a few related topics:

  • Multi-Account / Multi-Subscription support — Deploy parts of the environment to different subscriptions
  • Using different credentials for parts of the infrastructure — Allows a least-privilege approach when deploying parts of the environment

This blog expands upon a previous entry discussing dependency management.

Multi-Account / Multi-Subscription support

When managing an enterprise-scale cloud environment, it is important to divide it into functional pieces that allow segregation of duties and minimize blast radius. As such, core components such as platform management, networking, identity, audit, etc. should be managed in separate subscriptions.

To deploy resources to different Azure subscriptions, it is possible to pass environment variables to Terraform and let it authenticate accordingly. In the code snippet below, there are three areas of interest:

  • The dependency on the credential retrieval (discussed later in the article)
  • The environment variables for the credentials (ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET)
  • The subscription to pin the deployment to, set via ARM_SUBSCRIPTION_ID

The extra_arguments section requires special attention. This configuration injects the four environment variables whenever the listed Terragrunt commands are run (init, apply, destroy, etc.).
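As an added example (not the snippet from the original post), a terragrunt.hcl that wires the three areas together: the credential module path, its output names, the module source and the subscription id are assumptions or placeholders.

```hcl
# Added example: terragrunt.hcl for a module that must deploy into a specific
# Azure subscription using credentials produced by another Terragrunt module.
# Assumptions: the credential module lives at ../credentials and exposes the
# outputs tenant_id, client_id and client_secret; all ids below are placeholders.

# Area 1: dependency on the credential-retrieval module. Terragrunt applies it
# first and exposes its outputs to this module. mock_outputs let validate/plan
# run before the credential module has real state; they are never used by apply.
dependency "credentials" {
  config_path = "../credentials"

  mock_outputs = {
    tenant_id     = "00000000-0000-0000-0000-000000000000"
    client_id     = "00000000-0000-0000-0000-000000000000"
    client_secret = "mock-secret"
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
}

terraform {
  source = "../../modules/networking" # hypothetical module path

  extra_arguments "azure_auth" {
    # Only these commands receive the variables; e.g. `terragrunt output` does not.
    commands = ["init", "plan", "apply", "destroy", "refresh", "import"]

    env_vars = {
      # Area 2: service principal credentials taken from the dependency outputs.
      ARM_TENANT_ID     = dependency.credentials.outputs.tenant_id
      ARM_CLIENT_ID     = dependency.credentials.outputs.client_id
      ARM_CLIENT_SECRET = dependency.credentials.outputs.client_secret

      # Area 3: pin this deployment to the target subscription (placeholder id).
      ARM_SUBSCRIPTION_ID = "11111111-1111-1111-1111-111111111111"
    }
  }
}
```

Because client_secret travels through the credential module's Terraform outputs, it ends up in that module's state: mark the output `sensitive = true` and restrict access to the remote state backend as tightly as to the secret itself.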

Terragrunt — using Credentials Dynamically and Azure Multi-subscription Support