Terragrunt — using Credentials Dynamically and Azure Multi-subscription Support

In this blog entry, I will combine a few topics as they are related:

  • Multi-Account / Multi-Subscription support — Deploy parts of the environment to different subscriptions
  • Using different credentials for parts of the infrastructure — Allows following a least-privilege approach when deploying parts of the environment

This blog expands upon a previous entry discussing dependency management.

Multi-Account / Multi-Subscription support

When managing an enterprise-scale cloud environment, it is important to divide it into functional pieces that allow segregation of duties and minimize the blast radius. As such, core components such as platform management, networking, identity, audit, etc., should be managed in separate subscriptions.

To deploy resources to different Azure subscriptions, it is possible to pass environment variables to Terraform and let it authenticate accordingly. In the code snippet below, there are 3 areas of interest:

  • The dependency to the credential retrieval (discussed later in the article)
  • The environment variables for the credentials (ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET)
  • The subscription the deployment is pinned to, set via ARM_SUBSCRIPTION_ID

The extra_arguments section requires special attention. Basically, this configuration tells Terragrunt to inject the 4 environment variables whenever the listed Terragrunt commands are called (init, apply, destroy, etc.).
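The configuration described above, written out as an added example (this is not the article's own snippet, which is not reproduced on this page). It assumes a hypothetical sibling module at `../credentials` that exposes the service principal as the outputs `tenant_id`, `client_id` and `client_secret`, a hypothetical module path `../../modules//networking`, and placeholder subscription/tenant ids; the three areas of interest are marked in comments.

```hcl
# Added example, not the article's code. All ids, paths and output names are
# placeholders/assumptions.

# Area 1: dependency on the module that retrieves the credentials
# (hypothetical module; the retrieval itself is discussed later in the article).
dependency "credentials" {
  config_path = "../credentials"

  # Mock values let `terragrunt validate`/`plan` run before the dependency
  # has been applied; they are never used for apply/destroy.
  mock_outputs = {
    tenant_id     = "00000000-0000-0000-0000-000000000000"
    client_id     = "00000000-0000-0000-0000-000000000000"
    client_secret = "mock-secret"
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
}

terraform {
  source = "../../modules//networking"   # hypothetical module path

  # Areas 2 and 3: inject the service principal credentials and pin the
  # target subscription, only for the commands listed here.
  extra_arguments "azure_credentials" {
    commands = ["init", "plan", "apply", "destroy", "refresh", "import"]

    env_vars = {
      ARM_TENANT_ID       = dependency.credentials.outputs.tenant_id
      ARM_CLIENT_ID       = dependency.credentials.outputs.client_id
      ARM_CLIENT_SECRET   = dependency.credentials.outputs.client_secret
      # Placeholder id of the dedicated networking subscription.
      ARM_SUBSCRIPTION_ID = "11111111-1111-1111-1111-111111111111"
    }
  }
}
```

Because Terragrunt reads the dependency's values from its Terraform outputs, the client secret ends up in that module's state; the state backend of the credentials module therefore needs the same access controls and encryption as the secret itself, and the service principal referenced here should only hold roles in the single subscription named by ARM_SUBSCRIPTION_ID.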

Tags: azure, terragrunt, azure-key-vault, terraform
