Terraform With Azure DevOps


Over the past few weeks I have been helping a couple of my customers take their first steps into the world of DevOps and Infrastructure-as-Code with Terraform.

It’s safe to say there is an array of fantastic content out there already in the community and from the vendors themselves, which have certainly been useful to use with my customers. Some of the content I have been using with my customers is listed below:

So What Is This Blog Post About?

Good question. In this blog post I want to share with you how I configure Azure DevOps (Project, Repos, Pipelines, Artifacts, Branch Policies, Variable Groups, Service Connections etc.) to deploy Terraform into Azure. I’ll also show you how I configure Azure resources like Storage Accounts, Key Vaults & Service Principals to handle the remote state for Terraform with Azure DevOps and handling access secrets securely.

This not only applies to Azure and could also re-purposed very easily for any Terraform style deployment using Azure DevOps to orchestrate the process.

Now I won’t be doing this as a long blog post, as many of my other posts are, instead I have recorded this all as a video and put on YouTube for you all to enjoy instead!

I’ve also created an overview diagram to explain the logical flow from someone creating Terraform code to deployment. Which will hopefully help everyone understand all the pieces involved in this process!

So with that, checkout the below diagram, video walk through and beneath all that code snippets and example Terraform files; enjoy!

Process Flow Diagram

Click on the diagram above to open it in full in another tab

The diagram is also available below in Visio & PDF formats:

Video Walk Through

Code Snippets

Terraform Plan Build Pipeline

Terraform Init

terraform init -backend-config="access_key=$(NAME OF KEY VAULT SECRET FOR STORAGE ACCOUNT KEY)"

Terraform Validate

terraform validate

Terraform Plan

terraform plan -input=false -out=tfplan -var="spn-client-id=$(CHANGEME-spn-client-id)" -var="spn-client-secret=$(CHANGEME-spn-secret)" -var="spn-tenant-id=$(CHANGEME-spn-tenant-id)"

Create Archive Step


Publish Artifact Step

# File/Directory To Publish

# Artifact Name

Terraform Apply Release Pipeline

Extract Archive

$(System.ArtifactsDirectory)/_Terraform Plan/$(Build.BuildId)-tfplan/$(Build.BuildId)-tfplan.tgz

Terraform Init

terraform init -backend-config="access_key=$(NAME OF KEY VAULT SECRET FOR STORAGE ACCOUNT KEY)"

Terraform Apply

terraform apply -auto-approve -input=false tfplan 

Terraform File Examples


1terraform {
2  backend "azurerm" {
3    storage_account_name = "tfazdodemostg001"
4    container_name       = "terraform-state"
5    key                  = "tf-azdo-demo.tfstate"
6  }


1provider "azurerm" {
2  version = "= 2.37.0"
3  features {}
4  subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
5  client_id       = var.spn-client-id
6  client_secret   = var.spn-client-secret
7  tenant_id       = var.spn-tenant-id


1variable "spn-client-id" {}
2variable "spn-client-secret" {}
3variable "spn-tenant-id" {}