Reputation: 65
I want my terraform scripts to be able to authenticate on multiple azure subscriptions using multiple service principals.
Here is what I think:
```bash
$ export ARM_SUBSCRIPTION_ID=159f2485-xxxx-xxxx-xxxx-xxxxxxxxxxxx # Client subscription
$ export ARM_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx     # client_id of the service principal
$ export ARM_CLIENT_SECRET=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
$ export ARM_TENANT_ID=72f988bf-xxxx-xxxx-xxxx-xxxxxxxxxxxx     # the same tenant for all clients
```
Is this correct?
Do you have a more secure way to authenticate on multiple subscriptions when using terraform cloud? (ideally without client_secret)
Upvotes: 0
Views: 1373
Reputation: 31452
If the container instance can run the Terraform script, then there is no problem with the steps. You give permission to the service principal and change the environment variable ARM_SUBSCRIPTION_ID for different subscriptions; then the Terraform script works for different subscriptions.
A safer way is to use authentication with the Azure CLI. If you set different subscriptions with the CLI command:

```bash
az account set --subscription="SUBSCRIPTION_ID"
```

Then the Terraform script will also work for different subscriptions. In this way you don't need to set the secret as an environment variable.
Upvotes: 1
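As an added example (not from the question or the answer above), the same idea expressed inside the Terraform configuration itself: one azurerm provider block per subscription, distinguished by an alias, with only the subscription id written in config. Credentials come from the environment at run time, either the ARM_* variables of a service principal or an existing `az login` session, so no client_secret is ever stored in the code. The variable names, resource names and location are constructed for the example.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

# Subscription ids are the only per-subscription values kept in config.
# Constructed variable names for this example.
variable "subscription_a_id" { type = string }
variable "subscription_b_id" { type = string }

# Default provider: subscription A.
# No client_id/client_secret here: the provider picks up ARM_CLIENT_ID /
# ARM_CLIENT_SECRET / ARM_TENANT_ID from the environment, or falls back
# to the identity of the current `az login` session when use_cli is true.
provider "azurerm" {
  features {}
  subscription_id = var.subscription_a_id
  use_cli         = true
}

# Second provider: subscription B, selected by alias. Same tenant, same
# credentials, different subscription scope.
provider "azurerm" {
  alias           = "sub_b"
  features {}
  subscription_id = var.subscription_b_id
  use_cli         = true
}

resource "azurerm_resource_group" "a" {
  name     = "rg-example-a"   # constructed name
  location = "westeurope"
}

# Resources opt into the second subscription with the provider argument.
resource "azurerm_resource_group" "b" {
  provider = azurerm.sub_b
  name     = "rg-example-b"   # constructed name
  location = "westeurope"
}
```

The service principal (or the signed-in CLI user) still needs a role assignment on each subscription it targets, otherwise the plan for that alias fails with an authorization error.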