create an azure resource group under a subscription with terraform

Question

I am looking at this example from the terraform docs for creating an azure group:

resource "azurerm_resource_group" "test" {
  name     = "testResourceGroup1"
  location = "West US"

  tags = {
    environment = "Production"
  }
}

It does not specify the subscription anywhere.

How can I specify the subscription?

Answer 1

For your issue, you know the Terraform deploy the Azure resources through the Azure CLI. And there are four ways to authenticate.

Authenticating to Azure using the Azure CLI

Authenticating to Azure using Managed Service Identity

Authenticating to Azure using a Service Principal and a Client Certificate

Authenticating to Azure using a Service Principal and a Client Secret

If you do not set the tenant Id and subscription Id in the Terraform code, then you must use the first method in default. And you authenticate via the Azure CLI with the account that you log in the Azure CLI. So which subscription you set in the CLI then you use it for your Terraform.

But as the Terraform recommend:

We recommend using either a Service Principal or Managed Service Identity when running Terraform non-interactively (such as when running Terraform in a CI server) - and authenticating using the Azure CLI when running Terraform locally.

So that you could grant the more appropriate permission for the service principal as you want.

Answer 2

Subscription is set when you configure Terraform to log in to Azure. The recommended way is to use an Azure AD service principal and environment variables.

To configure Terraform to use your Azure AD service principal, set the following environment variables, which are then used by the Azure Terraform modules. You can also set the environment if working with an Azure cloud other than Azure public.

• ARM_SUBSCRIPTION_ID
• ARM_CLIENT_ID
• ARM_CLIENT_SECRET
• ARM_TENANT_ID
• ARM_ENVIRONMENT

Reference