» Azure Stack Provider: Authenticating using the Azure CLI

Terraform supports authenticating to Azure Stack using the Azure CLI, a Service Principal (either using a Client Secret or a Client Certificate).

Terraform supports authenticating to Azure Stack using the Azure CLI (which is detailed in this guide) or a Service Principal, either using a Client Secret or using a Client Certificate.

This guide assumes that the Certificate being used for Azure Stack is valid, or has been trusted on your machine (instructions for trusting the Azure Stack Certificate can be found here).


We need to add the details for your Azure Stack Configuration to the Azure CLI:

$ az cloud register -n AzureStack --endpoint-resource-manager "https://management.region.mycloud.com" --suffix-storage-endpoint "region.mycloud.com" --suffix-keyvault-dns ".vault.region.mycloud.com"

Once that's done we can now switch to using the newly registered AzureStack cloud:

$ az cloud set --name AzureStack

Next you'll need to configure the Profile used for Azure Stack:

$ az cloud update --profile 2018-03-01-hybrid

At this point we should be able to log into the Azure Stack instance using the Azure CLI:

$ az login

This will prompt you to open a web browser, as shown below:

$ az login
Note, we have launched a browser for you to login. For old experience with device code, use "az login --use-device-code

Once logged in, it's possible to list the Subscriptions associated with the account via:

$ az account list

The output (similar to below) will display one or more Subscriptions:

[
  {
    "cloudName": "AzureStack",
    "id": "00000000-0000-0000-0000-000000000000",
    "isDefault": true,
    "name": "Example Subscription",
    "state": "Enabled",
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "user": {
      "name": "user@example.com",
      "type": "user"
    }
  }
]

In the snippet above, id refers to the Subscription ID and isDefault refers to whether this Subscription is configured as the default.

$ az account set --subscription="SUBSCRIPTION_ID"

»  Configuring the Provider block when using the Azure CLI

When authenticating using the Azure CLI most of the details required can be inferred, as such to use the Default Subscription configured in the Azure CLI you should be able to use the following Provider Block:

provider "azurestack" {
  # whilst the version attribute is optional, we recommend pinning the Provider version being used
  version = "=0.5.0"
}

If you're using multiple subscriptions (or have access to multiple tenants) - it's possible to specify the Subscription ID to target a specific Subscription:

provider "azurestack" {
  # whilst the version attribute is optional, we recommend pinning the Provider version being used
  version         = "=0.5.0"
  subscription_id = "00000000-0000-0000-0000-000000000000"
}

More information on the fields supported in the Provider block can be found here.