Quickstart: Create an Azure confidential ledger using Terraform
In this quickstart, you create an Azure resource group and a confidential ledger using Terraform. Azure confidential ledger is a fully managed service that provides a tamper-proof register for storing sensitive data. It's built on Azure confidential computing, which uses hardware-based trusted execution environments to protect data from threats even when it's in use. This ledger is designed to maintain the confidentiality and integrity of the data it stores, making it ideal for use cases that require high levels of data protection. The resources created in this script include the Azure confidential ledger and an Azure resource group.
Terraform enables the definition, preview, and deployment of cloud infrastructure. Using Terraform, you create configuration files using HCL syntax. The HCL syntax allows you to specify the cloud provider - such as Azure - and the elements that make up your cloud infrastructure. After you create your configuration files, you create an execution plan that allows you to preview your infrastructure changes before they're deployed. Once you verify the changes, you apply the execution plan to deploy the infrastructure.
- Generate a random pet name for the resource group.
- Create an Azure resource group with the generated name.
- Retrieve the current Azure client configuration.
- Generate a random string for the Azure confidential ledger name.
- Create an Azure confidential ledger with the generated name and assign it to the resource group.
- Assign an Azure AD based service principal to the confidential ledger.
- Tag the confidential ledger as an example.
- Output the resource group name, confidential ledger name, confidential ledger type, and confidential ledger role name.
- Specify the required version of Terraform and the required providers.
- Define the Azure provider with no additional features.
- Define variables for the resource group name prefix, resource group location, confidential ledger name, confidential ledger type, and confidential ledger role name.
Prerequisites
Create an Azure account with an active subscription. You can create an account for free.
Implement the Terraform code
Note
The sample code for this article is located in the Azure Terraform GitHub repo. You can view the log file containing the test results from current and previous versions of Terraform.
See more articles and sample code showing how to use Terraform to manage Azure resources:
Create a directory in which to test and run the sample Terraform code and make it the current directory.
Create a file named
main.tf, and insert the following code:resource "random_pet" "rg_name" { prefix = var.resource_group_name_prefix } resource "azurerm_resource_group" "rg" { location = var.resource_group_location name = random_pet.rg_name.id } data "azurerm_client_config" "current" { } resource "random_string" "azurerm_confidential_ledger_name" { length = 13 lower = true numeric = false special = false upper = false } resource "azurerm_confidential_ledger" "example" { name = coalesce(var.confidential_ledger_name, "ledger-${random_string.azurerm_confidential_ledger_name.result}") resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location ledger_type = var.confidential_ledger_type azuread_based_service_principal { principal_id = data.azurerm_client_config.current.object_id tenant_id = data.azurerm_client_config.current.tenant_id ledger_role_name = var.confidential_ledger_role_name } tags = { IsExample = "True" } }Create a file named
outputs.tf, and insert the following code:output "resource_group_name" { value = azurerm_resource_group.rg.name } output "confidential_ledger_name" { value = azurerm_confidential_ledger.example.name } output "confidential_ledger_type" { value = azurerm_confidential_ledger.example.ledger_type } output "confidential_ledger_role_name" { value = azurerm_confidential_ledger.example.azuread_based_service_principal[0].ledger_role_name }Create a file named
providers.tf, and insert the following code:terraform { required_version = ">=1.0" required_providers { azurerm = { source = "hashicorp/azurerm" version = "~>3.0" } random = { source = "hashicorp/random" version = "~>3.0" } } } provider "azurerm" { features {} }Create a file named
variables.tf, and insert the following code:variable "resource_group_name_prefix" { type = string default = "rg" description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription." } variable "resource_group_location" { type = string default = "eastus" description = "Location of the resource group." } variable "confidential_ledger_name" { type = string description = "The name of the confidential ledger resource. The value will be randomly generated if blank." default = "" } variable "confidential_ledger_type" { type = string default = "Public" validation { condition = contains(["Public", "Private"], var.confidential_ledger_type) error_message = "The confidential ledger type value must be one of the following: Public, Private." } description = "Type of the confidential ledger." } variable "confidential_ledger_role_name" { type = string default = "Administrator" description = "Role name for the confidential ledger." }
Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources.
terraform init -upgrade
Key points:
- The
-upgradeparameter upgrades the necessary provider plugins to the newest version that complies with the configuration's version constraints.
Create a Terraform execution plan
Run terraform plan to create an execution plan.
terraform plan -out main.tfplan
Key points:
- The
terraform plancommand creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources. - The optional
-outparameter allows you to specify an output file for the plan. Using the-outparameter ensures that the plan you reviewed is exactly what is applied.
Apply a Terraform execution plan
Run terraform apply to apply the execution plan to your cloud infrastructure.
terraform apply main.tfplan
Key points:
- The example
terraform applycommand assumes you previously ranterraform plan -out main.tfplan. - If you specified a different filename for the
-outparameter, use that same filename in the call toterraform apply. - If you didn't use the
-outparameter, callterraform applywithout any parameters.
Verify the results
Azure CLI
Run az confidential-ledger show to view the Azure confidential ledger.
az confidentialledger show --ledger-name <ledger_name> --resource-group <resource_group_name>
You must replace <ledger_name> with the name of your Azure confidential ledger and <resource_group_name> with the name of your resource group.
Clean up resources
When you no longer need the resources created via Terraform, do the following steps:
Run terraform plan and specify the
destroyflag.terraform plan -destroy -out main.destroy.tfplanKey points:
- The
terraform plancommand creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources. - The optional
-outparameter allows you to specify an output file for the plan. Using the-outparameter ensures that the plan you reviewed is exactly what is applied.
- The
Run terraform apply to apply the execution plan.
terraform apply main.destroy.tfplan
Troubleshoot Terraform on Azure
Troubleshoot common problems when using Terraform on Azure.