In order to provide a foundation for their Infrastructure as Code initiative, a client would like to train all their Tier 1 team on using Terraform. All of the client’s Tier 1 engineers are Windows administrators and engineers, familiar with Windows operating systems and PowerShell. In order to make this a repeatable process, I’ve added PowerShell commands to most steps to provide for even more automation! Please note that Terraform is available via Chocolatey, however is not maintained by Hashicorp itself.

In this guide, we will be preforming the below steps:

Download, verify and install Terraform in Windows
Install Azure CLI and connect to Azure
Create an example Terraform configuration file
Deploy a small Windows server for testing purposes
Connecting via RDP to the Azure Windows server
Shutting down and destroying the the created infrastructure

Quick Introduction to Terraform

Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers as well as custom in-house solutions.
Configuration files describe to Terraform the components needed to run a single application or your entire datacenter. Terraform generates an execution plan describing what it will do to reach the desired state, and then executes it to build the described infrastructure. As the configuration changes, Terraform is able to determine what changed and create incremental execution plans which can be applied.

https://www.terraform.io/intro/index.html

Basic Terraform Workflow

In the image below, we can see the three primary steps (and commands) of a Terraform workflow. First, “terraform init” is used to initialize the project in the project folder. This downloads the provider plugins (Azure, AWS, GCP) to work with your cloud.

Next, “terraform plan” is used in conjunction with a Terraform configuration file “main.tf”. This configuration file contains all of the resources and infrastructure as code needed to deploy your desired resources. The “terraform plan” step also verifies the creation process.

Last, “terraform apply” is used to create the actual resources in your cloud. In addition, it creates a state file in order to track future changes of your deployment.

Anatomy of a Terraform configuration file

In order to deploy resources, terraform needs to know what you’d like deployed. Terraform uses a configuration filed named “main.tf” for this purpose. In this file, the major sections are borken down as follows:

required_providers - this tells Terraform you’ll be working in Azure

variable - this allows Terraform to ask you for input, such as a local admin account and password

resource - this is the meat of the file. Here you define resources such as security groups, virtual machines, networks and firewall rules

Setup Terraform on Windows

Although not necessarily best-practice, and for simplicity’s sake, we will be running all operations from C:\users\[userName]\Downloads directory. You will need to run PowerShell as Administrator for this guide.

First download both the Windows x64 Terraform release and sha256 checksum file from the official Hashicorp site:

Invoke-WebRequest -Uri https://releases.hashicorp.com/terraform/0.14.10/terraform_0.14.10_windows_amd64.zip -OutFile C:\users\$env:USERNAME\Downloads\terraform_0.14.10_windows_amd64.zip

Invoke-WebRequest -Uri https://releases.hashicorp.com/terraform/0.14.10/terraform_0.14.10_SHA256SUMS -OutFile C:\users\$env:USERNAME\Downloads\terraform_0.14.10_SHA256SUMS.txt

In order to follow the Clean Source Principal, verify the checksum of the binary using (feel free to check out my earlier post on verifying checksums with PowerShell if you’d like)

$hash = Get-FileHash C:\users\$env:USERNAME\Downloads\terraform_0.14.10_windows_amd64.zip -Algorithm SHA256 | Select-Object -ExpandProperty Hash
Select-String -Path C:\users\$env:USERNAME\Downloads\terraform_0.14.10_SHA256SUMS.txt -Pattern $hash

Extract the zip file

Expand-Archive C:\users\$env:USERNAME\Downloads\terraform_0.14.10_windows_amd64.zip -DestinationPath C:\users\$env:USERNAME\Downloads\terraform_0.14.10_windows_amd64

Set your PATH environment variable so that Windows/PowerShell knows where to find the Terraform executable

Set-Item -Path Env:Path -Value ($Env:Path + ";C:\Users\$env:USERNAME\Downloads\terraform_0.14.10_windows_amd64")

To verify that the path was registered and PowerShell can access the Terraform executable file, type:

terraform -help

You should see output as seen below:

Setup Azure CLI on Windows

Next, download and install the Azure CLI

Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile C:\users\$env:USERNAME\Downloads\AzureCLI.msi
Set-Location C:\users\$env:USERNAME\Downloads
Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'

Now that Azure CLI is installed, we need to login to Azure. Have your credentials and MFA token ready!

az login

Note: you may need to close and re-open PowerShell for the Azure CLI commands to register

A browser window will appear. Provide your credentials and MFA approval

You will see the subscription that is enrolled with your Azure account

Now Azure CLI is setup!

Setup Terraform

Create a new directory, from which we will store our Terraform configuration files. Then, change directory to the empty Terraform folder.

New-Item -Path "C:\users\$env:USERNAME\Downloads\terraformDemo" -Name "terraformDemo" -ItemType Directory
Set-Location -Path C:\users\$env:USERNAME\Downloads\terraformDemo

Next, download the main.tf from my GitHub repo and place it into the terraformDemo folder. Please note that I used the main.tf from the Terraform guide here as a basis for my main.tf file.

Invoke-WebRequest -Uri  https://raw.githubusercontent.com/tanktopSecurity/terraformDemo/bbe92820caae6cb5ac80f02410c2c16209a66039/main.tf -OutFile C:\users\$env:USERNAME\Downloads\terraformDemo\main.tf