What you need installed and configured before running terraform apply.
- Terraform
~> 1.15— usesephemeralresources and write-only Key Vault secret attributes, both introduced in 1.10/1.11. The pin lives in terraform/providers.tf. - Azure CLI, logged in (
az login) with the target subscription set as the default (az account set --subscription <id>).
The caller must be able to create custom role definitions and role assignments at the subscription scope — in practice this means Owner, or User Access Administrator + Contributor.
- Your current public IPv4 is only required when
access_mode = "public_ip"(it becomes the only source allowed inbound to the VM NIC NSG and the matchingserversubnet NSG rules — see access-modes.md). - The Key Vault firewall is currently
default_action = "Allow", so the IP is not strictly required to read KV secrets; see known-gaps.md for the planned tightening. - The
data.http.current_ipdata source callshttps://api.ipify.orgon every plan / apply / destroy to auto-detect the operator IP. Air-gapped or restricted-egress runners need outbound HTTPS to that host (or a code change to short-circuit the data source).
The provider authenticates from environment variables — they are not
read from *.tfvars.hcl:
export ARM_SUBSCRIPTION_ID=<subscription-guid>
export ARM_TENANT_ID=<tenant-guid>
# For service-principal auth (skip both when using `az login` /
# `az account set` for interactive auth):
export ARM_CLIENT_ID=<sp-app-id>
export ARM_CLIENT_SECRET=<sp-secret>terraform/environments/example.tfvars.hcl lists
these ARM_* names as a copy-paste reference for the variables you need to
export; no values are required from the tfvars file (the operator IP is
auto-detected via ipify, and allowed_ip_addresses is optional).
State is currently local (no backend configured). For team use, add an
azurerm backend block to terraform/providers.tf;
see known-gaps.md.