How to create Azure Subscription and deploy into it in same stream

Hi,
Help me please find the way how to create an Azure subscription:

resource "azurerm_subscription" "example" {
  subscription_name = "My Example EA Subscription"
  billing_scope_id  = data.azurerm_billing_enrollment_account_scope.example.id
}

and be able to deploy resources into this sub.
What I tried was to use an alias, but of course the sub id is not known yet at that stage.

provider "azurerm" {
  alias = "onboarded"
  features {}
  subscription_id = data.azurerm_subscription.sub.subscription_id
}

Any suggestions please? Thanks much.

I have been doing this using my own credentials, rather than a service principal.

Essentially, I create the subscription, then use the local-exec within the subscription resource to reload the subscription data. This part is pretty essential, as when you log in, it stores a list of subscriptions at that point in time. So you need to log in again to see the new subscription you created.

Once that is done, the provider needs to reference it.

Here’s a brief snippet of what I did:

Below is in a module:
resource "azurerm_subscription" "ow" {
  # Set name according to debug
  subscription_name = local.subscription_final_2_name

  billing_scope_id = data.azurerm_billing_mca_account_scope.ow.id

  workload = var.workload

  provisioner "local-exec" {
    command = "az login --allow-no-subscriptions --tenant xxxxx"
  }
  tags = local.tags
}

Then your provider looks like this:

provider "azurerm" {
  features {}
  alias           = "default"
  subscription_id = "management-subscription-id"
  tenant_id       = "tenant id"
}

# This is the subscription we want to deploy to
provider "azurerm" {
  features {}
  alias           = "internal"
  subscription_id = module.client_subscription.subscription_id
  tenant_id       = "tenant id"
}

Then you use the provider stanza in each resource to deploy to the specific subscription.


Can you please explain the line above a little further.
I get features error when I try to validate my tf scripts.

By “stanza” I guess @c240amg means to use the reference to a provider that is relevant to your use case.

Depending on whether you’re using a resource or a module, the provider reference has a different format:

Two examples: Provider Configuration - Configuration Language | Terraform | HashiCorp Developer

Resource block

resource "aws_instance" "foo" {
  provider = aws.west

  # ...
}

Module block

module "aws_vpc" {
  source = "./aws_vpc"
  providers = {
    aws = aws.west
  }
}

In short, you define your providers, allowing differentiation by using alias. If there is no alias, then that is the default and you do not need to use provider = aws.west or providers = {} in your resource/module. You then tell your resource/module which provider (set of credentials + subscription) to use.

Currently, I’m trying to work out how to get @c240amg’s solution to work with Terraform Enterprise.

It’s probably a lot easier to break this down into different state files, e.g.:

Create subscription(s) in one state file.
Switch state/provider and create the contents for the subscription.

Two workflows but with CD it should be easily automated.

HTH
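As an added example (not code from anyone in this thread), here is how the two-state-file split suggested above can look: the first configuration creates the subscription and exports its id, the second reads that id through terraform_remote_state and pins an aliased provider to it. The billing account names, storage-backend names, subscription/tenant ids, resource names and location are all placeholders.

```hcl
# --- Stage 1: subscriptions/main.tf (its own state file) ---
# Runs under the management subscription and only creates the new subscription.
provider "azurerm" {
  features {}
  subscription_id = "00000000-0000-0000-0000-000000000000" # placeholder: management subscription
  tenant_id       = "00000000-0000-0000-0000-000000000000" # placeholder: tenant id
}

data "azurerm_billing_mca_account_scope" "ow" {
  billing_account_name = "BILLING_ACCOUNT_PLACEHOLDER"
  billing_profile_name = "BILLING_PROFILE_PLACEHOLDER"
  invoice_section_name = "INVOICE_SECTION_PLACEHOLDER"
}

resource "azurerm_subscription" "ow" {
  subscription_name = "client-prod" # assumed name
  billing_scope_id  = data.azurerm_billing_mca_account_scope.ow.id
  workload          = "Production"
}

# Exported so the second stage can target the new subscription by id.
output "subscription_id" {
  value = azurerm_subscription.ow.subscription_id
}

# --- Stage 2: workload/main.tf (separate state file, applied after stage 1) ---
# Reads the id from stage 1's state; by now the subscription exists and a fresh login lists it.
data "terraform_remote_state" "subs" {
  backend = "azurerm"
  config = {
    resource_group_name  = "tfstate-rg"         # assumed state backend
    storage_account_name = "tfstateplaceholder" # assumed
    container_name       = "tfstate"
    key                  = "subscriptions.tfstate"
  }
}

# Pinning subscription_id and tenant_id on the alias keeps resources out of the
# management subscription even if the runner's default az context points there.
provider "azurerm" {
  features {}
  alias           = "internal"
  subscription_id = data.terraform_remote_state.subs.outputs.subscription_id
  tenant_id       = "00000000-0000-0000-0000-000000000000" # placeholder: tenant id
}

resource "azurerm_resource_group" "app" {
  provider = azurerm.internal # every resource meant for the new subscription names the alias
  name     = "rg-client-prod"
  location = "westeurope"
}
```

Apply stage 1 first, then stage 2; the stage-2 identity needs read access to the state storage container as well as rights in the new subscription.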