Azure Subscription

The azure_subscription resource provisions sandboxed Azure subscriptions for lab environments. It creates controlled Azure subscriptions with user management, service principal access, and resource restrictions suitable for educational and training purposes.

Use Cases

As a lab author, you can use azure_subscription resources to:

Azure Training Labs: Create realistic Azure environments for hands-on cloud training and certification preparation
Service-Specific Learning: Restrict access to specific Azure services for focused learning experiences

Azure subscription resources provide realistic cloud environments while maintaining educational control and cost management.

HCL Syntax

Basic Syntax

1
resource "azure_subscription" "name" {
2
  regions = ["westeurope"]
3
  services = ["Microsoft.Compute", "Microsoft.Storage"]
4

5
  user "student" {
6
    roles = ["Contributor"]
7
  }
8
}

Full Syntax

1
resource "azure_subscription" "name" {
2
  regions = ["westeurope", "eastus"]
3
  services = ["Microsoft.Compute", "Microsoft.Storage", "Microsoft.Network"]
4

5
  tags = {
6
    Environment = "Training"
7
    Purpose = "Lab"
8
    Team = "Education"
9
  }
10

11
  user "admin" {
12
    roles = ["Owner", "User Access Administrator"]
13
  }
14

15
  user "developer" {
16
    roles = ["Contributor"]
17
  }
18

19
  service_principal "automation" {
20
    roles = ["Reader", "Contributor"]
21
  }
22
}

Fields

Field	Type	Description
`regions`	list(string)	Azure regions where resources can be provisioned. Defaults to empty list.
`services`	list(string)	Azure services that users can access. Defaults to empty list.
`tags`	map(string)	Tags to apply to the Azure subscription. Defaults to empty map.

User Block

azure_subscription → user

User blocks define Azure AD users to create within the subscription:

Field	Required	Type	Description
`name`	✓	label	Username for the Azure AD user (specified as block label)
`roles`		list(string)	Azure RBAC roles to assign to the user. Defaults to empty list.

Service Principal Block

azure_subscription → service_principal

Service principal blocks define Azure AD service principals for application authentication:

Field	Required	Type	Description
`name`	✓	label	Name for the Azure AD service principal (specified as block label)
`roles`		list(string)	Azure RBAC roles to assign to the service principal. Defaults to empty list.

Computed Attributes

These attributes are set by the system after subscription provisioning:

Field	Type	Description
`tenant_id`	string	The Azure AD tenant ID
`subscription_id`	string	The Azure subscription ID

User Computed Attributes

For each user block, these attributes are computed:

Field	Type	Description
`user_id`	string	The Azure AD user object ID
`username`	string	The Azure AD username
`password`	string	The user's password for Azure portal access

Service Principal Computed Attributes

For each service_principal block, these attributes are computed:

Field	Type	Description
`service_principal_id`	string	The Azure AD service principal object ID
`app_id`	string	The application (client) ID
`password`	string	The service principal secret for authentication

Validation Rules

Region names must be valid Azure regions (e.g., “westeurope”, “eastus”, “southeastasia”)
Service names must be valid Azure resource provider names (e.g., “Microsoft.Compute”, “Microsoft.Storage”)
Role names must be valid Azure RBAC roles (e.g., “Owner”, “Contributor”, “Reader”)
User and service principal names must follow Azure AD naming requirements

Examples

Basic Azure Training Environment

1
resource "azure_subscription" "training" {
2
  regions = ["westeurope"]
3
  services = ["Microsoft.Compute", "Microsoft.Storage", "Microsoft.Network"]
4

5
  tags = {
6
    Environment = "Training"
7
    Course = "Azure Fundamentals"
8
  }
9

10
  user "student" {
11
    roles = ["Contributor"]
12
  }
13
}
14

15
output "student_credentials" {
16
  value = {
17
    username = resource.azure_subscription.training.user.student.username       # e.g., "student@contoso.onmicrosoft.com"
18
    password = resource.azure_subscription.training.user.student.password       # e.g., "TempPass123!"
19
    tenant_id = resource.azure_subscription.training.tenant_id                  # e.g., "12345678-1234-1234-1234-123456789012"
20
  }
21
  sensitive = true
22
}

Multi-User Workshop Environment

1
resource "azure_subscription" "workshop" {
2
  regions = ["westeurope", "eastus"]
3
  services = [
4
    "Microsoft.Compute",
5
    "Microsoft.Storage",
6
    "Microsoft.Network",
7
    "Microsoft.Web",
8
    "Microsoft.Sql"
9
  ]
10

11
  tags = {
12
    Environment = "Workshop"
13
    Event = "Azure Solutions Architect Training"
14
    Instructor = "Jane Doe"
15
  }
16

17
  # Instructor with full access
18
  user "instructor" {
19
    roles = ["Owner", "User Access Administrator"]
20
  }
21

22
  # Student with contributor access
23
  user "student" {
24
    roles = ["Contributor"]
25
  }
26

27
  # Observer with read-only access
28
  user "observer" {
29
    roles = ["Reader"]
30
  }
31

32
  # Service principal for automation
33
  service_principal "automation" {
34
    roles = ["Contributor"]
35
  }
36
}

Service Principal Integration Lab

1
resource "azure_subscription" "automation_lab" {
2
  regions = ["westeurope"]
3
  services = [
4
    "Microsoft.Compute",
5
    "Microsoft.Storage",
6
    "Microsoft.Resources"
7
  ]
8

9
  tags = {
10
    Environment = "Automation-Lab"
11
    Technology = "Service-Principals"
12
    Level = "Advanced"
13
  }
14

15
  user "developer" {
16
    roles = ["Contributor"]
17
  }
18

19
  service_principal "ci_cd" {
20
    roles = ["Contributor"]
21
  }
22

23
  service_principal "monitoring" {
24
    roles = ["Reader", "Monitoring Reader"]
25
  }
26
}
27

28
resource "container" "azure_cli" {
29
  image {
30
    name = "mcr.microsoft.com/azure-cli"
31
  }
32

33
  environment = {
34
    AZURE_CLIENT_ID = resource.azure_subscription.automation_lab.service_principal.ci_cd.app_id              # e.g., "12345678-1234-1234-1234-123456789012"
35
    AZURE_CLIENT_SECRET = resource.azure_subscription.automation_lab.service_principal.ci_cd.password        # e.g., "abcdef123456..."
36
    AZURE_TENANT_ID = resource.azure_subscription.automation_lab.tenant_id                                   # e.g., "87654321-4321-4321-4321-210987654321"
37
    AZURE_SUBSCRIPTION_ID = resource.azure_subscription.automation_lab.subscription_id                       # e.g., "11111111-2222-3333-4444-555555555555"
38
  }
39
}

Template Integration

1
resource "azure_subscription" "lab" {
2
  regions = ["westeurope"]
3
  services = ["Microsoft.Compute", "Microsoft.Storage"]
4

5
  user "student" {
6
    roles = ["Contributor"]
7
  }
8

9
  service_principal "app" {
10
    roles = ["Reader"]
11
  }
12
}
13

14
resource "template" "azure_credentials" {
15
  source = <<-EOF
16
    # Azure CLI Login
17
    az login --service-principal \
18
      --username ${resource.azure_subscription.lab.service_principal.app.app_id} \
19
      --password ${resource.azure_subscription.lab.service_principal.app.password} \
20
      --tenant ${resource.azure_subscription.lab.tenant_id}
21

22
    # Set subscription context
23
    az account set --subscription ${resource.azure_subscription.lab.subscription_id}
24
  EOF
25

26
  destination = "./azure-login.sh"
27
}
28

29
resource "template" "lab_info" {
30
  source = <<-EOF
31
    # Azure Lab Environment
32

33
    ## Subscription Details
34
    - Tenant ID: ${resource.azure_subscription.lab.tenant_id}                    # e.g., "12345678-1234-1234-1234-123456789012"
35
    - Subscription ID: ${resource.azure_subscription.lab.subscription_id}        # e.g., "87654321-4321-4321-4321-210987654321"
36

37
    ## User Credentials
38
    - Username: ${resource.azure_subscription.lab.user.student.username}         # e.g., "student@contoso.onmicrosoft.com"
39
    - Password: ${resource.azure_subscription.lab.user.student.password}         # e.g., "TempPass123!"
40

41
    ## Service Principal
42
    - App ID: ${resource.azure_subscription.lab.service_principal.app.app_id}    # e.g., "11111111-2222-3333-4444-555555555555"
43
    - Secret: ${resource.azure_subscription.lab.service_principal.app.password}  # e.g., "abcdef123456..."
44
  EOF
45

46
  destination = "./lab-info.md"
47
}

Multi-Region Development Environment

1
resource "azure_subscription" "global_dev" {
2
  regions = [
3
    "westeurope",     # West Europe
4
    "eastus",         # East US
5
    "southeastasia"   # Southeast Asia
6
  ]
7

8
  services = [
9
    "Microsoft.Compute",
10
    "Microsoft.Storage",
11
    "Microsoft.Network",
12
    "Microsoft.Web",
13
    "Microsoft.ContainerRegistry"
14
  ]
15

16
  tags = {
17
    Environment = "Multi-Region-Dev"
18
    Purpose = "Global Architecture Training"
19
    Duration = "2-days"
20
  }
21

22
  user "architect" {
23
    roles = ["Contributor"]
24
  }
25

26
  service_principal "deployment" {
27
    roles = ["Contributor"]
28
  }
29
}

Role-Based Access Control Lab

1
resource "azure_subscription" "rbac_lab" {
2
  regions = ["westeurope"]
3
  services = ["Microsoft.Compute", "Microsoft.Storage"]
4

5
  tags = {
6
    Environment = "RBAC-Training"
7
    Focus = "Access-Management"
8
  }
9

10
  # Different users with different permission levels
11
  user "owner_user" {
12
    roles = ["Owner"]
13
  }
14

15
  user "contributor_user" {
16
    roles = ["Contributor"]
17
  }
18

19
  user "reader_user" {
20
    roles = ["Reader"]
21
  }
22

23
  user "storage_admin" {
24
    roles = ["Storage Account Contributor"]
25
  }
26

27
  user "vm_admin" {
28
    roles = ["Virtual Machine Contributor"]
29
  }
30

31
  # Service principals for different scenarios
32
  service_principal "backup_service" {
33
    roles = ["Backup Contributor"]
34
  }
35

36
  service_principal "monitoring_service" {
37
    roles = ["Monitoring Reader"]
38
  }
39
}

PowerShell Integration

1
resource "azure_subscription" "powershell_lab" {
2
  regions = ["westeurope"]
3
  services = ["Microsoft.Compute", "Microsoft.Storage"]
4

5
  user "admin" {
6
    roles = ["Owner"]
7
  }
8
}
9

10
resource "template" "powershell_script" {
11
  source = <<-EOF
12
    # Azure PowerShell Login
13
    $securePassword = ConvertTo-SecureString "${resource.azure_subscription.powershell_lab.user.admin.password}" -AsPlainText -Force
14
    $credential = New-Object System.Management.Automation.PSCredential("${resource.azure_subscription.powershell_lab.user.admin.username}", $securePassword)
15

16
    Connect-AzAccount -Credential $credential -TenantId "${resource.azure_subscription.powershell_lab.tenant_id}"
17
    Set-AzContext -SubscriptionId "${resource.azure_subscription.powershell_lab.subscription_id}"
18

19
    # Verify connection
20
    Get-AzSubscription
21
  EOF
22

23
  destination = "./azure-connect.ps1"
24
}

Best Practices

Principle of Least Privilege: Assign only the minimum roles required for the lab objectives
Service Restrictions: Limit services to those essential for the learning experience
Regional Constraints: Restrict regions to control costs and simplify the environment
Role Separation: Use different users and service principals for different lab scenarios
Service Principal Usage: Demonstrate both user and service principal authentication patterns
Cost Controls: Monitor resource usage and implement appropriate restrictions
Tagging Strategy: Use consistent tags for cost tracking and resource management
Credential Security: Mark credential outputs as sensitive and manage access carefully