First Thoughts on Azure Terrafy

There has been a lot of buzz related to Azure Terrafy lately, with presentations at HashiConf Global and videos from Ned Bellavance. I have always had rather tempered expectations of the tool, with good reason, and my recent experience cemented my initial thoughts.


The tool is not going to turn around and generate elegant HCL for Terraform, full stop. It writes a completely hardcoded HCL resource, largely 1-to-1, for the respective Azure resource. Each property is hardcoded. One puzzling thing, which will hopefully be addressed, is that Azure Terrafy does develop a good sense of dependencies, but it doesn’t express them in HCL in the normal way; instead, it creates a manual depends_on statement:

resource "azurerm_network_security_group" "res-1" {
  location = "eastus"
  name = "myNetworkSecurityGroup"
  resource_group_name = "myResourceGroup"
  depends_on = [


The tool has been updated a lot lately, giving the ability to scope at the resource group, the individual resource, or with a resource graph query. Many of the examples do not show this setting, simply offering usage as follows:

aztfy myResourceGroup

However, the command now requires a subcommand that provides the scope:

aztfy rg myResourceGroup

In addition, I ran into an issue where Azure Terrafy could not determine the subscription for which I was concerned.

This was extremely strange because I had used the AzCli in order to authenticate and set the subscription:

az account set --subscription mySubscription

To overcome this, I needed to manually set the subscription ID, as experienced by others in Issue 113. The subscription ID can be passed to Azure Terrafy in any of the following ways (in descending order of priority):

  1. On the command-line: --subscription-id <SubscriptionId>
  2. Environment variable: export AZTFY_SUBSCRIPTION_ID=<SubscriptionId>
  3. Environment variable: export ARM_SUBSCRIPTION_ID=<SubscriptionId>
  4. (Default) AzCli: az account show --query id

If I manually execute the last command, it shows the subscription ID that I have set, as one would expect, but still no resolution. Instead, I set the AZTFY_SUBSCRIPTION_ID environment variable and it worked like a charm.
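The precedence listed above can be checked before an import, so the tool is always pointed at an explicitly pinned subscription. This is an added example, not part of the original post or the aztfy project: the function names resolve_subscription_id and pinned_aztfy_rg are hypothetical, and the script mirrors the listed order rather than calling aztfy's own resolver.

```shell
#!/bin/sh
# Added example (not aztfy code): resolve the subscription ID using the
# precedence listed above and report which source supplied it.

# Hypothetical helper: succeeds only if $1 looks like a GUID.
is_guid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# resolve_subscription_id [explicit-id]
# Prints "<source> <id>" on success; returns 1 if no valid ID is found.
resolve_subscription_id() {
    if [ -n "${1:-}" ]; then
        src="flag"; id="$1"
    elif [ -n "${AZTFY_SUBSCRIPTION_ID:-}" ]; then
        src="AZTFY_SUBSCRIPTION_ID"; id="$AZTFY_SUBSCRIPTION_ID"
    elif [ -n "${ARM_SUBSCRIPTION_ID:-}" ]; then
        src="ARM_SUBSCRIPTION_ID"; id="$ARM_SUBSCRIPTION_ID"
    else
        src="azcli"
        id=$(az account show --query id -o tsv 2>/dev/null) || id=""
    fi
    # A subscription name or an empty string is rejected here.
    if ! is_guid "$id"; then
        echo "no valid subscription ID from source: $src" >&2
        return 1
    fi
    printf '%s %s\n' "$src" "$id"
}

# pinned_aztfy_rg <resource-group> [explicit-id]
# Runs the import with the subscription pinned via AZTFY_SUBSCRIPTION_ID.
pinned_aztfy_rg() {
    resolved=$(resolve_subscription_id "${2:-}") || return 1
    echo "using subscription from ${resolved% *}: ${resolved#* }" >&2
    AZTFY_SUBSCRIPTION_ID="${resolved#* }" aztfy rg "$1"
}
```

Source the file and call pinned_aztfy_rg myResourceGroup; the line written to stderr records which source supplied the subscription ID.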

Use Cases

Realistically, you do not want to use the Terraform HCL generated by Azure Terrafy. It could be used to capture the current state of the environment and combined with Pluralith to get a diagram of the environment (my specific use case). Or, it could be used with the new drift detection feature in Terraform Cloud. What you realistically want to do is refactor the code to be idiomatic HCL.

