Terraform Baseline Deployment
Deploying the Terraform Baseline
This folder contains the Terraform baseline for the Day 1 Cloud Security lab environment.
The goal of this baseline is to create a small Azure environment that students can use during the Identity and Access Management labs.
You will use this environment to investigate Azure resources, managed identities, RBAC role assignments, Key Vault access, logging resources, and later security improvements.
1. What this baseline creates
The Terraform configuration creates the following Azure resources:
Resource Group
Storage Account for frontend static website hosting
App Service Plan
Linux Web App for the backend API
System-assigned managed identity for the backend
Key Vault
Demo Key Vault secret
Log Analytics Workspace
Application Insights
These resources form the basic lab environment for Day 1.
Tips
The environment is intentionally small. This keeps the lab understandable and makes it easier to inspect permissions, roles, scopes, and resource relationships.
2. Requirements
Before continuing, make sure you have:
[ ] Azure CLI installed
[ ] Terraform installed
[ ] Access to the correct Azure tenant
[ ] Access to the correct Azure subscription
[ ] Permission to create resources in the subscription
Check your local tools:
az version
terraform --version
3. Log in to Azure
Log in with Azure CLI:
az login
A browser window will open. Log in with your course Azure account.
After logging in, check the active account and subscription:
az account show --output table
Verify the following values:
Subscription name
Subscription ID
Tenant ID
Signed-in user
4. Select the correct subscription
If you have access to multiple Azure subscriptions, list them:
az account list --output table
Set the correct subscription:
az account set --subscription "<SUBSCRIPTION_ID_OR_NAME>"
Check again:
az account show --output table
Warning
Always verify the active subscription before running Terraform.
Terraform will create real Azure resources. If the wrong subscription is active, resources may be deployed to the wrong environment.
5. Prepare your variables file
Copy the example variables file:
cp terraform.tfvars.example student.tfvars
Open student.tfvars in your editor.
Set a unique student prefix:
student_prefix = "jdoe"
location = "westeurope"
environment = "dev"
Replace jdoe with your own unique prefix.
Good examples:
jdoe
mmommers
student01
team03
Warning
Your student_prefix must be unique.
Azure resource names such as Storage Accounts and Key Vaults must be globally unique. If two students use the same prefix, deployment may fail.
6. Initialize Terraform
Initialize the Terraform folder:
terraform init
Expected result:
Terraform has been successfully initialized!
This downloads the required Terraform providers and prepares the working directory.
7. Format and validate the configuration
Format the Terraform files:
terraform fmt
Validate the configuration:
terraform validate
Expected result:
Success! The configuration is valid.
Tips
terraform fmt makes the files consistent.
terraform validate checks whether the configuration is syntactically valid before you try to deploy it.
8. Review the deployment plan
Create a Terraform plan:
terraform plan -var-file="student.tfvars"
Review what Terraform wants to create.
Look for resources such as:
azurerm_resource_group
azurerm_storage_account
azurerm_service_plan
azurerm_linux_web_app
azurerm_key_vault
azurerm_key_vault_secret
azurerm_log_analytics_workspace
azurerm_application_insights
Tips
Do not skip the plan step.
The plan shows what Terraform will create, change, or destroy before it makes any changes in Azure.
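One way to make the plan review systematic, as an added example that is not part of the lab's own files: it saves the plan, reads it back as JSON, and flags any action other than create and any resource type outside the list above. It assumes PowerShell with terraform on the PATH; the temporary plan file name is made up for this example.

```powershell
# Added example: summarize a saved plan before applying it.
# Assumes it is run from the lab folder after terraform init.
$expectedTypes = @(
    'azurerm_resource_group', 'azurerm_storage_account', 'azurerm_service_plan',
    'azurerm_linux_web_app', 'azurerm_key_vault', 'azurerm_key_vault_secret',
    'azurerm_log_analytics_workspace', 'azurerm_application_insights'
)

# A saved plan can contain sensitive values, so keep it outside the repository.
$planFile = Join-Path ([System.IO.Path]::GetTempPath()) "lab-$PID.tfplan"
try {
    terraform plan '-var-file=student.tfvars' "-out=$planFile" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'terraform plan failed' }

    $plan = (terraform show -json $planFile | Out-String) | ConvertFrom-Json

    # Keep managed resources that will actually change (skip data sources and no-ops).
    $changes = @($plan.resource_changes | Where-Object {
        $_.mode -eq 'managed' -and $_.change.actions -notcontains 'no-op'
    })

    # One line per planned change: action(s), then resource address.
    $changes | ForEach-Object { '{0,-16} {1}' -f ($_.change.actions -join '+'), $_.address }

    # A first deployment should only create. Anything else deserves a closer look.
    $notCreate = @($changes | Where-Object { ($_.change.actions -join '+') -ne 'create' })

    # Types outside the list are not necessarily wrong, but should be understood.
    $otherTypes = @($changes | Where-Object { $_.type -notin $expectedTypes } |
        Select-Object -ExpandProperty type -Unique)

    if ($notCreate)  { Write-Warning "Non-create actions: $($notCreate.address -join ', ')" }
    if ($otherTypes) { Write-Warning "Types not in the expected list: $($otherTypes -join ', ')" }
}
finally {
    # Remove the plan file whether or not the review succeeded.
    Remove-Item -Path $planFile -ErrorAction SilentlyContinue
}
```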
9. Deploy the baseline
Apply the Terraform configuration:
terraform apply -var-file="student.tfvars"
Terraform will show the deployment plan again.
Confirm with:
yes
The deployment may take a few minutes.
10. Show Terraform outputs
After deployment, show all outputs:
terraform output
Useful outputs include:
terraform output resource_group_name
terraform output backend_app_url
terraform output frontend_static_website_url
terraform output key_vault_name
You can also retrieve raw output values without quotes:
terraform output -raw resource_group_name
terraform output -raw backend_app_url
terraform output -raw frontend_static_website_url
terraform output -raw key_vault_name
These values are used in later setup and deployment steps.
11. Verify the created resources
List the resources in your lab resource group:
az resource list `
--resource-group "$(terraform output -raw resource_group_name)" `
--output table
You should see resource types similar to:
Microsoft.Web/sites
Microsoft.Web/serverfarms
Microsoft.Storage/storageAccounts
Microsoft.KeyVault/vaults
Microsoft.OperationalInsights/workspaces
Microsoft.Insights/components
You can also open the Azure Portal and search for your resource group.
12. Open the backend URL
Show the backend URL:
terraform output backend_app_url
Open the URL in your browser.
Depending on whether the application code has already been deployed, you may see:
A working backend response
An Azure default page
An application error page
Tips
The infrastructure deployment creates the Azure resources. The application code may still need to be deployed separately.
13. Open the frontend static website URL
Show the frontend static website URL:
terraform output frontend_static_website_url
Open the URL in your browser.
Depending on whether the frontend has already been uploaded, you may see:
The frontend application
A blank/static website page
A 404 or missing content message
This is expected if the frontend files have not been deployed yet.
14. Important Terraform state warning
Terraform stores information about the deployed resources in a state file.
For this lab, the state is stored locally in files such as:
terraform.tfstate
terraform.tfstate.backup
Caution
Do not delete or manually edit the Terraform state file.
Without the state file, Terraform may no longer know which resources it manages.
Also do not commit local state or personal variable files to Git.
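Terraform state records resource attributes in plain text, including the value of the demo Key Vault secret, so a committed state file leaks it. The following added example (not part of the lab's own files) checks with `git ls-files` and `git check-ignore` that the state and variable files named in this section are neither tracked nor unignored; it assumes PowerShell, git on the PATH, and a lab folder inside a Git working tree.

```powershell
# Added example: confirm state and variable files stay out of Git.
# Run from the lab folder after terraform init, so that .terraform exists.
$sensitive = @('terraform.tfstate', 'terraform.tfstate.backup', 'student.tfvars', '.terraform')
$problems = @()

foreach ($path in $sensitive) {
    # Already tracked? An ignore rule does not remove a file that was committed earlier.
    $tracked = git ls-files -- $path
    if ($tracked) { $problems += "tracked by Git: $path" }

    # Exit code 0 means an ignore rule matches the path; 1 means none does.
    git check-ignore --quiet -- $path
    if ($LASTEXITCODE -ne 0) { $problems += "not ignored: $path" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Warning 'Fix .gitignore, and use "git rm --cached <file>" for tracked files, before committing.'
}
else {
    'State and variable files are ignored and untracked.'
}
```

A file that was committed earlier stays in the repository history even after `git rm --cached`, so treat any secret it contained as exposed.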
Make sure these files are ignored:
.terraform/
terraform.tfstate
terraform.tfstate.backup
*.tfvars
15. Cleanup
Destroy the lab environment when instructed by the teacher.
In many lab environments, this should be done after every class to avoid unnecessary Azure costs.
Run:
terraform destroy -var-file="student.tfvars"
Terraform will show which resources will be destroyed.
Confirm with:
yes
Caution
Only run terraform destroy from your own lab folder.
Before destroying resources, check that you are using the correct Azure subscription:
az account show --output table
Never destroy resources from another student, team, or environment.
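The subscription check from sections 4 and 15 can be enforced instead of remembered. This added example (not part of the lab's own files) wraps plan, apply and destroy in a guard that stops when the active Azure CLI subscription is not the expected one; the function name `Invoke-LabTerraform` and its parameters are hypothetical, and it assumes PowerShell with az and terraform on the PATH.

```powershell
# Added example: refuse to run Terraform against an unexpected subscription.
# Invoke-LabTerraform and its parameter names are hypothetical, chosen for this example.
function Invoke-LabTerraform {
    param(
        [Parameter(Mandatory)] [ValidateSet('plan', 'apply', 'destroy')] [string] $Action,
        [Parameter(Mandatory)] [string] $ExpectedSubscriptionId,
        [string] $VarFile = 'student.tfvars'
    )

    # Ask Azure CLI which subscription is active right now.
    $raw = az account show --output json
    if ($LASTEXITCODE -ne 0) { throw 'Azure CLI is not logged in. Run "az login" first.' }
    $account = ($raw | Out-String) | ConvertFrom-Json

    # PowerShell string comparison is case-insensitive, which suits GUIDs.
    if ($account.id -ne $ExpectedSubscriptionId) {
        throw ("Active subscription is '$($account.name)' ($($account.id)), " +
               "expected $ExpectedSubscriptionId. Run az account set first.")
    }
    if (-not (Test-Path $VarFile)) { throw "Variables file not found: $VarFile" }

    # The azurerm provider reads ARM_SUBSCRIPTION_ID when the provider block does not
    # set subscription_id, so this pins the run to the subscription just verified.
    $env:ARM_SUBSCRIPTION_ID = $ExpectedSubscriptionId

    Write-Host "Subscription '$($account.name)' in tenant $($account.tenantId) confirmed."
    # Terraform still shows its plan and asks for "yes" before apply or destroy.
    terraform $Action "-var-file=$VarFile"
}

# Usage with a placeholder ID:
# Invoke-LabTerraform -Action destroy -ExpectedSubscriptionId '<SUBSCRIPTION_ID>'
```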
16. Deployment checklist
Before continuing to the next lab, verify the following:
[ ] I am logged in with Azure CLI.
[ ] I selected the correct Azure subscription.
[ ] I copied terraform.tfvars.example to student.tfvars.
[ ] I configured a unique student_prefix.
[ ] terraform init completed successfully.
[ ] terraform fmt completed successfully.
[ ] terraform validate completed successfully.
[ ] terraform plan showed the expected resources.
[ ] terraform apply completed successfully.
[ ] I can run terraform output.
[ ] I can see my resource group in Azure.
[ ] I can list the resources with az resource list.
[ ] I know how to destroy the lab environment when instructed.
17. Common problems
Terraform cannot create the Storage Account
Storage Account names must be globally unique.
Try changing your student_prefix in student.tfvars.
Terraform cannot create the Key Vault
Key Vault names must be globally unique.
Try changing your student_prefix, or ask the teacher whether a previous deployment with the same name still exists.
Terraform fails because Azure CLI is not logged in
Run:
az login
Then try again:
terraform apply -var-file="student.tfvars"
Terraform deploys to the wrong subscription
Check the active subscription:
az account show --output table
Set the correct one:
az account set --subscription "<SUBSCRIPTION_ID_OR_NAME>"
Then run the Terraform command again.
You do not have enough permissions
If Terraform fails with an authorization error, you may not have enough permissions in the Azure subscription.
Ask the teacher or lab administrator to verify your access.
18. Why this baseline matters
This Terraform baseline gives every student a repeatable lab environment.
It also makes the security labs more realistic:
The backend has an Azure identity.
The application has cloud resources around it.
Permissions can be inspected.
Role assignments can be changed.
Key Vault access can be tested.
Logging resources are available for later labs.
This environment is the starting point for the Day 1 cloud security investigation.