Wanting to import existing Azure resources into Terraform? A recently announced tool called Terrafy will be something you will be certainly interested in! In this blog, I will have a look at using Aztfy and its configuration to both import Azure resources into terraform state locally and also directly to an Azure Storage Account.
“A tool to bring your existing Azure resources under the management of Terraform.”
Azure Terrafy imports the resources that are supported by the Terraform AzureRM provider within a resource group, into the Terraform state, and generates the corresponding Terraform configuration. Both the Terraform state and configuration are expected to be consistent with the resources’ remote state, i.e.,
https://github.com/Azure/aztfyterraform planshows no diff. The user then is able to use Terraform to manage these resources.
Installing Aztfy
Full install instructions found here
For my self, I used brew:
brew install aztfy
The state I want to import in this example will be from resource group: storage_account_azcopy.
Using Aztfy
I will be using Aztfy in non-interactive mode, further reference here to interactive v non-interactive.
Running Aztfy is very simple, you just pass in the resource group you want to import terraform state:
aztfy rg --non-interactive storage_account_azcopy
You will then see cli output that it is performing an import of (0/28) resources for example:
(20/28) Importing https://tamopssadestination.file.core.windows.net/fileshare as azurerm_storage_share.r
Once completed, running a terraform state list to see what has been imported:
thomast@MGH97DTW40 test % terraform state list
azurerm_linux_virtual_machine.res-1
azurerm_network_interface.res-2
azurerm_network_interface_security_group_association.res-3
azurerm_network_security_group.res-4
azurerm_network_security_rule.res-5
azurerm_public_ip.res-6
azurerm_resource_group.res-0
azurerm_storage_account.res-22
azurerm_storage_account.res-9
azurerm_storage_container.res-11
azurerm_storage_container.res-12
azurerm_storage_container.res-13
azurerm_storage_container.res-14
azurerm_storage_container.res-15
azurerm_storage_container.res-16
azurerm_storage_container.res-24
azurerm_storage_share.res-18
azurerm_storage_share.res-19
azurerm_subnet.res-8
azurerm_virtual_network.res-7
With the folder you run the command Aztfy in, it will store a number of required terraform files to plan/apply this terraform in the future along with the required terraform.tfstate file – awesome!
Reviewing main.tf you will notice all available (those Azure resources that have a terraform resource available) will be displayed, those who know me, know I write alot of Terraform – it is a good foundation for your automation. Nothing complex is considered in terms of Terraform modules, variables file etc but it is a good introduction and start. ๐
For example, here is the virtual network & subnet shown in the initial resource group, with the Terraform created using Aztfy.
resource "azurerm_virtual_network" "res-7" {
address_space = ["10.1.0.0/16"]
location = "uksouth"
name = "storage_account_azcopy-vnet"
resource_group_name = "storage_account_azcopy"
depends_on = [
azurerm_resource_group.res-0,
]
}
resource "azurerm_subnet" "res-8" {
address_prefixes = ["10.1.0.0/24"]
name = "default"
resource_group_name = "storage_account_azcopy"
virtual_network_name = "storage_account_azcopy-vnet"
depends_on = [
azurerm_virtual_network.res-7,
]
}
To finish, an even cooler feature is that the Aztfy terraform state file it creates can be stored remotely within an Azure Storage Account, example of this below!
aztfy rg --non-interactive --backend-type=azurerm `
--backend-config=resource_group_name=storage_account_azcopy `
--backend-config=storage_account_name=tamopssadestination `
--backend-config=container_name=tfstate `
--backend-config=key=terraform.tfstate `
storage_account_azcopy
A few thoughts from using Aztfy:
- Great basic tool for importing your Azure resources into Terraform
- Only works currently with a specific Azure resource or resource group
- The main.tf file it creates is a great start to having your resources in Terraform automation, for something more granular such as a Terraform module, you will have to create this – though a great start
- Further limitations noted by Aztfy
A definite tool to watch, only released a few months ago – it has already received several incremental versions! I look forward to hearing more about this tool in the future – possibly another blog post with new features ๐
Thomas Thornton - Microsoft Azure MVP - GitHub Star - HashiCorp Ambassador 
Interesting… My first question is if you are going to be using Azure specific items (i.e. not ensuring 100% cloud portability) then why not use Azure tooling? [e.g. Bicep]?
Always an interesting discussion, Terraform vs Bicep vs ARM vs other IaC ๐
It can really depend on the organisation team, preference and their journey – no fully correct answer to which to use , multiple dependencies etc
My personal view in very short response is that I prefer Terraform , I enjoy having a state to work with and how Terraform operates
Thanks
Thomas
A fair and honest answer. Thanks. For me (and in a general sense) I am always concerned about “lag” and “support” as more vendors are added into the mix. Heck even when more teams are involved at the vendor (this transcends the particular we are talking about).
As a concrete (relevant) example. There are times when there is a window of Azure teams publishing a new capability. The JSON/Bicep parts are updated, but there is a lag till the documentation and portal are (could be either order and varying duration). There would also be (presumably) a delay before Terraform (or any other vendor) can update….
For many (most?) this is not a primary or even secondary concern; but for the space I live it, it has been – so my goal in asking was to discover if I was missing any special items..
Have a great day (And since posted on a Friday: Great weekend)
After AzApi provider I don’t see the issue with feature lag as an important one any more. Terraform provides a far superior planning tool than ARM what-if, in my opinion.
The use of tooling often depends on the customer you are consulting for. Some use Bicep, some use Terraform. If they use ARM, it is time to migrate to Bicep.. In five years time we most likely have some new frameworks or toolsets. This always changes.
Cloud portability as a sales point for Terraform is also a somewhat moot point. You need to write for each provider anyway, and if multi-cloud was the purpose you could advocate using PowerShell/cli against the cloud providers.
Great response! Very true with AzAPI as its been a game changer!
It’s been such a journey regarding toolsets from the days of when PowerShell was the only option ๐
With alot of organisations this is what I see in terms of using Terraform due to portability and potentially having a number of projects on the likes of Azure and AWS where Terraform knowledge and fundamentals can be transferred between both!