Terraform alias — Solving Multi-Subscription Deployment Challenges

In cloud environments, especially in Azure, infrastructure is often spread across multiple subscriptions for security and organizational reasons.

Hub and Spoke Topology is a classic pattern where:

    • The Hub VNet (shared resources, security services, DNS zones, etc.) lives in its own subscription.
    • The Spoke VNets (application workloads) live in different subscriptions, each managing its own state file.

While everything works smoothly for independent deployments, the real problem starts when you need cross-subscription interactions, like:

    • VNet Peering between Hub and Spoke (both sides need peering objects)
    • Private Endpoint + Private DNS Zones (Private Endpoint in spoke, DNS zone in hub)

By default, Terraform executes operations only against a single provider configuration (in our case, a single Azure subscription).

So, how can we create resources in two different subscriptions at the same time from within the spoke configuration?

Answer → Terraform alias provider.

Continue reading “Terraform alias — Solving Multi-Subscription Deployment Challenges”

Terraform ignore_changes: A Life Saver When Azure Resources Drift

If you work with Azure resources and Terraform, sooner or later, you’ll face this.

You deploy a resource (say, a Managed Identity) using Terraform, and after a few days, you want to add something simple — maybe a Role Assignment.

But as soon as you run:

terraform plan

Boom — you see a terrifying message:

-/+ resource "azurerm_user_assigned_identity" "my_identity" {
      id           = "/subscriptions/xxxxxxx/resourceGroups/xyz/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my_identity"
      location     = "eastus"
      name         = "my_identity"
    ~ principal_id = "11111111-1111-1111-1111-111111111111" => "22222222-2222-2222-2222-222222222222"
    ~ tenant_id    = "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" => "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
}

Plan: 1 to add, 0 to change, 1 to destroy.

You start thinking —

“Wait, what? Why would it recreate my Managed Identity? I did nothing except plan to add a role assignment!”


Continue reading “Terraform ignore_changes: A Life Saver When Azure Resources Drift”

Terraform Data Block Deep Dive — From Real World Experience

Terraform’s data block is often misunderstood or underused until you hit real-world scenarios where your configuration has to reference existing resources.
This article will not rehash basic documentation. Instead, we will walk through why, when, and how to use data blocks, supported with practical scenarios and alternatives — all based on day-to-day usage.

Continue reading “Terraform Data Block Deep Dive — From Real World Experience”