In an effort to better understand Terraform, I have signed up for 4 pay-as-you-go subscriptions in Azure:

  • automationadmin-hub-nonprod
  • automationadmin-hub-prod
  • automationadmin-spoke-nonprod
  • automationadmin-spoke-prod

This is a common model people use for managing cloud providers; a search for “hub and spoke model” returns hundreds of results. One of the first links is to Microsoft’s Cloud Adoption Framework, which I reference often. In it, they basically say:

  • In your hub subscriptions, you have shared resources such as DNS zones, ExpressRoute connections, etc. set up.
  • In your spoke subscriptions, you can reference your hub subscription resources as needed.

This is a common theme you will see in my Terraform Examples Repo, where I will be passing two subscription IDs as environment variables ( for example). The key here is that those will always be used to build two providers:

Then, in your deployment’s for example, you can reference resources in your hub subscription if needed by passing the providers.

  • You can see this in the common data lookup module call.
  • This is because that module references resources in both the hub nonprod and hub prod subscriptions.
  • This example uses a different method: it builds providers on the fly and calls a module. I don’t have an example on my blog where you pass a hub and a spoke provider, but it happens all the time at my job, where modules need to reference resources in both the spoke subscription and the hub subscription, so just be aware.
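The hub-plus-spoke provider pattern described above, as an added example that is not code from the Terraform Examples Repo: the root module builds one `azurerm` provider per subscription from two `TF_VAR_` environment variables and hands both to a child module, which looks up a private DNS zone in the hub and a VNet in the spoke and links them. The module path, variable names, alias names and all resource names are assumptions made for this example.

```hcl
# ---- root module, e.g. deployments/spoke-nonprod/main.tf (hypothetical path) ----
# Subscription IDs come from the environment (TF_VAR_hub_subscription_id, TF_VAR_spoke_subscription_id), never from code.
variable "hub_subscription_id"   { type = string }
variable "spoke_subscription_id" { type = string }
provider "azurerm" {
  alias           = "hub"
  subscription_id = var.hub_subscription_id
  features {}
}
provider "azurerm" {
  alias           = "spoke"
  subscription_id = var.spoke_subscription_id
  features {}
}
module "spoke_dns_link" {
  source = "./modules/spoke-dns-link"
  providers = { # the module can only reach the subscriptions handed to it here
    azurerm.hub   = azurerm.hub
    azurerm.spoke = azurerm.spoke
  }
  hub_dns_zone_name = "corp.example.internal" # constructed sample values
  spoke_vnet_name   = "vnet-spoke-nonprod"
  spoke_vnet_rg     = "rg-spoke-network"
}

# ---- modules/spoke-dns-link/main.tf ----
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", configuration_aliases = [azurerm.hub, azurerm.spoke] }
  }
}
variable "hub_dns_zone_name" { type = string }
variable "spoke_vnet_name"   { type = string }
variable "spoke_vnet_rg"     { type = string }
data "azurerm_private_dns_zone" "hub" { # read-only lookup in the hub subscription
  provider = azurerm.hub
  name     = var.hub_dns_zone_name
}
data "azurerm_virtual_network" "spoke" { # read-only lookup in the spoke subscription
  provider            = azurerm.spoke
  name                = var.spoke_vnet_name
  resource_group_name = var.spoke_vnet_rg
}
resource "azurerm_private_dns_zone_virtual_network_link" "link" {
  provider              = azurerm.hub # the link is created where the zone lives
  name                  = "${var.spoke_vnet_name}-link"
  resource_group_name   = data.azurerm_private_dns_zone.hub.resource_group_name
  private_dns_zone_name = data.azurerm_private_dns_zone.hub.name
  virtual_network_id    = data.azurerm_virtual_network.spoke.id
}
```

Because each provider is scoped to a single subscription ID, a plan against the spoke deployment can only touch the hub through the `azurerm.hub` alias it was explicitly given, which keeps the blast radius of a misconfigured module visible in the plan.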

The following posts go into more detail about my “test lab”:

Lastly, I have written tons of posts about Terraform and how to use it with CI/CD pipelines, so be sure to give those a read. Thanks!