Tags: azure, terraform, terraform-provider-azure

How to create resource group in Azure when you are working with multiple tenant IDs?


The issue is that I have 2 tenant IDs (D and V) and 2 subscription IDs (D and V) because I'm working for 2 different clients.

This cmd is for changing the tenant ID

az login --tenant <myTenantID>

And this cmd is for changing the subscription id

az login --subscription <mysubscriptionID>

Currently I am working on the V subscription/tenant ID and I want to switch to the D subscription/tenant ID.

I have run the commands mentioned above; a browser page opens and I can log in. But when I run my terraform init, plan and apply commands, the terraform code creates the new resource group in the V subscription/tenant ID and not in the D subscription/tenant ID where I want it.

Btw, currently my default account is D, but it still creates it in the V account.


Solution

  • You can customize your azurerm Terraform provider as per your requirements by passing the relevant arguments.

    Terraform Code

    Single Directory Structure (Depends on you, but not recommended from my POV)

    If you want to manage both tenants from a single directory, with only one providers.tf, then you also have to use the alias feature of Terraform providers.

    • providers.tf
    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "~> 3.37.0"
        }
      }
    }
    
    # One provider block per tenant/subscription pair; the alias is what a
    # resource references to pick the target.
    provider "azurerm" {
      alias = "tenant_D_sub_D"
      features {}
      tenant_id       = "tenant_D_id"        # replace with tenant D's ID
      subscription_id = "subscription_D_id"  # replace with subscription D's ID
    }
    
    provider "azurerm" {
      alias = "tenant_V_sub_V"
      features {}
      tenant_id       = "tenant_V_id"        # replace with tenant V's ID
      subscription_id = "subscription_V_id"  # replace with subscription V's ID
    }
    
    
    • resource_groups.tf
    ## Create respective variables[name,location] definitions in your variables.tf 
    resource "azurerm_resource_group" "stackoverflow_D" {
      provider = azurerm.tenant_D_sub_D
    
      name     = var.name
      location = var.location
    }
    
    resource "azurerm_resource_group" "stackoverflow_V" {
      provider = azurerm.tenant_V_sub_V
    
      name     = var.name
      location = var.location
    }
    

    Per-tenant-directory structure

    • Directory Tree
    .
    ├── tenant1
    │   ├── sub1
    │   │   └── providers.tf
    │   └── sub2
    │       └── providers.tf
    └── tenant2
        ├── sub1
        │   └── providers.tf
        └── sub2
            └── providers.tf
    
    • providers.tf in any subscription directory
    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "~> 3.37.0"
        }
      }
    }
    
    # No alias needed: each directory targets exactly one tenant/subscription.
    provider "azurerm" {
      features {}
      tenant_id       = "respective_tenant_id"        # tenant ID for this directory
      subscription_id = "respective_subscription_id"  # subscription ID for this directory
    }
    
    

    Technically you can remove the tenant_id and subscription_id arguments from here, but then you have to make sure via the az CLI or environment variables that the correct tenant and subscription IDs are selected. A similar providers.tf file can be used for the other subscriptions.

    • resource_group.tf
    ## Create respective variables[name,location] definitions in your variables.tf
    resource "azurerm_resource_group" "stackoverflow" {
    
      name     = var.name
      location = var.location
    }
    

    This will simplify your configurations and reduce maintenance efforts by a ton.

    Important Considerations

    • Please note that the service principal/user must have permissions on both tenants as well as both subscriptions when making deployments, whether via the single-directory or the per-tenant-directory structure.

    Documentation URLs
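Added example, not part of the original question or answer: the CLI/environment-variable route the answer mentions for the per-tenant-directory layout, as a wrapper script (hypothetical `tf.sh`; the client IDs are constructed placeholders). It exports the ARM_TENANT_ID and ARM_SUBSCRIPTION_ID variables the azurerm provider reads when providers.tf omits tenant_id and subscription_id, and compares the Azure CLI's active account against them before running terraform, so a plan or apply cannot silently land in the other client's tenant.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Pins the azurerm provider's
# tenant and subscription through ARM_TENANT_ID / ARM_SUBSCRIPTION_ID and
# refuses to run terraform if the Azure CLI's active account disagrees.
set -eu

# Constructed placeholder IDs for the two clients; replace with the real ones.
client_ids() {
  case "$1" in
    D) echo "tenant_D_id subscription_D_id" ;;
    V) echo "tenant_V_id subscription_V_id" ;;
    *) echo "unknown client: $1" >&2; return 1 ;;
  esac
}

# Export the provider's tenant/subscription for the chosen client letter.
export_arm_env() {
  ids=$(client_ids "$1") || return 1
  set -- $ids
  export ARM_TENANT_ID="$1"
  export ARM_SUBSCRIPTION_ID="$2"
}

# True only when the CLI's active tenant and subscription (arguments 1 and 2)
# equal the exported values. Takes them as arguments so the comparison can be
# exercised without a live login.
cli_matches_env() {
  [ "$1" = "${ARM_TENANT_ID:-}" ] && [ "$2" = "${ARM_SUBSCRIPTION_ID:-}" ]
}

# Usage: ./tf.sh D plan   (client letter, then any terraform arguments)
run_terraform() {
  client="$1"; shift
  export_arm_env "$client"
  # `az account show` reports the CLI's active account; tenantId and id are
  # fields of its JSON output.
  active_tenant=$(az account show --query tenantId -o tsv)
  active_sub=$(az account show --query id -o tsv)
  if ! cli_matches_env "$active_tenant" "$active_sub"; then
    echo "Azure CLI is on $active_tenant/$active_sub, not client $client." >&2
    echo "Fix with: az login --tenant $ARM_TENANT_ID && az account set --subscription $ARM_SUBSCRIPTION_ID" >&2
    return 1
  fi
  terraform "$@"
}

if [ "$#" -ge 2 ]; then
  run_terraform "$@"
fi
```

`az account set --subscription <id>` is the command that changes the CLI's active subscription; `az login --tenant <id>` changes the tenant. Pinning both IDs explicitly (in the environment as here, or in providers.tf as in the answer) rather than relying on whichever account the last `az login` left active is what keeps client D's resources out of client V's subscription, and the check turns a mismatch into a loud failure instead of a deployment into the wrong tenant.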