Microsoft Fabric admin: First thoughts and use cases on using Terraform for Infrastructure as Code (IaC)
Context
Microsoft just announced here on September 26, 2024 the new Terraform provider for Microsoft Fabric (public preview) and I am really excited about it :)
In this blog post, I’d like to share my thoughts and a specific use case (problem) using Terraform to create a new workspace, assign a Fabric Capacity to the workspace and also add Microsoft Entra ID security groups to the workspace. This can be very useful especially for Fabric Admins to automate some tasks.
Please be aware that the Terraform provider for Microsoft Fabric is still in Public Preview (as of this writing) before using it in production.
Why Terraform?
Before we dive into our problem, I think it is important to understand why I should consider using Terraform. Of course, I could also solve this problem using the Fabric / Power BI REST APIs or PowerShell. Well, here is one of the differences between Terraform and Python / PowerShell: Terraform is a declarative language while Python / PowerShell is an imperative language.
Declarative language:
You define what you want to achieve and you don’t have to worry about how to achieve it
It focuses on the desired end state of the infrastructure
Imperative language:
You need to define how to achieve something writing the exact steps to execute the code
It focuses on how things should be done and you can control each step
I think it is important to understand this difference before choosing which method to use (REST APIs, PowerShell, Terraform…). Of course, this is a really short explanation since it is not the focus of this writing. With that in mind, let’s get started with our specific use case for Microsoft Fabric.
Solution
Prerequisites to perform this task:
Install Terraform (if not already installed)
Authentication: There are various authentication methods available. I am going to use a Service Principal with a client secret. I won’t go through the steps how to create a service principal, because there are already plenty of great tutorials explaining how to do that. For example, this video from Guy in a Cube
API permission: the Service Principal needs the API permission “Directory.Read.All” as Application type to read the Entra ID groups and users. This will be used to add users / security groups to the workspace
Set the service principal in the Fabric capacity settings as at least Contributor, if you want to assign a Fabric capacity to the workspace
Allow the usage of the service principal in the Fabric tenant settings. See below:
You can find the Terraform code below as screenshot:
To run this code in VS Code, you need to run the following commands in your terminal:
terraform init: initializes your Terraform workspace
terraform plan -out=tfplan: this command creates an execution plan and saves it to a file name “tfplan”. By using the -out=tfplan option, you save this execution plan to a file, ensuring that the same actions will be taken when you run the apply command.
terraform apply tfplan: this command applies the changes defined in the execution plan saved in “tfplan”
The purpose of this blog post is to test the new Terraform provider for Microsoft Fabric and to keep it simple. But the goal would be to implement this in your CI/CD pipeline (such as in Azure DevOps, Github, Gitlab…). So, you can for example save your credentials (e.g. your Secret) as environment variable in your CI/CD pipeline. Just make sure your credentials are safely stored :)
You can find below the Terraform code in my Github repo:
Github Repo with the Terraform code
Conclusion
In this post we talked about how Terraform can be used in Microsoft Fabric and how Fabric Admins could automate their work. It is important to keep in mind that the Terraform provider for Microsoft Fabric is still in Public Preview (as of this writing) and should not be used in production. I am really happy that Microsoft has released this Terraform provider and I am excited for what might come next.
Last updated on September 29, 2024