1# Terraform Patterns
2 
3Common patterns for Terraform Azure deployments.
4 
5## File Structure
6 
7```
8infra/
9├── main.tf             # Main resources
10├── variables.tf        # Variable definitions
11├── outputs.tf          # Output values
12├── terraform.tfvars    # Variable values
13├── backend.tf          # State backend
14└── modules/
15    └── ...
16```
17 
18## Provider Configuration
19 
20```hcl
21# backend.tf
22terraform {
23  required_version = ">= 1.5.0"
24 
25  required_providers {
26    azurerm = {
27      source  = "hashicorp/azurerm"
28      version = "~> 3.0"
29    }
30    azurecaf = {
31      source  = "aztfmod/azurecaf"
32      version = "~> 1.2"
33    }
34  }
35 
36  backend "azurerm" {
37    resource_group_name  = "rg-terraform-state"
38    storage_account_name = "tfstate<unique>"
39    container_name       = "tfstate"
40    key                  = "app.terraform.tfstate"
41  }
42}
43 
44provider "azurerm" {
45  features {}
46}
47```
48 
49## Variables
50 
51```hcl
52# variables.tf
53variable "environment" {
54  type        = string
55  description = "Environment name"
56}
57 
58variable "location" {
59  type        = string
60  description = "Azure region"
61  default     = "eastus2"
62}
63```
64 
65## Main Configuration
66 
67```hcl
68# main.tf
69resource "azurerm_resource_group" "main" {
70  name     = "rg-${var.environment}"
71  location = var.location
72  tags     = { environment = var.environment }
73}
74 
75module "app" {
76  source              = "./modules/app"
77  resource_group_name = azurerm_resource_group.main.name
78  location            = azurerm_resource_group.main.location
79  environment         = var.environment
80}
81```
82 
83## Outputs
84 
85```hcl
86# outputs.tf
87output "resource_group_name" {
88  value = azurerm_resource_group.main.name
89}
90 
91output "app_url" {
92  value = module.app.url
93}
94```
95 
96## Naming with Azure CAF
97 
98```hcl
99resource "azurecaf_name" "storage" {
100  name          = var.environment
101  resource_type = "azurerm_storage_account"
102  random_length = 5
103}
104 
105resource "azurerm_storage_account" "main" {
106  name = azurecaf_name.storage.result
107  # ...
108}
109```
110 
111## State Backend Setup
112 
113```bash
114# Create state storage
115az group create --name rg-terraform-state --location eastus2
116 
117az storage account create \
118  --name tfstate<unique> \
119  --resource-group rg-terraform-state \
120  --sku Standard_LRS
121 
122az storage container create \
123  --name tfstate \
124  --account-name tfstate<unique>
125```
126 
127## Security Requirements
128 
129| Requirement | Pattern |
130|-------------|---------|
131| No hardcoded secrets | Use Key Vault data sources |
132| Managed Identity | `identity { type = "UserAssigned" }` |
133| State encryption | Azure Storage encryption |
134| State locking | Azure Blob lease |
135 
136## Container Apps with ACR
137 
138> **⚠️ Two-Phase Deployment Required.** See [Container Apps Terraform Patterns](../../services/container-apps/terraform.md) for full details.
139 
140Use a **public placeholder image** during initial provisioning. Never reference an ACR image that hasn't been built yet. Do **not** use `admin_enabled` on the ACR or add a `registry` block with `username`/`password_secret_name` — use managed identity instead.
141 
142```hcl
143resource "azurerm_container_app" "api" {
144  # ...
145  template {
146    container {
147      name   = "api"
148      image  = "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest"
149      # ...
150    }
151  }
152 
153  # Prevent Terraform from reverting post-apply image and registry updates
154  lifecycle {
155    ignore_changes = [
156      template[0].container[0].image,
157      registry,
158    ]
159  }
160}
161```
162 
163After `terraform apply`, build the real image and update the Container App via CLI — see the **azure-deploy** skill's `references/recipes/terraform/README.md` (Container Apps Two-Phase Deployment section).
164