Eduarn – Online & Offline Training with Free LMS for Python, AI, Cloud & More

Thursday, April 16, 2026

End-to-End Azure Governance with Terraform: Users, Groups, RBAC & Policy

 

Managing access and governance in Azure can quickly become complex without automation. Using Terraform, we can build a scalable and repeatable setup that includes identity management, access control, and policy enforcement.

In this blog, we implement:

  • Azure AD Users (dynamic with for_each)
  • Azure AD Groups (Admin & Tester)
  • RBAC Role Assignments
  • Azure Storage Account
  • Azure Policy Enforcement

🧩 Architecture Overview

Azure AD Users → Azure AD Groups → RBAC → Azure Resource

Azure Policy (assigned at the resource scope, so it is evaluated on every create or update of that resource)


👤 Step 1: Create Users using for_each

We define multiple users using a Terraform map and dynamically create them:

variable "users" {
  type = map(object({
    user_principal_name = string
    display_name        = string
    password            = string
  }))
}

Adding a user is then a new entry in the map rather than a new resource block, which keeps identity creation scalable.


👥 Step 2: Create Groups

We define two groups:

  • Admin Group → Full access
  • Tester Group → Read-only access

🔐 Step 3: Assign Users to Groups

Each user is added to a group; roles are then granted to the group rather than to individual users, following the group-based access control best practice.


🏗️ Step 4: Deploy Azure Resource

We create:

  • Resource Group
  • Storage Account

🔑 Step 5: RBAC (Access Control)

Roles are assigned at the resource level:

  • Admin Group → Storage Account Contributor
  • Tester Group → Storage Blob Data Reader

Each group gets only the role its job needs (the tester group can read blob data but cannot change the account), which is what least privilege access means here.


📜 Step 6: Azure Policy (Governance)

We enforce a policy:

✔ Only allow Standard_LRS storage accounts

"effect": "deny"

A deny effect rejects any create or update of a storage account at the assigned scope whose SKU is not Standard_LRS, so non-compliant resources never get provisioned.

 

Full Code:

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# -------------------------------------------------
# USERS (FOREACH)
# -------------------------------------------------
variable "users" {
  type = map(object({
    user_principal_name = string
    display_name        = string
    password            = string
  }))

  # Demo values only: a real deployment should take passwords from a
  # sensitive variable or generate them, not keep them in the .tf file.
  default = {
    user1 = {
      user_principal_name = "user1_demo@eduarng.com"
      display_name        = "User One Demo"
      password            = "TempPassword@12345!"
    }

    user2 = {
      user_principal_name = "user2_demo@eduarng.com"
      display_name        = "User Two Demo"
      password            = "TempPassword@12345!"
    }
  }
}

# -------------------------------------------------
# CREATE USERS
# -------------------------------------------------
resource "azuread_user" "users" {
  for_each = var.users

  user_principal_name   = each.value.user_principal_name
  display_name          = each.value.display_name
  password              = each.value.password
  force_password_change = true # user must set a new password at first sign-in
}

# -------------------------------------------------
# ADMIN GROUP
# -------------------------------------------------
resource "azuread_group" "admin_group" {
  display_name     = "Admin-Group"
  security_enabled = true
}

# -------------------------------------------------
# TESTER GROUP
# -------------------------------------------------
resource "azuread_group" "tester_group" {
  display_name     = "Tester-Group"
  security_enabled = true
}

# -------------------------------------------------
# GROUP MEMBERSHIP
# -------------------------------------------------
resource "azuread_group_member" "user1_admin" {
  group_object_id  = azuread_group.admin_group.object_id
  member_object_id = azuread_user.users["user1"].object_id
}

resource "azuread_group_member" "user2_tester" {
  group_object_id  = azuread_group.tester_group.object_id
  member_object_id = azuread_user.users["user2"].object_id
}

# -------------------------------------------------
# RESOURCE GROUP
# -------------------------------------------------
resource "azurerm_resource_group" "demo_rg" {
  name     = "rg-aad-rbac-policy-demo"
  location = "East US"
}

# -------------------------------------------------
# STORAGE ACCOUNT
# -------------------------------------------------
resource "azurerm_storage_account" "storage" {
  name                     = "aadstoragedemo12345"
  resource_group_name      = azurerm_resource_group.demo_rg.name
  location                 = azurerm_resource_group.demo_rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS" # Standard_LRS, the only SKU the policy below allows
}

# -------------------------------------------------
# RBAC FOR ADMIN GROUP
# -------------------------------------------------
resource "azurerm_role_assignment" "admin_rbac" {
  scope                = azurerm_storage_account.storage.id
  role_definition_name = "Storage Account Contributor"
  principal_id         = azuread_group.admin_group.object_id
}

# -------------------------------------------------
# RBAC FOR TESTER GROUP
# -------------------------------------------------
resource "azurerm_role_assignment" "tester_rbac" {
  scope                = azurerm_storage_account.storage.id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = azuread_group.tester_group.object_id
}

# -------------------------------------------------
# AZURE POLICY DEFINITION
# -------------------------------------------------
resource "azurerm_policy_definition" "storage_policy" {
  name         = "restrict-storage-sku-policy"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Allow only Standard_LRS Storage Accounts"

  # Deny any storage account whose SKU is not Standard_LRS.
  policy_rule = jsonencode({
    if = {
      allOf = [
        {
          field  = "type"
          equals = "Microsoft.Storage/storageAccounts"
        },
        {
          field     = "Microsoft.Storage/storageAccounts/sku.name"
          notEquals = "Standard_LRS"
        }
      ]
    }
    then = {
      effect = "deny"
    }
  })
}

# -------------------------------------------------
# POLICY ASSIGNMENT
# -------------------------------------------------
# Scoped to the storage account itself, so the deny rule governs later
# updates of this account; assign at resource-group or subscription scope
# to cover accounts created afterwards.
resource "azurerm_resource_policy_assignment" "storage_policy_assign" {
  name = "storage-policy-assignment"

  resource_id = azurerm_storage_account.storage.id

  policy_definition_id = azurerm_policy_definition.storage_policy.id
}
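The full code above keeps a plaintext password default and one hand-written azuread_group_member block per user. The following is an added example, not code from the original post: it derives group membership from a group attribute on each user and generates initial passwords with the hashicorp/random provider, so no secret sits in the .tf file. The group names, the users map and the use of the random provider are assumptions of this example.

```hcl
# Added example (not part of the original post): membership driven by the
# users map, initial passwords generated instead of hardcoded.
# Assumptions: hashicorp/azuread and hashicorp/random providers; the group
# keys "admin" and "tester" and the sample users are constructed for the demo.

terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread" }
    random  = { source = "hashicorp/random" }
  }
}

provider "azuread" {}

# Each user carries the group it belongs to, so membership is data rather
# than a resource block per user.
variable "users" {
  type = map(object({
    user_principal_name = string
    display_name        = string
    group               = string # "admin" or "tester"
  }))
  default = {
    user1 = { user_principal_name = "user1_demo@example.com", display_name = "User One Demo", group = "admin" }
    user2 = { user_principal_name = "user2_demo@example.com", display_name = "User Two Demo", group = "tester" }
  }

  validation {
    condition     = alltrue([for u in var.users : contains(["admin", "tester"], u.group)])
    error_message = "Each user's group must be \"admin\" or \"tester\"."
  }
}

# One random initial password per user; the value never appears in the code.
resource "random_password" "initial" {
  for_each = var.users
  length   = 20
  special  = true
}

resource "azuread_user" "users" {
  for_each = var.users

  user_principal_name   = each.value.user_principal_name
  display_name          = each.value.display_name
  password              = random_password.initial[each.key].result
  force_password_change = true # rotated by the user at first sign-in
}

# Groups are created from the same set of keys the users reference.
resource "azuread_group" "groups" {
  for_each = toset(["admin", "tester"])

  display_name     = "${title(each.key)}-Group" # Admin-Group, Tester-Group
  security_enabled = true
}

# Membership follows from the data: adding a user needs no new resource block.
resource "azuread_group_member" "membership" {
  for_each = var.users

  group_object_id  = azuread_group.groups[each.value.group].object_id
  member_object_id = azuread_user.users[each.key].object_id
}

# The generated passwords still live in the Terraform state; marking the
# output sensitive keeps them out of plan and apply logs.
output "initial_passwords" {
  value     = { for k, p in random_password.initial : k => p.result }
  sensitive = true
}
```

The validation block rejects a user whose group key has no matching azuread_group before any API call is made. Note the caveat in the last comment: generated passwords are stored in state, so the state backend (Terraform Cloud in the later posts on this page) must itself be access-controlled.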

🎯 WHAT CHANGED

✔ user1 → Admin Group
✔ user2 → Tester Group
✔ RBAC roles aligned:

  • Admin → Contributor-like access
  • Tester → Read-only access

🎯 Final Outcome

With a single Terraform file, we achieve:

✔ Identity management (Azure AD)
✔ Access control (RBAC)
✔ Resource deployment
✔ Governance enforcement (Azure Policy)


💡 Conclusion

This setup reflects a real-world enterprise model where:

  • Access is controlled via groups
  • Permissions follow least privilege
  • Policies enforce compliance

Using Terraform ensures everything is automated, consistent, and reusable.

Wednesday, April 15, 2026

Easy to Install and Use Grafana on Windows – Step-by-Step Beginner to Advanced DevOps Tutorial 2026

WHY MOST PEOPLE STRUGGLE WITH GRAFANA

Most IT professionals struggle when they first hear about Grafana.

They think:

  • “Is it too complex?”
  • “Do I need Linux for this?”
  • “Why is dashboard setup confusing?”

Here’s the truth:

👉 Grafana is NOT hard.
👉 Installation is NOT complex.
👉 The real issue is lack of guided steps.

If you’re working in DevOps, Cloud, or System Monitoring, learning Grafana is no longer optional.

It’s a must-have skill in 2026+ IT careers.


🌐 2. INDUSTRY INSIGHTS & WHY GRAFANA MATTERS

Modern systems run on:

  • Microservices
  • Cloud infrastructure
  • Distributed systems

That means:

👉 You cannot manually monitor everything anymore.

Tools like Grafana help visualize:

  • CPU usage
  • Memory consumption
  • API latency
  • Cloud metrics

Combined with Prometheus, it becomes a powerful observability stack.

📊 Industry Trends:

  • 85% of DevOps teams use monitoring dashboards
  • Observability is a top DevOps skill
  • Companies are shifting from logs → metrics → visualization

📘 3. WHAT IS GRAFANA?

Grafana is an open-source analytics & monitoring platform used to:

  • Visualize metrics
  • Build dashboards
  • Monitor infrastructure
  • Track application performance

👉 It connects to multiple data sources:

  • Prometheus
  • MySQL
  • AWS CloudWatch
  • Azure Monitor

💻 4. STEP-BY-STEP: INSTALL GRAFANA ON WINDOWS

✅ STEP 1: Download Grafana

Download from official site:

  • Grafana OSS Windows Installer

✅ STEP 2: Install Setup

  • Run installer (.msi file)
  • Click Next → Install → Finish

👉 Grafana installs as a Windows service


 


✅ STEP 3: Start Grafana

Open browser:

http://localhost:3000

Login:

  • Username: admin
  • Password: admin (change after login)

✅ STEP 4: First Login Dashboard

You’ll see:

  • Home screen
  • Data sources
  • Dashboards
  • Explore section

🔗 5. CONNECT DATA SOURCES

Example: Prometheus

Go to:

  • Settings → Data Sources → Add Data Source

Select:

  • Prometheus

URL:

http://localhost:9090

Save & Test ✔️


๐Ÿ“Š 6. CREATE YOUR FIRST DASHBOARD

Steps:

  1. Click “New Dashboard”
  2. Add Panel
  3. Select Data Source
  4. Write query: up
  5. Save dashboard

🛠️ 7. TOOLS USED WITH GRAFANA

  • Grafana
  • Prometheus
  • Amazon Web Services
  • Kubernetes
  • Docker
  • Terraform

📊 8. GRAFANA VS OTHER TOOLS

Feature             Grafana     CloudWatch
Visualization       Advanced    Basic
Custom Dashboards   Yes         Limited
Open Source         Yes         No

🚀 9. BENEFITS OF LEARNING GRAFANA

  • Real-time monitoring
  • Better debugging
  • Cloud observability
  • DevOps automation
  • System performance tracking

👉 You don’t just “monitor systems”
👉 You understand infrastructure behavior


⚠️ 10. COMMON MISTAKES

❌ Not configuring data sources correctly
❌ Ignoring authentication settings
❌ Using wrong queries
❌ Not setting alerts
❌ Skipping dashboard organization


🏢 11. REAL-WORLD CASE STUDY

A fintech company used Grafana to monitor:

  • Transaction latency
  • API failures
  • Server load

Before:

  • Manual monitoring
  • Delayed response

After Grafana:

  • Real-time alerts
  • 60% faster issue detection
  • Reduced downtime

🧪 12. STEP-BY-STEP ADVANCED WORKFLOW

  • Install Grafana
  • Connect Prometheus
  • Add AWS CloudWatch
  • Build multi-panel dashboards
  • Configure alerts
  • Export dashboards as JSON

💼 13. CORPORATE ANGLE

Companies use Grafana for:

  • Infrastructure monitoring
  • Application performance tracking
  • SLA compliance
  • Incident response

👉 This reduces downtime = saves millions


📈 14. CAREER GROWTH

Roles:

  • DevOps Engineer
  • SRE Engineer
  • Cloud Engineer
  • Monitoring Specialist

Salary Range:

  • ₹6 LPA → ₹35 LPA (India)
  • $90K → $150K globally

👉 Grafana is a high-demand DevOps skill


🔮 15. FUTURE TRENDS (2026+)

  • AI-powered monitoring dashboards
  • Auto-healing infrastructure
  • Predictive alerts
  • Full-stack observability platforms

👉 Grafana will evolve into AI-driven observability


🎯 16. CTA – EDUARN LEARNING PATH

Want to master DevOps tools like Grafana?

👉 Visit: https://eduarn.com

At Eduarn.com you can learn:

  • DevOps Engineering
  • Cloud Computing (AWS, Azure)
  • Terraform & Kubernetes
  • AI-powered automation

🏢 Corporate training available
🎓 Job-ready skill programs


❓ 5 FAQs

1. What is Grafana used for?

Monitoring and visualizing system metrics.

2. Can I install Grafana on Windows?

Yes, it supports Windows natively.

3. Do I need Prometheus for Grafana?

Not mandatory, but commonly used together.

4. Is Grafana free?

Yes, open-source version is free.

5. Is Grafana useful for DevOps?

Absolutely, it’s a core DevOps monitoring tool.


🔍 10 HIGH-RANKING KEYWORDS

  • install Grafana on Windows
  • Grafana tutorial step by step
  • DevOps monitoring tools Grafana
  • Grafana dashboard setup guide
  • Prometheus Grafana integration
  • Grafana beginner tutorial
  • observability tools DevOps
  • Grafana real world use case
  • learn Grafana online
  • Grafana for DevOps engineers

 

Eduarn.com focuses on bridging the gap between academic learning and real industry requirements, making learners job-ready with practical experience rather than just theory.


🎯 Call to Action

If you're aiming to build a career in DevOps, Cloud, or AI, Eduarn.com is designed to guide you from basics to advanced real-world skills.

👉 Explore more or enroll: Eduarn.com

 


What are Terraform Cloud Variables?

 

In Terraform Cloud, variables are used to:

👉 Pass dynamic values to your Terraform code
👉 Avoid hardcoding sensitive or environment-specific data


🧠 Simple Definition

👉 Variables = Inputs to your Terraform code

Example:

  • Region
  • VM name
  • Credentials

🎯 Why Use Variables?

Without variables:

region = "eastus"

👉 Hardcoded ❌

With variables:

region = var.region

👉 Flexible ✅


🧩 Types of Variables in Terraform Cloud

1️⃣ Terraform Variables

Used inside .tf code

Example:

variable "region" {
  type = string
}

2️⃣ Environment Variables

Used for:

  • Credentials
  • API keys

Example:

ARM_CLIENT_ID
ARM_CLIENT_SECRET

🔐 Sensitive Variables

👉 Used for secrets:

  • Passwords
  • Tokens

✔ Hidden in UI
✔ Not printed in logs


📍 Where to Define Variables in Terraform Cloud?

Go to:

👉 Workspace → Variables

You’ll see:

  • Terraform Variables
  • Environment Variables

🚀 Step-by-Step: Using Variables


🪜 Step 1: Define Variable in Code

variable "resource_group_name" {
  description = "Azure Resource Group"
  type        = string
}

🪜 Step 2: Use Variable

resource "azurerm_resource_group" "rg" {
  name     = var.resource_group_name
  location = "East US"
}

🪜 Step 3: Add Variable in Terraform Cloud

Go to:
👉 Workspace → Variables → Add Variable

Example:

  • Key: resource_group_name
  • Value: my-rg-demo

🪜 Step 4: Run Terraform

terraform apply

👉 Value comes from Terraform Cloud


☁️ Azure Example (Real Use Case)


Variables

variable "location" {}
variable "rg_name" {}

Resource

resource "azurerm_resource_group" "example" {
  name     = var.rg_name
  location = var.location
}

Terraform Cloud Values

Key        Value
rg_name    demo-rg
location   East US

🔐 Environment Variables Example (Azure Login)

For Microsoft Azure:

Set in Terraform Cloud:

ARM_CLIENT_ID
ARM_CLIENT_SECRET
ARM_SUBSCRIPTION_ID
ARM_TENANT_ID

👉 These are required for authentication


🧠 Variable Priority (Important)

When the same variable is set in more than one place, Terraform resolves it in this order (highest precedence first):

  1. CLI input
  2. .tfvars file
  3. Environment variables
  4. Terraform Cloud variables

📊 Terraform Variables vs Environment Variables

Feature    Terraform Variable    Environment Variable
Usage      Config values         Credentials
Visible    Yes                   Hidden
Example    region                API key

⚠️ Common Mistakes

❌ Hardcoding secrets
❌ Wrong variable names
❌ Not marking sensitive data


✅ Best Practices

✔ Use variables for flexibility
✔ Use environment variables for secrets
✔ Mark sensitive variables
✔ Use naming conventions
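To show the sensitive-variable and best-practice points in working configuration, here is an added example that is not from the original post. It assumes the db_admin_password variable is created in the Terraform Cloud workspace as a Terraform variable with the Sensitive option ticked, that the ARM_* environment variables listed above are set as environment variables in the same workspace, and that the SQL server name is a hypothetical demo value.

```hcl
# Added example (not from the original post). A sensitive input variable,
# credentials taken from environment variables, and the rule that any output
# derived from a sensitive value must itself be marked sensitive.
# Assumptions: db_admin_password is a sensitive Terraform Cloud workspace
# variable; the server name below is a hypothetical demo value.

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
  # ARM_CLIENT_ID / ARM_CLIENT_SECRET / ARM_SUBSCRIPTION_ID / ARM_TENANT_ID
  # are read from the environment, so no credential is written here.
}

variable "resource_group_name" {
  description = "Azure Resource Group"
  type        = string
}

variable "location" {
  type    = string
  default = "East US"
}

variable "db_admin_password" {
  description = "SQL administrator password; set as a sensitive workspace variable"
  type        = string
  sensitive   = true # hidden in the Terraform Cloud UI and redacted in plan/apply output

  validation {
    condition     = length(var.db_admin_password) >= 16
    error_message = "db_admin_password must be at least 16 characters."
  }
}

resource "azurerm_resource_group" "rg" {
  name     = var.resource_group_name
  location = var.location
}

resource "azurerm_mssql_server" "sql" {
  name                         = "sqlsrv-demo-hypothetical"
  resource_group_name          = azurerm_resource_group.rg.name
  location                     = azurerm_resource_group.rg.location
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = var.db_admin_password
}

# A non-sensitive output is fine to expose.
output "sql_server_fqdn" {
  value = azurerm_mssql_server.sql.fully_qualified_domain_name
}

# This output refers to a sensitive variable. Without `sensitive = true`,
# `terraform plan` fails with "Output refers to sensitive values".
output "sql_admin_password" {
  value     = var.db_admin_password
  sensitive = true
}
```

The validation block runs before any provider call, so a weak value set in the workspace is rejected at plan time. Marking a variable sensitive redacts it from UI and logs, but it is still written to the state file in clear text; in Terraform Cloud that state is encrypted at rest and access to it is what actually protects the secret.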


🧠 Easy Analogy

👉 Terraform code = Template
👉 Variables = Input values

Like:
👉 Form + User input


🎯 Final Summary

👉 Variables make Terraform reusable
👉 Terraform Cloud stores them securely
👉 Environment variables handle secrets

Tuesday, April 14, 2026

 

What is Terraform Cloud? Beginner’s Step-by-Step Guide to Configure & Use with CLI on Azure (2026 Edition), by EduArn.com & LMS



You’ve learned Terraform basics…

But when it comes to real-world DevOps projects, you hit a wall:

❌ Where do I store Terraform state?
❌ How do teams collaborate?
❌ How do I connect Terraform with Azure securely?
❌ Why does my local setup break in production?

👉 This is where Terraform Cloud changes everything.

Here’s the truth:

“Most beginners fail in Terraform not because of syntax… but because they don’t understand Terraform Cloud.”

In this guide, you’ll learn:

✅ What Terraform Cloud is
✅ How to connect CLI (local + Azure Cloud Shell)
✅ Real Azure use case
✅ Step-by-step implementation
✅ Career + business impact


🌐 2. Industry Insights & Trends (2026)

The demand for Infrastructure as Code (IaC) is exploding:

  • 80% of enterprises adopting IaC
  • Cloud spending crossing $1 trillion
  • DevOps engineers among highest-paid roles

Platforms like:

  • Microsoft Azure
  • Amazon Web Services

👉 Are heavily dependent on Terraform


📘 3. What is Terraform Cloud?

Terraform Cloud is a managed service by HashiCorp that allows you to:

👉 Run Terraform remotely
👉 Store state securely
👉 Collaborate with teams
👉 Automate infrastructure


🧠 Simple Definition

👉 Terraform Cloud = Remote execution + collaboration + state management


🆚 Terraform CLI vs Terraform Cloud

Feature         Terraform CLI    Terraform Cloud
Execution       Local            Remote
State           Local file       Secure cloud
Collaboration   Manual           Built-in
Security        Basic            Enterprise-grade

💻 4. How Terraform Cloud Works

Local CLI → Terraform Cloud → Azure Resources

👉 You write code locally
👉 Terraform Cloud executes
👉 Azure infrastructure gets created


☁️ 5. Real-World Azure Use Case

Imagine you are deploying:

  • Azure VM
  • Storage account
  • Networking

Instead of:

❌ Manual portal clicks

You use:

👉 Terraform + Terraform Cloud

Result:

✔ Automated
✔ Repeatable
✔ Scalable


🛠️ 6. Tools & Technologies

  • Terraform CLI
  • Terraform Cloud
  • Azure Cloud Shell
  • Azure Resource Manager
  • GitHub (optional)

📊 7. Benefits of Terraform Cloud

🚀 Key Advantages

  • Remote execution
  • Team collaboration
  • Secure state storage
  • Version control integration
  • Policy enforcement

⚠️ 8. Common Mistakes

❌ Using local state in production
❌ Hardcoding credentials
❌ Not using workspaces
❌ Wrong CLI configuration


🧪 9. Step-by-Step Guide (Hands-On)


🪜 Step 1: Create Terraform Cloud Account

  • Sign up
  • Create Organization
  • Create Workspace (CLI-driven)

🪜 Step 2: Generate API Token

Go to:
👉 User Settings → Tokens


🪜 Step 3: Login via CLI

terraform login

🪜 Step 4: Configure Terraform Cloud

terraform {
  cloud {
    organization = "eduarn-org"

    workspaces {
      name = "azure-demo"
    }
  }
}

🪜 Step 5: Azure Provider Setup

provider "azurerm" {
features {}
}

🪜 Step 6: Initialize

terraform init

🪜 Step 7: Plan & Apply

terraform plan
terraform apply

👉 Runs in Terraform Cloud


☁️ 10. Using with Azure Cloud Shell

Use:
👉 Azure Cloud Shell

Steps:

  • Open Azure Portal
  • Launch shell
  • Run Terraform commands

🏢 11. Corporate / Business Angle

Companies use Terraform Cloud to:

  • Reduce infrastructure cost
  • Improve deployment speed
  • Standardize environments

👉 ROI:

  • 70% faster deployments
  • 60% fewer errors

📈 12. Career Growth Angle

Roles:

  • DevOps Engineer
  • Cloud Architect
  • Platform Engineer

💰 Salary (India 2026):

  • ₹10L – ₹40L+

🔮 13. Future Trends (2026–2030)

  • AI-driven infrastructure
  • Self-healing systems
  • Platform engineering rise
  • Multi-cloud dominance

🎯 14. Strong Call-to-Action

If you want to master Terraform + Azure:

👉 Visit: https://eduarn.com

At Eduarn, we help you:

✔ Learn DevOps hands-on
✔ Work on real projects
✔ Get job-ready

👉 Enroll in DevOps & Cloud programs today
👉 Contact us for corporate training


❓ FAQs

1. What is Terraform Cloud used for?

To manage infrastructure remotely with collaboration and security.

2. Can I use Terraform Cloud with Azure?

Yes, it fully supports Azure deployments.

3. Is Terraform Cloud free?

Yes, for individuals and small teams.

4. What is CLI-driven workflow?

You run the Terraform commands locally, but the plan and apply execute in Terraform Cloud.

5. Do I need coding skills?

Basic Terraform knowledge is enough.


🔍 High-Ranking Keywords

  • Terraform Cloud
  • Terraform Azure
  • Terraform CLI
  • Infrastructure as Code
  • Azure Terraform tutorial
  • Terraform remote state
  • DevOps Terraform guide
  • Terraform Cloud setup
  • Learn Terraform online
  • Terraform Cloud Azure


 

What is Google IAM

 

What is Google IAM?

Google Cloud Platform IAM (Identity and Access Management) is a service that helps you:

👉 Control who can access your cloud resources and what they can do


🧠 Simple Definition (Easy to Remember)

👉 IAM = Who + What + Where

  • Who → User / Service
  • What → Permissions (read, write, delete)
  • Where → Resource (VM, storage, database)

🎯 Why IAM is Important

Without IAM:

  • Anyone could access your resources ❌

With IAM:

  • Secure access control ✅
  • Limited permissions ✅
  • Better management ✅

🧩 Core Components

1️⃣ Members (Who)

  • User (email)
  • Group
  • Service Account (used by apps)

2️⃣ Roles (What they can do)

Types:

  • Viewer (read only)
  • Editor (modify)
  • Owner (full access)

3️⃣ Resources (Where)

  • Project
  • VM
  • Storage bucket

🔗 How IAM Works

👉 Member → Role → Resource

Example:

user@gmail.com → Viewer → Project

🚀 Step-by-Step: How to Use IAM

Step 1: Open IAM

  1. Go to Google Cloud Console
  2. Navigate:
    👉 IAM & Admin → IAM

Step 2: Add a User

  1. Click Grant Access
  2. Enter email (user)
  3. Select role (e.g., Viewer)
  4. Click Save

Step 3: Assign Role

Choose based on need:

  • Viewer → read only
  • Editor → edit resources
  • Admin → full control

Step 4: Create Service Account (for apps)

  1. Go to:
    👉 IAM & Admin → Service Accounts
  2. Click Create Service Account
  3. Assign role
  4. Save

Step 5: Test Access

  • Login as user
  • Check what they can access

🧠 Real-Life Example

Scenario:

You have:

  • Developer
  • Manager

Setup:

  • Developer → Editor
  • Manager → Viewer

👉 Developer can make changes
👉 Manager can only view


⚠️ Best Practices

✔ Give minimum access (least privilege)
✔ Avoid giving “Owner” role
✔ Use service accounts for apps
✔ Regularly review access


🧠 Easy Analogy

👉 IAM is like a building security system:

  • Members = People
  • Roles = Access cards
  • Resources = Rooms

✅ One-Line Summary

👉 Google IAM controls who can access what resources and what actions they can perform in the cloud.

 

🔐 Required Permission (Simple Answer)

👉 The key permission is:

resourcemanager.projects.setIamPolicy

This allows a user to:

  • Add users
  • Remove users
  • Change roles

🎯 Recommended Roles

✅ 1. Project IAM Admin (Best Practice)

Role:
👉 roles/resourcemanager.projectIamAdmin

✔ Can:

  • Add/remove users
  • Assign roles
  • Manage IAM policies

❌ Cannot:

  • Modify billing
  • Access all resources like Owner

👉 This is the most recommended role


⚠️ 2. Owner (Full Access)

Role:
👉 roles/owner

✔ Can:

  • Do everything (including IAM)

❌ Risk:

  • Too much access (not recommended for security)

🛑 3. Editor / Viewer

  • Editor ❌ cannot manage IAM
  • Viewer ❌ read-only

🧠 Simple Explanation

👉 To create users, a person must have:
permission to change IAM policies


🏢 Real-World Recommendation

Use:

👉 Project IAM Admin

Because:

  • Secure
  • Limited access
  • Follows best practices

📌 Example

If you assign:

user1@gmail.com → Project IAM Admin

👉 That user can:

  • Add new users
  • Assign roles
  • Manage access

⚠️ Important Security Tip

✔ Always follow least privilege principle
✔ Avoid giving Owner role unless necessary


✅ One-Line Answer

👉 To allow a user to create/manage other users, assign the Project IAM Admin role (roles/resourcemanager.projectIamAdmin).
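The Member → Role → Resource model from the "How IAM Works" section, the Developer/Manager scenario and the Project IAM Admin recommendation above can all be expressed as code. This is an added example, not from the original post: it uses Terraform's google provider to grant each binding. The project ID, e-mail addresses and service account name are placeholders.

```hcl
# Added example (not from the original post). Grants the roles discussed in
# the text with the additive google_project_iam_member resource.
# Assumptions: project ID, e-mail addresses and service account name are
# hypothetical placeholders; the hashicorp/google provider is configured
# with credentials from the environment.

terraform {
  required_providers {
    google = { source = "hashicorp/google" }
  }
}

provider "google" {
  project = "demo-project-id-placeholder"
}

locals {
  project = "demo-project-id-placeholder"

  # Who -> What; the project is the Where.
  bindings = {
    developer = { member = "user:developer@example.com", role = "roles/editor" }
    manager   = { member = "user:manager@example.com",   role = "roles/viewer" }
    iam_admin = { member = "user:user1@example.com",     role = "roles/resourcemanager.projectIamAdmin" }
  }
}

# google_project_iam_member is non-authoritative: it adds one binding and
# leaves the rest of the policy untouched. google_project_iam_policy, by
# contrast, replaces the entire policy and can remove your own access.
resource "google_project_iam_member" "bindings" {
  for_each = local.bindings

  project = local.project
  role    = each.value.role
  member  = each.value.member

  # roles/owner must not be granted through this configuration.
  lifecycle {
    precondition {
      condition     = each.value.role != "roles/owner"
      error_message = "roles/owner is not allowed here; use a narrower role."
    }
  }
}

# An application gets its own service account with a narrow role, instead
# of borrowing a user's identity.
resource "google_service_account" "app" {
  account_id   = "demo-app-sa"
  display_name = "Demo application"
}

resource "google_project_iam_member" "app_viewer" {
  project = local.project
  role    = "roles/viewer"
  member  = "serviceAccount:${google_service_account.app.email}"
}
```

The precondition fails the plan if anyone adds an owner grant to the bindings map, which enforces the "avoid giving Owner" advice mechanically rather than by review. The user1 binding is exactly the one-line answer above: that identity can add and remove members and change roles, but cannot modify billing or act as Owner.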
