Providers & Authentication
Imagine your Lego city expanding into different countries. Each country has its own rules, language, and entry visa. To build there, you need the right passport and permissions.
In Terraform, these passports are provider configurations and authentication methods. This chapter explains how to configure multiple providers (AWS, Azure, GCP) in a single project and authenticate securely to each cloud.
Key Concepts
1. Provider Blocks
- Each cloud provider requires a provider block in Terraform.
- Terraform downloads provider plugins during terraform init.
provider "aws" {
  region = "us-east-1"
}
provider "azurerm" {
  features {}
}
provider "google" {
  project = "my-gcp-project"
  region  = "us-central1"
}
2. Authentication Methods
AWS
- Shared Credentials File: ~/.aws/credentials.
- IAM Roles: Best practice for production.
Environment Variables:
export AWS_ACCESS_KEY_ID="your_access_key"
export AWS_SECRET_ACCESS_KEY="your_secret_key"
Azure
- Store client ID, secret, tenant ID, subscription ID in environment variables.
Service Principal Authentication:
az ad sp create-for-rbac --name terraform-sp --role Contributor \
  --scopes /subscriptions/<SUBSCRIPTION_ID>
GCP
- Keys generated in GCP Console → IAM → Service Accounts.
Service Account Key File:
provider "google" {
  credentials = file("account.json")
  project     = "my-gcp-project"
  region      = "us-central1"
}
3. Secure Credential Management
- Never hardcode credentials in Terraform code.
- Use:
  - Environment variables.
  - Secret managers (Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager).
  - Terraform Cloud variable sets.
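A pre-commit style check for the "never hardcode credentials" rule, as an added example that is not part of the original page: it scans Terraform text for provider blocks and flags literal values or key-file references in secret-bearing arguments. The function name, reason labels and sample input are constructed for illustration; the argument names are real arguments of the aws, azurerm and google providers.

```python
import re

# Secret-bearing arguments of the aws, azurerm and google providers.
SECRET_ARGS = {
    "aws": {"access_key", "secret_key", "token"},
    "azurerm": {"client_secret", "client_certificate_password"},
    "google": {"credentials", "access_token"},
}
PROVIDER_RE = re.compile(r'^\s*provider\s+"(\w+)"\s*\{')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')

def find_hardcoded_secrets(tf_text):
    """Return (line_no, provider, argument, reason) for top-level provider arguments."""
    findings, provider, depth = [], None, 0
    for no, line in enumerate(tf_text.splitlines(), 1):
        if provider is None:
            m = PROVIDER_RE.match(line)
            if not m:
                continue  # outside any provider block
            provider = m.group(1)
        else:
            a = ASSIGN_RE.match(line)
            if a and depth == 1 and a.group(1) in SECRET_ARGS.get(provider, ()):
                value = a.group(2)
                if value.startswith('"') and "${" not in value:
                    findings.append((no, provider, a.group(1), "hardcoded literal"))
                elif value.startswith("file("):
                    findings.append((no, provider, a.group(1), "static key file"))
        depth += line.count("{") - line.count("}")  # track nested blocks
        if depth <= 0:
            provider, depth = None, 0
    return findings

# Constructed sample input; none of these values are real credentials.
SAMPLE_TF = '''
provider "aws" {
  access_key = "AKIAEXAMPLEONLY00000"
  secret_key = var.aws_secret_key
}
provider "azurerm" {
  features {}
  client_secret = "constructed-not-a-real-secret"
}
provider "google" {
  credentials = file("account.json")
}
'''
if __name__ == "__main__":
    print(*find_hardcoded_secrets(SAMPLE_TF), sep="\n")
```

Values supplied through variables or interpolation are not flagged; heredoc values and braces inside comments are outside what this line-based check handles.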
4. Common Pitfalls
- Expired tokens → pipeline failures.
- Wrong region/project → resources deployed in unexpected places.
- Missing IAM permissions → Terraform errors during apply.
Hands‑On Lab / Demo
Lab: Multi‑Cloud Authentication Setup
- Configure AWS provider with environment variables.
- Create Azure service principal and export credentials.
- Generate GCP service account key and reference in provider block.
- Run terraform init → verify all providers are initialized.
- Run terraform plan → confirm resources across AWS, Azure, and GCP are included.
Pro Tips & Best Practices
- Use IAM roles/service principals/service accounts instead of static keys.
- Rotate credentials regularly.
- Store secrets in a centralized secret manager.
- Use Terraform Cloud for secure variable management.
- Document provider setup for team onboarding.
Summary & Cheatsheet
- Provider blocks = Passports to each cloud.
- Authentication:
  - AWS → IAM roles, env vars.
  - Azure → Service principals.
  - GCP → Service accounts.
- Best practice: Never hardcode credentials, use secret managers.
Quick mnemonic: Provider = Passport, Auth = Visa
The Hackers Notebook
Provider configuration and authentication are the entry gates to multi‑cloud deployments. By setting up AWS, Azure, and GCP providers securely, you ensure Terraform can orchestrate resources across clouds without risk.

Updated on Dec 31, 2025