Azure Event Grid Setup Guide

This guide will help you set up Azure Event Grid for blob storage events using Terraform Infrastructure as Code.

Prerequisites

• Azure Subscription

• Azure CLI installed

• Terminal/Command Line access

• Owner or Contributor role in the Azure subscription

Step 1: Install Required Tools

1.1 Install Azure CLI

Check if already installed:

az --version

For macOS:

brew update && brew install azure-cli

For Linux:

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

For Windows: Download from: https://aka.ms/installazurecliwindows

1.2 Install Terraform

For macOS:

For Linux:

For Windows: Download from: https://www.terraform.io/downloads

Verify installation:

Step 2: Authenticate with Azure

2.1 Login to Azure

This will open your browser for authentication.

2.2 Set Your Subscription

List available subscriptions:

Set the subscription you want to use:

2.3 Verify Current Subscription

Step 3: Create Terraform Configuration Files

3.1 Create Project Directory

3.2 Create Main Terraform Configuration

Create a file named main.tf with the following content:

3.3 Create Variables File

Create a file named terraform.tfvars with your values:

Option A: Subscription-Level Permissions (Recommended)

Option B: Resource Group-Level Permissions (More Restrictive)

Option C: Full Customization

Replace values with your actual Azure details.

Step 4: Deploy Infrastructure

4.1 Initialize Terraform

Expected output:

4.2 Preview Changes

This shows what will be created. Review carefully.

4.3 Apply Configuration

Type yes when prompted.

Deployment takes 1-2 minutes.

4.4 View Outputs

After successful deployment, you'll see outputs like:

Save these outputs for later use!

Step 5: Retrieve Client Secret

5.1 View Client Secret

This will display the client secret value.

5.2 View Complete Credentials

The credentials are automatically saved to azure-credentials.json:

Output:

Important: Keep this file secure and never commit it to version control!

Step 6: Verify Resources in Azure Portal

6.1 Verify Application Registration

1. Go to Azure Portal

2. Search for Azure Active Directory (or Microsoft Entra ID)

3. Click App registrations

4. You should see: event-subscription-service

5. Click on it to view details

6.2 Verify Service Principal

1. In Azure AD, click Enterprise applications

2. Change filter to All applications

3. Search for: event-subscription-service

4. You should see the service principal

6.3 Verify Role Assignment

For Subscription-Level:

1. Search for Subscriptions

2. Click on your subscription

3. Click Access control (IAM)

4. Click Role assignments tab

5. Search for your application name

6. You should see: EventGrid EventSubscription Contributor role

For Resource Group-Level:

1. Search for Resource groups

2. Click on your resource group

3. Follow steps 3-6 above

6.4 Verify Client Secret

1. In your app registration, click Certificates & secrets

2. You should see one client secret with description "Terraform managed secret"

3. Note the expiration date

Step 7: Configuration Summary

After completing all steps, you have:

Step 8: Using the Service Principal

Now you can use the service principal credentials in your application.

Example: Create Event Grid Subscription

Customization Options

Available Variables

Example Custom Configurations

Production Environment:

Development Environment:

Troubleshooting

Error: "Insufficient privileges"

Cause: Your user account doesn't have permissions to create app registrations.

Solution:

• Ensure you have Application Administrator or Global Administrator role in Azure AD

• Or ask your Azure AD admin to create the app registration for you

Error: "Role assignment already exists"

Cause: The service principal already has the role assigned.

Solution: This is usually safe to ignore. If deployment fails:

Error: "Application already exists"

Cause: An app with the same name already exists.

Solution: Either:

1. Use a different application_name in terraform.tfvars

2. Delete the existing app via Azure Portal

3. Import the existing app:

Error: "Subscription not found"

Cause: The subscription ID is incorrect or you don't have access.

Solution:

Error: "Resource group not found"

Cause: The resource group specified in resource_group_scope doesn't exist.

Solution:

• Verify the resource group name is correct

• Create the resource group first, or

• Use subscription-level permissions by leaving resource_group_scope empty

Managing Your Infrastructure

View Current State

Update Configuration

1. Edit terraform.tfvars with new values

2. Run:

Rotate Client Secret

To create a new client secret:

1. Update expiration in terraform.tfvars (this forces recreation):

1. Apply changes:

This will create a new secret and revoke the old one.

Destroy All Resources

Warning: This will delete all created resources!

Type yes when prompted.

What gets deleted:

• Azure AD Application

• Service Principal

• Client Secret

• Role Assignment

• Local credentials file

Security Best Practices

1. Client Secret Management

DO:

• Store secrets in Azure Key Vault for production

• Rotate secrets every 12-24 months

• Use managed identities when possible

• Set expiration dates on all secrets

DON'T:

• Commit secrets to version control (add *.json to .gitignore)

• Share secrets via email or chat

• Use the same secret across multiple environments

• Set secrets to never expire

2. Principle of Least Privilege

DO:

• Use resource group-level permissions when possible

• Create separate service principals for different environments

• Regularly audit role assignments

• Remove unused service principals

DON'T:

• Grant subscription-level permissions unless necessary

• Use Owner or Contributor roles when specific roles exist

• Share service principals across applications

3. Terraform State Management

DO:

• Store Terraform state in Azure Storage Account with encryption

• Enable state locking

• Restrict access to state files

• Use separate state files for different environments

DON'T:

• Commit terraform.tfstate to version control

• Share state files publicly

• Skip state backups

Example: Remote State Configuration

Add to your main.tf:

4. Monitoring and Alerting

DO:

• Enable Azure AD sign-in logs

• Monitor service principal usage

• Set up alerts for unusual activity

• Review audit logs regularly

Cost Optimization

Terraform Resources Cost

Ongoing Costs (when using Event Grid)

Comparison: Manual vs Terraform Approach

Next Steps

After completing this setup, you can:

1. Create Storage Accounts for your event sources

2. Configure Event Grid Subscriptions using the service principal

3. Set up Webhooks to receive events

4. Integrate with your application using the credentials

Additional Resources

• Terraform Azure Provider Documentation

• Terraform Azure AD Provider Documentation

• Azure Event Grid Documentation

• Service Principal Best Practices

• Azure Storage Events Schema

Appendix A: Quick Reference Commands

Appendix B: Terraform State Files

After running Terraform, you'll have these files:

Recommended .gitignore:

Appendix C: Using Azure Key Vault for Secrets

For production environments, store credentials in Azure Key Vault:

Retrieve from Key Vault:

Last Updated: October 2025 Version: 1.0 Author: Azure Event Grid Setup Team