Azure
The Azure plugin enables formae to manage Azure resources using the Azure Resource Manager APIs.
Configuration
Target
Configure an Azure target in your Forma file:
```pkl
import "@formae/formae.pkl"
import "@azure/azure.pkl"

target: formae.Target = new formae.Target {
  label = "my-azure-target"
  config = new azure.Config {
    subscriptionId = "your-subscription-id"
  }
}
```
The subscription ID can also be read from an environment variable:
```pkl
config = new azure.Config {
  subscriptionId = read?("env:AZURE_SUBSCRIPTION_ID") ?? "default-subscription-id"
}
```
Credentials
The plugin uses DefaultAzureCredential which tries the following methods in order:
- Environment Variables:

  ```bash
  export AZURE_CLIENT_ID="your-client-id"
  export AZURE_CLIENT_SECRET="your-client-secret"
  export AZURE_TENANT_ID="your-tenant-id"
  ```

- Managed Identity: When running on Azure (VMs, App Service, Functions, etc.), credentials are automatically retrieved from the managed identity.

- Azure CLI:

  ```bash
  az login
  ```

OIDC (for CI/CD):
For GitHub Actions, use azure/login action with OIDC federation.
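
A preflight check to run before `formae apply`, as an added example that is not part of formae or its Azure plugin: it reports which of the credential methods listed above the environment selects first, and fails when `AZURE_SUBSCRIPTION_ID` is missing so that the `"default-subscription-id"` fallback from the configuration snippet is never used silently. The function names are hypothetical, and the GUID shape test on the subscription ID is an assumption about its format.

```shell
#!/bin/sh
# Added example (not part of formae): preflight for the variables documented above.

# Echo which documented credential method the environment selects first:
#   environment            all three credential variables are set
#   environment-incomplete only some of them are set (usually a mistake)
#   later-methods          none set; managed identity, then Azure CLI, are tried
azure_cred_source() {
    count=0
    for value in "${AZURE_CLIENT_ID:-}" "${AZURE_CLIENT_SECRET:-}" "${AZURE_TENANT_ID:-}"; do
        if [ -n "$value" ]; then count=$((count + 1)); fi
    done
    case "$count" in
        3) echo environment ;;
        0) echo later-methods ;;
        *) echo environment-incomplete ;;
    esac
}

# Succeed only if AZURE_SUBSCRIPTION_ID is set and GUID-shaped (assumed format),
# so the Pkl fallback value "default-subscription-id" is never what gets applied.
subscription_id_ok() {
    printf '%s\n' "${AZURE_SUBSCRIPTION_ID:-}" |
        grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Return 0 when it is safe to proceed, 1 otherwise; findings go to stderr.
formae_azure_preflight() {
    rc=0
    if ! subscription_id_ok; then
        echo "AZURE_SUBSCRIPTION_ID is unset or not a GUID" >&2
        rc=1
    fi
    case "$(azure_cred_source)" in
        environment-incomplete)
            echo "set all of AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, or none" >&2
            rc=1 ;;
        environment)
            echo "note: the client secret is tried before managed identity and Azure CLI" >&2 ;;
    esac
    return "$rc"
}
```

Source the file and run `formae_azure_preflight` in the same shell that will invoke formae, since it inspects that shell's environment.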
Examples
Examples are bundled with formae at /opt/pel/formae/examples/formae-plugin-azure/.
Before running any example, resolve the Pkl dependencies:
```bash
pkl project resolve /opt/pel/formae/examples/formae-plugin-azure
```
Available examples:
| Example | Description |
|---|---|
| networking | VNet and subnet setup |
| kubernetes | AKS cluster with ACR |
| database | PostgreSQL flexible server |
| virtual-machine | VM with networking |
| subscription-bootstrap | Resource group, managed identities, and RBAC |

```bash
# Evaluate an example
formae eval /opt/pel/formae/examples/formae-plugin-azure/subscription-bootstrap/main.pkl

# Apply resources
formae apply --mode reconcile --watch /opt/pel/formae/examples/formae-plugin-azure/subscription-bootstrap/main.pkl
```
Supported Resources
| Type | Discoverable | Extractable | Comment |
|---|---|---|---|
| Azure::Authorization::RoleAssignment | ✅ | ✅ | |
| Azure::Compute::VirtualMachine | ✅ | ✅ | |
| Azure::ContainerRegistry::Registry | ✅ | ✅ | |
| Azure::ContainerService::ManagedCluster | ✅ | ✅ | |
| Azure::DBforPostgreSQL::FirewallRule | ✅ | ✅ | |
| Azure::DBforPostgreSQL::FlexibleServer | ✅ | ✅ | |
| Azure::KeyVault::Vault | ✅ | ✅ | |
| Azure::ManagedIdentity::UserAssignedIdentity | ✅ | ✅ | |
| Azure::Network::NetworkInterface | ✅ | ✅ | |
| Azure::Network::NetworkSecurityGroup | ✅ | ✅ | |
| Azure::Network::PublicIPAddress | ✅ | ✅ | |
| Azure::Network::Subnet | ✅ | ✅ | |
| Azure::Network::VirtualNetwork | ✅ | ✅ | |
| Azure::Resources::ResourceGroup | ✅ | ✅ | |
| Azure::Storage::StorageAccount | ✅ | ✅ | |