27/02/2026

GetToTheCloud

Terraform | Azure Virtual Desktop

Alex ter Neuzen014 mins
Header terraform avd
Reading Time: 5 minutes

In Azure | Deploy Azure Virtual Desktop – GetToTheCloud, we have setup Azure Virtual Desktop with PowerShell and the GUI. Repeating this every time for different customers can be a bit boring. The main focus of an admin is: “If we can automate it, we will”. At least that should be, because repeating once is fine but repeating twice is just being stupid.

To automate this, there a few options.

  • PowerShell
    Using PowerShell will make you depending on modules and the code is not efficient like you want to be
  • Azure Bicep
    Using Azure Bicep is an option. The approach is the same but it is only used on Microsoft Azure
  • Terraform
    Using Terraform will give you the ability to maybe later rebuild it to for example to Google Cloud or AliBaba Cloud (yes AliBaba Cloud).

In this blogpost we will use Terraform.

Requirements

First you need to install Terraform. Second you need to create an App Registration with some permissions.
Login to https://portal.azure.com and browse to Azure Active Directory / App Registrations. Once there click on New registration and fill in the form with a name and register the application. Once created the app registration browse to the certificates & secrets tab in the app registration. Create a new client secret and write down, we will need this later on.

Now browse to subscriptions

Select your subscription and click Access control (IAM). Select Add to add permissions.

Select Privileged administrator roles and click Role

Select Contributor and click Members

Select Select Members and search for you app registration which you created at the first step. In this case I named the app Terraform deployer.

Now we have given permissions to the app on subscription level, we need to write down some information:

  • subscriptionId
  • applicationId (clientId)
  • tenantId
  • clientsecret

Security group for users that will connect

Create a User group for Users that will be able to sign in to the Azure Virtual Desktop
Browse to Azure Active Directory groups and create a new group and add the users

Resource group

Of course it is possible to create a resource group with Terraform. But in this example we create it manually in Microsoft Azure.
Browse to Resource groups – Microsoft Azure and click Create and assign the correct location for the resource group. After creation you need to apply some permissions to the resource group.

Permissions

You need to assign the just created group permissions to login to the Virtual Machines that will be created. Because there is a possibility that you create a large amount of machines, we are setting the permissions for the group on the Resource group.

Browse to the Resource group and select Access control (IAM), click Add and choose for Add role assignment

Select the assignment type: Job function roles

Search for Virtual Machine User Login and select that role

Add the group created before with the users that must connect to the Azure Virtual Desktop and click review + assign

Terraform files

To keep things clear, we create multiple terraform files:

  • providers.tf
    Will hold the azure app registration information
  • deploy.tf
    Will deploy the virtual network and avd hostpool, workspace and application group
  • results.tf
    Will display the results of variables
  • variables.tf
    The only file that needs to be edited
providers.tf

This file will hold the app registration information. This will be different for each environment and is not necessary needed to be called providers.tf. It can have also the name of your environment so you can reuse it.

provider "azurerm" {
  subscription_id = "your_subscription_id"
  client_id       = "your_client_id"
  client_secret   = "your_client_secret"
  tenant_id       = "your_tenant_id"
  features {}
}
deploy.tf

This file will hold the Azure Virtual Desktop resources that needs to be created.

# Create AVD workspace
resource "azurerm_virtual_desktop_workspace" "workspace" {
  name                = var.workspace
  resource_group_name = var.rg_name
  location            = var.resource_group_location
  friendly_name       = "${var.prefix} Workspace"
  description         = "${var.prefix} Workspace"
}

# Create AVD host pool
resource "azurerm_virtual_desktop_host_pool" "hostpool" {
  resource_group_name      = var.rg_name
  location                 = var.resource_group_location
  name                     = var.hostpool
  friendly_name            = var.hostpool
  validate_environment     = true
  custom_rdp_properties    = "targetisaadjoined:i:1;audiocapturemode:i:1;audiomode:i:0;"
  description              = "${var.prefix} HostPool"
  type                     = "Pooled"
  maximum_sessions_allowed = 16
  load_balancer_type       = "DepthFirst" #[BreadthFirst DepthFirst]
}

resource "azurerm_virtual_desktop_host_pool_registration_info" "registrationinfo" {
  hostpool_id     = azurerm_virtual_desktop_host_pool.hostpool.id
  expiration_date = var.rfc3339
}

# Create AVD DAG
resource "azurerm_virtual_desktop_application_group" "dag" {
  resource_group_name = var.rg_name
  host_pool_id        = azurerm_virtual_desktop_host_pool.hostpool.id
  location            = var.resource_group_location
  type                = "Desktop"
  name                = "${var.prefix}-dag"
  friendly_name       = "Desktop AppGroup"
  description         = "AVD application group"
  depends_on          = [azurerm_virtual_desktop_host_pool.hostpool, azurerm_virtual_desktop_workspace.workspace]
}

# Associate Workspace and DAG
resource "azurerm_virtual_desktop_workspace_application_group_association" "ws-dag" {
  application_group_id = azurerm_virtual_desktop_application_group.dag.id
  workspace_id         = azurerm_virtual_desktop_workspace.workspace.id
}
results.tf

At the end of the execution will these lines be printed in the console to confirm the information from the variables

output "azure_virtual_desktop_compute_resource_group" {
  description = "Name of the Resource group in which to deploy session host"
  value       = var.rg_name
}

output "azure_virtual_desktop_host_pool" {
  description = "Name of the Azure Virtual Desktop host pool"
  value       = azurerm_virtual_desktop_host_pool.hostpool.name
}

output "azurerm_virtual_desktop_application_group" {
  description = "Name of the Azure Virtual Desktop DAG"
  value       = azurerm_virtual_desktop_application_group.dag.name
}

output "azurerm_virtual_desktop_workspace" {
  description = "Name of the Azure Virtual Desktop workspace"
  value       = azurerm_virtual_desktop_workspace.workspace.name
}

output "location" {
  description = "The Azure region"
  value       = var.resource_group_location
}
variables.tf

Maybe the most important file. The variables, the settings, the only file that needs to be edited, beside providers.tf, to deploy in the environment

variable "resource_group_location" {
default     = "westeurope"
description = "Location of the resource group."
}

variable "rg_name" {
type        = string
default     = "CHANGE TO YOUR OWN RESOURCE GROUP NAME" # Change with your own value which you created at the first stap
description = "Name of the Resource group in which to deploy service objects"
}

variable "workspace" {
type        = string
description = "Name of the Azure Virtual Desktop workspace"
default     = "AVD-Workspace"
}

variable "hostpool" {
type        = string
description = "Name of the Azure Virtual Desktop host pool"
default     = "AVD-Hostpool"
}

variable "rfc3339" {
type        = string
default     = "2023-06-10T12:43:13Z" #Change the date to maximum 30 days in advance
description = "Registration token expiration"
}

variable "prefix" {
type        = string
default     = "AVD"
description = "Prefix of the name of the AVD machine(s)"
}

variable "node_address_space" {
  default = ["10.0.0.0/16"]
}

#variable for network range
variable "node_address_prefix" {
  default = "10.0.1.0/24"
}

variable "virtualnetwork" {
    type = string
  default = "AVD-VirtualNetwork"
}
variable "subnet_range" {
  default = ["10.0.1.0/24"]

}
variable "subnet_name" {
  default = "AVD-Subnet"
  type = string
}

There are two points to be noticed:
# Resource group name is hard coded. This is created above here so this name needs to be changed
# rfc3339 expiration token date. This needs to be changed to a value with the maximum of 30 days from the current time

After deployment

After the deployment you need to add the User group (created before) added to the Application group assignment. Users needs to be added to the group and Virtual Machines needs to be deployed. (this will be added later)

Code can be found at the github page: GetToThe-Cloud/Website (github.com)

Share and Enjoy !

Shares

Related News

Designer (23)

Stay close to the action—follow GetToThe.Cloud across social!
Deep dives and hands‑on how‑tos on Azure Local, hybrid cloud, automation, PowerShell/Bicep, AVD + FSLogix, image pipelines, monitoring, networking, and resilient design when the internet/Azure is down.

🔗 Our channels
▶️ YouTube: https://www.youtube.com/channel/UCa33PgGdXt-Dr4w3Ub9hrdQ
💼 LinkedIn Group: https://www.linkedin.com/groups/9181126/
✖️ X (Twitter): https://x.com/Gettothecloud
🎵 TikTok: https://www.tiktok.com/@gettothecloud
🐙 GitHub: https://github.com/GetToThe-Cloud/Website
💬 Slack: DM us for an invite
📲 WhatsApp: DM for the community link

Share

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners. View more
Cookies settings
Accept
Privacy & Cookie policy
Privacy & Cookies policy
Cookies list
Cookie name Active

Who we are

Our website address is: https://www.gettothe.cloud

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select "Remember Me", your login will persist for two weeks. If you log out of your account, the login cookies will be removed.If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

If you request a password reset, your IP address will be included in the reset email.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.
Save settings
Cookies settings