Terraforming Azure Management Groups

If you’ve been following my blog, or are connected with me on LinkedIn and Twitter, you’ll know that I’m engaged in a project where I am a part of a team that’s designing and deploying a global enterprise-level environment using Infrastructure-as-Code (IaC) via Terraform.

Part of this enterprise-level environment will include the use of Azure Management Groups.

Management Groups

As a quick primer for anyone that has not used Management Groups before, they allow you to group your Azure Subscriptions together. Why would you want to do that? Well, you can use them to apply governance controls (like Role-Based Access Control, Policy, etc.) to multiple Subscriptions at the same time.

For some ‘getting started’ info, check out this article: Organize your resources with Azure management groups

Management Groups Example


Now, let’s take a look at a simple block of code (in Terraform) to create a Management Group. Notice in this example, we have both a Parent and Child Management Group.

Terraform code to create Azure Management Groups

As part of the code execution, I am also passing a Subscription ID into the variable, and therefore moving it under the Child Management Group.
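A configuration matching the description above, as an added example (not the original code from this post). The resource labels, display names and variable name are assumptions, and it assumes Terraform 0.13 or later with a version of the azurerm provider that requires the `features {}` block:

```hcl
# Added example: labels, display names and the variable name are
# illustrative assumptions, not taken from the original post.

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Subscription GUID only, without the "/subscriptions/" prefix.
variable "subscription_id" {
  type        = string
  description = "ID of the Subscription to move under the Child Management Group"
}

# Top of the hierarchy. With no parent specified, Azure places it
# under the tenant's Root Management Group.
resource "azurerm_management_group" "parent" {
  display_name = "Parent Management Group"
}

# Child group nested under the Parent. Governance controls (RBAC,
# Policy) assigned at the Parent are inherited here and by every
# Subscription listed below.
resource "azurerm_management_group" "child" {
  display_name               = "Child Management Group"
  parent_management_group_id = azurerm_management_group.parent.id

  # Moving the Subscription under this group is the association
  # that 'terraform destroy' later has to undo.
  subscription_ids = [var.subscription_id]
}
```

The Subscription ID can be supplied at run time, for example with `terraform apply -var "subscription_id=<GUID>"`.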

After running the code, we have the Parent-Child-Subscription relationship created as we defined it in the code.

The nice thing about Terraform is that we can “test” our code through ‘terraform apply’, and also tear it down when we’re done testing through ‘terraform destroy’.

However, when it comes to Management Groups, this doesn’t work exactly as expected.

Yes, the ‘terraform apply’ works (as that’s how we created the Management Groups), but when you run ‘terraform destroy’ it doesn’t.

Notice in the ‘terraform destroy’ output, that there’s an error:

Error de-associating Subscription “/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX” from Management Group “XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX”

Terraform Destroy Error

The issue is that ‘terraform destroy’ is not able to move/re-assign the Subscription to another Management Group (for example, the Root Management Group). As a result, it can’t reverse what it has created.


While Terraform is a nice, human-readable coding language, there are some caveats and limitations. Working with Management Groups is an example. Now, that’s not to say this issue will not be resolved in a future code update, but it’s where we are now.

Just keep that in mind, and always perform unit tests of your code (in as small amounts of code as possible), to ensure you discover any challenges with the approach you’re trying to utilize.

Stay tuned for a lot more Terraforming fun.
