Azure Blueprint · 2020. 9. 18. · Azure Blueprint - create consistent and repeatable environments...
Azure Blueprint
– our PoV
Azure Blueprint - create consistent and repeatable environments
Page 1
Table of Contents
Overview ..... 3
Process Flow - Blueprint Lifecycle ..... 4
Some Facts About Blueprints ..... 5
Different Approach to use Azure Blueprint Service ..... 5
Limitations ..... 6
Configure Azure Blueprint using Azure Portal ..... 6
  Creation of a blueprint ..... 6
  Add Various Artifacts to blueprint ..... 8
    Add Resource group to blueprint ..... 8
    Add Policy Assignment Artifact ..... 10
    Add Role Assignment to blueprint ..... 12
    Add Azure Resource Manager template to blueprint ..... 13
  Publishing a blueprint ..... 16
  Assigning the blueprint ..... 17
  Checking the output after assigning the blueprint ..... 19
    Checking Resource Group ..... 20
Manage Azure Blueprint through REST API ..... 22
  Blueprint Definition Using REST API URI ..... 23
  Add Various Artifacts to blueprint ..... 26
    Role Assignment Using REST API URI ..... 27
    Policy Assignment Using REST API URI ..... 28
    Add ARM Template Artifact Using REST API URI ..... 30
  Publishing a Blueprint REST API URI ..... 33
  Assigning the Blueprint to a Scope ..... 34
Conclusion ..... 34
Revision History
Version Control
Version   Date         Description of Changes                      Author
1.0       05/09/2019   First draft version                         Sudip kumar Mondal
2.0       10/09/2019   Inclusion of REST API approach              Sudip kumar Mondal
3.0       23/09/2019   Final version after review and changes      Sudip kumar Mondal
Overview
Azure Blueprints is a feature that allows organizations to define a package of artifacts (resource groups, Azure policies, role assignments, Resource Manager templates and more) which can be targeted to one or multiple Azure subscriptions to create consistent and repeatable environments. Azure Blueprints is part of Azure governance and, at the time of writing, in preview, which means more features will be added once it becomes generally available as a complete service.
Azure Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
Resource                            Hierarchy options
Role assignments                    Subscription, resource group
Policy assignments                  Subscription, resource group
Azure Resource Manager templates    Subscription, resource group
Resource groups                     Subscription
The Azure Resource Manager template is a key building block (artifact) of a blueprint definition. All existing Resource Manager templates can be used in new blueprints. While Resource Manager templates are used only during deployment and do not preserve relationships with the deployed resources, Azure Blueprints preserve these relationships, supporting improved tracking and auditing of deployments and the ability to upgrade subscriptions governed by the same blueprint.
With Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments. Also, previous efforts to develop and maintain a library of Resource Manager templates are reusable in Blueprints as each Blueprint consists of zero or more Resource Manager template artifacts.
Process Flow - Blueprint Lifecycle
Some Facts About Blueprints
• Blueprints can be applied to any subscription governed by a single Azure Active Directory tenant.
• The default location where Azure blueprints reside is an Azure management group.
• Blueprints can be saved to a management group or subscription where you have Contributor access rights. If the location is a management group, the blueprint is available to assign to any child subscription of that management group.
• The Azure Blueprints service is backed by Azure Cosmos DB and replicated to multiple Azure regions to provide high availability and disaster recovery capability.
Different Approach to use Azure Blueprint Service
There are two ways in which we can manage blueprints.
1. Azure Portal:
You can create a blueprint, add artifacts, assign it and then deploy it to a subscription using the Azure portal. In the Azure portal, select All services in the left pane, then search for and select Blueprints. Use this Blueprints service to create a blueprint quickly. For more details, see https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal
2. REST API and PowerShell:
You can also create, assign, and manage blueprint definitions in Azure by using REST APIs. You can consider using the Azure PowerShell Az module to call the Blueprint REST APIs for creating and managing Azure blueprints. For more details, see https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-rest-api
Limitations
• Azure Blueprints give you an easy way to bundle together governance artifacts like Azure Policy and Resource Manager templates, then apply them to the relevant subscriptions under a management group. But what if you want to duplicate these across to a subscription in a different management group? There is no copy-and-paste capability in the portal for that.
• As the Azure Blueprints service is still in preview, you won't find a full-featured set of options in the Azure portal.
• A blueprint created through the portal has to be exported and then imported in order to use it in another management group or environment.
Configure Azure Blueprint using Azure Portal
To get a better understanding, let us consider the creation of a blueprint resource group at subscription level and add Policy, Role and ARM template artifacts.
These tasks include:
• Creating a new blueprint named “MyBlueprint”
• Adding a Resource Group artifact named “RG1”
• Adding a Policy Assignment artifact named “Allow location”, which will be part of the Resource Group artifact named “RG1”
• Adding a Role Assignment artifact that assigns the “Reader” role to a user
• Adding more resources, such as Azure storage, by using an ARM template artifact
• Publishing the blueprint
• Assigning and deploying the blueprint
• Checking the blueprint deployment status and the resources created after deployment
Creation of a blueprint
1. Select All services in the left pane. Search for and select Blueprints.
2. Select Blueprint definitions from the page on the left and select the + Create blueprint button at the top of the page.
Or, select Create from the Getting started page to go straight to creating a blueprint.
3. There are some pre-defined blueprint samples to help you get started quickly. So, you can either use the blank blueprint template or a pre-defined template to create the blueprint.
4. Provide a Blueprint name such as MyBlueprint. (Use up to 48 letters and numbers, but no spaces or special characters). Leave Blueprint description blank for now.
5. In the Definition location box, select the ellipsis on the right, select the management group or subscription where you want to save the blueprint, and choose Select.
Add Various Artifacts to blueprint
Resources supported as artifacts include resource groups, resource manager templates, policy assignments, and role assignments.
Add Resource group to blueprint
a) Select the + Add artifact row under Subscription.
b) Select Resource group for Artifact type.
c) Leave the Artifact display name, Resource Group Name, and Location boxes blank, but make sure that the check box is checked for each parameter property to make them dynamic parameters.
d) Select Add to add this artifact to the blueprint.
e) Select Resource Group and fill in the information based on the screenshot. You can also check the box if you want to fill in this information during assignment. Click Add.
Add Policy Assignment Artifact
What I am going to do is restrict the location for the resources within the resource group “RG1”. In other words, the resources within the resource group will be deployed to a specific location. This policy enables you to restrict the locations your organization can specify when deploying resources.
a) Select the + Add artifact row under the role assignment artifact.
b) Select Policy assignment for Artifact type.
c) Change Type to Built-in. In Search, enter location.
d) Click out of Search for the filtering to occur. Select Append Allow Locations.
e) Select Add to add this artifact to the blueprint.
f) Specify the location value where the resources will get deployed.
Add Role Assignment to blueprint
I am going to assign a user from my Active Directory the Reader role.
a) Select the + Add artifact row under Subscription. The Add artifact window opens on the right side of the browser.
b) Select Role assignment for Artifact type.
c) Under Role, select Reader. Leave the Add user, app or group box with the check box that indicates a dynamic parameter.
d) Add the user and then select Add to add this artifact to the blueprint.
Add Azure Resource Manager template to blueprint
In my opinion the Azure Resource Manager template artifact is the most impactful of the blueprint artifact types because you can define such a variety of resources with it. It opens the blueprint to the power of ARM in general. Hopefully in the future we will see more scripting capability or the ability to load PowerShell scripts.
I am going to add Azure storage by using an Azure Resource Manager template as the artifact.
a) Select the + Add artifact row under the ResourceGroup entry.
b) Select Azure Resource Manager template for Artifact type, set Artifact display name to StorageAccount, and leave Description blank.
c) On the Template tab in the editor box, paste the following Resource Manager template. After you paste the template, select the Parameters tab and note that the template parameters storageAccountType and location were detected. Each parameter was automatically detected and populated, but configured as a dynamic parameter.
d) Clear the storageAccountType check box and note that the drop-down list contains only the values included in the Resource Manager template under allowedValues. Select the box to set it back to a dynamic parameter.
e) Select Add to add this artifact to the blueprint.
Once you have added all the artifacts, everything will look like the screen below. Click Save Draft.
Publishing a blueprint
Select Blueprint definitions and select the blueprint you recently created. This opens a new window from which you publish the newly created blueprint. You can't assign a blueprint until it is published. Provide a version for the blueprint; if you edit this blueprint later to add more artifacts, you can always add a new version. When you assign a blueprint to a subscription, the latest version gets applied. This versioning is helpful to determine which version has deployed which resources in your subscription.
Assigning the blueprint
Once published, we can now assign this blueprint to an Azure subscription. If the blueprint isn't published, it can't be assigned. Now select the blueprint again and you will see that Assign blueprint appears. Select it and fill in the information shown in the screenshots below. In my case the “Subscription” drop-down is disabled because I don't have the rights to assign the blueprint to any other subscription.
Once assigned, you can go back to Assigned blueprints and select the assignment name you used in the previous step. This will show you the current progress of the assignment. If there was any failure, you will be able to see it here.
Now you can check the resources deployed by this blueprint in the subscription. If required, this blueprint can be further modified to update or add new artifacts. If the blueprint isn't in use, you can also delete the blueprint. Deleting a blueprint doesn't delete the resources it has deployed.
Checking the output after assigning the blueprint
When a blueprint is assigned to a subscription, it starts deploying. So in this use case we can see that the resources are being created automatically by the blueprint. The resource group named “RG11” is being created. The role assignment and policy assignment have been automatically applied to those created resources.
Checking Resource Group
As we can see, the resource group named “RG11” is being created automatically by the blueprint.
Within the resource group “RG11”, the Azure storage that was defined in the ARM template within the blueprint is also being created automatically.
Manage Azure Blueprint through REST API
First we should obtain the necessary tokens to connect to our Azure environment. We can use management groups: when managing multiple subscriptions, management groups are great for organizing your subscriptions, teams and resources (https://docs.microsoft.com/en-us/azure/governance/management-groups/).
PowerShell can be used with the Azure PowerShell Az module, which will provide the tokens to make calls to the REST API (more detailed information at https://docs.microsoft.com/en-us/powershell/azure/new-azureps-module-az?view=azps-1.4.0).
In the example below, I have used the Postman tool for the REST API calls, using a bearer token for authentication to my Azure subscription.
Make sure that you possess the necessary information, such as the bearer token, to invoke REST requests and communicate with the APIs.
Blueprint Definition Using REST API URI
The blueprint-level parameters are defined in the blueprint definition. This is important to keep in mind as it will impact the artifacts you will be creating later. In each REST API URI there are variables that you need to replace with your own values:
• {YourMG} - Replace with the ID of your management group
• {subscriptionId} - Replace with your subscription ID
• {BlueprintName} - Replace with your blueprint name
Create the initial blueprint object. The Request Body includes properties about the blueprint, any resource groups to create, and all of the blueprint level parameters. The parameters are set during assignment and used by the artifacts added in later steps.
• REST API URI https://management.azure.com/providers/Microsoft.Management/managementGroups/{YourMG}/providers/Microsoft.Blueprint/blueprints/{BlueprintName}?api-version=2018-11-01-preview
See https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-rest-api
To understand this, we will consider one use case.
These tasks include:
• Creating a new blueprint named “simpleBlueprint”
• Adding a policy assignment
• Adding a role assignment
• Adding artifacts using an Azure Resource Manager template, which will include a resource group and a storage account under that resource group
• Publishing the blueprint
Let's keep it small and start by implementing the parameters. These parameters will later be available within our artifacts (storageAccountType, tagName, tagValue, contributors, etc.).
JSON request body
{
  "properties": {
    "description": "This blueprint sets tag policy and role assignment on the subscription, creates a ResourceGroup, and deploys a resource template and role assignment to that ResourceGroup.",
    "targetScope": "subscription",
    "parameters": {
      "storageAccountType": {
        "type": "string",
        "metadata": {
          "displayName": "storage account type.",
          "description": null
        }
      },
      "tagName": {
        "type": "string",
        "metadata": {
          "displayName": "The name of the tag to provide the policy assignment.",
          "description": null
        }
      },
      "tagValue": {
        "type": "string",
        "metadata": {
          "displayName": "The value of the tag to provide the policy assignment.",
          "description": null
        }
      },
      "contributors": {
        "type": "array",
        "metadata": {
          "description": "List of AAD object IDs that is assigned Contributor role at the subscription"
        }
      },
      "owners": {
        "type": "array",
        "metadata": {
          "description": "List of AAD object IDs that is assigned Owner role at the resource group"
        }
      }
    },
    "resourceGroups": {
      "storageRG": {
        "description": "Contains the resource template deployment and a role assignment."
      }
    }
  }
}
JSON response or output after execution
Add Various Artifacts to blueprint
Resources supported as artifacts include resource groups, resource manager templates, policy assignments, and role assignments. Let us now add artifacts one by one.
Role Assignment Using REST API URI
A role assignment is one of the artifacts we add in order to define a role for users present in the Active Directory. So, to add a role assignment at subscription scope we need to use the REST API URI mentioned below.
• REST API URI
https://management.azure.com/providers/Microsoft.Management/managementGroups/{YourMG}/providers/Microsoft.Blueprint/blueprints/{YourBlueprintName}/artifacts/roleContributor?api-version=2018-11-01-preview
JSON request body
{
  "kind": "roleAssignment",
  "properties": {
    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalIds": "[parameters('contributors')]"
  }
}
In the above example, the request body defines the kind of artifact as “roleAssignment”. The principal IDs are taken from a parameter that is set during blueprint assignment. This example uses the Contributor built-in role with a GUID of b24988ac-6180-42a0-ab88-20f7382dd24c.
After the REST API call, the portal shows the output below.
Policy Assignment Using REST API URI
The first step in enforcing compliance with Azure Policy is to assign a policy definition. A policy definition defines under what condition a policy is enforced and what effect to take. More detailed information is at https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage.
An artifact is needed that will hold the policy assignment. We will create the artifact in the next step.
Now we will add a policy assignment for the storage tag (reusing the storageAccountType parameter which is defined in the blueprint definition). Thus we can see that a parameter defined on the blueprint is usable by more than one artifact (for now I am using one artifact in this example). In the example, storageAccountType is used to set a tag on the resource group. This value provides information about the storage account that is created in the next step. This example uses the "Apply tag and its default value to resource groups" built-in policy with a GUID of 49c88fc8-6fd1-46fd-a676-f12d1d3a4c71.
• REST API URI
https://management.azure.com/providers/Microsoft.Management/managementGroups/{YourMG}/providers/Microsoft.Blueprint/blueprints/{YourBlueprintName}/artifacts/policyStorageTags?api-version=2018-11-01-preview
JSON request body for policyAssignment
{
  "kind": "policyAssignment",
  "properties": {
    "description": "Apply storage tag and the parameter also used by the template to resource groups",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71",
    "parameters": {
      "tagName": {
        "value": "StorageType"
      },
      "tagValue": {
        "value": "[parameters('storageAccountType')]"
      }
    }
  }
}
Note: you can find the policyDefinitionId by going to Policy definitions in the Azure portal.
After the REST API call, the portal shows the output below.
Add ARM Template Artifact Using REST API URI
Blueprint artifacts for resources are not much different from ARM templates. You can take the same template and put it into an artifact.
We can create or update artifacts using REST APIs. For more details, see https://docs.microsoft.com/en-us/rest/api/blueprints/artifacts/createorupdate#examples
• REST API URI
https://management.azure.com/providers/Microsoft.Management/managementGroups/{YourMG}/providers/Microsoft.Blueprint/blueprints/{YourBlueprintName}/artifacts/templateStorage?api-version=2018-11-01-preview
Here we will use an Azure Resource Manager template which will include a resource group and a storage account under that resource group. The request body for a Resource Manager template includes the normal JSON component of the template and defines the target resource group with properties.resourceGroup.
JSON request body for the template artifact
{
  "kind": "template",
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "storageAccountTypeFromBP": {
          "type": "string",
          "defaultValue": "Standard_LRS",
          "allowedValues": [
            "Standard_LRS",
            "Standard_GRS",
            "Standard_ZRS",
            "Premium_LRS"
          ],
          "metadata": {
            "description": "Storage Account type"
          }
        },
        "tagNameFromBP": {
          "type": "string",
          "defaultValue": "NotSet",
          "metadata": {
            "description": "Tag name from blueprint"
          }
        },
        "tagValueFromBP": {
          "type": "string",
          "defaultValue": "NotSet",
          "metadata": {
            "description": "Tag value from blueprint"
          }
        }
      },
      "variables": {
        "storageAccountName": "[concat(uniquestring(resourceGroup().id), 'standardsa')]"
      },
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts",
          "name": "[variables('storageAccountName')]",
          "apiVersion": "2016-01-01",
          "tags": {
            "[parameters('tagNameFromBP')]": "[parameters('tagValueFromBP')]"
          },
          "location": "[resourceGroups('storageRG').location]",
          "sku": {
            "name": "[parameters('storageAccountTypeFromBP')]"
          },
          "kind": "Storage",
          "properties": {}
        }
      ],
      "outputs": {
        "storageAccountSku": {
          "type": "string",
          "value": "[variables('storageAccountName')]"
        }
      }
    },
    "resourceGroup": "storageRG",
    "parameters": {
      "storageAccountTypeFromBP": {
        "value": "[parameters('storageAccountType')]"
      },
      "tagNameFromBP": {
        "value": "[parameters('tagName')]"
      },
      "tagValueFromBP": {
        "value": "[parameters('tagValue')]"
      }
    }
  }
}
After the REST API call, the portal shows the output below.
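The following is an added pre-flight check, not part of this document or of the Blueprints service: it embeds constructed, abridged copies of the definition and artifact bodies shown above and verifies, before any PUT is sent, that every blueprint-level parameter an artifact references is declared in the definition, that the template artifact's resourceGroup exists in the definition's resourceGroups, and that the values passed into the template match parameters the template itself declares. The URI builder uses the same {YourMG} and {BlueprintName} placeholders as the document.

```python
"""Pre-flight consistency check for the Azure Blueprint REST bodies above.
Added example, not from the original document: constructed, abridged copies of
the blueprint definition and artifact bodies are checked against each other."""
import json
import re

API_VERSION = "2018-11-01-preview"
BASE = "https://management.azure.com/providers/Microsoft.Management/managementGroups"
PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")

# Constructed, abridged copy of the blueprint definition request body.
BLUEPRINT_DEFINITION = {"properties": {
    "targetScope": "subscription",
    "parameters": {"storageAccountType": {"type": "string"}, "tagName": {"type": "string"},
                   "tagValue": {"type": "string"}, "contributors": {"type": "array"},
                   "owners": {"type": "array"}},
    "resourceGroups": {"storageRG": {"description": "Contains the resource template deployment and a role assignment."}}}}

# Constructed, abridged copies of the three artifact request bodies.
ARTIFACTS = {
    "roleContributor": {"kind": "roleAssignment", "properties": {
        "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/"
                            "b24988ac-6180-42a0-ab88-20f7382dd24c",
        "principalIds": "[parameters('contributors')]"}},
    "policyStorageTags": {"kind": "policyAssignment", "properties": {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/"
                              "49c88fc8-6fd1-46fd-a676-f12d1d3a4c71",
        "parameters": {"tagName": {"value": "StorageType"},
                       "tagValue": {"value": "[parameters('storageAccountType')]"}}}},
    "templateStorage": {"kind": "template", "properties": {
        "template": {  # the nested ARM template declares its own parameters
            "contentVersion": "1.0.0.0",
            "parameters": {"storageAccountTypeFromBP": {"type": "string"},
                           "tagNameFromBP": {"type": "string"},
                           "tagValueFromBP": {"type": "string"}},
            "resources": [{"type": "Microsoft.Storage/storageAccounts",
                           "sku": {"name": "[parameters('storageAccountTypeFromBP')]"}}]},
        "resourceGroup": "storageRG",
        "parameters": {"storageAccountTypeFromBP": {"value": "[parameters('storageAccountType')]"},
                       "tagNameFromBP": {"value": "[parameters('tagName')]"},
                       "tagValueFromBP": {"value": "[parameters('tagValue')]"}}}},
}


def blueprint_param_refs(artifact):
    """Blueprint-level [parameters('x')] references in an artifact body.
    For a template artifact the nested ARM template is skipped: its own
    parameters() expressions resolve against the template, not the blueprint."""
    props = dict(artifact["properties"])
    if artifact["kind"] == "template":
        props.pop("template", None)
    return set(PARAM_REF.findall(json.dumps(props)))


def check_artifact(name, artifact, definition):
    """Return the list of problems found (an empty list means consistent)."""
    bp = definition["properties"]
    problems = []
    for ref in sorted(blueprint_param_refs(artifact) - set(bp.get("parameters", {}))):
        problems.append(f"{name}: undeclared blueprint parameter '{ref}'")
    if artifact["kind"] == "template":
        props = artifact["properties"]
        rg = props.get("resourceGroup")
        if rg not in bp.get("resourceGroups", {}):
            problems.append(f"{name}: resourceGroup '{rg}' is not declared in the blueprint definition")
        declared = set(props["template"].get("parameters", {}))
        for p in sorted(set(props.get("parameters", {})) - declared):
            problems.append(f"{name}: passes '{p}', which the template does not declare")
    return problems


def preflight(definition, artifacts):
    """Run check_artifact over every artifact and collect all problems."""
    return [p for n, a in artifacts.items() for p in check_artifact(n, a, definition)]


def artifact_uri(mg, blueprint, artifact):
    """PUT URI for one artifact, following the document's placeholder pattern."""
    return (f"{BASE}/{mg}/providers/Microsoft.Blueprint/blueprints/{blueprint}"
            f"/artifacts/{artifact}?api-version={API_VERSION}")
```

Run preflight() over the real bodies before sending them; an empty list means every reference resolves, and each string in a non-empty list names the artifact and the mismatch that the service would otherwise reject at assignment time.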
Publishing a Blueprint REST API URI
Now that the artifacts have been added to the blueprint, it's time to publish it. Publishing makes it available to assign to a subscription.
• REST API URI
https://management.azure.com/providers/Microsoft.Management/managementGroups/{YourMG}/providers/Microsoft.Blueprint/blueprints/{YourBlueprintName}/versions/{BlueprintVersion}?api-version=2018-11-01-preview
After the REST API call, the portal shows the output below. The blueprint “simpleBlueprint” got published with version “V1”.
Assigning the Blueprint to a Scope
The last step in the process is assigning the blueprint to a scope. Assign the blueprint to a subscription within the management group. This is when we populate the parameters defined in the blueprint definition, and this is exactly the place where you want to manage your parameters.
Conclusion
Azure Blueprints has a lot of potential to enhance the DevOps process by speeding up new environment setups. It includes ARM templates and policies to start with. We expect Blueprints to include many more Azure artifacts and services to spin up new infrastructure, such as Kubernetes clusters.