Today, infrastructure-as-code is picking up pace at an exponential rate. Although the concept of infrastructure-as-code is enticing, that is just one face of the coin; what sits in the shadows is compliance and access rights, which play a major role in any organizational setup.
So, today we will cover one service that Azure provides for this, Azure Blueprints, which makes our lives easier by bringing infrastructure and compliance under the same umbrella.
- Azure Blueprints allows you to create and update artifacts (like policies and ARM templates) and assign them to environments and version them.
- The workflow of Azure Blueprints follows these steps:
  - First, we create a draft where we assemble the components of the blueprint.
  - Then we publish the blueprint, which gives us a version number for that blueprint.
  - Finally, we assign the blueprint to our environment.
- Blueprints have a robust locking mechanism that can ensure that nobody, not even the owner of the subscription, can delete the resources protected by the blueprint definition.
- Azure Blueprints are made up of artifacts, which can be:
  - Resource Groups
  - ARM Templates
  - RBAC Assignments
  - Policy Assignments
- Now we will create a blueprint. First, log into your Azure portal, navigate to Azure Blueprints and create a blueprint definition.
- We will start by creating a blueprint from scratch. We give it a name and make sure there are no spaces.
- For the blueprint location, we can store it either at subscription scope or at management group scope; the management group scope makes the blueprint available to all the underlying subscriptions.
- Now we will move on to the artifact section. We will start by adding a Resource Group. We can parametrize almost all the values for our artifact, or hard-code them. Here we have left the Resource Group name to be specified at the time of creation, but we have set the location in the blueprint itself.
- Now we will add an ARM template as our next artifact. We are using the ARM template for a VNet provided by Microsoft.
- Now we will add a policy to our blueprint.
- Finally, we will add an RBAC role to our blueprint.
- Now we will save our blueprint as a draft and then publish it. While publishing, we will assign it a version number.
- Once the blueprint is published, we can assign it; an assignment is nothing but the deployment. While assigning, we can set the locks. Here we will protect our resources against deletion, for which Azure will create a system-assigned managed identity.
- The rest comprises just the parameters, to which we can assign the values based on our configuration earlier. We have assigned the name and the RBAC user in our parameters.
- Now we will assign our blueprint. Essentially, this defines the full environment for our deployment. We can see the status of our assigned blueprint in the ‘Assigned Blueprint’ section.
- Once the deployment is successful, we only need to update our blueprint definition to modify our environment; this gives us centralized control over all our resources.
- Now we can check the resources created by our blueprint. As we have created a deletion prevention lock, we can see the deny assignment that affects all the principals, including the owner.
- We can verify this by trying to delete a subnet from our setup: as we have only provided ‘contributor’ access to the user, the user is not able to delete the resources.
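
As an added example (not from the original post or from Microsoft), this Python check audits blueprint assignment bodies for the lock mode, lock exclusions and published version discussed in the steps above. The sample assignments, the approved-version map and the field names (taken to follow the Microsoft.Blueprint assignment schema) are assumptions.

```python
import re

# Constructed sample data. Field names (properties.blueprintId, locks.mode,
# locks.excludedPrincipals) are assumed from the Microsoft.Blueprint schema.
BP = ("/subscriptions/00000000-0000-0000-0000-000000000000"
      "/providers/Microsoft.Blueprint/blueprints/network-baseline/versions/")
SAMPLE_ASSIGNMENTS = [
    {"name": "assign-network-prod",
     "properties": {"blueprintId": BP + "1.0",
                    "locks": {"mode": "AllResourcesDoNotDelete"}}},
    {"name": "assign-network-dev",
     "properties": {"blueprintId": BP + "0.9",
                    "locks": {"mode": "None",
                              "excludedPrincipals": ["11111111-1111-1111-1111-111111111111"]}}},
]
APPROVED_VERSIONS = {"network-baseline": "1.0"}  # hypothetical approved baseline
PROTECTIVE_MODES = {"AllResourcesDoNotDelete", "AllResourcesReadOnly"}
ID_RE = re.compile(r"/blueprints/([^/]+)/versions/([^/]+)$")


def audit_assignment(assignment, approved=APPROVED_VERSIONS):
    """Return the list of findings for one blueprint assignment body."""
    findings = []
    props = assignment.get("properties") or {}
    locks = props.get("locks") or {}
    mode = locks.get("mode", "None")
    if mode not in PROTECTIVE_MODES:
        findings.append(f"lock mode {mode!r} leaves resources deletable")
    if locks.get("excludedPrincipals"):
        findings.append("lock excludes principals from the deny assignment")
    match = ID_RE.search(props.get("blueprintId", ""))
    if not match:
        findings.append("blueprintId does not name a published version")
    elif approved.get(match.group(1)) != match.group(2):
        findings.append(f"version {match.group(2)!r} is not the approved one")
    return findings


def audit_all(assignments):
    """Map assignment name to findings, omitting clean assignments."""
    report = {a.get("name", "<unnamed>"): audit_assignment(a) for a in assignments}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_ASSIGNMENTS).items():
        for finding in found:
            print(f"{name}: {finding}")
```
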
Now, with the help of Azure Blueprints, we are able not just to create the infrastructure easily but also to manage compliance in it. In this blog, we have gained a firm understanding of Azure Blueprints and how we can best utilize them to build a production-ready infrastructure.
So, there you have it guys “Any environment, any subscription, it’s all at one place – Azure Blueprints”.