Azure Blueprint · 2020. 9. 18. · Azure Blueprint - create consistent and repeatable environments Page 3 Overview Azure blueprint is a new feature which allows organizations to

Azure Blueprint

– our PoV

Azure Blueprint - create consistent and repeatable environments

Page 1

Table of Contents

Overview ........................................................................................................................ 3

Process Flow- Blueprint Lifecycle ............................................................................... 4

Some Facts About Blueprints ...................................................................................... 5

Different Approach to use Azure Blueprint Service ................................................... 5

Limitations ................................................................................................................. 6

Configure Azure Blueprint using Azure Portal ........................................................... 6

Creation of a blueprint .............................................................................................. 6 Add Various Artifacts to blueprint ............................................................................. 8

Add Resource group to blueprint .................................................................................................. 8

Add Policy Assignment Artifact ................................................................................................... 10

Add Role Assignment to blueprint ............................................................................................... 12

Add Azure Resource Manager template to blueprint ................................................................. 13

Publishing a blueprint ............................................................................................. 16

Assigning the blueprint ........................................................................................... 17

Checking the output after assigning the blueprint ............................................... 19 Checking Resource Group ........................................................................................................... 20

Manage Azure Blueprint through REST API ............................................................. 22

Blueprint Definition Using REST API URI .............................................................. 23

Add Various Artifacts to blueprint ........................................................................... 26 Role Assignment Using REST API URI .......................................................................................... 27

Policy Assignment Using REST API URI ........................................................................................ 28

Add ARM Template Artifact Using REST API URI ........................................................................ 30

Publishing a Blueprint REST API URI .................................................................... 33

Assigning the Blueprint to a Scope ....................................................................... 34

Conclusion ................................................................................................................... 34


Page 2

Revision History

Version Control

Version Date Description of Changes Author

1.0 05/09/2019 First draft version Sudip kumar Mondal

2.0 10/09/2019 Inclusion of REST API approach Sudip kumar Mondal

3.0 23/09/2019 Final version after review and changes Sudip kumar Mondal


Page 3

Overview

Azure blueprint is a new feature which allows organizations to define a package of artifacts (resource groups, Azure policies, role assignments & Resource Manager templates and more) which can be targeted to one or multiple Azure subscriptions to create consistent and repeatable environments. Azure blueprints are part of Azure governance and currently in preview, which means more feature will be added once it becomes generally available as a complete service.

Azure Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:

Resource Hierarchy Options

Role Assignments Subscription, Resource group

Policy Assignments Subscription, Resource group

Aure Resource Manager

templates

Subscription, Resource group

Resource Groups Subscription


Page 4

Azure Resource Manager template is a key building block (artifact) of a blueprint definition. All existing Resource Manager templates can be used in new blueprints. While Resource Manager templates are used only during deployment and do not preserve relationships with deployed resources, Azure Blueprints preserve these relationships, supporting improved tracking and auditing of deployments and the ability to upgrade subscriptions governed by the same blueprint.

With Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments. Also, previous efforts to develop and maintain a library of Resource Manager templates are reusable in Blueprints as each Blueprint consists of zero or more Resource Manager template artifacts.

Process Flow- Blueprint Lifecycle


Page 5

Some Facts About Blueprints

• Blueprints can be applied to any subscription governed by single Azure Active Directory

• The default location where all the Azure blueprints can reside is Azure Management Groups.

• Blueprints can be saved to a management group or subscription where you have Contributor access rights. If the location is a management group, the blueprint is available to assign to any child subscription of that management group.

• Azure Blueprint service is backed by the Azure Cosmos DB and replicated to multiple Azure Regions to provide the high availability and disaster recovery capability

Different Approach to use Azure Blueprint Service

There are two ways by which we can manage Blueprint.

1. Azure Portal: -

You can create blueprint, add artifacts, assign and then deploy it to a subscription using azure portal. In

Azure portal, select All services in the left pane. Search for and select Blueprints. Use this blueprint

service to create a blueprint quickly. For more details, check https://docs.microsoft.com/en-

us/azure/governance/blueprints/create-blueprint-portal

2. REST API and PowerShell: -

You can also create, assign, and manage blueprint definitions in Azure by using REST APIs. You can

consider using Azure PowerShell Az module to use Blueprint REST APIs for creating/managing azure

blueprint. For more details, check https://docs.microsoft.com/en-

us/azure/governance/blueprints/create-blueprint-rest-api

https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal

https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal

https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-rest-api



Page 6

Limitations • Azure Blueprints give you an easy way to bundle together governance artifacts like Azure Policy

and Resource Manager Templates, then apply them to the relevant subscriptions under a management group. But what if you want to duplicate these across to a subscription in a different management group? There’s no copy and paste capability in the portal for that.

• As the Azure Blueprints service is still in Preview, you won’t find a full-featured set in azure portal.

• Blueprint created through portal have to be exported and then imported in order to use it in other management group or environment.

Configure Azure Blueprint using Azure Portal To have a better understanding, let us consider creation of a BluePrint Resource Group at subscription

level and adding Policy, Role and ARM Template artifacts.

These tasks include:

• Creation of a new blueprint named “MyBlueprint”

• Add Resource Group Artifact named “RG1”

• Add Policy Assignment Artifact named “Allow location” which will be a part of

Resource Group Artifacts named “RG1”

• Add Role Assignment Artifact, assign a “Reader” role to a user

• Add more resource like azure storage by using ARM template artifact.

• Publishing the Blueprint

• Assigning and deploying the blueprint

• Checking the blueprint deployment status and resources created after deployment

Creation of a blueprint

1. Select All services in the left pane. Search for and select Blueprints.


Page 7

2. Select Blueprint definitions from the page on the left and select the + Create blueprint button at the top of the page.

Or, select Create from the Getting started page to go straight to creating a blueprint.

3. There are some Pre-defined blueprint samples to help and get you started quickly. So, either you use blank blue print template or pre-defined template available for creating blueprint.


Page 8

4. Provide a Blueprint name such as MyBlueprint. (Use up to 48 letters and numbers, but no spaces or special characters). Leave Blueprint description blank for now.

5. In the Definition location box, select the ellipsis on the right, select the management group or subscription where you want to save the blueprint, and choose Select.

Add Various Artifacts to blueprint

Resources supported as artifacts include resource groups, resource manager templates, policy assignments, and role assignments.

Add Resource group to blueprint

a) Select the + Add artifact row under Subscription. b) Select Resource group for Artifact type. c) Leave the Artifact display name, Resource Group Name, and Location boxes blank,

but make sure that the check box is checked for each parameter property to make them dynamic parameters.


Page 9

d) Select Add to add this artifact to the blueprint.


Page 10

e) Select Resource Group and fill the information based on the print screen. you can also check the box if you want to fill this information during the assignment. Click Add

Add Policy Assignment Artifact

What I am going to do is, restrict the location for the resources within the resources group “RG1”. In

other words, we can say that the resources within the resource group will be deployed to a specific

location. This policy enables you to restrict the locations your organization can specify when deploying

resources.

a) Select the + Add artifact row under the role assignment artifact. b) Select Policy assignment for Artifact type. c) Change Type to Built-in. In Search, enter location. d) Click out of Search for the filtering to occur. Select Append Allow Locations. e) Select Add to add this artifact to the blueprint.


Page 11

f) Specify the location value where the resources will get deployed.


Page 12

Add Role Assignment to blueprint

What I am going to assign a user which is as part of my active directory as Reader.

a) Select the + Add artifact row under Subscription. The Add artifact window opens on the right side of the browser.

b) Select Role assignment for Artifact type. c) Under Role, select Reader. Leave the Add user, app or group box with the check box

that indicates a dynamic parameter. d) Add user and then Select Add to add this artifact to the blueprint.


Page 13

Add Azure Resource Manager template to blueprint

In my opinion the Azure Resource Manager Template artifact is the most impactful of the Blueprint artifact types because you can define such a variety of resources here. It opens the Blueprint to the power of ARM in general. Hopefully in the future we will see more scripting capability or the ability to load PowerShell scripts

I am going to add azure storage by using Azure Resource Manager Template as artifacts.

a) Select the + Add artifact row under the ResourceGroup entry. b) Select Azure Resource Manager template for Artifact type, set Artifact display name

to StorageAccount, and leave Description blank. c) On the Template tab in the editor box, paste the following Resource Manager template. After

you paste the template, select the Parameters tab and note that the template parameters storageAccountType and location were detected. Each parameter was automatically detected and populated, but configured as a dynamic parameter.


Page 14


Page 15

d) Clear the storageAccountType check box and note that the drop-down list contains only values included in the Resource Manager template under allowedValues. Select the box to set it back to a dynamic parameter.

e) Select Add to add this artifact to the blueprint.

Once you have added all the artifcats, everything will look like below screen. click on Save Draft


Page 16

Publishing a blueprint Select Blueprint Definition and select the blueprint you have recently created, this will open up a new

window and publish this newly created blueprint. you can’t assign a blueprint until its published. provide

a version to the blueprint, if you edit this blueprint to add more artifacts, you can always add a new

version. when you assign a blueprint to a subscription, latest version gets applied. this versioning is

helpful to determine which versioning has deployed what resources in your subscription.


Page 17

Assigning the blueprint Once published, we can now assign this blueprint to an Azure subscription. if the blueprint isn’t

published, it can’t be assigned. now select the blueprint again and you will see Assign Blueprint will

appear. select that and fill the information mentioned in below print screens. In my case “Subscription”

dropdown is disable because I don’t have the rights to assign the blueprint to any other subscription.


Page 18

Once assigned, you can go back to Assigned Blueprints and select the assignment name, you used in

previous step. this will show you the current progress of the assignment. if there was any failure, you

will be able to see it here.


Page 19

Now you can check the resources deployed by this blueprint in the subscription. if require, this blueprint

can be further modified to update or add any new artifacts. if the blueprint isn’t in use, you can also

delete the blueprint. deleting a blueprint doesn’t delete the resources it has deployed.

Checking the output after assigning the blueprint When blueprint is assigned to any subscription, it starts deploying. So in this use case we can see that,

the resources are being created automatically by the blueprint. The resource group named “RG11” is

being created. The Role assignment and Policy assignment has been automatically applied to those

created resources.


Page 20

Checking Resource Group

As we can see the resource group named “RG11” is being created automatically by the blueprint.


Page 21

Within the resource group “RG11”, azure storage is also being automatically created which was

mentioned in ARM template within the blueprint.


Page 22

Manage Azure Blueprint through REST API

First we should create the necessary tokens to connect to our Azure Environment. We can use Management Groups. When managing multiple subscriptions we can make use of Management Groups as they are great for organizing your subscriptions, teams and resources (https://docs.microsoft.com/en-us/azure/governance/management-groups/).

PowerShell can be used with Azure PowerShell Az Module , which will provide the tokens to make calls to the REST API (more detailed information at https://docs.microsoft.com/en-us/powershell/azure/new-azureps-module-az?view=azps-1.4.0).

The example below, I have used POSTMAN tool for REST API call and using the bearer token for the authentication to my azure subscription.

https://docs.microsoft.com/en-us/azure/governance/management-groups/

https://docs.microsoft.com/en-us/powershell/azure/new-azureps-module-az?view=azps-1.4.0

https://docs.microsoft.com/en-us/powershell/azure/new-azureps-module-az?view=azps-1.4.0


Page 23

Make sure you are that you possess the necessary information like bearer token to invoke REST

requests and communicate with the API's.

Blueprint Definition Using REST API URI

The Blueprint level parameters are defined in the Blueprint definition. This is important to keep in mind as this will impact the artifacts you will later be creating. In each REST API URI, there are variables that are used that you need to replace with your own values:

• {YourMG} - Replace with the ID of your management group • {subscriptionId} - Replace with your subscription ID • {BlueprintName} - Replace with your Blueprint Name

Create the initial blueprint object. The Request Body includes properties about the blueprint, any resource groups to create, and all of the blueprint level parameters. The parameters are set during assignment and used by the artifacts added in later steps.

• REST API URI https://management.azure.com/providers/Microsoft.Management/managementGroups/{YourMG}/providers/Microsoft.Blueprint/blueprints/{BlueprintName}?api-version=2018-11-01-preview

Check with https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-rest-api



Page 24

To understand, we will be considering one use case.

These tasks include:

• Creation of a new blueprint named “simpleBlueprint”

• Add Policy assignment

• Add Role assignment

• Add artifacts using Azure Resource Manager Template which will include a Resource Group and a Storage under that resource group.

• Publishing the blue print

Lets keep it small and start by implementing parameters for the App service names. These parameters will later be available within our artifacts (storageAccountType, tagName, tagValue, contributors etc).

Json Request body

{

"properties": {

"description": "This blueprint sets tag policy and role assignment on the subscription, creates a ResourceGroup, and deploys a resource template and role assignment to that ResourceGroup.",

"targetScope": "subscription",

"parameters": {

"storageAccountType": {

"type": "string",

"metadata": {

"displayName": "storage account type.",

"description": null

}

},

"tagName": {

"type": "string",

"metadata": {

"displayName": "The name of the tag to provide the policy assignment.",

"description": null


Page 25

}

},

"tagValue": {

"type": "string",

"metadata": {

"displayName": "The value of the tag to provide the policy assignment.",

"description": null

}

},

"contributors": {

"type": "array",

"metadata": {

"description": "List of AAD object IDs that is assigned Contributor role at the subscription"

}

},

"owners": {

"type": "array",

"metadata": {

"description": "List of AAD object IDs that is assigned Owner role at the resource group"

}

}

},

"resourceGroups": {

"storageRG": {

"description": "Contains the resource template deployment and a role assignment."

}

}

}

}


Page 26

Json Response or Output after execution

Add Various Artifacts to blueprint

Resources supported as artifacts include resource groups, resource manager templates, policy assignments, and role assignments. Let us now add artifacts one by one.


Page 27

Role Assignment Using REST API URI

Role assignment is one of the artifacts which we will add in order to define role for users present in the

active directory. So, to add role assignment at subscription we need to use below mentioned Rest Api

• REST API URI

https://management.azure.com/providers/Microsoft.Management/managementGroups/{Y

ourMG}/providers/Microsoft.Blueprint/blueprints/{YourBlueprintName}/artifacts/roleCo

ntributor?api-version=2018-11-01-preview

Json Request body

{

"kind": "roleAssignment",

"properties": {

"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",

"principalIds": "[parameters('contributors')]"

}

}

In the above example, request body defines the kind of artifact “roleAssignment”.. In the example

below, role is configured to a parameter that is set during blueprint assignment. This example uses the

Contributor built-in role with a GUID of b24988ac-6180-42a0-ab88-20f7382dd24c.

After the rest api call, we get the below output in portal.


Page 28

Policy Assignment Using REST API URI

The first step in enforcing compliance with Azure Policy is to assign a policy definition. A policy definition

defines under what condition a policy is enforced and what effect to take. more detailed information

at https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage.

An artifact is needed that will hold the Policy Assignment.We will create the artifact in the next step.

Now we will add policy assignment for Storage tag (reusing storageAccountType parameter which is

defined in blueprint defination). Thus we can see that a parameter defined on the blueprint is usable by

more than one artifact(for now I am using one artifact in this example). In the example,

the storageAccountType is used to set a tag on the resource group. This value provides information

about the storage account that is created in the next step. This example uses the Apply tag and its

default value to resource groups built-in policy with a GUID of 49c88fc8-6fd1-46fd-a676-f12d1d3a4c71.

• REST API URI


ourMG}/providers/Microsoft.Blueprint/blueprints/{Your Blueprint

Name}/artifacts/policyStorageTags?api-version=2018-11-01-preview

Json Request body for policyAssignment

https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage

https://management.azure.com/providers/Microsoft.Management/managementGroups/%7bYourMG%7d/providers/Microsoft.Blueprint/blueprints/%7bYour



Page 29

{

"kind": "policyAssignment",

"properties": {

"description": "Apply storage tag and the parameter also used by the template to resource groups",

"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71",

"parameters": {

"tagName": {

"value": "StorageType"

},

"tagValue": {

"value": "[parameters('storageAccountType')]"

}

}

}

}

Note:- that you can find the policyDefinitionId by going to the Policy definitions using the Azure Portal.



Page 30

Add ARM Template Artifact Using REST API URI

Blueprint artifacts for resources are not much different from ARM Templates. You can grab the same template and put it into an artifact.

We can create/update artifacts using REST APIs. For more details check https://docs.microsoft.com/en-us/rest/api/blueprints/artifacts/createorupdate#examples

• REST API URI



Name}/artifacts/templateStorage?api-version=2018-11-01-preview

Here we will use Azure Resource Manager Template which will include a Resource Group and a Storage under that resource group. The Request Body for a Resource Manager template includes the normal JSON component of the template and defines the target resource group with properties.resourceGroup.

Json Request body for policyAssignment

{

"kind": "template",

https://docs.microsoft.com/en-us/rest/api/blueprints/artifacts/createorupdate#examples

https://docs.microsoft.com/en-us/rest/api/blueprints/artifacts/createorupdate#examples




Page 31

"properties": {

"template": {

"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

"contentVersion": "1.0.0.0",

"parameters": {

"storageAccountTypeFromBP": {

"type": "string",

"defaultValue": "Standard_LRS",

"allowedValues": [

"Standard_LRS",

"Standard_GRS",

"Standard_ZRS",

"Premium_LRS"

],

"metadata": {

"description": "Storage Account type"

}

},

"tagNameFromBP": {

"type": "string",

"defaultValue": "NotSet",

"metadata": {

"description": "Tag name from blueprint"

}

},

"tagValueFromBP": {

"type": "string",

"defaultValue": "NotSet",

"metadata": {

"description": "Tag value from blueprint"

}

}

},


Page 32

"variables": {

"storageAccountName": "[concat(uniquestring(resourceGroup().id), 'standardsa')]"

},

"resources": [{

"type": "Microsoft.Storage/storageAccounts",

"name": "[variables('storageAccountName')]",

"apiVersion": "2016-01-01",

"tags": {

"[parameters('tagNameFromBP')]": "[parameters('tagValueFromBP')]"

},

"location": "[resourceGroups('storageRG').location]",

"sku": {

"name": "[parameters('storageAccountTypeFromBP')]"

},

"kind": "Storage",

"properties": {}

}],

"outputs": {

"storageAccountSku": {

"type": "string",

"value": "[variables('storageAccountName')]"

}

}

},

"resourceGroup": "storageRG",

"parameters": {

"storageAccountTypeFromBP": {

"value": "[parameters('storageAccountType')]"

},

"tagNameFromBP": {

"value": "[parameters('tagName')]"

},

"tagValueFromBP": {


Page 33

"value": "[parameters('tagValue')]"

}

}

}

}


Publishing a Blueprint REST API URI

Now that the artifacts have been added to the blueprint, it's time to publish it. Publishing makes it

available to assign to a subscription.

• REST API URI



Name}/versions/{BlueprintVersion}?api-version=2018-11-01-preview


Page 34

After the rest api call, we get the below output in portal.The blueprint “simpleBlueprint” got published

with version “V1”.

Assigning the Blueprint to a Scope

The last step in the process is assigning the Blueprint to a scope. Assign the Blueprint to a Subscription

within the Management Group. This is when we will populate the parameters as defined in the blueprint

definition. And this is exactly the place where you want to manage your parameters.

Conclusion Azure Blueprint has got lot of potential to enhance DevOps process by speeding up new environment

setups. It includes ARM and policies to start with. We expect Blueprint to include lot more Azure

artifacts and services to spun up new infrastructure, Kubernetes clusters.

Azure Blueprint · 2020. 9. 18. · Azure Blueprint - create consistent and repeatable environments Page 3 Overview Azure blueprint is a new feature which allows organizations to

Documents