Day[65/100] #100DaysOfCloud – Jonnychipz – Enterprise Scale – Landing Zone OpenHack – Day 2

Ok, so feet first into Day 2 of the Open Hack around Enterprise Scale Landing Zones.

Today was all centred around Azure Policy Definition and Assignments as well as a really interesting point and demo around AzOps.

Azure Policy

Today we picked up from where we left off, first of all we needed to make sure our account had the relevant permisisons to create and manage ‘Management Groups’ at root:

upn=$(az ad signed-in-user show --query userPrincipalName --output tsv)
 az role assignment create --assignee $upn --role "User Access Administrator" --scope "/"
 az role assignment create --assignee $upn --role "Contributor" --scope "/"

Then created our Management Group Structure for our Fictitious Company:

From here we had a little look over which Policies would suit our requirements, like I said in the previous post, I am not going to share the content of the actual company albeit fictitious to cover showing anything I shouldn’t be!

So, we have two options when it comes to Policy Definitions, Built in, or Custom.

We can quickly filter and search for specific policies directly in the portal:

And we also have some key resources to help us find the definitions we might need to provide our Guard Rails:

So we deployed our first custom policy Definition for controlling access to specific VM SKU’s:

{
  "properties": {
    "displayName": "Deny VM SKUS",
    "policyType": "Custom",
    "mode": "Indexed",
    "metadata": {
      "version": "1.0.1",
      "category": "Compute",
      "createdBy": "2f7ce367-49ab-4f84-ab18-0f4309ae0c44",
      "createdOn": "2020-11-11T12:43:33.503573Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "listOfDeniedSKUs": {
        "type": "Array",
        "metadata": {
          "displayName": "Denied Size SKUs",
          "description": "The list of size SKUs that are denied for virtual machines.",
          "strongType": "VMSKUs"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/sku.name",
            "in": "[parameters('listOfDeniedSKUs')]"
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/AB/providers/Microsoft.Authorization/policyDefinitions/16979827-0035-41df-a602-33d1757041f6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "16979827-0035-41df-a602-33d1757041f6"
}

Then we created our Assignment file:

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "input": {
      "value": {
        "Identity": null,
        "Location": null,
        "Name": "14d5474432b74b55b63acd5f",
        "PolicyAssignmentId": "/providers/Microsoft.Management/managementGroups/AB/providers/Microsoft.Authorization/policyAssignments/14d5474432b74b55b63acd5f",
        "Properties": {
          "Description": "No M-Series or LS-Series VMs can be deployed",
          "DisplayName": "Deny VM SKUS",
          "NotScopes": [
            "/providers/Microsoft.Management/managementGroups/AB-LZ-Prod-London",
            "/providers/Microsoft.Management/managementGroups/AB-LZ-Prod-NewYork"
          ],
          "Parameters": {
            "listOfDeniedSKUs": {
              "value": [
                "standard_m128",
                "standard_m128-32ms",
                "standard_m128-64ms",
                "standard_m128m",
                "standard_m128ms",
                "standard_m128s",
                "standard_m16-4ms",
                "standard_m16-8ms",
                "standard_m16ms",
                "standard_m208ms_v2",
                "standard_m208s_v2",
                "standard_m32-16ms",
                "standard_m32-8ms",
                "standard_m32ls",
                "standard_m32ms",
                "standard_m32ts",
                "standard_m416-208ms_v2",
                "standard_m416-208s_v2",
                "standard_m416ms_v2",
                "standard_m416s_v2",
                "standard_m64",
                "standard_m64-16ms",
                "standard_m64-32ms",
                "standard_m64ls",
                "standard_m64m",
                "standard_m64ms",
                "standard_m64s",
                "standard_m8-2ms",
                "standard_m8-4ms",
                "standard_m8ms"
              ]
            }
          },
          "PolicyDefinitionId": "/providers/Microsoft.Management/managementGroups/AB/providers/Microsoft.Authorization/policyDefinitions/16979827-0035-41df-a602-33d1757041f6",
          "Scope": "/providers/Microsoft.Management/managementGroups/AB"
        },
        "ResourceId": "/providers/Microsoft.Management/managementGroups/AB/providers/Microsoft.Authorization/policyAssignments/14d5474432b74b55b63acd5f",
        "ResourceName": "14d5474432b74b55b63acd5f",
        "ResourceType": "Microsoft.Authorization/policyAssignments",
        "Sku": {
          "name": "A0",
          "tier": "Free"
        }
      }
    }
  }
}

There we have it, our first custom policy.

Some key take away for me were around making sure you look at Built In policy before trying to move to Custom, and also looking to utilise the Community / ES and Built in repos on Github to find a policy that closely matches before you modify.

Also, the ‘DeployIfNotExist’ parameter enabled offer Policy a really interesting concept of being able to act as that fail safe. i.e. if you place configuration into IaC and deploy, the Policy can act as your backup if any option is missed. Clearly there could be some differing scenarios over this being a relied up on feature or something that might just act as backup.

Later in the day a new concept was introduced……

AzOps……?!?

So, in summary……

  • The ability to connect your GitHub account to your Azure Tenant
  • Discover and report back all management group structure as an AzOps folder into your GitHub repo
  • Modify Policy definition and assignments in a new Branch
  • Create Pull Request into Main
  • Automatic Push back into your Azure Tenant.

SO basically, a DevOps Pipeline for Management Group, Policy Definition creation and assignment via GitHub! How cool is that!

We had a play!!!

Clones the Azure/EnterpriseScale GitHub repo into my own account:

Created my Azure Credentials Logon in my Github and ran the automated Pull request from my Azure Tenant:

Cloned it to my local machine for update in VSCode:

Saw that my AZ State was captured from the pull run in GutHub:

Created a new Branch and modified a policy:

Just added WooHoo2 to the description! (Very Crerative!)

Ran Git Commit and sync’d back to orgin (GitHub)

Then finally created a Pull Request to merge Branch2 into Main, which inturn triggers off an automated Push of the AZState into my Azure Tenant!!!

And there we have it, my first AzOps Enterprise Scale management of Policy definitions and Assignments!!!!

We finally ended the day with an awesome talk around Microsoft Cloud Adoption Framework and Enterprise Scale with knowledge that there are some great things comming in the pipeline related to the wider tech stack in Azure!!! #watchthisspace

I hope you have enjoyed this post, please reach out if you have any quesitons.

For all of these demos aka.ms/enterprisescale tutorials will be your friend:

100DaysOfCloud Overview

My Main ReadMe Page is all set up with a bit about me!

The guys at 100DaysofCloud have set up the GitHub repo to be cloned and also have a great repo containing ideas and areas to collaborate on: https://github.com/100DaysOfCloud/100DaysOfCloudIdeas

My Github Journey tracker can be found here: https://github.com/jonnychipz/100DaysOfCloud

Please Watch/Star my repo and feel free to comment of contribute to anything I push! I really look forward to hearing from anyone who is going to jump on the journey around the same time as me! Lets see where I get to in 100 days!

I would encourage others to jump on this journey, I’m not sure that I will be able to commit every day for 100 days, but as long as I can complete 100 days that will be great!

http://www.100daysofcloud.com

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s