Portal intro to RBAC
- Show subscription and established roles (1 owner, 1 reader)
- Log in as reader and attempt to create something
- Update reader to Restart VM (custom role) and show result
Automation
Create custom role with Azure CLI, two samples in the repo:
Read / Write Container Instances:
az role definition create --role-definition container-instances-all.json
Assign custom role with Azure CLI
az role assignment create --role "Container Instances Read / Write" --assignee [email protected]
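The two commands above as one pre-flight-checked flow; this is an added example, not the repo's container-instances-all.json or its scripts. The action list, the wildcard and root-scope checks, and the choice of resource-group scope are assumptions, and the subscription ID, resource group and assignee are supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example: names, scopes and IDs below are placeholders/assumptions.

# Write a least-privilege role definition for the given subscription ID.
write_role_definition() {  # usage: write_role_definition SUB_ID OUTFILE
  cat > "$2" <<EOF
{
  "Name": "Container Instances Read / Write",
  "IsCustom": true,
  "Description": "Read and write container groups only (constructed sample).",
  "Actions": [
    "Microsoft.ContainerInstance/containerGroups/read",
    "Microsoft.ContainerInstance/containerGroups/write"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/$1"]
}
EOF
}

# Refuse definitions that grant every action ("*") or are assignable at root ("/").
check_role_definition() {  # usage: check_role_definition FILE
  if grep -q '"\*"' "$1"; then
    echo "refusing: bare \"*\" action in $1" >&2; return 1
  fi
  if grep -q '"/"' "$1"; then
    echo "refusing: root \"/\" assignable scope in $1" >&2; return 1
  fi
}

# Create the role, then assign it at resource-group scope, not subscription scope.
create_and_assign() {  # usage: create_and_assign SUB_ID RESOURCE_GROUP ASSIGNEE
  local def; def=$(mktemp) || return 1
  write_role_definition "$1" "$def"
  check_role_definition "$def" || return 1
  az role definition create --role-definition "$def" &&
    az role assignment create --role "Container Instances Read / Write" \
      --assignee "$3" --scope "/subscriptions/$1/resourceGroups/$2"
}

# Runs only when all three arguments are supplied.
if [ $# -ge 3 ]; then create_and_assign "$@"; fi
```

Without `--scope`, `az role assignment create` assigns at the subscription level, which is broader than a single demo resource group needs.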
Portal intro to Policy
Manually create a policy (audit resource group location) to demo the portal and a built-in policy.
Automation
Create policy with Azure CLI, three samples in the repo:
Deny: Enforce naming by resource type
sh ./policyEnforceName.sh
Deny: Enforce resource tag
sh ./policyTagDeny.sh
pwsh ./policy/tag-deny/policyTagDeny.ps1 -ResourceGroupName DemoTagDenyPolicy -PolicyName DemoTagDenyPolicy -Location eastus
Append: resource tag
sh ./policyTagAppend.sh
pwsh ./policy/tag-append/policyTagAppend.ps1 -ResourceGroupName DemoTagAppendPolicy -PolicyName DemoTagAppendPolicy -Location eastus
Initiative:
TODO - add CLI example for initiative.
Manual Demo
Create a blueprint consisting of two of the above policies, a resource group, and a Resource Manager template.
Automation
Currently no PowerShell or CLI support for Blueprints. I've included PowerShell scripts to demo the REST interface; they are rough. I've also configured an Azure DevOps pipeline to demonstrate CI/CD. If you would like access, let me know.
REST Demo
Create and Publish:
pwsh ./CreateUpdateBlueprint.ps1
Assign:
pwsh ./AssignBlueprint.ps1
Azure DevOps and Blueprints
Test Deployment:
Manual script execution
pwsh CreateUpdateBlueprint.ps1 -TenantID $(az keyvault secret show --name AzureTenantID --vault-name nepeterskv007 --query value -o tsv) -ClientID $(az keyvault secret show --name AzureClientID --vault-name nepeterskv007 --query value -o tsv) -ClientSecret $(az keyvault secret show --name AzureClientSecret --vault-name nepeterskv007 --query value -o tsv) -SubscriptionId $(az keyvault secret show --name AzureSubscriptionID --vault-name nepeterskv007 --query value -o tsv) -Blueprint blueprint-body.json -ManagementGroup nepeters-internal -BlueprintName DevOpsBluePrint -Artifacts ./artifacts
pwsh AssignBlueprint.ps1 -TenantID $(az keyvault secret show --name AzureTenantID --vault-name nepeterskv007 --query value -o tsv) -ClientID $(az keyvault secret show --name AzureClientID --vault-name nepeterskv007 --query value -o tsv) -ClientSecret $(az keyvault secret show --name AzureClientSecret --vault-name nepeterskv007 --query value -o tsv) -SubscriptionId $(az keyvault secret show --name AzureSubscriptionID --vault-name nepeterskv007 --query value -o tsv) -Blueprint assign-blueprint-body.json -ManagementGroup nepeters-internal -BlueprintName DevOpsBluePrint