In this post, we are going to have a look at one of the latest offerings of Azure, called Azure Blueprint. Azure Blueprint helps to fully govern cloud environments in a repeatable manner.
Overview of Azure Blueprint
As the name says, Azure Blueprint enables cloud solution architects to define a set of rules that compose a set of Azure cloud resources in a repeatable manner, adhering to the organization's rules, requirements, patterns, and policies. This gives the development or cloud infrastructure team of an organization confidence when they go for speedy, repeatable cloud deployment and delivery.
An Azure Blueprint is an aggregation of one or more of the following four components in Azure; they are called “Artifacts” in Azure Blueprint terms.
- Resource Groups
- Role Assignments
- Policy Assignments
- Azure Resource Manager Templates
Azure Blueprint is dynamic in nature: artifact values such as the principal of a role assignment can be parameterized and given a different value in each Azure Blueprint assignment. Azure Blueprints also supports a locking mechanism to lock the resources that are created as a part of a Blueprint assignment.
How does this differ from ARM Templates or Azure Policies?
An ARM Template deploys one or more resources, interdependent or independent, into a given Azure subscription, while Azure Policies enforce restrictions in a subscription or a resource group. Azure Blueprint is an aggregation of both ARM Templates and Policies, with the difference that Azure keeps the relationship between the blueprint assignment and the resources it deployed, which is what makes the locking and the assignment tracking described later possible. An Azure Blueprint can be defined either in an Azure Management Group or in an Azure Subscription. Once defined in an Azure Management Group, which is an aggregation of one or more Azure Subscriptions, the Blueprint can be assigned to one or more subscriptions under that management group.
The lifecycle of an Azure Blueprint
An Azure Blueprint goes through several stages in its lifecycle. The lifecycle starts with the definition of an Azure Blueprint, on either an Azure Management group or an Azure subscription.
The first stage is creating a blueprint definition. As mentioned earlier, a blueprint definition may contain ARM templates, role assignments, policy assignments, and resource group definitions.
To create a new Blueprint definition:
1: Go to the Blueprints blade in the Azure portal
2: Click the “Create” button under the “Create a blueprint” section
3: This launches the “Create Blueprint” wizard, from where you can either start with a blank blueprint and write your own definition, or clone one of the blueprint definition samples that are already available.
Microsoft already provides a list of industry-specific blueprint samples for you to clone (e.g. IRS 1075, ISO 27001).
By choosing “Start with a blank blueprint”, the wizard moves to the “Basics” page for the creation of a new blueprint definition, where you need to provide a name, a description, and the location where the blueprint definition is to be stored. For the definition location you can choose any subscription or any management group. Once defined in a location, the blueprint definition is only available in that location. This is a tricky part to remember: if you define a blueprint in a subscription there is no problem, but if you define it in a management group, it is only available for assignment when that management group is selected as the scope; it is not available in its child management groups.
Clicking “Next: Artifacts” takes you to the page where you define the artifacts of the blueprint. As artifacts you can add ARM templates, role assignments, policy assignments, and resource group definitions. With ARM templates you should be aware whether a template is a subscription-level template or a resource group template, and position it at the correct level. For a resource group template, create the resource group artifact first and position the ARM template artifact under it. The same applies to role assignments and policy assignments: placed under a resource group artifact they are scoped to that resource group, placed at the top level they are scoped to the whole subscription. In my example the ARM template artifact is a resource group template, so it is placed under the resource group named “Name of Resource Group”, which will be created as a part of the blueprint assignment later. When you add an artifact, you can decide to parameterize its values so that they are provided later, when the blueprint assignment happens. Once done, press the “Save Draft” button to save the definition as a draft. Later, when you go to the Blueprint definitions blade and select the scope, this definition is shown as an unpublished blueprint definition.
Click the draft blueprint definition and you will be taken to the draft blueprint definition page, where you can either make further modifications to the blueprint, publish it, or delete it. Publishing a blueprint definition makes it eligible for assignment in the subscription in which it was defined, or in the subscriptions under the management group in which it was defined. When publishing you must provide a version for the blueprint; change notes are optional.
After publishing a blueprint, it is still possible to make changes to the blueprint definition and republish it, as a new version, with those changes.
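The placement rule above (resource group templates under a resource group artifact, subscription templates at the top level, blueprint parameters declared before an artifact references them) is easy to get wrong when a definition is authored as files instead of in the portal. The following is an added example of my own, not code from this post or from Microsoft: it composes a definition in memory, checks every artifact as it is added, and emits the blueprint.json / artifacts/*.json layout that the Az.Blueprint cmdlet Import-AzBlueprintWithArtifact reads from disk. The property names follow the Blueprints REST API as I know it, and the sample template, names and role/policy definition GUIDs are constructed; treat all of them as assumptions to verify against your tenant.

```python
import json
import re

# An ARM template's $schema URL says which scope it deploys to.
SUBSCRIPTION_SCHEMA = "subscriptionDeploymentTemplate.json"
RESOURCE_GROUP_SCHEMA = "/deploymentTemplate.json#"
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")


def template_scope(template):
    """Return 'subscription' or 'resourceGroup' from the template's $schema."""
    schema = template.get("$schema", "")
    if SUBSCRIPTION_SCHEMA in schema:
        return "subscription"
    if schema.endswith(RESOURCE_GROUP_SCHEMA):
        return "resourceGroup"
    raise ValueError(f"not a subscription or resource group template: {schema!r}")


def placement_error(template, resource_group):
    """None when the template sits at the right level, otherwise the reason."""
    scope = template_scope(template)
    if scope == "resourceGroup" and resource_group is None:
        return "resource group template must be placed under a resource group artifact"
    if scope == "subscription" and resource_group is not None:
        return "subscription template cannot be placed under a resource group artifact"
    return None


class BlueprintDefinition:
    def __init__(self, description, target_scope="subscription"):
        self.props = {"targetScope": target_scope, "description": description,
                      "parameters": {}, "resourceGroups": {}}
        self.artifacts = {}

    def add_parameter(self, name, type_, display_name, default=None):
        spec = {"type": type_, "metadata": {"displayName": display_name}}
        if default is not None:
            spec["defaultValue"] = default  # may then be omitted at assignment time
        self.props["parameters"][name] = spec

    def add_resource_group(self, placeholder):
        self.props["resourceGroups"][placeholder] = {}  # name/location asked at assignment

    def add_artifact(self, name, kind, body, resource_group=None):
        if resource_group is not None:
            if resource_group not in self.props["resourceGroups"]:
                raise ValueError(f"{name}: no resource group artifact '{resource_group}'")
            body["resourceGroup"] = resource_group
        # [parameters('x')] outside a template body is a blueprint parameter and must
        # be declared; inside the template body it is the template's own parameter.
        outside = {k: v for k, v in body.items() if k != "template"}
        for ref in PARAM_REF.findall(json.dumps(outside)):
            if ref not in self.props["parameters"]:
                raise ValueError(f"{name}: undeclared blueprint parameter '{ref}'")
        self.artifacts[name] = {"kind": kind, "properties": body}

    def add_template(self, name, template, parameters, resource_group=None):
        err = placement_error(template, resource_group)
        if err:
            raise ValueError(f"{name}: {err}")
        self.add_artifact(name, "template", {"template": template, "parameters": parameters},
                          resource_group)

    def files(self):
        # Relative path -> JSON text, in the layout the import cmdlet reads from disk.
        out = {"blueprint.json": json.dumps({"properties": self.props}, indent=2)}
        for name, artifact in self.artifacts.items():
            out[f"artifacts/{name}.json"] = json.dumps(artifact, indent=2)
        return out


# Constructed sample: a resource group holding a storage account and a Reader role
# assignment, plus a subscription-wide "Allowed locations" policy. GUIDs are the
# built-in role/policy definitions as I recall them; verify them in your tenant.
RG_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"storageAccountType": {"type": "string"}},
    "resources": [{"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01",
                   "name": "[concat('st', uniqueString(resourceGroup().id))]",
                   "location": "[resourceGroup().location]", "kind": "StorageV2",
                   "sku": {"name": "[parameters('storageAccountType')]"}}],
}
READER_ROLE = "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
ALLOWED_LOCATIONS = "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"


def build_demo():
    bp = BlueprintDefinition("Baseline subscription (constructed example)")
    bp.add_parameter("storageAccountType", "string", "Storage SKU", default="Standard_LRS")
    bp.add_parameter("readerPrincipalId", "string", "Object ID to grant Reader")
    bp.add_resource_group("baselineRg")
    bp.add_template("storage", RG_TEMPLATE,
                    {"storageAccountType": {"value": "[parameters('storageAccountType')]"}},
                    resource_group="baselineRg")
    bp.add_artifact("reader", "roleAssignment", {"roleDefinitionId": READER_ROLE,
                    "principalIds": "[parameters('readerPrincipalId')]"}, resource_group="baselineRg")
    bp.add_artifact("allowedLocations", "policyAssignment", {"policyDefinitionId": ALLOWED_LOCATIONS,
                    "parameters": {"listOfAllowedLocations": {"value": ["westeurope"]}}})
    return bp
```

Write the dictionary returned by `files()` to a folder and point Import-AzBlueprintWithArtifact at it, then Publish-AzBlueprint with a version string; a resource group template added without `resource_group`, or an artifact referencing a parameter you forgot to declare, is rejected here rather than at publish or assignment time.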
Once published, a blueprint definition becomes eligible for assignment, which is the actual deployment of the artifacts defined in the blueprint definition to the Azure subscriptions that come under the blueprint definition scope. To assign a blueprint:
1: Go to the Blueprint Definition blade.
2: Choose the scope in which you need to assign the blueprint
3: Select the blueprint definition, which will open the blueprint details blade.
4: Click “Assign Blueprint” to assign it.
You have to provide basic information such as the assignment name, the subscription(s) in which the blueprint needs to be assigned, the assignment lock (discussed later in this post), and a location. This location is not the resource deployment location defined in the ARM template or the resource group location, but the location of the blueprint assignment itself. You also have to provide the artifact parameters for the blueprint deployment.
When you press the “Assign” button, the blueprint assignment is set to the “waiting” state; in this state the Azure Blueprints service principal is granted the “Owner” role on the target subscription(s). It then moves to the “deploying” state, in which Azure deploys the artifacts in order. If there are any policy violations or resource parameter violations, Azure stops the assignment and sets the state to “Failed”; otherwise, once everything is deployed properly, the state of the assignment becomes “Succeeded”. You can track these states in the Azure Blueprint assignment tracker. Keep in mind that Owner is the highest built-in role on a subscription and the Blueprints identity holds it for the life of the assignment, so its role assignment and activity are worth reviewing like any other privileged identity.
Update the assignment
Once a blueprint is assigned successfully, you can modify the blueprint assignment if you need any changes to it. If the assignment failed because of a parameter validation error (e.g. providing “sa” as the value for the Azure SQL administrator login), you can use this update assignment feature to correct it as well. Also, if you have an assignment with a lock and want to remove the lock, you can update the assignment with the “Don’t lock” option.
Unassignment of the blueprint only removes the assignment record and does not remove any artifacts that were deployed as a part of the blueprint assignment. If you have an assignment lock and decide to remove an artifact that was deployed as a part of the assignment, you have to unassign the blueprint first before you proceed.
Assignment locks
This is a safety feature in Azure Blueprints to prevent resources deployed as a part of a blueprint assignment from being deleted or modified, intentionally or unintentionally. It is not an Azure Policy: the lock is implemented as an Azure RBAC deny assignment that Azure Blueprints creates on the deployed resources, which is why even someone with the Owner role is not allowed to perform the removal or modification. There are three options under assignment lock:
- Don’t lock – no lock is applied; you can modify or delete the resources after the assignment succeeds, from the Azure portal or any other tool
- Do not delete – does not allow removal of the resources, role assignments or policy assignments created as a part of the blueprint assignment; modifying them is still allowed
- Read only – makes the resources read-only; neither modification nor deletion is allowed after the assignment
So, if you want to remove or modify a locked resource, the blueprint assignment needs to be either updated to have no lock (“Don’t lock”) or unassigned.
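To make the assignment and lock behaviour concrete, here is an added example of mine, not code from this post: it builds the JSON body a blueprint assignment is created with, pre-flights it against the definition so the parameter problems described above (a missing value, the reserved “sa” SQL login) surface before the assignment ever reaches the “Failed” state, maps the three portal lock options to the locks.mode values of the REST API, and produces the update body that drops the lock again. The definition, blueprint ID and reserved-login list are constructed, and the field names follow the Blueprints REST API as I recall it; verify them against the current docs before relying on them.

```python
import copy

# Portal lock option -> locks.mode of the assignment body (REST field names assumed).
LOCK_MODES = {"Don't lock": "None",
              "Do not delete": "AllResourcesDoNotDelete",
              "Read only": "AllResourcesReadOnly"}
# Which operations each mode refuses, even to subscription Owners.
BLOCKED = {"None": set(), "AllResourcesDoNotDelete": {"delete"},
           "AllResourcesReadOnly": {"write", "delete"}}
# Logins Azure SQL rejects as administratorLogin, as I recall the list from the
# Azure SQL docs; the post's "sa" is one of them.
RESERVED_SQL_LOGINS = {"admin", "administrator", "sa", "root", "dbmanager",
                       "loginmanager", "dbo", "guest", "public"}


def is_blocked(lock_mode, action):
    """True when a lock of this mode refuses the action ('write' or 'delete')."""
    return action in BLOCKED[lock_mode]


def assignment_errors(definition, lock, parameters, resource_groups, sql_login_parameters=()):
    """What the Blueprints service would reject, found before the call is made."""
    props = definition["properties"]
    errors = []
    if lock not in LOCK_MODES:
        errors.append(f"unknown lock option {lock!r}")
    for name, spec in props["parameters"].items():
        if name not in parameters and "defaultValue" not in spec:
            errors.append(f"no value for blueprint parameter '{name}'")
    for name in parameters:
        if name not in props["parameters"]:
            errors.append(f"parameter '{name}' is not declared by the definition")
    for placeholder in props["resourceGroups"]:
        if not {"name", "location"} <= set(resource_groups.get(placeholder, {})):
            errors.append(f"resource group placeholder '{placeholder}' needs a name and location")
    for name in sql_login_parameters:
        if str(parameters.get(name, "")).lower() in RESERVED_SQL_LOGINS:
            errors.append(f"'{parameters[name]}' is a reserved SQL login; assignment would end as Failed")
    return errors


def build_assignment(definition, blueprint_id, location, lock, parameters,
                     resource_groups, sql_login_parameters=()):
    """Body for PUT .../Microsoft.Blueprint/blueprintAssignments/{name}; raises instead of letting Azure fail."""
    errors = assignment_errors(definition, lock, parameters, resource_groups, sql_login_parameters)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "identity": {"type": "SystemAssigned"},  # the identity that is granted Owner
        "location": location,                     # the assignment's location, not the resources'
        "properties": {
            "blueprintId": blueprint_id,          # the published version being assigned
            "locks": {"mode": LOCK_MODES[lock]},
            "parameters": {k: {"value": v} for k, v in parameters.items()},
            "resourceGroups": resource_groups,
        },
    }


def unlock(assignment):
    """Update body that drops the lock (the post's 'Don't lock' update) before cleanup."""
    updated = copy.deepcopy(assignment)
    updated["properties"]["locks"] = {"mode": "None"}
    return updated


# Constructed definition, shaped like blueprint.json after publishing.
DEMO_DEFINITION = {"properties": {
    "parameters": {"storageAccountType": {"type": "string", "defaultValue": "Standard_LRS"},
                   "sqlAdminLogin": {"type": "string"}},
    "resourceGroups": {"baselineRg": {}}}}
# ID of a published version under a management group (group and names made up).
BLUEPRINT_ID = ("/providers/Microsoft.Management/managementGroups/mg-demo"
                "/providers/Microsoft.Blueprint/blueprints/baseline/versions/1.0")


def demo_assignment():
    return build_assignment(DEMO_DEFINITION, BLUEPRINT_ID, "westeurope", "Read only",
                            {"sqlAdminLogin": "dbadmin"},
                            {"baselineRg": {"name": "rg-baseline", "location": "westeurope"}},
                            sql_login_parameters=("sqlAdminLogin",))
```

The same checks apply to an update: run `assignment_errors` on the corrected values, then send the body from `unlock` (or a fresh `build_assignment` with the new lock choice) as the update; only after the lock is gone will a delete of one of the deployed resources get past the deny assignment.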
We have had an overview of Azure Blueprint and how it helps cloud architects compose a complex, large-scale cloud deployment into a single entity and helps developers deliver the product, as well as a technical dive into the creation of a blueprint definition and a blueprint assignment. We also had a brief discussion of what assignment locks are.
I hope you find this helpful. Feel free to reach out to me via Twitter. I am working on a product called “KloudSifu”, which helps organizations better adopt Azure and manage deployments using Blueprints and Management groups; e-mail firstname.lastname@example.org to learn more about the product and schedule a demo.