Create an environment from a blueprint sample
Create blueprint definition from sample
First, implement the blueprint sample. Importing creates a new blueprint in your environment based on the sample.
- Select All services in the left pane. Search for and select Blueprints.
- From the Getting started page on the left, select the Create button under Create a blueprint.
- Find the Resource Groups with RBAC blueprint sample under Other Samples and select it.
- Enter the Basics of the blueprint sample:
- Blueprint name: Provide a name for your copy of the blueprint sample. For this tutorial, we’ll use the name two-rgs-with-role-assignments.
- Definition location: Use the ellipsis and select the management group or subscription to save your copy of the sample to.
- Select the Artifacts tab at the top of the page or Next: Artifacts at the bottom of the page.
- Review the list of artifacts that make up the blueprint sample. This sample defines two resource groups, with display names of ProdRG and PreProdRG. The final name and location of each resource group are set during blueprint assignment. The ProdRG resource group is assigned the Contributor role and the PreProdRG resource group is assigned the Owner and Readers roles. The roles assigned in the definition are static, but user, app, or group that is assigned the role is set during blueprint assignment.
- Select Save Draft when you’ve finished reviewing the blueprint sample.
This step creates a copy of the sample blueprint definition in the selected management group or subscription. The saved blueprint definition is managed like any blueprint created from scratch. You may save the sample to your management group or subscription as many times as needed. However, each copy must be provided a unique name.
Once the Saving blueprint definition succeeded portal notification appears, move to the next step.
Publish the sample copy
Your copy of the blueprint sample has now been created in your environment. It’s created in Draft mode and must be Published before it can be assigned and deployed. The copy of the blueprint sample can be customized to your environment and needs. For this tutorial, we won’t make any changes.
- Select All services in the left pane. Search for and select Blueprints.
- Select the Blueprint definitions page on the left. Use the filters to find the two-rgs-with-role-assignments blueprint definition and then select it.
- Select Publish blueprint at the top of the page. In the new pane on the right, provide Version as 1.0 for your copy of the blueprint sample. This property is useful for if you make a modification later. Provide Change notes such as “First version published from the resource groups with RBAC blueprint sample.” Then select Publish at the bottom of the page.
This step makes it possible to assign the blueprint to a subscription. Once published, changes can still be made. Additional changes require publishing with a new Version value to track differences between different versions of the same blueprint definition.
Once the Publishing blueprint definition succeeded portal notification appears, move to the next step.
Assign the sample copy
Once the copy of the blueprint sample has been successfully Published, it can be assigned to a subscription within the management group it was saved to. This step is where parameters are provided to make each deployment of the copy of the blueprint sample unique.
- Select All services in the left pane. Search for and select Blueprints.
- Select the Blueprint definitions page on the left. Use the filters to find the two-rgs-with-role-assignments blueprint definition and then select it.
- Select Assign blueprint at the top of the blueprint definition page.
- Provide the parameter values for the blueprint assignment:
- Basics
- Subscriptions: Select one or more of the subscriptions that are in the management group you saved your copy of the blueprint sample to. If you select more than one subscription, an assignment will be created for each using the parameters entered.
- Assignment name: The name is pre-populated for you based on the name of the blueprint definition.
- Location: Select a region for the managed identity to be created in. Azure Blueprints uses this managed identity to deploy all artifacts in the assigned blueprint.
- Blueprint definition version: Pick the Published version 1.0 of your copy of the sample blueprint definition.
- Lock AssignmentSelect the Read Only blueprint lock mode. Managed Identity
- Leave the default System assigned option.
- Artifact parametersThe parameters defined in this section apply to the artifact under which it’s defined. These parameters are dynamic parameters since they’re defined during the assignment of the blueprint. For each artifact, set the parameter value to what is defined in the Value column. ForÂ
{Your ID}
, select your Azure user account.Artifact name Artifact type Parameter name Value Description ProdRG resource group Resource group Name ProductionRG Defines the name of the first resource group. ProdRG resource group Resource group Location West US 2 Sets the location of the first resource group. Contributor Role assignment User or Group {Your ID} Defines which user or group to grant the Contributor role assignment within the first resource group. PreProdRG resource group Resource group Name PreProductionRG Defines the name of the second resource group. PreProdRG resource group Resource group Location West US Sets the location of the second resource group. Owner Role assignment User or Group {Your ID} Defines which user or group to grant the Owner role assignment within the second resource group. Readers Role assignment User or Group {Your ID} Defines which user or group to grant the Readers role assignment within the second resource group.
- Basics
- Once all parameters have been entered, select Assign at the bottom of the page.
This step deploys the defined resources and configures the selected Lock Assignment. Blueprint locks can take up to 30 minutes to apply.
Once the Assigning blueprint definition succeeded portal notification appears, move to the next step.
Inspect resources deployed by the assignment
The blueprint assignment creates and tracks the artifacts defined in the blueprint definition. We can see the status of the resources from the blueprint assignment page and by looking at the resources directly.
- Select All services in the left pane. Search for and select Blueprints.
- Select the Assigned blueprints page on the left. Use the filters to find the Assignment-two-rgs-with-role-assignments blueprint assignment and then select it.From this page, we can see the assignment succeeded and the list of created resources along with their blueprint lock state. If the assignment is updated, the Assignment operation dropdown list shows details about the deployment of each definition version. Each listed resource that was created can be selected and opens that resources property page.
- Select the ProductionRG resource group.We see that the name of the resource group is ProductionRG and not the artifact display name ProdRG. This name matches the value set during the blueprint assignment.
- Select the Access control (IAM) page on the left and then the Role assignments tab.Here we see that your account has been granted the Contributor role on the scope of This resource. The Assignment-two-rgs-with-role-assignments blueprint assignment has the Owner role as it was used to create the resource group. These permissions are also used to manage resources with configured blueprint locks.
- From the Azure portal breadcrumb, select Assignment-two-rgs-with-role-assignments to go back one page, then select the PreProductionRG resource group.
- Select the Access control (IAM) page on the left and then the Role assignments tab.Here we see that your account has been granted both the Owner and Reader roles, both on the scope of This resource. The blueprint assignment also has the Owner role like the first resource group.
- Select the Deny assignments tab.The blueprint assignment created a deny assignment on the deployed resource group to enforce the Read Only blueprint lock mode. The deny assignment prevents someone with appropriate rights on the Role assignments tab from taking specific actions. The deny assignment affects All principals.
- Select the deny assignment, then select the Denied Permissions page on the left.The deny assignment is preventing all operations with the * and Action configuration, but allows read access by excluding */read via NotActions.
- From the Azure portal breadcrumb, select PreProductionRG – Access control (IAM). Then select the Overview page on the left and then the Delete resource group button. Enter the name PreProductionRG to confirm the delete and select Delete at the bottom of the pane.The portal notification Delete resource group PreProductionRG failed is displayed. The error states that while your account has permission to delete the resource group, access is denied by the blueprint assignment. Remember that we selected the Read Only blueprint lock mode during blueprint assignment. The blueprint lock prevents an account with permission, even Owner, from deleting the resource.
These steps show that our resources were created as defined and the blueprint locks prevented unwanted deletion, even from an account with permission.
Unassign the blueprint
The last step is to remove the assignment of the blueprint and the resources that it deployed. Removing the assignment doesn’t remove the deployed artifacts.
- Select All services in the left pane. Search for and select Blueprints.
- Select the Assigned blueprints page on the left. Use the filters to find the Assignment-two-rgs-with-role-assignments blueprint assignment and then select it.
- Select the Unassign blueprint button at the top of the page. Read the warning in the confirmation dialog, then select OK.With the blueprint assignment removed, the blueprint locks are also removed. The created resources can once again be deleted by an account with permissions.
- Select Resource groups from the Azure menu, then select ProductionRG.
- Select the Access control (IAM) page on the left and then the Role assignments tab.
The security for each resource group still has the deployed role assignments, but the blueprint assignment no longer has Owner access.
Once the Removing blueprint assignment succeeded portal notification appears, move to the next step.
Tag:Azure