A few readers asked how to deploy the compliant storage account described here as a Blueprint artifact, so they could share the template across teams in their environment.
This article walks you through it step by step with Azure Blueprints and provides the artifacts, so your job is mostly copy-and-paste.
TL;DR: if you already know how to deploy an Azure Blueprint, skip the article and grab the template here (https://github.com/azsec/scaf-azure-arm-templates/blob/master/StorageAccount/storage.blueprint.json).
Creating a new blueprint definition
- Step 1: Open the Blueprints page from this link https://portal.azure.com/#blade/Microsoft_Azure_Policy/BlueprintsMenuBlade/, go to Blueprint definitions and click Create blueprint.
- Step 2: On that page, click Start with blank blueprint.
- Step 3: Enter a blueprint name and a description. Under Definition location, select the subscription you want as the scope the blueprint will later be assigned to.
- Step 4: Click Next: Artifacts >>.
- Step 5: Click Add artifact. From the Artifact type dropdown, select Resource group, because you need a resource group for the storage account to live in.
- Step 6: Enter a display name for the resource group artifact, e.g. ResourceGroup. You can set default resource group tags here to align with your governance plan. Click Add when done.
- Step 7: Under the newly created resource group artifact, click Add artifact. Select Azure Resource Manager template from the Artifact type dropdown and enter a name for the template artifact, e.g. StorageAccount.
- Step 8: Copy the template code and paste it into the Template box, or download the file and import it. Be sure to review the default values of parameters such as centralLogWorkspaceId, subnetServiceEndpoint and alertActionGroupId: these are environment-specific resource IDs, so the defaults will not match your environment and must be replaced (or supplied at assignment time). Click Add when done.
- Step 9: Click Save Draft. Once the draft is saved you are redirected to the blueprint definition page. Click the new blueprint, then Publish blueprint.
- Step 10: Enter a version for the blueprint (e.g. 1.0) and change notes (used when you later update the blueprint).
Assigning Blueprint definition
Once the blueprint definition is published you can stay on the page and assign it.
- Step 1: Click Assign blueprint.
- Step 2: On the Assign blueprint page there are a number of fields to fill in; all are straightforward. Keep System assigned under Managed Identity, and make sure the signed-in account has enough privilege for Blueprints to create the temporary service principal used for the deployment (with a system-assigned identity, Azure Blueprints grants that identity the Owner role on the assigned subscription for the deployment, which is why the assigning account itself needs Owner rights there). All fields under Artifact parameters must be completed.
- Step 3: Once done, click Assign.
- Step 4: Go back to the Blueprints page and click Assigned blueprints in the left navigation. You should see your new assignment in the Waiting or Deploying state.
- Step 5: To follow progress, click on the assignment. Alternatively, open the resource group you specified in the assignment settings and look under Deployments.
- Step 6: Once everything is done, open the newly created resource group and check the storage account settings. You should also see an alert rule that was created and associated with the storage account.
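The two procedures above (building the definition, then assigning it), expressed as the JSON objects the portal builds behind each step. This is an added example and is not part of the original article or of the azsec repository. The cut-down ARM template, the tag and resource names, the subscription ID and the placeholder-detection heuristic are all constructed for the example; the object shapes follow the Microsoft.Blueprint/blueprints, blueprints/artifacts and blueprintAssignments resource types. What it adds to the clicks is a check: template parameters that are environment-specific (the centralLogWorkspaceId, subnetServiceEndpoint and alertActionGroupId defaults from step 8) are promoted to blueprint parameters, and an assignment that does not supply all of them is flagged instead of silently deploying the template author's defaults.

```python
import json
import re

# Constructed, cut-down ARM template standing in for the article's compliant
# storage account template (not the repository's file); resource IDs are placeholders.
STORAGE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "storageAccountName": {"type": "string"},
        "location": {"type": "string", "defaultValue": "[resourceGroup().location]"},
        "centralLogWorkspaceId": {"type": "string", "defaultValue":
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs"
            "/providers/Microsoft.OperationalInsights/workspaces/law-central"},
        "subnetServiceEndpoint": {"type": "string", "defaultValue": "<subnet resource id>"},
        "alertActionGroupId": {"type": "string", "defaultValue":
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ops"
            "/providers/microsoft.insights/actionGroups/ag-secops"},
    },
    "resources": [{"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01",
                   "name": "[parameters('storageAccountName')]", "location": "[parameters('location')]",
                   "sku": {"name": "Standard_LRS"}, "kind": "StorageV2",
                   "properties": {"supportsHttpsTrafficOnly": True}}],
}

# Heuristic (an assumption of this example): an all-zero GUID, an <angle-bracket>
# placeholder, "..." or a TODO/changeme marker in a default belongs to the template
# author's environment and must not be deployed as-is.
PLACEHOLDER = re.compile(r"0{8}-0{4}-0{4}-0{4}-0{12}|<[^>]*>|\.\.\.|changeme|todo", re.I)


def params_to_promote(template):
    """Template parameters that must become blueprint parameters: those with no
    default and those whose default is a placeholder."""
    promoted = []
    for name, spec in template["parameters"].items():
        default = spec.get("defaultValue")
        if default is None or (isinstance(default, str) and PLACEHOLDER.search(default)):
            promoted.append(name)
    return promoted


def build_definition(description, rg_artifact, template, rg_tags=None):
    """Blueprint definition (steps 3, 5 and 6): subscription scope, one resource group
    artifact with default tags, and a blueprint parameter per promoted template parameter."""
    params = {p: {"type": "string", "metadata": {"displayName": p}} for p in params_to_promote(template)}
    return {
        "type": "Microsoft.Blueprint/blueprints",
        "properties": {
            "description": description,
            "targetScope": "subscription",
            "parameters": params,
            "resourceGroups": {rg_artifact: {"metadata": {"displayName": rg_artifact}, "tags": rg_tags or {}}},
        },
    }


def build_template_artifact(artifact_name, rg_artifact, template):
    """ARM template artifact (steps 7 and 8) under the resource group artifact. Promoted
    parameters are wired to the blueprint parameter of the same name; others keep their defaults."""
    return {
        "type": "Microsoft.Blueprint/blueprints/artifacts",
        "kind": "template",
        "properties": {
            "displayName": artifact_name,
            "resourceGroup": rg_artifact,
            "template": template,
            "parameters": {p: {"value": f"[parameters('{p}')]"} for p in params_to_promote(template)},
        },
    }


def build_assignment(subscription_id, blueprint_name, version, location, rg_values, param_values):
    """Assignment body (assignment steps 1 to 3): system-assigned identity, the published
    version to deploy, resource group names/locations and artifact parameter values."""
    return {
        "identity": {"type": "SystemAssigned"},
        "location": location,
        "properties": {
            "blueprintId": f"/subscriptions/{subscription_id}/providers/Microsoft.Blueprint"
                           f"/blueprints/{blueprint_name}/versions/{version}",
            "resourceGroups": rg_values,
            "parameters": {k: {"value": v} for k, v in param_values.items()},
            "locks": {"mode": "None"},
        },
    }


def missing_assignment_inputs(definition, assignment):
    """What the portal insists on before Assign: a value for every blueprint parameter
    and a name plus location for every resource group artifact."""
    props = assignment["properties"]
    missing = [p for p in definition["properties"]["parameters"] if p not in props["parameters"]]
    for rg in definition["properties"]["resourceGroups"]:
        given = props["resourceGroups"].get(rg, {})
        if not given.get("name") or not given.get("location"):
            missing.append(f"resourceGroup:{rg}")
    return missing


if __name__ == "__main__":
    definition = build_definition("Compliant storage account", "ResourceGroup", STORAGE_TEMPLATE, {"owner": "secops"})
    artifact = build_template_artifact("StorageAccount", "ResourceGroup", STORAGE_TEMPLATE)
    assignment = build_assignment("11111111-1111-1111-1111-111111111111", "compliant-storage", "1.0",
                                  "southeastasia", {"ResourceGroup": {"name": "rg-storage-prod"}},
                                  {"storageAccountName": "stprodcompliant01"})
    print(json.dumps(definition, indent=2), json.dumps(artifact, indent=2), sep="\n")
    # The three resource-ID parameters and the resource group location are still missing.
    print("missing:", missing_assignment_inputs(definition, assignment))
```

The definition and artifact objects are what you would otherwise type into the portal boxes in steps 3 to 8 (saved as blueprint.json plus an artifacts folder, they match the layout the Az.Blueprint module's Import-AzBlueprintWithArtifact cmdlet reads, which is an assumption here rather than something the article covers); the assignment object is what the Assign page produces in step 3, and the missing list is exactly the set of Artifact parameters the page would refuse to submit without.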
Conclusion
This article simply shows how to use Blueprints to deliver a compliant storage account artifact without going through a traditional ARM template deployment. With Azure Blueprints you can not only create compliant artifacts but also add role assignments (say you have a dedicated team in charge of watching and managing all Storage Account resources, and you want people to be able to specify that team during blueprint assignment) or Azure Policy assignments (e.g. audit whether advanced threat protection is enabled).
It also walks you through deploying a blueprint step by step; more details will follow.