Deploy Azure Security Center Blueprint

A few readers of my earlier article on the Azure Security Center ARM template asked whether that template could be included in an Azure Blueprint, so that it can be rolled out across subscriptions alongside other artifacts.

In this article, let's walk through deploying the Azure Security Center ARM template with Azure Blueprints programmatically.

TL;DR: if you already know what an Azure Blueprint is and how to deploy one, you can skip this article and take the template from https://github.com/azsec/azure-blueprints/tree/master/AzureSecurityCenter to get things done.

Blueprint Structure

For the Azure Security Center blueprint, the blueprint folder should contain the following files:

  • blueprint.json: this file declares the global parameters that individual artifacts can reference, plus descriptive metadata about the blueprint (description, target scope).

Parameters in blueprint.json can be referenced from any artifact inside the artifacts folder. They can be declared exactly as in the Azure Security Center template.

  • artifact.asc.json: this file contains the template and parameters for deploying or updating (Incremental mode) Azure Security Center.

The code inside the template element is the same as in azuredeploy.json. The parameters element (at the same level as template) is where you map the template's parameters to the parameters declared in blueprint.json.

  • assign.json: this file contains the actual values of the parameters you want to pass in. It is the blueprint equivalent of azuredeploy.parameters.json in an ARM deployment.

A couple of notes:

  • A blueprint definition can be saved at subscription or management group scope, but the Azure Security Center template itself deploys subscription-level resources, so make sure its $schema is the subscription deployment template schema https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json# rather than the resource group one. A resource-group-scoped template will fail validation when the artifact is imported.
  • When using the Az.Blueprint module you must put all artifacts in the artifacts folder, because the PowerShell cmdlet
    Import-AzBlueprintWithArtifact looks in that path and recursively picks up every .json file.
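To make the three-file layout and the parameter flow (blueprint.json declares, the artifact maps, assign.json supplies values) concrete, here is an added example that scaffolds a minimal Security Center blueprint folder. This is illustration code written for this article, not the contents of the linked repository: the folder and file names, the pricingTier and securityContactEmail parameters, the placeholder subscription id and the Microsoft.Security resource types and API versions are assumptions, so check them against the repository before use.

```powershell
# Added example: scaffold a minimal Azure Security Center blueprint folder.
# File names, parameter names, the <subscription-id> placeholder and the
# Microsoft.Security resource types/apiVersions are assumptions for illustration.
$root = Join-Path $PWD 'AzureSecurityCenter'
New-Item -ItemType Directory -Path (Join-Path $root 'artifacts') -Force | Out-Null

# blueprint.json: metadata plus the parameters every artifact may reference.
$blueprint = @'
{
  "type": "Microsoft.Blueprint/blueprints",
  "properties": {
    "description": "Configure Azure Security Center on the assigned subscription",
    "targetScope": "subscription",
    "parameters": {
      "pricingTier": {
        "type": "string",
        "defaultValue": "Standard",
        "allowedValues": [ "Free", "Standard" ],
        "metadata": { "displayName": "Security Center pricing tier" }
      },
      "securityContactEmail": {
        "type": "string",
        "metadata": { "displayName": "Security contact e-mail" }
      }
    },
    "resourceGroups": {}
  }
}
'@
Set-Content -Path (Join-Path $root 'blueprint.json') -Value $blueprint -Encoding utf8

# artifacts/asc.json: a subscription-level ARM template (note the $schema) wrapped as a
# blueprint artifact. The outer "parameters" maps blueprint parameters to template parameters.
$artifact = @'
{
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "kind": "template",
  "name": "asc",
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "pricingTier": { "type": "string" },
        "securityContactEmail": { "type": "string" }
      },
      "resources": [
        {
          "type": "Microsoft.Security/pricings",
          "apiVersion": "2018-06-01",
          "name": "VirtualMachines",
          "properties": { "pricingTier": "[parameters('pricingTier')]" }
        },
        {
          "type": "Microsoft.Security/securityContacts",
          "apiVersion": "2017-08-01-preview",
          "name": "default1",
          "properties": {
            "email": "[parameters('securityContactEmail')]",
            "alertNotifications": "On",
            "alertsToAdmins": "On"
          }
        }
      ]
    },
    "parameters": {
      "pricingTier": { "value": "[parameters('pricingTier')]" },
      "securityContactEmail": { "value": "[parameters('securityContactEmail')]" }
    }
  }
}
'@
Set-Content -Path (Join-Path $root 'artifacts/asc.json') -Value $artifact -Encoding utf8

# assign.json: concrete values for one assignment (the azuredeploy.parameters.json analogue).
$assign = @'
{
  "identity": { "type": "SystemAssigned" },
  "location": "westeurope",
  "properties": {
    "blueprintId": "/subscriptions/<subscription-id>/providers/Microsoft.Blueprint/blueprints/AzureSecurityCenter/versions/1.0",
    "resourceGroups": {},
    "parameters": {
      "pricingTier": { "value": "Standard" },
      "securityContactEmail": { "value": "secops@example.com" }
    }
  }
}
'@
Set-Content -Path (Join-Path $root 'assign.json') -Value $assign -Encoding utf8
```

The single-quoted here-strings keep `$schema` and the `[parameters(...)]` expressions literal, so nothing is expanded by PowerShell before the JSON is written. Note the two different `parameters` objects in the artifact: the inner one belongs to the ARM template and only declares types, while the outer one is the blueprint-level mapping that forwards `[parameters('pricingTier')]` from blueprint.json into the template.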

Blueprint Deployment and Assignment

Once the Azure Security Center blueprint artifacts are prepared, you can run a script to import the draft blueprint into a subscription.

Once the artifacts have been imported into the subscription successfully, you can publish the blueprint with the Publish-AzBlueprint cmdlet.

After publishing your blueprint, you can assign it with the parameter values defined in assign.json.
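The import, publish and assign steps above, as an added end-to-end script written for this article (it is not the script from the linked repository). It uses the Az.Blueprint and Az.Security modules; the subscription id, blueprint name, version number and the folder layout (blueprint.json next to an artifacts folder, assign.json alongside) are assumptions, and the provisioning-state names polled in step 4 are those returned by the Blueprint assignment API.

```powershell
# Added example: import a draft blueprint, publish a version, assign it, and verify.
# Subscription id, blueprint name, version and folder layout are assumptions.
Install-Module -Name Az.Blueprint, Az.Security -Scope CurrentUser -Force   # one-time
Connect-AzAccount | Out-Null

$subscriptionId = '<subscription-id>'
$blueprintName  = 'AzureSecurityCenter'
$version        = '1.0'
$inputPath      = Join-Path $PWD 'AzureSecurityCenter'   # blueprint.json + artifacts\ + assign.json

# 1. Import blueprint.json and every .json under artifacts\ as a draft definition.
Import-AzBlueprintWithArtifact -Name $blueprintName -SubscriptionId $subscriptionId `
    -InputPath $inputPath -Force

# 2. Publish an immutable version. Assignments reference a published version, never the draft,
#    so edits to the draft do not silently change what is already assigned.
$draft = Get-AzBlueprint -Name $blueprintName -SubscriptionId $subscriptionId
Publish-AzBlueprint -Blueprint $draft -Version $version `
    -ChangeNote 'Initial Azure Security Center configuration'
$published = Get-AzBlueprint -Name $blueprintName -SubscriptionId $subscriptionId -Version $version

# 3. Assign the published version with the values from assign.json.
$assignment = New-AzBlueprintAssignment -Name "$blueprintName-$version" -Blueprint $published `
    -SubscriptionId $subscriptionId -AssignmentFile (Join-Path $inputPath 'assign.json')

# 4. Wait for the deployment to finish; anything other than "succeeded" is treated as failure.
do {
    Start-Sleep -Seconds 15
    $assignment = Get-AzBlueprintAssignment -Name $assignment.Name -SubscriptionId $subscriptionId
    Write-Host "Assignment state: $($assignment.ProvisioningState)"
} while ($assignment.ProvisioningState -in 'creating', 'validating', 'waiting', 'deploying', 'locking')

if ($assignment.ProvisioningState -ne 'succeeded') {
    throw "Blueprint assignment ended in state '$($assignment.ProvisioningState)'"
}

# 5. Do not trust the assignment state alone: read the setting back from Security Center.
$vmPricing = Get-AzSecurityPricing -Name 'VirtualMachines'
if ($vmPricing.PricingTier -ne 'Standard') {
    throw "Expected VirtualMachines pricing tier Standard, found '$($vmPricing.PricingTier)'"
}
Write-Host "Security Center VirtualMachines tier is $($vmPricing.PricingTier)"
```

One caveat worth knowing before you run this against production: with `"identity": { "type": "SystemAssigned" }` in assign.json, the Blueprint service grants the assignment's managed identity the Owner role on the target subscription so that it can deploy the subscription-level Microsoft.Security resources. If that is broader than you want, switch to a user-assigned identity whose role assignments you control yourself.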

Some great examples, as well as guidance on blueprints and how their parameters work, can be found here.
