Azure Blueprints deployment permissions when linking template specs in another subscription - azure

I am setting up Blueprints using linked template specs that are deployed in a common subscription. The Blueprints are published to a management group so I can deploy the same set of resources to multiple subscriptions. Blueprints with out using the linked template specs are working fine but when trying to assign a blueprint that uses linked template specs to a subscription that is different from the subscription that the template specs are deployed to fails due to permissions issues accessing the template specs. What permissions and what user needs to be set on the template spec resource group so the Blueprint can access the template specs?
As a note this is using system assigned identity in the blueprint assignment.

When you use a system assigned MSI that MSI is given permissions to the sub the assignment is assigned to... so if your templateSpecs are in a different sub you won't be able to used a system assigned identity unless the templateSpecs are replicated to the sub for assignment. Not ideal...
If you use a userAssigned identity on the BP assignment then you can make sure that identity has perms to the templateSpecs beforehand.

Related

Deploy Azure Blueprint to management group using terraform "azurerm management group template deployment" command

I want to assign an azure blueprint to management group scope.
Since "azurerm_blueprint_assignment" command doesn't support mg level blueprint assignment. Reference : https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/blueprint_assignment
I'm considering to test assigning a blueprint using "azurerm_management_group_template_deployment" command.
As stated here https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_template_deployment , terraform supports ARM Template deployment to management scope.
Does anyone tried this method?
If so, I would like to take opinions about whether is it a convenient way of deploying blueprints?
A few highlight as follows;
What could be possible risks and drawbacks?
Is it be possible to provide blueprint parameters individually and retrieve the parameters?
Thanks in advance,

roleAssignment with current user id

I'm using Azure AD app registration principles to deploy resources via Azure Resource Manager to deploy via Pipelines.
During the deployment I need to set some permissions to the deployment user to ensure it has enough permission to - for example - upload files.
As I'm using different principles, and I'm not managing those in the code, I would like to know if there is a way to reference the "current user-principals - ID" during the deployment.
Something like:
deployment().properties.xx
or
environment()
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-deployment
https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/roleassignments?tabs=bicep
Otherwise, I would need to inject this information via parameter, I think. I could get that information by script - or there is a variable even present from azure dev ops.
Any ideas, help appreciated. Thanks.
Currently, it's not possible to get the objectId of the user deploying the template... we do have a backlog item for it.

How can I change the display name of a managed identity?

I created an Azure Policy which automatically performs actions on created resources. This in turn created a managed identity for these operations. Everything works great.
The necessary permissions for the managed identity are automatically assigned to the scope (subscription in my case). However, if you only see the permissions, you have no way of knowing what this managed identity is and why it exists. My idea would be to change the display name. Unfortunately, I don't see how.
How can I change the display name (in red) of the application? Is there a different way to make it more clear to others why this assignment exists on the given scope?
I tried changing the name via Azure CLI, but seem to have no permissions, even though I own the directory. I can change the name of other enterprise applications.
az ad sp update --id 4bf9bdf0-5a67-45a7-b580-566d63b4a652 --set appDisplayName="AzurePolicy"
Insufficient privileges to complete the operation.
My current best guess for a workaround answer would be to create a custom role which should only be used by my policy definition. I can then give it exactly the permissions it requires - and I can give the role a name. However, I would prefer a solution with less management involved, since it would also require me to create all policies instead of reusing existing ones.
Update:
As of August 2021, you can use user-assigned managed identities for Azure Policy, which can have a good name (and tags) to make things much more transparent. The name of a system-assigned managed identity is still cryptic and cannot be changed.

How to create an Azure AKS service through ARM Template

I am working on Azure Kubernetes service. I am creating AKS through portal successfully. But, I need to do it through the ARM Templates.
How to create AKS with help of ARM Templates?
For this, I followed link
But, here am receiving an issue like:
Code : InvalidTemplate
Message : Deployment template validation failed: 'The template
resource
'AKSsubnet/Microsoft.Authorization/36985XXX-XXXX-XXXX-XXXX-5fb6b7ebXXXX'
for type
'Microsoft.Network/virtualNetworks/subnets/providers/roleAssignments'
at line '53' and column '9' has incorrect segment lengths. A
nested resource type must have identical number of segments as its resource name. A root resource type must have segment length
one greater than its resource name. Please see https://aka.ms/arm-template/#resources for usage details.'.
How to create AKS with help of ARM Templates?
One of the most direct methods, navigate to creating AKS page in the portal, fill the attributes, click Download a template for automation, then you will get the template.
You could test the template in the Custom deployment, it will work fine.
Old thread but here is why the AKS Advanced Networking ARM Template is not working for you.
One of the steps in the deployment assigns the SP as a contributor to the newly created AKS subnets so that the SP can work its advanced networking magic.
In order to assign a role in a RG one needs to have Owner permissions on that RG.
I suspect you have provided the incorrectly formatted string in the "name" field of the resource. It should follow the pattern like this- "{resource-name}/Microsoft.Authorization/{role-assign-GUID}"
More on this here- https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#resource

Run an arbitrary Azure provider operation

In the Azure CLI resource manager, we can list providers and their operations.
azure provider list
azure provider operations show Microsoft.Web/sites/*
How do we run one of the listed operations. For instance, how would we run this:
Operation : Microsoft.Web/sites/sourcecontrols/web/Read
OperationName : Get Web App's source control configuration
ProviderNamespace : Microsoft Web Apps
ResourceName : Web App Source Control
Description : Get Web App's source control configuration settings.
The purpose of azure provider operations show is to display operations that are supported by the various providers so that you can use them to create custom Role Based Access Control (RBAC) roles. They are not actual commands or endpoints that can be executed.
To create a custom RBAC role, you first create a JSON file describing the role and operations allowed by the role, then pass the file to azure role create.
More details here.. https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-manage-access-azure-cli/#create-a-custom-role

Resources