Is it possible to create a user group via ARM template? - azure

I am working on IaC in Azure. I need to create a user group via ARM template. Is it possible to accomplish this task in this manner?

Unless something has changed recently, no. You can use the MS Graph API. You can set up PowerShell scripts to run. Etc. And if you need this as part of the pipeline, there is likely a plug-in on the marketplace, if keyed on pipeline.
But I am trying to understand the need for creating a new group as part of the IaC. Is this because you need it configurable for different types of installs through pipelines? In general, I don't mix security with infrastructure unless I am making a product for others to install, so just trying to make sure you are not heading down a bad road. Do you mean resource groups instead?
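The PowerShell route the answer mentions, as an added example that is not part of the original thread: an idempotent script a pipeline step can run with the Az.Resources module to create the Azure AD group and hand its object ID to the ARM deployment. The group name, the Azure DevOps variable-output line and the permission the pipeline identity needs (Group.ReadWrite.All on Microsoft Graph, or an equivalent directory role) are assumptions.

```powershell
# Added example, not code from the original thread.
# Creates an Azure AD group from a pipeline step (Az.Resources module) and
# exports its objectId so a later ARM deployment can use it as principalId.
param(
    [Parameter(Mandatory)] [string] $DisplayName,                                   # placeholder name
    [string] $MailNickname = ($DisplayName -replace '[^A-Za-z0-9]', ''),
    [string] $Description  = 'Created by the release pipeline'
)
$ErrorActionPreference = 'Stop'

# Display names are not unique in Azure AD, so look the group up first:
# re-running the pipeline must not create a second group with the same name.
$existing = Get-AzADGroup -DisplayName $DisplayName
if ($existing) {
    $group = $existing | Select-Object -First 1
    Write-Host "Group '$DisplayName' already exists with objectId $($group.Id)"
}
else {
    $group = New-AzADGroup -DisplayName $DisplayName `
                           -MailNickname $MailNickname `
                           -Description $Description
    Write-Host "Created group '$DisplayName' with objectId $($group.Id)"
}

# Azure DevOps logging command (assumption: the pipeline runs there); the
# variable groupObjectId can then be passed as an ARM template parameter.
Write-Host "##vso[task.setvariable variable=groupObjectId;isOutput=true]$($group.Id)"
```

Keeping the group creation in a script step and passing only the object ID into the template keeps the directory-write permission on the pipeline identity, not on whoever runs the template; the template itself then needs nothing beyond its usual resource-group rights.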

Related

Azure Update Management - Automated VMs onboarding

I am trying to automate the VM onboarding process for Azure Update Management. I am wondering if it is possible; I didn't find a solution which I can use to fully onboard a VM to Update Management, from A-Z. I mean I need MMA agent installation (I have a script prepared for installing the MMA VM extension with workspace ID and key). Problem is that there I didn't find a way to perform the rest of the steps. Did anyone try to do this? I know that MS gives the runbook for this but I am not sure if it's working as expected, link here --> https://learn.microsoft.com/en-us/azure/automation/update-management/enable-from-runbook
You can automate it by configuring UM to automatically enable for all existing and future VMs using this method - Enable Machine in the workspace
But keep in mind that using this method doesn't allow you to have the control an enterprise customer would want.
We don't have an out of the box method to configure from the VM, onboarding it to UM in an automated manner. Based on how it is designed, the only way out of the box is from the portal, or runbook as described in docs.
Programmatically to work around this (and I'm thinking out loud here) you could update the saved search query - MicrosoftDefaultComputerGroup in the workspace with the UUID of the VM and that would automate onboarding it to the feature. I don't have a working example to share but I think the approach is sound and can be included in the workflow to onboard it.
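One way to implement the saved-search update the answer sketches, as an added example that is not code from the thread or from Microsoft's runbook: the script reads the workspace's saved searches through the Log Analytics REST API with Invoke-AzRestMethod, adds the VM's UUID to the computer-group query, and writes it back. The category 'Updates', the display name 'MicrosoftDefaultComputerGroup', the `VMUUID in~ (...)` shape of the query and the 2020-08-01 API version are assumptions to verify against your own workspace.

```powershell
# Added example, not code from the original thread.
# Adds a VM's UUID to the Update Management default computer group saved
# search so the workspace treats the VM as onboarded.
param(
    [Parameter(Mandatory)] [string] $WorkspaceResourceGroup,
    [Parameter(Mandatory)] [string] $WorkspaceName,
    [Parameter(Mandatory)] [string] $VmResourceGroup,
    [Parameter(Mandatory)] [string] $VmName
)
$ErrorActionPreference = 'Stop'
$apiVersion = '2020-08-01'   # assumption: savedSearches API version

$vmUuid = (Get-AzVM -ResourceGroupName $VmResourceGroup -Name $VmName).VmId
$subId  = (Get-AzContext).Subscription.Id
$wsPath = "/subscriptions/$subId/resourceGroups/$WorkspaceResourceGroup" +
          "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName"

# 1. List saved searches and pick the Update Management computer group
#    (assumed category/display name; the id is taken from the response).
$listResp = Invoke-AzRestMethod -Path "$wsPath/savedSearches?api-version=$apiVersion" -Method GET
if ($listResp.StatusCode -ne 200) {
    throw "Listing saved searches failed: $($listResp.StatusCode) $($listResp.Content)"
}
$search = ($listResp.Content | ConvertFrom-Json).value |
    Where-Object { $_.properties.category -eq 'Updates' -and
                   $_.properties.displayName -eq 'MicrosoftDefaultComputerGroup' } |
    Select-Object -First 1
if (-not $search) {
    throw 'Default computer group not found; enable Update Management on the workspace first.'
}

# 2. Insert the UUID unless it is already listed, so re-runs are harmless.
$query = $search.properties.query
if ($query -match [regex]::Escape($vmUuid)) {
    Write-Host "VM $VmName ($vmUuid) is already in the computer group"
    return
}
if ($query -notmatch 'VMUUID in~ \(') {
    throw "Unexpected query shape, not modifying it: $query"
}
$newQuery = $query -replace 'VMUUID in~ \(', "VMUUID in~ (`"$vmUuid`", "
$newQuery = $newQuery -replace ', ""\)', ')'   # drop the empty "" placeholder of a fresh solution

# 3. Write the saved search back; etag '*' overwrites the current version.
$body = @{
    etag       = '*'
    properties = @{
        category    = $search.properties.category
        displayName = $search.properties.displayName
        query       = $newQuery
        version     = $search.properties.version
    }
} | ConvertTo-Json -Depth 5
$putResp = Invoke-AzRestMethod -Path "$($search.id)?api-version=$apiVersion" -Method PUT -Payload $body
if ($putResp.StatusCode -notin 200, 201) {
    throw "Update failed: $($putResp.StatusCode) $($putResp.Content)"
}
Write-Host "Added $VmName ($vmUuid) to the Update Management computer group"
```

The identity running this needs write access to the workspace (Log Analytics Contributor is sufficient); because the script rewrites the whole query, the shape check before the replace is what keeps a changed or hand-edited query from being silently clobbered.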

Conditional ARM template deployment for APIM: only creating, not updating

I have a specific requirement for ARM templates and Azure API Management, so this question is different than other conditional ARM deployment questions.
Some background:
My APIM instance is deployed using ARM templates, however custom domains need to be set up but cannot be part of it. This is because my customer stores their certificates in a different system.
This means the custom domains are set up separately (manually) for the APIM instance, right after the instance was created by the ARM template.
The ARM template also applies the global policy and creates the products. I use a linked template setup.
The issue arises when we want to update something on the APIM instance, like extending the global policy or adding a product. Then the ARM template will also update the instance, but should leave the custom domain section untouched. According to the documentation, using 'incremental' mode leaves resources not in the ARM template untouched. So I thought to solve it by just leaving out the 'hostnameConfigurations' section in the ARM template. However it seems the ARM template doesn't ignore it, but interprets it as empty and effectively removing the custom domains from the APIM instance!
This doesn't seem like normal behavior, but I have to live with it. To solve this I have a couple of options.
One of them is extracting the global policies and products from the generic APIM ARM template, so I can skip the APIM instance part when updating. This would mean I have to run multiple separate ARM templates on creating the resources.
The solution I'd like to go for, is to conditionally deploy the ARM template creating the APIM instance, to only creating. I want to skip this linked template when the resource already exists.
I thought I could do this by getting a reference to the APIM instance, but according to the documentation "The reference function derives its value from a runtime state, and therefore can't be used in the variables section.".
Question: Is it possible to conditionally deploy a linked ARM template, based on the fact whether a resource already exists or not?
The answer is no. You cannot really do that. Unless you are investigating different hacky ways. You can call an Azure function to decide if the resource exists. You can use an output from the deployment to decide if the resource exists. But straight up there is nothing that can help you. Only different hacks.
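The "decide outside the template" workaround the answer alludes to, as an added example that is not part of the original thread: the pipeline script checks whether the APIM instance exists and passes the result as a bool parameter to a wrapper template, whose linked "create instance" deployment carries a `condition`, while the policy/products linked deployment always runs. Resource names, the linked template URIs and the parameter names are placeholders.

```powershell
# Added example, not code from the original thread.
# Existence is checked here, not in the template: reference() cannot be
# evaluated for a resource that may not exist yet.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $ApimName,
    [Parameter(Mandatory)] [string] $ApimTemplateUri,      # linked template that creates the instance
    [Parameter(Mandatory)] [string] $ProductsTemplateUri   # linked template for global policy and products
)
$ErrorActionPreference = 'Stop'

$existing = Get-AzResource -ResourceGroupName $ResourceGroupName `
                           -ResourceType 'Microsoft.ApiManagement/service' `
                           -Name $ApimName -ErrorAction SilentlyContinue
$createInstance = -not $existing
Write-Host "APIM '$ApimName' exists: $([bool]$existing); instance deployment enabled: $createInstance"

# Wrapper template: the instance deployment is skipped when createInstance
# is false, so hostnameConfigurations set by hand are never touched.
$wrapperTemplate = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "apimName":            { "type": "string" },
    "createInstance":      { "type": "bool", "defaultValue": false },
    "apimTemplateUri":     { "type": "string" },
    "productsTemplateUri": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "apim-instance",
      "condition": "[parameters('createInstance')]",
      "properties": {
        "mode": "Incremental",
        "templateLink": { "uri": "[parameters('apimTemplateUri')]", "contentVersion": "1.0.0.0" },
        "parameters": { "apimName": { "value": "[parameters('apimName')]" } }
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "apim-policy-and-products",
      "dependsOn": [ "apim-instance" ],
      "properties": {
        "mode": "Incremental",
        "templateLink": { "uri": "[parameters('productsTemplateUri')]", "contentVersion": "1.0.0.0" },
        "parameters": { "apimName": { "value": "[parameters('apimName')]" } }
      }
    }
  ]
}
'@

$templateFile = Join-Path ([System.IO.Path]::GetTempPath()) 'apim-wrapper.json'
Set-Content -Path $templateFile -Value $wrapperTemplate -Encoding utf8

New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -Mode Incremental `
    -TemplateFile $templateFile `
    -TemplateParameterObject @{
        apimName            = $ApimName
        createInstance      = $createInstance
        apimTemplateUri     = $ApimTemplateUri
        productsTemplateUri = $ProductsTemplateUri
    }
```

The defaultValue of `false` on `createInstance` is deliberate: if someone deploys the wrapper without the script, the safe outcome is "do not redeploy the instance" rather than wiping the custom domains.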

How to retrieve deployment username in azure vm template

I'm currently building out a number of virtual machines in azure using a template that we've built out. I would like to be able to pull the name of the user who chose to deploy this template so that we can verify a number of things exist on the server for them (i.e. userid). Is there anyway to do this? Any help would be appreciated.
No, this is not possible using ARM templates (unless using some pretty horrible/unreliable/outside-of-ARM-template hacks).
You could probably work around that by creating a parameter where user inputs his details, but even that the second part of your plan will fail. You cannot really do checks on the OS level configurations from the template.
ARM templates aren't meant to actually check things, and while some interactions are possible, they are very limited (like listKeys).

What is the best practice for updating an already existing web app deployment using ARM?

My company developed an Azure Resource Manager-based solution that deploys a set of resources (essentially a Storage, SQL DB and Web App), and it is already implemented as our provisioning process for new customers.
However, we are now studying the best way to perform updates, and one of the hypotheses we are considering is having a specific template that updates the binaries of this application.
The idea is to have a separate template, that only has the web app, an app host and a MSDeploy resource that gets the latest version of our package and reuploads it to that web app.
The only problem I'm seeing with this solution is the ability to handle any changes in configuration that are necessary with newer versions of the binaries - we do not want users to have to re-input any parameters they placed for the original deploy (done via a Deploy To Azure button), so any configuration will have to be performed within the application - the plan is for it to use the Microsoft.WindowsAzure.Management.WebSites library.
The major limitation with using Microsoft.WindowsAzure.Management.WebSites is that you are restricted to authenticating with either a certificate or a service principal. Ideally we would like to find a way for the updates to not need any authentication other than the one you provide when you are deploying the update.
Is there any recommendation of best practices to follow for this kind of scenario?
Thank you.
Link to the equivalent discussion on TechNet
It is possible to update only via ARM templates.
For example connection strings can be added automatically to the application settings even when creating the dependent resources themselves.
Ex. Account storage connection string.
Only first time creation of your web sites will take a bit more time, something like 30 sec.
ARM will not destroy your WebApps if they exist already. It will update only.
If there are no changes, then the deployment is very fast.
If your changes require a new app settings parameter, you can enter it in ARM, check it in to your repository, and the next deployment will pick it up and update the WebApp.
So no need for anyone to log-in and update.
Our final decision was to give up on using ARM exclusively. The Service Principal solution, through the SDK, would allow us to use a Web Job or a Site Extension to perform (automatic or prompted) updates that included configuration changes. However, it would require "too many" privileges - why would a customer trust an application that can, at will, create new resources or update existing ones to increase his Azure bill?
The decision was made to utilize Powershell only for updates - if the customer can see the scripts and authenticate himself, this is not a concern. Sadly, this increases update complexity, but we found it to be a necessary evil.
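The ARM-only update path described in the answer above, as an added example that is not code from the thread: an update-only template that rewrites the Web App's application settings (the storage connection string is computed with listKeys(), so nobody types a key) and then redeploys the package through the MSDeploy site extension, run in incremental mode so the resources from the original provisioning template are left alone. Resource names, the API versions and the package URL are placeholders.

```powershell
# Added example, not code from the original thread.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $WebAppName,
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [Parameter(Mandatory)] [string] $PackageUri   # HTTPS URL (e.g. a short-lived SAS URL) of the new .zip package
)
$ErrorActionPreference = 'Stop'

$updateTemplate = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "webAppName":         { "type": "string" },
    "storageAccountName": { "type": "string" },
    "packageUri":         { "type": "securestring" }
  },
  "variables": {
    "storageId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
  },
  "resources": [
    {
      "comments": "sites/config 'appsettings' REPLACES the whole settings set: list every setting the app needs, not only the changed ones.",
      "type": "Microsoft.Web/sites/config",
      "apiVersion": "2022-03-01",
      "name": "[concat(parameters('webAppName'), '/appsettings')]",
      "properties": {
        "StorageConnectionString": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountName'), ';AccountKey=', listKeys(variables('storageId'), '2021-09-01').keys[0].value, ';EndpointSuffix=', environment().suffixes.storage)]",
        "AppVersion": "2.0.0"
      }
    },
    {
      "comments": "Settings are applied before the new binaries start.",
      "type": "Microsoft.Web/sites/extensions",
      "apiVersion": "2022-03-01",
      "name": "[concat(parameters('webAppName'), '/MSDeploy')]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites/config', parameters('webAppName'), 'appsettings')]"
      ],
      "properties": {
        "packageUri": "[parameters('packageUri')]"
      }
    }
  ]
}
'@

$templateFile = Join-Path ([System.IO.Path]::GetTempPath()) 'webapp-update.json'
Set-Content -Path $templateFile -Value $updateTemplate -Encoding utf8

# Incremental mode: the site, plan, SQL DB and storage account defined by the
# original provisioning template are not in this file and stay untouched.
New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -Mode Incremental `
    -TemplateFile $templateFile `
    -TemplateParameterObject @{
        webAppName         = $WebAppName
        storageAccountName = $StorageAccountName
        packageUri         = (ConvertTo-SecureString $PackageUri -AsPlainText -Force)
    }
```

Two points worth knowing before reusing this: the account key ends up in plain text in the app's settings (a Key Vault reference of the form `@Microsoft.KeyVault(SecretUri=...)` or a managed identity avoids that), and `packageUri` is declared as securestring so a SAS URL does not land in the deployment history.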

Azure Virtual machine deployment

Azure Resource Manager PowerShell or JSON template to create a virtual machine in an existing virtual network and storage account.
You can of course use either.
The JSON template is basically what Azure Resource Manager (ARM) uses anyway. Bonus: you can run your ARM templates from PowerShell :)
The question you want to ask is:
Will I be doing this repeatedly?
If so, ARM is the natural answer. You create a resource in a file that you can version control and use for repeated deployments.
If it's only a one-time thing, then PowerShell or Azure Command Line Tools are more than enough.
At first JSON templates may confuse you, because files are large (hundreds of lines). But templates are really readable and you can easily configure your architecture. Also there is a chance to make a syntax mistake or to violate existing restrictions - try to use a smart editor.
For example, VS Code Editor.
PowerShell and the multi-platform tool Azure CLI help you make the same requests to subscriptions but contain helpers, hints and validators which help you easily set correct options.
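Both answers combined, as an added example that is not code from the thread: a JSON template that places a Linux VM into an existing VNet/subnet (no public IP) and points boot diagnostics at an existing storage account, run from PowerShell with New-AzResourceGroupDeployment. All resource names, the image and the API versions are placeholders; the VNet and storage account are only looked up, never created.

```powershell
# Added example, not code from the original thread.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,        # VM, NIC and storage account live here
    [Parameter(Mandatory)] [string] $VmName,
    [Parameter(Mandatory)] [string] $VnetResourceGroupName,    # existing VNet may be in another RG
    [Parameter(Mandatory)] [string] $VnetName,
    [Parameter(Mandatory)] [string] $SubnetName,
    [Parameter(Mandatory)] [string] $StorageAccountName,       # existing, used for boot diagnostics
    [Parameter(Mandatory)] [string] $AdminUsername,
    [Parameter(Mandatory)] [string] $SshPublicKey              # key-only login, no password
)
$ErrorActionPreference = 'Stop'

# Fail before the deployment starts if the shared resources are missing.
$null = Get-AzVirtualNetwork -ResourceGroupName $VnetResourceGroupName -Name $VnetName
$null = Get-AzStorageAccount  -ResourceGroupName $ResourceGroupName -Name $StorageAccountName

$vmTemplate = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName":             { "type": "string" },
    "vnetResourceGroup":  { "type": "string" },
    "vnetName":           { "type": "string" },
    "subnetName":         { "type": "string" },
    "storageAccountName": { "type": "string" },
    "adminUsername":      { "type": "string" },
    "sshPublicKey":       { "type": "string" }
  },
  "variables": {
    "nicName":   "[concat(parameters('vmName'), '-nic')]",
    "subnetId":  "[resourceId(parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), parameters('subnetName'))]",
    "storageId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
  },
  "resources": [
    {
      "comments": "No public IP: the VM is reachable only from inside the existing VNet.",
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2021-05-01",
      "name": "[variables('nicName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "ipConfigurations": [ {
          "name": "ipconfig1",
          "properties": { "privateIPAllocationMethod": "Dynamic", "subnet": { "id": "[variables('subnetId')]" } }
        } ]
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2022-03-01",
      "name": "[parameters('vmName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]" ],
      "properties": {
        "hardwareProfile": { "vmSize": "Standard_B2s" },
        "osProfile": {
          "computerName": "[parameters('vmName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "linuxConfiguration": {
            "disablePasswordAuthentication": true,
            "ssh": { "publicKeys": [ {
              "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]",
              "keyData": "[parameters('sshPublicKey')]"
            } ] }
          }
        },
        "storageProfile": {
          "imageReference": { "publisher": "Canonical", "offer": "0001-com-ubuntu-server-jammy", "sku": "22_04-lts-gen2", "version": "latest" },
          "osDisk": { "createOption": "FromImage", "managedDisk": { "storageAccountType": "Standard_LRS" } }
        },
        "networkProfile": { "networkInterfaces": [ { "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]" } ] },
        "diagnosticsProfile": {
          "bootDiagnostics": { "enabled": true, "storageUri": "[reference(variables('storageId'), '2021-09-01').primaryEndpoints.blob]" }
        }
      }
    }
  ]
}
'@

$templateFile = Join-Path ([System.IO.Path]::GetTempPath()) 'vm-existing-vnet.json'
Set-Content -Path $templateFile -Value $vmTemplate -Encoding utf8

New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName -Mode Incremental `
    -TemplateFile $templateFile `
    -TemplateParameterObject @{
        vmName = $VmName; vnetResourceGroup = $VnetResourceGroupName; vnetName = $VnetName
        subnetName = $SubnetName; storageAccountName = $StorageAccountName
        adminUsername = $AdminUsername; sshPublicKey = $SshPublicKey
    }
```

Because the subnet and storage account are addressed by `resourceId()` (with the VNet's own resource group as the first argument) instead of being declared as resources, an incremental deployment never modifies them; the same file can be deployed again with a different `vmName` for the next machine.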
