Deploying Management Group Level Custom RBAC Role Using ARM Templates

Although custom RBAC roles can be deployed using subscription-level ARM templates, they are actually tenant level resources. When you deploy a custom RBAC role using a subscription-level template for the first time, it will work, but if you deploy the same custom role again to another subscription within the same tenant, the deployment will fail because the role already exists. To make the role available in additional subscriptions, you must modify the assignment scope of the role definition, making it available to other subscriptions. Recently, Microsoft has made custom RBAC roles available on Management Groups level. This greatly simplified the

Continue reading

PowerShell Script to Deploy Subscription Level ARM Templates

Introduction In my previous post, I demonstrated how to deploy Azure Policy definitions that require input parameters via ARM templates. as I mentioned in that post, at the time of writing, the tooling has not been updated to allow subscription level ARM template deployments. The only possible way to deploy such template right now is via the ARM REST API. I have a requirement to deploy subscription level templates in VSTS pipelines. since I can’t use the native AzureRM PowerShell module or the Azure Resource Group Deployment VSTS task, I had to create a PowerShell script that can be used

Continue reading

Using ARM Templates to Deploying Azure Policy Definitions That Requires Input Parameters

Recently, Kristian Nese from Microsoft published a sample subscription level ARM template that deploys Azure Policy definition and assignment on his GitHub repo. For me, this is good timing since I was just about to start a piece of work designing a collection of custom policy definitions. My end goal is deploying the custom definitions and assignments to multiple environment using VSTS CI/CD pipelines. After spending few days on this task, I finally got it working. During this process, I faced several challenges: At the time of writing, AzureRM PowerShell module and VSTS ARM deployment task has not been updated

Continue reading

Generating Unique GUIDs in Azure Resource Manager Templates

If you have worked on ARM templates, you have probably already faced challenges when you need to use GUIDs within the templates. Currently there are several ways to generate GUID that  I can find on the Internet: Generating GUIDs in PowerShell and then pass them into the ARM templates Using a nested template to generate GUID – https://github.com/davidjrh/azurerm-newguid Using an Azure Function app – https://geeks.ms/davidjrh/2017/08/01/providing-a-guid-function-in-azure-resource-manager-templates-with-azure-functions/ Few weeks ago, I was working on an ARM template, where I need to generate 100+ Azure Automation runbook job schedules. For each job schedule, the ‘name’ property is a GUID, which needed to be

Continue reading

Deploying ARM Templates with Artifacts Located in a Private GitHub Repository

Background I have spent the last few days authoring an Azure Resource Manager (ARM) template. The template is stored in a private GitHub repository. It contains several nested templates, one of which deploys an Azure Automation account with several runbooks. For the nested templates and automation runbooks, the location must be a URI. Therefore the nested templates and the Azure Automation runbooks that I wish to deploy in the ARM templates must be located in location that is accessible by Azure Resource Manager. There are many good examples in the Azure Quickstart Template GitHub repository, for example, in the oms-all-deploy

Continue reading
%d bloggers like this: