Azure – Setup Azure Blueprints

Challenge: Separate subscriptions for multiple disciplines under the same Azure Active Directory Tenancy.

Required: Each subscription must have the same role assignments.

Solution: Use Azure Blueprints to define a repeatable set of Azure resources.

How?

Azure Blueprints provides:

  • Role & Policy Assignments
  • ARM templates
  • Resource Groups

Reference guides

Getting Started Azure Blueprints (PREVIEW)

Creating Blueprint Guide – Focused on Roles

Create a blueprint. If you're new, start with a sample predefined blueprint.

For this example I have selected Resource Groups with RBAC (Role-based Access Control).

Create blueprint > Enter Name, Description and Definition Location

Next : Artifacts

Click Save Draft


How to Publish Blueprint

Click Blueprints > Blueprint Definitions > Select the version to publish


Click Publish blueprint.

Enter version and change notes > Click Publish

Azure – Content Trust in ACR and Roles

Security and Authentication method – Content Trust

You need a container registry to start with


Content trust in Azure Container Registry

“Azure Container Registry implements Docker’s content trust model, enabling pushing and pulling of signed images.”
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-content-trust

Signing Role

AcrImageSigner (role is used for signing permissions)

AcrPush (role is used for ACR push)

For a list of built-in roles and descriptions, see here

For container registry roles, see here


Azure CLI command to assign the AcrImageSigner role

az role assignment create --scope <registry ID> --role AcrImageSigner --assignee <user name>
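The role assignment above made repeatable, as an added example that is not from the original post: it resolves `<registry ID>` with `az acr show`, skips the assignment when it already exists, and checks that the assignee also holds AcrPush, which a signer needs in order to push signed images. The function names, registry name and assignee are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): grant AcrImageSigner on a
# single registry, idempotently. Function names are hypothetical; the
# registry name and assignee are supplied by the caller.

# Resolve the registry's full resource ID. Using it as --scope limits the
# role to this registry instead of the resource group or subscription.
registry_id() {
    az acr show --name "$1" --query id --output tsv
}

# Count assignments of role $2 for assignee $3 at scope $1.
role_count() {
    az role assignment list --scope "$1" --role "$2" --assignee "$3" \
        --query "length(@)" --output tsv
}

# Assign AcrImageSigner unless already present; prints what was done.
grant_image_signer() {
    scope=$(registry_id "$1") || return 1
    [ -n "$scope" ] || { echo "registry not found: $1" >&2; return 1; }
    n=$(role_count "$scope" AcrImageSigner "$2") || return 1
    if [ "${n:-0}" -gt 0 ]; then
        echo "exists $scope"
        return 0
    fi
    az role assignment create --scope "$scope" --role AcrImageSigner \
        --assignee "$2" >/dev/null || return 1
    echo "created $scope"
}

# Succeeds only if the assignee holds both roles on the registry:
# AcrImageSigner to sign and AcrPush to push the signed image.
can_push_signed() {
    scope=$(registry_id "$1") || return 1
    for role in AcrImageSigner AcrPush; do
        n=$(role_count "$scope" "$role" "$2") || return 1
        [ "${n:-0}" -gt 0 ] || return 1
    done
}

# Usage: sh grant-signer.sh <registry name> <assignee>
if [ "$#" -eq 2 ]; then
    grant_image_signer "$1" "$2"
fi
```
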

ACR Tasks

See Automate Container Image builds and the ACR Tasks info. An example use is automating the build cycle. How? “By executing az login with a service principal, your CI/CD solution could then issue az acr build commands to kick off image builds.”

Manage Resource Groups CLI

Azure CLI commands to manage resource groups are available here