When working in an enterprise Azure environment, Infrastructure as a Code is pretty much a given. But not everyone that uses resources in your tenant needs to be familiar with the code. Something that I have often missed, was a simple and approachable way to allow people to deploy ARM templates by just setting the parameters. That is now possible with Azure ARM Template specs.
Note: At the time of writing, Template specs are in preview. Consider that functionality might still change and you will not get full Microsoft support before using it in production.
What are Template specs
With Template specs, you get that place in the portal where you can store ARM templates. One of the use cases for Template specs is that they are accessible for Linked templates without the pain of SAS tokens or public templates.
But the focus of this post: You can make the templates available for members of your organization. This way they can deploy the templates in a way that looks a lot like creating default Azure Resources. There is no access to the code and no knowledge of it necessary.
So why would you want that?
In my opinion you can find great use for this in enterprise environments. Especially if you work with Landing zones. You can supply preconfigured resources that already are compliant with your security policies. It is also possible to create more complex resource combinations within one template, so one deployment is enough.
Example: Storage account with private endpoint
Let’s take a look at a storage account. Maybe in our environment, we want the storage accounts to always be used through a private endpoint. Instead of telling the teams that they need to configure that, we can supply an already configured resource. Let’s walk through how we can make it available in the portal.
The ARM template
To keep the scope of this post to the Azure ARM Template specs, I have pre-created the ARM template. Well actually, I have created a Bicep template and used it to generate the ARM Template! Read more about Bicep in my previous post.
You can find the complete repository with the bicep files here, or only the final ARM template here.
Create the Template spec
There are a few ways to deploy the Template to a template spec. You can do so through the Portal, PowerShell, Az CLI or with an ARM template. If you want to use PowerShell or the Az CLI, you can find out how by following the Microsoft Docs.
In this post, I will show how we can use the portal.
Open portal.azure.com and find Template specs with the search bar at the top.
You can create a template spec in two ways: By importing an existing ARM template or by creating a new one in the portal. We will create a new one and copy and paste our existing code. Choose + Create Template Spec.
This opens the wizard to create a new resource. You can fill in a Name, a (new) resource group name, location and description. Underneath that, you get to fill in the version of this spec.
Tip: The name is the first thing people will see in a list of templates, try to make it descriptive
For versioning, you are free to use any system you want. I do recommend to take some time to consider a versioning strategy.
While you are free to do it any way you want, it could be a good idea to avoid letters for example. If you stick with numbers and dots, it will make it easier to automate versioning in a later stage.
There are still a lot of options available. You could do anything from just a whole number counting up, to complete semantic versioning. Find more info here.
For this example, let’s use semantic versioning and start with 1.0.0
Click Next: Edit template
This is where you can copy and paste the template. You can take it directly from the GitHub repository I mentioned.
When you have copy and pasted it into the field, add Tags if needed and then click Review + Create.
After validation is done, click Create.
Your template spec will be available pretty much instantly.
Click the name of the template spec to find the resources and the menu’s with actions you can take. Let’s consider a few of them.
Access Control (IAM)
On the left you can find the default option to set access control. Here you can give an Azure AD account or group read access to the template. This person will be able to deploy the template, but not change it.
This opens a wizard to deploy the Template spec to a resource group in Azure.
Create new Version
You have the option to create new versions of the spec. If you click Create new version, you will get a similar menu as you walked through when creating the Spec, so you can make your changes. Both versions will still be kept and available, but the newest one is always the default. You are able to delete older versions if that fits your needs better.
Deploying the template spec
So let’s see what the experience is like for someone with only read permissions.
Note: If you want to follow along, you can just use your regular account. The experience is pretty similar.
I have created a test account and gave it contributor permissions to an example resource group and read permissions to the Template spec. In the resource group there is already a Virtual network where the Storage account can get linked to.
Note: For this demo I have given the account permissions directly on the template spec. In production environment, I would recommend setting permissions on a resource group level.
When the user is logged in, all template spec can be reached by searching Template Specs in the search bar at the top.
The portal looks exactly the same, but when you try to change something other then Deploy, the user will get an error.
To deploy the template, click Deploy. A wizard opens.
This wizard will contain all the parameters that have been defined in the template. When a default value is provided in the ARM template, it is filled in. The little i‘s show the description that was given in the ARM template.
Fill in all the parameters and click review + create.
When validation passes, click Create. The deployment will start. The result will be all the resources that are needed for a storage account with a private endpoint.
So these are the basics for Azure ARM Template specs. I think this is a very useful solution to give employees a relatively simple way to deploy more complicated resources.
While I always like to use the portal to get to know a resource, this process would of course be a lot nicer when it is automated. In a future blog post I will show how you can use a CICD pipeline to automate your Azure Template Spec deployment.
Pingback:La semaine dernière sur Microsoft Azure : semaine du 3 mai - Webhosting Review