Cloud Governance, Bringing Order To Your Cloud Chaos – Podcast

Recently I was a guest on the “Day Two Cloud” podcast hosted by fellow Microsoft MVP/Pluralsight author Ned Bellavance.

We talked about how native Azure governance & management tools Azure Policy, Tagging, and Blueprints can be used to bring order to your cloud environments. Listen now here:

Check it out here:

https://packetpushers.net/podcast/day-two-cloud-033-cloud-governance-bringing-order-to-your-cloud-chaos

Read More

Walk-through: use Azure Policy modify effect to require tags

In my day to day I do cloud foundations work helping companies with their Azure governance and management. On projects we will develop a tagging strategy. A tagging strategy is only good if it is actually used.  One way to ensure that tags are used is by using Azure Policy to require tags on resource groups or resources.

In the past I have used the deny effect in an Azure Policy to require tags upon resource creation. I basically use the template as previously blogged about here: http://www.buchatech.com/2019/03/requiring-many-tags-on-resource-groups-via-azure-policy. This policy works but can be a problem because the error that is given when denied during deployment is not clear about what tags are required. Also, folks think it is a pain and slows down the provisioning process.

I set out to require tags using a different method. The idea was to use the effect append vs deny so that resources without the proper tags would be flagged as non-compliant and the policy would add the required tags with generic values. Someone from the cloud team could then go put in the proper values for the tags bringing the resources into compliance. Th end result was that the effect append does work remediating with a single tag but falls down when trying to remediate using multiple tags.

I discovered that this behavior was intended and that the append effect only supports one remediation action (i.e. one tag). On 9-20-19 Microsoft updated the modify effect so that Modify can handle multiple ‘operations’ – where each operation specifies what needs to be remediated.

Now let’s walk through using the modify effect in an Azure Policy to add multiple tags on a resource group.

You will need to start off by coding your Azure Policy definition template. There are three important parts you need to ensure you have in template. You need to have modify effect for the proper effect, roleDefinitionIds as this is the role that will be used by the managed identity set as contributor, and operations to tell Azure policy what to do when remediation out of compliance resources.

"effect": "modify",

and

"roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"

and

 "operations": [
            {
            "operation": "addOrReplace",

Here is a screenshot of the template.

You can get the full Azure Policy definition ARM Template on my GitHub here:

Required Tags Azure Policy Modify Effect.json

Add the ARM template as a new policy definition in the Azure portal.

See the following screenshot to complete your Azure policy definition.

Click for larger image

You will then see your new Azure policy definition.

Next, you need to assign the Azure policy definition. To do this click on Assignments.

See the following screenshot to complete your Azure policy assignment.

Click for larger image

Note that this policy assignment will create a managed identity so that the policy has the ability to edit tags on existing resources.

The assignment will now be created but the evaluation has not happened so the compliance state will be set to not started as shown in the following screenshot.

Read More

Speaking at MMS 2019

In a week I will be speaking at MMS 2019! I will be presenting 3 sessions and co-hosting 2 panels. If you are attending MMS check out my sessions and the panels. Here is the rundown:

Sessions:

Monday, May 6 • 1:00pm – 2:45pm
Deploying Infrastructure as Code with Azure and Terraform – With fellow Microsoft MVP Ned Bellavance
https://sched.co/N6cC

Tuesday, May 7 • 8:00am – 9:45am
Improving your on-prem and cloud security with Azure Security Center – With fellow Microsoft MVP Ned Bellavance
https://sched.co/N6c9

Thursday, May 9 • 1:00pm – 2:45pm
Mastering Azure with Visual Studio Code – With fellow Microsoft MVP Peter De Tender.
https://sched.co/N6d4

Panels:

Tuesday, May 7 • 3:00pm – 4:45pm
Azure Governance and Management Panel
https://sched.co/N6gD

This panel includes an all-star group from Microsoft including:

Tim Benjamin
Principal Group PM Manager, Microsoft

Michael Greene
Principal Program Manager, Microsoft

Jim Britt
Senior Program Manager, Microsoft

and

Eamon O’Reilly
Principal Program Manager, Microsoft

Thursday, May 9 • 3:00pm – 4:45pm
Azure Stack Panel Discussion – (400)
https://sched.co/N6hE

This panel consists of a bunch of Microsoft MVP rockstars and Microsoft staff including:

Ned Bellavance
Founder / Microsoft MVP, Ned in the Cloud LLC

Thomas Maurer
Senior Cloud Advocate, Microsoft

Kristopher Turner
Sr. Cloud Architect/Microsoft MVP, NTT Data Services

Bert Wolters
Principal Consultant, Class-IT

Here is the MMS website:
https://mmsmoa.com

Read More