Deployment Scopes for ARM Templates


When ARM templates were first deployed into Azure, the only scope a deployment could target was the Resource Group. Over time the Subscription scope was introduced, and now we also have the Management Group and Tenant scopes.

Resource Group Scope

The original scope for ARM templates. Any resources deployed at this scope land in the Resource Group named in the command, which is what most people are used to when they deploy into Azure.

New-AzResourceGroupDeployment -ResourceGroupName "test-rg" -TemplateFile ".\template.json" -TemplateParameterFile ".\template.parameters.json"

Subscription Scope

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-subscription

Subscription level deployments are for resources that are applied directly to the Subscription rather than to a Resource Group:

  • Resource Groups
  • Policy Definitions and Assignments
  • Azure RBAC Permissions @ the Subscription scope
  • Azure RBAC Custom Roles
  • Subscription Level resources like Budgets, Tags and Remediation activities

Deployments at the Azure Subscription scope used the New-AzDeployment PowerShell commands; these are being deprecated and replaced by the New-AzSubscriptionDeployment commands.

New-AzSubscriptionDeployment -Location "Australia East" -TemplateFile ".\template.json" -TemplateParameterFile ".\template.parameters.json"
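As an added example (not code from the original post), the following script writes a subscription-scope template covering three of the resource types listed above: a Resource Group, a Reader role assignment on the Subscription, and an "Allowed locations" policy assignment. It then previews the deployment with -WhatIf before running it. It assumes an active Az context on the target subscription, and the principal ID is a placeholder to replace with a group or service principal you control.

```powershell
# Added example (not from the original post): subscription-scope ARM template
# deployed with New-AzSubscriptionDeployment.
# Assumptions: Az context already set to the target subscription;
# $readerPrincipalId is a placeholder object ID that you replace.
$location          = 'australiaeast'
$readerPrincipalId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

# Subscription-scope templates use the subscriptionDeploymentTemplate schema.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "rgName":            { "type": "string" },
    "location":          { "type": "string" },
    "readerPrincipalId": { "type": "string" },
    "allowedLocations":  { "type": "array" }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2021-04-01",
      "name": "[parameters('rgName')]",
      "location": "[parameters('location')]",
      "tags": { "costCentre": "platform" }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid(subscription().id, parameters('readerPrincipalId'), 'reader')]",
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "principalId": "[parameters('readerPrincipalId')]"
      }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2021-06-01",
      "name": "allowed-locations",
      "properties": {
        "displayName": "Allowed locations",
        "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', 'e56962a6-4747-49cd-b67b-bf8b01975c4c')]",
        "parameters": {
          "listOfAllowedLocations": { "value": "[parameters('allowedLocations')]" }
        }
      }
    }
  ],
  "outputs": {
    "resourceGroupId": {
      "type": "string",
      "value": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('rgName'))]"
    }
  }
}
'@

# The role definition GUID above is the built-in Reader role and the policy
# definition GUID is the built-in "Allowed locations" policy.
$templateFile = Join-Path ([System.IO.Path]::GetTempPath()) 'tier2-subscription.json'
Set-Content -Path $templateFile -Value $template -Encoding utf8

$parameters = @{
    rgName            = 'rg-platform-network'
    location          = $location
    readerPrincipalId = $readerPrincipalId
    allowedLocations  = @('australiaeast', 'australiasoutheast')
}

# Preview first: -WhatIf lists the changes without creating anything.
New-AzSubscriptionDeployment -Name 'tier2-platform' -Location $location `
    -TemplateFile $templateFile -TemplateParameterObject $parameters -WhatIf

# Real deployment; fail loudly if it does not complete.
$deployment = New-AzSubscriptionDeployment -Name 'tier2-platform' -Location $location `
    -TemplateFile $templateFile -TemplateParameterObject $parameters

if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment finished in state '$($deployment.ProvisioningState)'"
}
$deployment.Outputs['resourceGroupId'].Value
```

The role assignment is named with guid() over the subscription ID and principal so the template can be redeployed without creating a duplicate. Creating role assignments requires the deploying identity to hold Owner or User Access Administrator on the subscription; Contributor is enough for the Resource Group and policy assignment but the role assignment step will fail with it.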

Management Group Scope

https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azmanagementgroupdeployment?view=azps-3.7.0

Deployments at the Management Group scope enable the following resources to be deployed:

  • Policy Definitions and Assignments
  • Azure RBAC Permissions @ the Management Group scope
  • Azure RBAC Custom Roles

These deployments use the New-AzManagementGroupDeployment PowerShell commands.

New-AzManagementGroupDeployment -ManagementGroupId "root-mg" -Location "Australia East" -TemplateFile ".\template.json" -TemplateParameterFile ".\template.parameters.json"

Tenant Scope

https://docs.microsoft.com/en-us/powershell/module/az.resources/new-aztenantdeployment?view=azps-3.7.0

The tenant scope allows deployment at the top level of the tenant. Only a few resources can be deployed at this scope, including:

  • Azure RBAC Custom Roles
  • Create Management Groups

These deployments use the New-AzTenantDeployment PowerShell commands.

New-AzTenantDeployment -Location "Australia East" -TemplateFile ".\template.json" -TemplateParameterFile ".\template.parameters.json"
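As an added example (not code from the original post), this script builds a small Management Group hierarchy from a tenant-scope template, the "Create Management Groups" case above, using a copy loop so the set of child groups is data rather than repeated resource blocks. It assumes an existing parent Management Group (root-mg here is an assumed name) and that the deploying identity holds Owner at the tenant root "/", which a Global Administrator must first elevate their access to grant.

```powershell
# Added example (not from the original post): tenant-scope ARM template creating
# child management groups under an existing parent, via New-AzTenantDeployment.
# Assumptions: 'root-mg' exists; the deploying identity has Owner at scope "/".
$location   = 'australiaeast'
$parentMgId = 'root-mg'   # assumed existing management group ID

# Tenant-scope templates use the tenantDeploymentTemplate schema.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "parentMgId": { "type": "string" },
    "childMgs": {
      "type": "array",
      "defaultValue": [
        { "id": "platform-mg",     "displayName": "Platform" },
        { "id": "landingzones-mg", "displayName": "Landing Zones" },
        { "id": "sandbox-mg",      "displayName": "Sandbox" }
      ]
    }
  },
  "resources": [
    {
      "copy": { "name": "mgCopy", "count": "[length(parameters('childMgs'))]" },
      "type": "Microsoft.Management/managementGroups",
      "apiVersion": "2020-05-01",
      "scope": "/",
      "name": "[parameters('childMgs')[copyIndex()].id]",
      "properties": {
        "displayName": "[parameters('childMgs')[copyIndex()].displayName]",
        "details": {
          "parent": {
            "id": "[tenantResourceId('Microsoft.Management/managementGroups', parameters('parentMgId'))]"
          }
        }
      }
    }
  ],
  "outputs": {
    "managementGroupIds": {
      "type": "array",
      "copy": {
        "count": "[length(parameters('childMgs'))]",
        "input": "[tenantResourceId('Microsoft.Management/managementGroups', parameters('childMgs')[copyIndex()].id)]"
      }
    }
  }
}
'@

$templateFile = Join-Path ([System.IO.Path]::GetTempPath()) 'tier0-management-groups.json'
Set-Content -Path $templateFile -Value $template -Encoding utf8

# Preview the hierarchy change before touching the tenant.
New-AzTenantDeployment -Name 'tier0-mg-structure' -Location $location `
    -TemplateFile $templateFile -TemplateParameterObject @{ parentMgId = $parentMgId } -WhatIf

$deployment = New-AzTenantDeployment -Name 'tier0-mg-structure' -Location $location `
    -TemplateFile $templateFile -TemplateParameterObject @{ parentMgId = $parentMgId }

if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Tenant deployment finished in state '$($deployment.ProvisioningState)'"
}

# Independent check: confirm the groups now exist in the tenant.
$expected = 'platform-mg', 'landingzones-mg', 'sandbox-mg'
$found    = (Get-AzManagementGroup | Where-Object { $_.Name -in $expected }).Name
$missing  = $expected | Where-Object { $_ -notin $found }
if ($missing) { throw "Management groups not found after deployment: $($missing -join ', ')" }
$deployment.Outputs['managementGroupIds'].Value
```

Tenant root Owner is the most powerful assignment in Azure, so keep it on a dedicated deployment identity used only for this Tier 0 step, rather than on the pipeline identity that runs the lower scopes.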

So what does this all mean? We now have the ability to combine scopes and deploy fully automated Landing Zone environments with all the associated scaffolding, governance and security constructs that are needed to produce an Azure environment.

Recently I was involved in an engagement for a large global organisation that had the following main business requirement for starting their Azure journey:

"Codify, automate and orchestrate the deployment of Azure landing zones incorporating governance, security and policies across multiple environments"

Given the dynamic way subscriptions will be created, there could be 150 to 200 subscriptions in the environment, so a repeatable solution was important. To achieve this, the following tiered approach was taken, based on the deployment scopes outlined above.

Tier 0 - Tenant Deployment

  • Create the Management Group Structure

Tier 1 - Management Group Deployment

  • Create Azure Policies @ the Management Group level
  • Create Azure RBAC permissions @ the Management group level

Tier 2 - Subscription Deployment

  • Create Azure Subscriptions
  • Create Azure Subscription tags
  • Create Azure Budget
  • Create Azure Policies @ the Subscription level
  • Create RBAC permissions @ the Subscription level
  • Enable Azure Security Center
  • Enable Azure Activity & Subscriptions logs
  • Create core Resource Groups

Tier 3 - Resource Group Deployment

  • Create Azure Networking resources, including Virtual network & Subnets, Network Security Groups, User Defined Routes and ExpressRoute.
  • Create Operational and Logging resources, including Storage accounts, Log Analytics, Azure Automation, Azure Key Vaults.
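As an added example (not the engagement's own code), here is one way to orchestrate the four tiers from a single script, each tier at its own scope (New-AzTenantDeployment, New-AzManagementGroupDeployment, New-AzSubscriptionDeployment, New-AzResourceGroupDeployment), stopping as soon as a tier does not finish in ProvisioningState Succeeded. The template file names, the folder layout, the Management Group names and the coreResourceGroup output of the Tier 2 template are assumptions made for this example.

```powershell
# Added example (not from the original post): run Tiers 0-3 in order, each at its
# own scope, and stop at the first tier that does not reach 'Succeeded'.
# Assumptions: templates exist under $TemplateRoot with the names below, the
# Tier 2 template declares an output named 'coreResourceGroup', and the
# management group IDs are the ones created in Tier 0.
[CmdletBinding()]
param(
    [string]$Location      = 'australiaeast',
    [string]$RootMgId      = 'root-mg',          # assumed existing root MG
    [string]$LandingZoneMg = 'landingzones-mg',  # assumed MG created by Tier 0
    [Parameter(Mandatory)][string]$SubscriptionId,   # target of Tiers 2 and 3
    [string]$TemplateRoot  = '.\templates'       # assumed folder of tier templates
)
$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMddHHmm'   # unique deployment names per run

function Assert-Succeeded {
    param([Parameter(Mandatory)]$Deployment, [Parameter(Mandatory)][string]$Tier)
    if ($Deployment.ProvisioningState -ne 'Succeeded') {
        throw "$Tier deployment '$($Deployment.DeploymentName)' ended in state '$($Deployment.ProvisioningState)'"
    }
    Write-Host "$Tier succeeded: $($Deployment.DeploymentName)"
}

# Tier 0 - tenant scope: management group structure
$tier0 = New-AzTenantDeployment -Name "tier0-$stamp" -Location $Location `
    -TemplateFile (Join-Path $TemplateRoot 'tier0-management-groups.json') `
    -TemplateParameterObject @{ parentMgId = $RootMgId }
Assert-Succeeded $tier0 'Tier 0'

# Tier 1 - management group scope: policies and RBAC inherited by every landing zone
$tier1 = New-AzManagementGroupDeployment -Name "tier1-$stamp" -Location $Location `
    -ManagementGroupId $LandingZoneMg `
    -TemplateFile (Join-Path $TemplateRoot 'tier1-policy-rbac.json')
Assert-Succeeded $tier1 'Tier 1'

# Tier 2 - subscription scope: point the Az context at the target subscription first
Set-AzContext -Subscription $SubscriptionId | Out-Null
$tier2 = New-AzSubscriptionDeployment -Name "tier2-$stamp" -Location $Location `
    -TemplateFile (Join-Path $TemplateRoot 'tier2-subscription.json')
Assert-Succeeded $tier2 'Tier 2'

# Tier 3 - resource group scope: the core group name comes from the Tier 2 output,
# so Tier 3 can never target a group that Tier 2 did not create.
$coreRg = $tier2.Outputs['coreResourceGroup'].Value
if (-not $coreRg) { throw "Tier 2 template did not return the 'coreResourceGroup' output" }

$tier3 = New-AzResourceGroupDeployment -Name "tier3-$stamp" -ResourceGroupName $coreRg `
    -TemplateFile (Join-Path $TemplateRoot 'tier3-network-ops.json')
Assert-Succeeded $tier3 'Tier 3'
```

Passing the Resource Group name downward as a template output, rather than hard-coding it in Tier 3, keeps the tiers decoupled and makes the run idempotent across the 150 to 200 subscriptions described above: the same script runs per subscription with only -SubscriptionId changing.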

Next time we will go through the different tiers and associated Landing Zones constructs.
