The past couple of weeks i have seen new features being released for Azure Blueprints. In this short post i will write about the updates in Definition location and Lock assignment.
New to Azure Blueprints?
Azure Blueprints allows you to define a repeatable set of Azure resources that follows your organizations standards, patterns and requirements. This allows for a more rapidly deployment of new environments while making it easy to keep your compliance at desired level.
Azure Blueprints is a package or container used to achieve an organizational standard and patterns for implementation of Azure Cloud Services. To achieve this, we use Artifacts.
Artifacts available today are:
- Role Assignments
- Policy Assignments
- Resource Groups
- ARM Templates
The public preview of blueprints was released during Ignite in September last year, and its still in preview.
Read more about the basics of Azure Blueprints here
This is where in your hierarchy you place the Blueprint, and we think of it as a hierarchy because after creation the assignments of the blue print can be done at current level or below in the hierarchy. Until now the option for definition location has been Management groups. With the new released support for subscription level you can now start use Blueprints even if you have not adopted Management groups yet.
Note you need contributor permissions to be able to save your definition to a subscription.
If you are new to management groups, I recommend you take a look at it since it’s a great way to control and apply your governance across multiple subscriptions.
Read more about Management groups here
Definition location for Blueprints
During assignment of a Blueprint we are given the option to lock the assignment.
Up until recently we only had Lock or Don’t lock. If we chose to lock the assignment all resources were locked and could not be modified or removed. Not even by a subscription owner.
Now we have the option to set the assignment to:
- Don’t Lock – The resources are not protected by blueprints and can be deleted and modified.
- Read Only – The resources can´t be changed in any way and can´t be deleted.
- Do Not Delete – This is a new option that gives us the flexibility to lock our resources from deletion but still gives us the option to change the resources.
Lock assignment during assignment of Blueprint
Removing lock states
If you need to modify or remove your lock assignments, you can either:
- Change the assignment lock to Don´t Lock
- Delete the blueprint assignment.
Note that there is a cache so changes might take up to 30 minutes before they become active.
You can read more about resource locking here
With the “Do not Delete” i think we will see a better use of the Lock assignment and we will have the flexibility to make changes on our resources without the possibility to delete them. And with Definition location set to subscription we can start using the Blueprints without Management groups and i can see that this might be a useful in environments where Management groups have not been introduced.
Good luck with your blueprinting!
You can reach me at Tobias.Vuorenmaa@xenit.se if you have any questions.