Skip to content
This repository has been archived by the owner on Oct 5, 2023. It is now read-only.

Deploy with Azure Pipelines

github-actions edited this page Jul 10, 2023 · 1 revision

1. We recommend configuring the following parameters:

  • Change the value of parPolicyPseudoRootMgmtGroup to the management group where you wish to deploy the policies and the initiatives; this will also be the "scope" of the respective policy / initiative assignments. This is usually the so called "pseudo root management group", e.g. in ALZ terminology, this would be the so called "Intermediate Root Management Group" (directly beneath the "Tenant Root Group").
  • Change the value of ALZMonitorResourceGroupName to the name of the resource group where the activity logs, resource health alerts, actions groups and alert processing rules are placed in.
  • Change the value of ALZMonitorResourceGroupTags to specify the tags to be added to said resource group.
  • Change the value of ALZMonitorResourceGroupLocation to specify the location for said resource group.
  • Change the value of ALZMonitorActionGroupEmail (specific to the Service Health initiative) to the email address where notifications of the alerts are sent to.

These changes must be made in each of the following parameter files:

2. Example Parameter file:

Note that the parameter file shown below has been truncated for brevity, compared to the samples included.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "parPolicyPseudoRootMgmtGroup": {
            "value": "Contoso"
        },
        "parPolicyAssignmentParameters": {
            "value": {
                "ALZMonitorResourceGroupName": {
                    "value": "rg-alz-monitor"
                },
                "ALZMonitorResourceGroupTags": {
                    "value": {
                        "Environment": "Production",
                        "Project": "ALZ Monitor"
                    }
                },
                "ALZMonitorResourceGroupLocation": {
                    "value": "eastus"
                }
            }
        },
        "parPolicyAssignmentParametersServiceHealth": {
            "value": {
                "ALZMonitorActionGroupEmail": {
                    "value": "[email protected]"
                }
            }
        }
    }
}

3. Configure and run the pipeline

First configure your Azure DevOps project with a pipeline hosted in GitHub as described here. The pipeline should be configured to use the sample-pipeline.yml file.

Also in your Azure DevOps project, configure a service connection to your Azure subscription as described here. The service connection should target the intermediate root management group for ALZ aligned deployments or the management group where you wish to deploy the policies and the initiatives for ALZ unaligned deployments.

ALZ aligned

  • Modify the following values in sample-pipeline.yml:
    • Change Location: "norwayeast", to your preferred Azure region
    • Change ManagementGroupPrefix: "alz", to the pseudo root management group id parenting the identity, management and connectivity management groups.
    • Change identityManagementGroup: "alz-platform-identity", to the management group for identity in your ALZ implementation.
    • Change managementManagementGroup: "alz-platform-management", to the management group for management in your ALZ implementation.
    • Change connectivityManagementGroup: "alz-platform-connectivity", to the management group for connectivity in your ALZ implementation.
    • Change LZManagementGroup: "alz-landing-zone", to the management group for Landing Zones in your ALZ implementation.
  • Go to Azure DevOps Pipelines and run the pipeline you just created.

IMPORTANT: Above-mentioned "ManagementGroupPrefix" variable value, being the so called "pseudo root management group id", should coincide with the value of the "parPolicyPseudoRootMgmtGroup" parameter, as set previously within the parameter files.

ALZ unaligned

For ease of deployment and maintenance we have kept the same variables. If, for example, you combined Identity, Management and Connectivity into one management group you should configure the variables identityManagementGroup, managementManagementGroup and connectivityManagementGroup with the same management group.

  • Modify the following values in sample-pipeline.yml:
    • Change Location: "norwayeast", to your preferred Azure region
    • Change ManagementGroupPrefix: "alz", to the pseudo root management group parenting the identity, management and connectivity management groups.
    • Change identityManagementGroup: "alz-platform-identity", to the management group for the Identity initiative. The same management group may be repeated.
    • Change managementManagementGroup: "alz-platform-management", to the management group for Management. The same management group may be repeated.
    • Change connectivityManagementGroup: "alz-platform-connectivity", to the management group for Connectivity. The same management group may be repeated.
    • Change LZManagementGroup: "alz-landing-zone", to the management group for Landing Zones. The same management group may be repeated.
  • Go to Azure DevOps Pipelines and run the pipeline you just created.

IMPORTANT: Above-mentioned "ManagementGroupPrefix" variable value, being the so called "pseudo root management group id", should coincide with the value of the "parPolicyPseudoRootMgmtGroup" parameter, as set previously within the parameter files.

Single management group

For ease of deployment and maintenance we have kept the same variables. Configure the variables ManagementGroupPrefix, identityManagementGroup, managementManagementGroup, connectivityManagementGroup and LZManagementGroup with the pseudo root management group.

  • Modify the following values in sample-pipeline.yml:
    • Change Location: "norwayeast", to your preferred Azure region
    • Change ManagementGroupPrefix: "alz", to the pseudo root management group.
    • Change identityManagementGroup: "alz-platform-identity", to the pseudo root management group.
    • Change managementManagementGroup: "alz-platform-management", to the pseudo root management group.
    • Change connectivityManagementGroup: "alz-platform-connectivity", to the pseudo root management group.
    • Change LZManagementGroup: "alz-landing-zone", to the pseudo root management group.
  • Go to Azure DevOps Pipelines and run the pipeline you just created.

IMPORTANT: Above-mentioned "ManagementGroupPrefix" variable value, being the so called "pseudo root management group id", should coincide with the value of the "parPolicyPseudoRootMgmtGroup" parameter, as set previously within the parameter files.

Next steps