This demo project deploys Azure resources and bootstraps Azure DevOps projects to illustrate end-to-end RBAC, including best practices and pitfalls. It follows principles from Microsoft's Cloud Adoption Framework (CAF).
| Status | Description |
|---|---|
| Deployment Azure Resources and Azure DevOps | |
| Detect Configuration Drift (scheduled nightly) |
When developing a governance model for your organization, it is important to remember that Azure Resource Management (ARM) is only one way to manage resources.
When introducing automation via CI/CD pipelines, be aware that the Role Based Access Control (RBAC) model must be applied at multiple layers. This code sample deploys many of these layers and show how they can be configured together in a unified governance model.
-
- Use Case, Requirements
- Azure AD Groups and Role Based Access Controls (RBAC)
- Securing environments - Production vs Non-production
- Multi-tiered Governance - Access Controls
-
- Prerequisites
- Azure Resource Manager (ARM) - Service Principal
- Azure AD - Tenant, Service Principal
- Azure DevOps - Organization, Personal Access Token (PAT)
- Setup and Install
- Deploy
- Prerequisites
When run Terraform will create the following resources. Note: random suffix used to ensure globally unique names, e.g. u6t7 but are omitted here for clarity.
| Group Name | ARM Role | Azure DevOps Role |
|---|---|---|
infra |
Contributor | Contributor |
fruits |
Contributor | Contributor |
veggies |
Contributor | Contributor |
infra-admins |
Owner | Project Administrators |
fruits-admins |
Owner | Project Administrators |
veggies-admins |
Owner | Project Administrators |
The project structure illustrates different governance models and their trade-offs.
- "fruits" and "veggies" when isolated means less governance management - at the cost of less collaboration.
- "supermarket" model prioritizes collaboration via shared Azure Boards - but requires more governance management, especially for repositories and pipelines.
| Project | Boards | Repos | Pipelines |
|---|---|---|---|
project-fruits |
Yes | Yes | Yes |
project-veggies |
Yes | Yes | Yes |
collaboration |
Yes | No | No |
central-it |
No | Yes | Yes |
supermarket |
Yes | Yes | Yes |
Preview of the Azure DevOps organization created by this code sample. Icons by Smashicons not included.
- Service Connection using Contributor Service Principal
- Service Connection using Key Vault read-only Service Principal for Pipeline Secrets Integration
Note: At time of this writing there is no REST API (v6 )for Key Vault Integration. Therefore it must be configured manually.
N.B. Each resource group is intended to be a logical and security boundary, i.e. "environment". In practice per Cloud Adoption Framework, these boundaries should be Azure Subscriptions, not Resource Groups.
fruits-dev-rgfruits-prod-rgveggies-dev-rgveggies-prod-rginfra-shared-rg
Each "environment" has
- Azure Storage Account
- Azure Key Vault
- Service Principal - Contributor for automation
- Service Principal - Read-Only for Key Vault (used for Integration with Azure Pipelines Secrets)
This demo was created with ♥ by the FastTrack engineer Julie Ng and based on experience with Azure customers new to CI/CD and DevOps. After regularly breaking and fixing the demo in onboarding sessions, it was automated.
Learn more about FastTrack for Azure →
If you want to contribute, please first read the Microsoft Code of Conduct →
The easiest way to contribute is to provide feedback.
-
Report Bugs
If you find issues, please open a GitHub issue → -
Feature Requests
Feel free to make suggestions by opening a GitHub issue → -
Ask a Question
Please also open a GitHub issue →
This project affects real Azure resources and leverages CI/CD to safeguard them. Therefore please read through all the sections below carefully for highest success of your contribution being accepted.
-
Please use Conventional Commits so we can automate the Change Log. Thank you.
-
To get started, fork this repository. Please make your changes in your fork in a feature branch, ideally beginning with
feat/*orfix/*Large Pull Requests can be a challenge to merge. Consider separating changes are you would into smaller bits like features and create separate pull requests for each.
-
Only Pull Requests with passing CI builds can be accepted for merging.
When you are ready and checked you have met all code requirements described above, you can open a pull request. When you do so, a CI build should be automatically started. If you're having difficulty, please feel free to reach out for help by opening an issue or via Twitter @jng5.
This project is published under the MIT license. See LICENSE.md for details.