Help your imagination - visualizing ARM templates with ARMVIZ

ARM templates are a great tool when you want to automate provisioning of your environment. They're customizable, somewhat flexible, easy to store and modify. What they lack, as many text-based tools do, is a touch of abstraction. Most people learn visually, which is why it's always a good thing to see what you're doing.

I'll paint this!

ARMVIZ is a free and open-source tool which will visualize and help you validate your ARM template on a very high level. By "high level" I mean that it helps you understand the structure of a template and its basic dependencies rather than the underlying relations that come into play when resources are actually provisioned.

The very first visualization you'll see in ARMVIZ

Working with ARMVIZ

Currently there are two possibilities to work with ARMVIZ: either you open a template stored on your disk or you write a new one inside the editor. The former helps to validate whether you have all components inside a template and all dependencies work well; the latter is actually a slightly better option for writing JSON than Visual Studio (especially when VS goes mad while validating a JSON schema).

ARMVIZ suggests possible values but it won't limit them to the ones available for a field

When dependencies are removed from a VM, we can clearly see, that there're some problems with our template

Summary

In its current shape ARMVIZ has very limited capabilities and can act only as a quick support when you have a very complicated ARM template. On the other hand, the possibility to write a template and see it at the same time increases your productivity and really helps when you're struggling to understand what is related to what and why.


Policies in Azure Resource Manager for better conventions management

Conventions are a really good idea in general: they prevent you from having to handle the whole mess which appears sooner or later. While this is pretty obvious when working with your codebase (we have plenty of different tools for it), it's still not so popular when you're managing your resources in the cloud. This post is going to encourage you to use them and present possible use cases.

Why not roles?

In Azure you can also find the term RBAC, which stands for role-based access control. While you can find it useful to assign e.g. the admin role only to those few people "who know what they're doing", it's still user-centric: it answers who may act, not what a permitted action may look like. You can imagine a situation where you have different teams working on different projects. Different people have different opinions and experience, and their choices are dictated by their current point of view.

Now imagine giving them access to the production environment (I'm aware of the fact that normally access is restricted; let's pretend we forgot about this rule). With RBAC you can select who can do anything on production. What you cannot do is restrain him or her from provisioning a G5 VM for 5k Euros per month. This is where policies come into play.

Creating and assigning a policy

You have multiple options when it comes to selecting a tool to manage your policies. In fact, you can choose either the REST API, PowerShell or Azure CLI. For me the easiest way to work with policies was to use PowerShell cmdlets; I strongly encourage you to select the tool which suits you the most.

To make a policy effective you have to perform 2 steps: create it (the definition) and assign it to a scope such as a resource group. This is another great feature: you can have your policies predefined and attach them to different resource groups as you wish. It's also super easy to automate if you wish.

To create and assign a policy you can use the following commands:

```powershell
$policy = New-AzureRmPolicyDefinition -Name regionPolicyDefinition -Description "Allow only one region" -Policy '{
  "if" : {
    "not" : {
      "field" : "location",
      "in" : ["northeurope"]
    }
  },
  "then" : {
    "effect" : "deny"
  }
}'

New-AzureRmPolicyAssignment -Name regionPolicyAssignment -PolicyDefinition $policy -Scope /subscriptions/{SubscriptionId}/resourceGroups/{ResourceGroup}
```

I used examples from this page and modified them slightly. What this code does can be shortened to "create a policy definition in the subscription & assign it to the resource group". Note that the rule has no `type` condition, so it applies to every resource created in that resource group, not just VMs. (The AzureRM cmdlets shown here have since been superseded by the Az module equivalents, New-AzPolicyDefinition and New-AzPolicyAssignment, which take the same parameters.) Now let's try to create any kind of resource in this resource group which is not in the North Europe region. It seems it's not so easy now:

When you go to the details of this error, you'll see something similar to the following (note that the misspelled `policyDefintionId` key is how the service itself returned it):

```json
{
  "error": {
    "code": "RequestDisallowedByPolicy",
    "message": "The resource action 'Microsoft.Network/virtualNetworks/write' is disallowed by one or more policies. Policy identifier(s): '[{\"policyDefintionId\":\"/subscriptions/{SubscriptionId}/providers/Microsoft.Authorization/policyDefinitions/regionPolicyDefinition/\",\"policyAssignmentId\":\"/subscriptions/{SubscriptionId}/resourceGroups/FunctionApp//providers/Microsoft.Authorization/policyAssignments/regionPolicyAssignment/\"}]'."
  }
}
```

Managing policies

When you take a look at the documentation of policies, you'll see other options available like viewing already created policies or removing them. I strongly encourage you to read it: there are many different properties which can be constrained, like VM size, storage SKU or even ensuring that storage blobs are encrypted. It's a really powerful tool, and using it wisely can really ease operations and management.
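To make the evaluation of the region rule above and of a VM-size rule like the ones mentioned in this section concrete, here is a small offline evaluator for the subset of the Azure Policy rule language they use (`field` with `equals`/`in`/`exists`, plus `not`, `allOf` and `anyOf`). This is an added example written for this post, not the Azure Policy engine and not code from the original post; the VM-size rule, its alias path `Microsoft.Compute/virtualMachines/sku.name` and all sample requests are assumptions constructed for the example. It also shows a caveat a region rule without a `type` condition carries: global resources (DNS zones, for instance) report the location `global` and are denied as well.

```python
"""Offline evaluator for the subset of the Azure Policy rule language used in
this post: `field` with `equals`/`in`/`exists`, plus `not`, `allOf`, `anyOf`.
Written as an illustration for this post; it is NOT the Azure Policy engine.
Resource requests are modelled as flat dicts keyed by field name or alias."""

import json
from typing import Any

# The region rule from the post, exactly as passed to New-AzureRmPolicyDefinition.
REGION_POLICY = json.loads('''
{
  "if":   { "not": { "field": "location", "in": ["northeurope"] } },
  "then": { "effect": "deny" }
}
''')

# Assumed second rule (not from the post): deny VM sizes outside an allow-list.
# The `type` check in `allOf` keeps the rule from matching non-VM resources;
# the alias path for the VM size is an assumption made for this example.
VM_SIZE_POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": ["Standard_B2s", "Standard_D2s_v3"]}},
    ]},
    "then": {"effect": "deny"},
}

# Policies assigned to the resource group, keyed by definition name.
ASSIGNMENTS = {
    "regionPolicyDefinition": REGION_POLICY,
    "vmSizePolicyDefinition": VM_SIZE_POLICY,
}


def _norm(value: Any) -> Any:
    """Azure Policy compares strings case-insensitively; mimic that."""
    return value.casefold() if isinstance(value, str) else value


def evaluate_condition(cond: dict, request: dict) -> bool:
    """Recursively evaluate a policy `if` block against one request."""
    if "not" in cond:
        return not evaluate_condition(cond["not"], request)
    if "allOf" in cond:
        return all(evaluate_condition(c, request) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, request) for c in cond["anyOf"])
    if "field" in cond:
        value = request.get(cond["field"])  # None when the field is absent
        if "equals" in cond:
            return _norm(value) == _norm(cond["equals"])
        if "in" in cond:
            return _norm(value) in [_norm(v) for v in cond["in"]]
        if "exists" in cond:
            return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(policy: dict, request: dict) -> str:
    """Return the rule's effect when its `if` matches, otherwise 'allow'."""
    if evaluate_condition(policy["if"], request):
        return policy["then"]["effect"].lower()
    return "allow"


def evaluate_assignments(assignments: dict, request: dict) -> tuple[str, list[str]]:
    """Combine all assignments in scope: a single 'deny' blocks the request.
    Also return which definitions matched, the way the RequestDisallowedByPolicy
    error lists the offending policy identifiers."""
    denied_by = [name for name, pol in assignments.items()
                 if evaluate_policy(pol, request) == "deny"]
    return ("deny" if denied_by else "allow"), denied_by


# Constructed sample requests (not captured from Azure).
REQUESTS = {
    "vnet_westeurope": {"type": "Microsoft.Network/virtualNetworks",
                        "location": "westeurope"},
    "vnet_northeurope_mixed_case": {"type": "Microsoft.Network/virtualNetworks",
                                    "location": "NorthEurope"},
    # Global resources such as DNS zones report location "global", so a
    # single-region rule like the one in the post denies them too.
    "dnszone_global": {"type": "Microsoft.Network/dnsZones", "location": "global"},
    "vm_g5_northeurope": {"type": "Microsoft.Compute/virtualMachines",
                          "location": "northeurope",
                          "Microsoft.Compute/virtualMachines/sku.name": "Standard_G5"},
    "vm_b2s_northeurope": {"type": "Microsoft.Compute/virtualMachines",
                           "location": "northeurope",
                           "Microsoft.Compute/virtualMachines/sku.name": "Standard_B2s"},
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        verdict, denied_by = evaluate_assignments(ASSIGNMENTS, req)
        print(f"{name:30} -> {verdict:5} {denied_by}")
```

Running it shows the West Europe VNet and the G5 VM denied by their respective definitions, the DNS zone denied by the region rule alone, and the B2s VM in North Europe allowed. The takeaway for writing real definitions is the same: add a `type` condition (or list `global` among the allowed locations) unless you really want a rule to fire for every resource type.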