While my intent of this blog is to introduce a new template preview feature in the Azure portal, I want to first highlight a few of the best articles about Azure Resource Manager (ARM) templates. After the quick list of links, then I will break into this new preview feature for templates in the portal that you will want to try right away that is in preview right now. But if you already know all about templates, just skip the links and go right to the section below 🙂
ARM Template Resource Links
There are many, many pages and resources on this. I first posted quite a few others on my Azure IaaS Ops Guide post under the section titled "Azure Resource Manager (ARM) and Role Based Access Control (RBAC)". But from those and others discovered, here are some of the best ones I've found to be helpful as reference for myself and my customers.
- First things first, you must understand ARM - aka.ms/Azure/ARM
- within that link, there is a section to explain Template Deployment
- Next, before you start making a bunch of templates, you should read Patterns for Designing Resource Manager Templates
- Now you understand how to plan for them, next read Authoring Azure Resource Manager Templatea and then Resource Manager Template Walkthrough
- To polish it all off, read Best Practices for Azure Resource Manager Templates
- Here is a very nicely done MVP Blog on....
- To get the whole enchilda from all the experts at Microsoft, download World Class ARM Templates - Considerations and Proven Practices
- Don't want to read, but watch videos instead? Watch Channel 9
- Get tons of template on GitHub and Azure QuickStart Templates
Now for the new Template Preview Feature in the Azure Portal
In Azure deployments, many people want to have, and should have, some sort of governance. And with that a Service Catalog providing users with resources to deploy. Then those abilities can be controlled and constrained through various policies. Now, with the Azure Templates preview in the Azure portal, we can combine this with:
- Azure Resource Manager Policies - controlling what Azure Resources one can use or not
- See Use Policies to manage resources and control access
- For examples, I have a post at aka.ms/Azure/Policies
- Resource Based Access Control - controlling who has rights to Azure resources
- Read more at aka.ms/Azure/RBAC
- As always, as best practice for RBAC would be to grant rights based on groups versus user accounts. Think in terms of what teams may need to use these template e.g. App/Dev/Test teams.
How to find it FAST in the portal
- Go to http://portal.azure.com and login to your subscription
- Trust me, just press and hold G and then tap B and then type the word templates
- Click the star to the right to add this to your menu on the left, and then click on templates to open this new preview feature
Now what can we do?
Click Add Template and give it a name and a description and then click OK. Note: you cannot have spaces in the name.
Now you will be in the ARM Template blade
So next we can go do this the hard way, or the easy way. The hard way would be to start typing away in the window above. But to do that, you would have to know precisely how to construct these. But a better way, is to start with some templates in the links above, or else export one from something else you have already built. See aka.ms/azure/export to learn how to do the latter.
Once you have a sample template you want to use, delete the content in the ARM Template blade and then paste the new template in there. Click OK and then Add.
Now you will see your template. If you click on the three dots to the right, then the other options appear
Deploy is what is sounds like. You will deploy this Azure Resource(s) into your subscription.
Edit - oops you goofed, and you want to change or alter the JSON you started with.
Delete - bye bye template
Share - now THIS is where the magic happens! And where RBAC takes control.
Once you click on Shares, then you'll click on Roles at the top. As with most roles available, you can start with Owner, Contributor, or Reader. To simply allow someone to deploy this would only need Read. But if you want someone to edit these templates, then they would need Contributor.
After you have a bunch of templates in this window, you can also always select any one of them and use either the context menu or the top of the blade as shown below.
The beauty of these permissions, is that if a user has no rights to any or all of the templates, they don't see them. So a user can only see the templates that they have a minimum of Read rights too as designated by RBAC.