Azure Blueprints Support #2205

Closed
lawrenae opened this issue Nov 1, 2018 · 23 comments

@lawrenae
Contributor

lawrenae commented Nov 1, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I'd like to add Azure Blueprints (REST API) resources. Below I have a mock up of how I think this can/could/should work, but feedback most welcome.

I currently do not have an opinion on how any "external files", such as the ARM and policy files, should be stored (single file only? folder? other?). The mock only expressly supports single files, ATM.

Thoughts?

New or Affected Resource(s)

  • azurerm_blueprint_template
  • azurerm_blueprint_assignment

Potential Terraform Configuration

# Defaults
#  - lock_resources = true
# Notes
#  - always publishes a new version
# Outputs
#  - ${azurerm_blueprint_template.thing.latest_version}
#  - ${azurerm_blueprint_template.thing.versions}

resource "azurerm_blueprint_template" "thing" {
    management_groups = [
        "production",
        "test",
        "dev"
    ]

    lock_resources = false
    name = "some_blueprint"
    version_prefix = "blah_"

    parameters = [
        {
            name = "contributors"
            type = "array"
            displayName = "storage account type."
            description = "something"
        }
    ]

    resource_groups = [
        {
            name        = "some_rg"
            description = "some description"
            dependsOn   = "other_rg"
        },
        {
            name        = "other_rg"
            description = "other description"
        }
    ]

    role_assignments = [
        {
            roleDefinitionId = "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
            principalIds     = "[parameters('contributors')]"
            dependsOn        = "other_rg"
        }
    ]

    policy {
        content = "${file("policy.json")}"
    }

    arm_template {
        content = "${file("arm_template.json")}"
    }
}

data "azurerm_blueprint_template" "thing" {
    blueprint = "${azurerm_blueprint_template.thing.id}"
}

resource "azurerm_blueprint_assignment" "name" {
    parameters = {
        "contributors" = ["email1@microsoft.com", "email2@microsoft.com"],
    }

    subscriptions = [
        "subscriptionId",
        "subscriptionId"
    ]
    # - OR -
    management_group = "production" #Assigns to all subscriptions immediately under this

}

References

  • #0000
@lawrenae lawrenae changed the title Azure Blueprint Support Azure Blueprints Support Nov 1, 2018
@tombuildsstuff tombuildsstuff self-assigned this Nov 1, 2018
@grayzu
Collaborator

grayzu commented Nov 6, 2018

@lawrenae Thanks for opening the issue / suggestion.

Out of curiosity, what do you see yourself using a blueprints resource for? In other words, would you use it like the ARM template resource where you would fall back to it when resources do not exist to accomplish what you are looking to do? Or are there features / functionality that Blueprints provide that do not exist in Terraform?

Understanding what you are trying to accomplish can help us better prioritize this work.

@lawrenae
Contributor Author

@grayzu It's an awesome question. It's caused quite a bit of debate inside my organization, but in short, I don't think there is anything that I can't also just do with Terraform. We intend to have subscription creation automated anyway, so why not do "blueprint things" at the same time?

Thanks much

@grayzu
Collaborator

grayzu commented Nov 12, 2018

Thanks @lawrenae. When you say that you intend to have subscription automation anyway, does that equal blueprints or do you have other ways to accomplish this? I am assuming that subscription automation means that when a subscription is created, be it from TF or UI or other, it will have a set of things configured. Correct?

@lawrenae
Contributor Author

Yes, that's correct -- a basic set of things configured for each and every subscription. We're already down the path of a push button system that creates subscriptions (az cli today, hopefully TF tomorrow), so doing the rest of the configuration via TF at the same time is an obvious choice.

@kikokikok

Hi All,
We have similar use cases for a big corporation, where we would like to integrate part of the deployment of our security/compliance tooling through TF + Blueprints.
Are you considering the development of Blueprint anytime soon, or should we implement it on our side and maybe contribute back?

Thank you

@richeney
Contributor

It would be great for partners and central IT teams - define and assign Blueprints for core managed services. Looking to do this with CSP Providers so that their CSP Resellers could then assign the Blueprint and configure the parameters in the portal.

There is also a locking aspect to Blueprints that makes it very robust - you can set it so that even the subscription Owner cannot remove the resources whilst the Blueprint is assigned. It has real teeth.

@mikemcowie

Having this type of resource available with terraform is enormous in the sense that terraform (in my view) needs to work with (rather than against) the provider's native tools.

Whether it should be part of the azurerm provider, or a separate high-level provider more focused on account/subscription management - open question I guess.

@J0F3

J0F3 commented Jul 20, 2019

Hi,

@tombuildsstuff What is the current plan for that?

I have a similar use case to the one @kikokikok describes above. So I would really love to see that in the azurerm provider, especially for the assign/deploy part. Furthermore, I think Azure Blueprints definitely has some functionality which Terraform does not, like the special resource locking, for example.

Azure Blueprints are also a great way for cloud architects to provide foundational artifacts or infra setups which DevOps teams can reuse and then further extend with Terraform as needed. So, in my opinion, supporting Azure Blueprints in Terraform would make Terraform even more useful for managing Azure infrastructure than it would compete with the use of Terraform with Azure.

Thx,
Jonas

@jackofallops
Member

jackofallops commented Aug 1, 2019

I'd be happy to take a look at creating the resources. Is there a process established on how to go about pulling in the preview APIs to the vendored SDK to support it? They exist in V31.0.0 already.
Edit: nvm - Tom helped

@github2alfred

I have similar use cases, where we use multiple cloud providers so Terraform is a must, but we also need Azure Blueprints on Azure; therefore it would be great to have Terraform be able to deploy Azure Blueprints.
Thank you.

@jackofallops
Member

Still working on this in what I laughingly call my "free time" - I've hit an issue with a panic I can't figure out, and the inability to connect a debugger is making it hard to unpick.

@tombuildsstuff tombuildsstuff removed their assignment Jan 16, 2020
@ArcturusZhang
Contributor

Hi guys, I am currently working on the resources of blueprint, including blueprint_definition, blueprint_artifact and blueprint_assignment.

@richeney
Contributor

Will the definition / artifact be able to pull in a repo containing a collection of JSON files to define the blueprints?

@ArcturusZhang
Contributor

ArcturusZhang commented Feb 18, 2020

> Will the definition / artifact be able to pull in a repo containing a collection of JSON files to define the blueprints?

Well, the parameters and resource_groups in azurerm_blueprint_definition will be implemented as JSON strings, similar to the resource azurerm_template_deployment (aka ARM template), which should support importing a file from an external source. But I am not quite sure whether this approach will support source files from a GitHub repo.

@wsf11

wsf11 commented Mar 17, 2020

@ArcturusZhang Is there any progress on this feature? Thanks a lot for working on it

@ArcturusZhang
Contributor

> @ArcturusZhang Is there any progress on this feature? Thanks a lot for working on it

Hi @wsf11, I have finished some code and submitted a PR for assignment. But we have some situation regarding how this will be implemented. We will continue our work on this RP to make it finally come out. Thanks!

@sheffski

Hi,
Great to hear this is being thought about.
I'm rebuilding a more governed Azure setup alongside our existing evolved mess.
The blueprints are really good as can add the policies/initiative artifacts so devs follow the corporate policies. The Terraform bit is a vital artifact when building the hub&spoke compliant "shared infrastructure" back to our on-prem services.
Since we used TF for our AWS estate, and Nutanix on-prem stuff it helps with the tooling simplification program we are going through to try to save money.
Blueprints & TF are a beast if we get them working in harmony :)

@Chirag1233

@ArcturusZhang Any update? My organisation wants to use this. Do you have a preview version which I can use and try?

@gpjonesii

Looks like @jackofallops of Hashicorp unilaterally shut this one down with zero path forward.
#6034

@jackofallops
Member

> Looks like @jackofallops of Hashicorp unilaterally shut this one down with zero path forward.
> #6034

Hi @gpjonesii
We're working with Microsoft behind the scenes to get something workable. We're hoping to be able to provide some coverage for the service soon.

Ste

@katbyte
Collaborator

katbyte commented Jun 12, 2020

@lawrenae @gpjonesii @Chirag1233 @sheffski @richeney @J0F3 @kikokikok we've released partial blueprints support in #6930

@katbyte katbyte added this to the v2.14.0 milestone Jun 12, 2020
@jackofallops
Member

I'm going to close this issue for now. If further capability is required and possible/appropriate we'll open new issues / PRs accordingly.

@ghost

ghost commented Jul 18, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Jul 18, 2020