Skip to content

Latest commit

 

History

History
145 lines (125 loc) · 8.64 KB

template-spec.md

File metadata and controls

145 lines (125 loc) · 8.64 KB

Mission Landing Zone - Deployment Guide using a Template Spec

Home | Design | Add-Ons | Resources

Table of Contents

This guide provides the steps to create a template spec to deploy Mission Landing Zone (MLZ). The template spec deployment option may used in Azure Commercial, Azure Government, Azure Government Secret, and Azure Government Top Secret. For simplicity, this guide uses Cloud Shell to create the template spec, negating the need to download and install software on your workstation.

For more information on Template Specs, go to the References section.

Deploy using a Template Spec

Prerequisites

The following prerequisites are required on the target Azure subscription(s):

Create the Template Spec

Use the following steps to create the Template Spec resource using CloudShell:

  1. Download the following files to your local workstation:

    1. src/bicep/mlz.json
    2. src/bicep/form/mlz.portal.json

  2. If applicable, transfer the files to a workstation in the target network.

  3. Login to the Azure Portal.

  4. Create a storage account for CloudShell using the following settings:

    1. Basics
      • Subscription: select the appropriate subscription. Ideally, select the subscription that will be used for the Hub resources.
      • Resource group: click the "Create new" link and input a name that follows your naming convention and alludes to the purpose of it, e.g. rg-cloudShell-dev-east.
      • Storage account name: input a globally unique name between 3 and 24 characters following your naming convention. The value can contain only lowercase letters and numbers.
      • Region: select the appropriate location. Ideally, select the location that will be used for the MLZ resources.
      • Primary service: select the "Azure Files" option.
      • Performance: select the "Standard: Recommended for general purpose file share and cost sensitive applications, such as HDD file shares" option.
      • Redundancy: leave the "Geo-redundant storage (GRS)" option selected.
    2. Advanced
      • Require secure transfer for REST API operations: leave check box checked.
      • Allow enabling anonymous access on individual containers: leave check box unchecked.
      • Enable storage account key access: uncheck the check box.
      • Default to Microsoft Entra authorization in the Azure portal: check the check box.
      • Minimum TLS version: leave the default option, Version 1.2.
      • Permitted scope for copy operations (preview): select the "From storage accounts that have a private endpoint to the same virtual network" option.
      • Enable hierarchical namespace: leave the check box unchecked.
      • Allow cross-tenant replication: leave the check box unchecked.
      • Access tier: select the "Cool: Optimized for infrequently accessed data and backup scenarios" option.
    3. Networking
      • Network access: select the "Enable public access from all networks" option.
      • Routing preference: leave the "Microsoft network routing" option selected.
    4. Data Protection
      • Enable point-in-time restore for containers: leave the check box unchecked.
      • Enable soft delete for blobs: uncheck the check box.
      • Enable soft delete for containers: uncheck the check box.
      • Enable soft delete for file shares: uncheck the check box.
      • Enable versioning for blobs: leave the check box unchecked.
      • Enable blob change feed: leave the check box unchecked.
      • Enable version-level immutability support: leave the check box unchecked.
    5. Encryption
      • Encryption type: leave the "Microsoft-managed keys (MMK)" option selected.
      • Enable support for customer-managed keys: select the "All service types (blobs, files, tables, and queues)" option.
      • Enable infrastructure encryption: check the check box.
    6. Tags: the key / value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups. Please refer to Microsoft's best practices for resource tagging.
    7. Review + Create: review and validate the selected values before creating the deployment.

  5. Setup a file share on the storage account using the following settings:

    1. Basics
      • Name: input a value for the file share name. Ideally, this should be your username.
      • Access tier: select the "Cool" option.
    2. Backup
      • Enable backup: uncheck the check box.
    3. Review + create: review and validate the selected values before creating the deployment.

  6. Click the CloudShell button from the top Portal menu to setup the service:

    1. Welcome to Azure Cloud Shell
      1. Click on the desired command line tool.
    2. Getting started
      1. Select the "Mount storage account" option.
      2. Select the subscription that will be used for the Hub resources.
      3. Leave the check box uncheck for the "Use an existing private virtual network".
      4. Click the Apply button
    3. Mount storage account
      1. Choose the "Select existing storage account" option.
      2. Click the Next button
    4. Select storage account
      1. Subscription: select the subscription used for the storage account.
      2. Resource group: select the resource group used for the storage account.
      3. Storage account name: select the storage account created in the previous step.
      4. File share: select the file share created in the previous step.
      5. Click the Select button

  7. Upload the files to your file share.

    1. Click the "Manage files" menu option.
    2. Click the "Upload" option.
    3. Select the JSON files
    4. Click the Open button

  8. Deploy the template spec using CloudShell.

    1. Check your directory to ensure the JSON files are present: ls
    2. Copy one of the following commands below and paste it into CloudShell. The command must be updated with the values for your environment before it is executed.
    # PowerShell
New-AzTemplateSpec `
   -ResourceGroupName '<resource group name>' `
   -Name '<template spec name>' `
   -Version '1.0' `
   -Location '<location>' `
   -TemplateFile 'mlz.json' `
   -UIFormDefinitionFile 'mlz.portal.json' `
   -Force
    # Azure CLI
az ts create \
   --resource-group '<resource group name>' \
   --name '<template spec name>' \
   --version '1.0' \
   --location '<location>' \
   --template-file 'mlz.json' \
   --ui-form-definition 'mlz.portal.json' \
   --yes

Parameter Explanations

  • ResourceGroupName | resource-group: the name of the resource group to host the template spec resource.
  • Name | name: the name for the template spec resource using your naming convention for Azure, e.g. ts-mlz-dev-east.
  • Version | version: the version number of the mlz code that will be stored in the template spec, e.g. 1.0.
  • Location | location: the Azure location for the template spec resource.
  • TemplateFile | template-file: the file path to the ARM template in the Azure Files share used by CloudShell.
  • UIFormDefinitionFile | ui-form-definition: the file path to the ARM template in the Azure Files share used by CloudShell.
  • Force | yes: this switch ensures the template spec is forcibly updated without confirmation if the resource and version already exist.

Deploy MLZ

  1. Open the template spec resource in the Azure Portal.
  2. Click the Deploy button from the top menu.
  3. Use the deployment guide for the Azure Portal deployment option to complete the MLZ deployment.

References