In this challenge you will be manually creating a CICD pipeline which will allow you to operate the Azure platform using AzOps and GitHub Actions.
This PowerShell module is rooted in the principle that everything in Azure is a resource and to operate at-scale, it should be managed declaratively to determine target goal state of the overall platform. Guidance for this challenge is located here.
- Read all points in this challenge and using the concept of least privilige, identify the RBAC role and scope you must assign for the idenitity you will be using for AzOps. Do not proceed before discussing your solution with your coach.
- Transform your Azure into code. Configure AzOps and initiate the first Pull workflow.
- Validate AzOps by making sure that the Azure hierarchy that got created using ARM templates as part of the ALZ setup, such as management groups, subscription organization as well as policy definitions, policy assignments and role assignments are hydrated and organized into Git.
- Using GitHub, create a new Policy Assignment and validate the assignment thru the Azure Portal. Do not update the Azure Policy assignment to Enforce!
- Using GitHub, create a new Role Assignment on the "Sandbox" management group which grants members of the AAD group "Contoso Sandbox Contributors" contributor access at the management group level and validate the assignment thru the Azure Portal.
In this challenge you will be using Policy-As-Code to modify a policy definition which is blocking you from creating the Azure Bastion Subnet.
- In your hub network, try to create the Azure Bastion Subnet. Azure Policy should block the operation. Read carefully the output of the error message.
- Using GitHub (or VS Code but not the Azure Portal) modify the policy which is enforcing the use of Network Security Groups. You are not allowed to change the policy effect. A deny is a deny. Hint: Find and read the Policy definition.
- You should be now be able to create the Azure Bastion Subnet (you don't need to deploy Azure Bastion).