Azure Monitor Baseline Alerts

Deploy with Azure Pipelines

Updating from the preview version is not supported. If you deployed the preview version, please follow the steps in Moving from preview to GA before proceeding.

1. Parameter Configuration

To begin, either download the appropriate parameter file for the version of AMBA-ALZ you are deploying or clone/fork the repository.

The following instructions apply universally, regardless of your alignment with ALZ or if you have a single management group.

  • Modify the values of the following parameters at the beginning of the parameter file as per the instructions below:

    It is highly recommended to configure at least one notification option (email, ARM Role, Logic App, etc.) to ensure you receive alerts. Proceeding without any notification settings is not advised.
    • Set the value of enterpriseScaleCompanyPrefix to the management group where you intend to deploy the policies and initiatives. Typically, this is the “pseudo root management group.” In ALZ terminology, this refers to the “Intermediate Root Management Group” located directly beneath the “Tenant Root Group.”

    • Set the bringYourOwnUserAssignedManagedIdentity parameter to Yes if you have an existing user-assigned managed identity with the Monitoring Reader role assigned at the pseudo root management group level. Otherwise, leave it set to No to create a new managed identity with the appropriate permissions during the deployment process.

    • Update the bringYourOwnUserAssignedManagedIdentityResourceId parameter. If bringYourOwnUserAssignedManagedIdentity is set to Yes, provide the resource ID of your user-assigned managed identity. If it is set to No, leave this parameter blank.

    • Set the userAssignedManagedIdentityName parameter to a preferred name. This parameter is only used if bringYourOwnUserAssignedManagedIdentity is set to No.

    • Update the managementSubscriptionId parameter. If bringYourOwnUserAssignedManagedIdentity is set to No, provide the subscription ID of the management subscription. Otherwise, leave it blank.

    • Set the ALZMonitorResourceGroupName parameter to the name of the resource group where activity logs, resource health alerts, action groups, and alert processing rules will be deployed.

    • Update the ALZMonitorResourceGroupTags parameter to specify the tags to be added to the resource group.

    • Set the ALZMonitorResourceGroupLocation parameter to specify the location of the resource group.

    • Update the ALZMonitorActionGroupEmail parameter with the email address(es) for alert notifications (including Service Health alerts). Leave it blank if no email notification is required.

    • Set the ALZLogicappResourceId parameter to the Logic App resource ID to be used for alert actions (including Service Health alerts). Leave it blank if no Logic App is used.

    • Update the ALZLogicappCallbackUrl parameter with the callback URL of the Logic App to be used for alert actions (including Service Health alerts). Leave it blank if no Logic App is used. To retrieve the callback URL, use the Get-AzLogicAppTriggerCallbackUrl PowerShell command or navigate to the Logic App in the Azure portal, go to Logic App Designer, expand the trigger activity (When an HTTP request is received), and copy the URL using the copy icon.

      (Screenshot: Get Logic app callback url)

    • Update the ALZArmRoleId parameter to specify the Azure Resource Manager Role(s) that should receive notifications for the alerts, including Service Health alerts. If no notifications are required for any Azure Resource Manager Role, leave this value blank.

    • Update the ALZEventHubResourceId parameter with the resource ID of the Event Hubs to be used for alert actions, including Service Health alerts. Leave it blank if no Event Hubs are used.

    • Update the ALZWebhookServiceUri parameter with the URI(s) of the Webhooks to be used for alert actions, including Service Health alerts. Leave it blank if no Webhooks are used.

    • Update the ALZFunctionResourceId parameter with the resource ID of the Function App to be used for alert actions, including Service Health alerts. Leave it blank if no Function App is used.

    • Update the ALZFunctionTriggerUrl parameter with the trigger URL of the Function App to be used for alert actions, including Service Health alerts. Leave it blank if no Function App is used. To retrieve the Function App trigger URL with the corresponding code, navigate to the HTTP-triggered functions in the Azure portal, go to Code + Test, select Get function URL from the top menu, and copy the value in the URL field using the copy icon.

      (Screenshot: Get function URL)

    You can use multiple email addresses, ARM Roles, Webhooks, or Event Hubs (though using multiple Event Hubs is not recommended as per ALZ guidance). If you set multiple entries, ensure they are entered as a single string with values separated by commas. For example:

    "ALZMonitorActionGroupEmail": {
        "value": [
            "action1@contoso.com",
            "action2@contoso.com"
        ]
    },
    "ALZArmRoleId": {
        "value": [
            "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
            "b24988ac-6180-42a0-ab88-20f7382dd24c"
        ]
    },
    "ALZWebhookServiceUri": {
        "value": [
            "https://webhookURI1.webhook.com",
            "https://webhookURI2.webhook.com"
        ]
    }

    To disable initiative assignments, set the value of any of the following parameters to “No”: enableAMBAConnectivity, enableAMBAIdentity, enableAMBALandingZone, enableAMBAManagement, or enableAMBAServiceHealth.

If you are aligned to ALZ

  • Set the platformManagementGroup parameter to the management group ID designated for Platform.
  • Set the IdentityManagementGroup parameter to the management group ID designated for Identity.
  • Set the managementManagementGroup parameter to the management group ID designated for Management.
  • Set the connectivityManagementGroup parameter to the management group ID designated for Connectivity.
  • Set the LandingZoneManagementGroup parameter to the management group ID designated for Landing Zones.

If you are unaligned to ALZ

  • Set the platformManagementGroup parameter to the management group ID designated for Platform. This ID may be used multiple times.
  • Set the IdentityManagementGroup parameter to the management group ID designated for Identity. This ID may be used multiple times.
  • Set the managementManagementGroup parameter to the management group ID designated for Management. This ID may be used multiple times.
  • Set the connectivityManagementGroup parameter to the management group ID designated for Connectivity. This ID may be used multiple times.
  • Set the LandingZoneManagementGroup parameter to the management group ID designated for Landing Zones. This ID may be used multiple times.

For streamlined deployment and maintenance, we have retained the same variable names. For instance, if you have consolidated Identity, Management, and Connectivity into a single management group, configure the parameters IdentityManagementGroup, managementManagementGroup, connectivityManagementGroup, and LandingZoneManagementGroup with the same management group ID.

If you have a single management group

  • Set the value of platformManagementGroup to the pseudo root management group ID, also known as the “Intermediate Root Management Group”.
  • Set the value of IdentityManagementGroup to the pseudo root management group ID, also known as the “Intermediate Root Management Group”.
  • Set the value of managementManagementGroup to the pseudo root management group ID, also known as the “Intermediate Root Management Group”.
  • Set the value of connectivityManagementGroup to the pseudo root management group ID, also known as the “Intermediate Root Management Group”.
  • Set the value of LandingZoneManagementGroup to the pseudo root management group ID, also known as the “Intermediate Root Management Group”.

For streamlined deployment and maintenance, we have retained the same variable names. Configure the parameters enterpriseScaleCompanyPrefix, platformManagementGroup, IdentityManagementGroup, managementManagementGroup, connectivityManagementGroup, and LandingZoneManagementGroup with the pseudo root management group ID.

2. Sample Parameter File

The parameter file below is a shortened version for demonstration purposes. Full examples are available in the provided samples.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "enterpriseScaleCompanyPrefix": {
      "value": "contoso"
    },
    "platformManagementGroup": {
      "value": "contoso-platform"
    },
    "IdentityManagementGroup": {
      "value": "contoso-identity"
    },
    "managementManagementGroup": {
      "value": "contoso-management"
    },
    "connectivityManagementGroup": {
      "value": "contoso-connectivity"
    },
    "LandingZoneManagementGroup": {
      "value": "contoso-landingzones"
    },
    "enableAMBAConnectivity": {
      "value": "Yes"
    },
    "enableAMBAIdentity": {
      "value": "Yes"
    },
    "enableAMBAManagement": {
      "value": "Yes"
    },
    "enableAMBAServiceHealth": {
      "value": "Yes"
    },
    "enableAMBANotificationAssets": {
      "value": "Yes"
    },
    "enableAMBAHybridVM": {
      "value": "Yes"
    },
    "enableAMBAKeyManagement": {
      "value": "Yes"
    },
    "enableAMBALoadBalancing": {
      "value": "Yes"
    },
    "enableAMBANetworkChanges": {
      "value": "Yes"
    },
    "enableAMBARecoveryServices": {
      "value": "Yes"
    },
    "enableAMBAStorage": {
      "value": "Yes"
    },
    "enableAMBAVM": {
      "value": "Yes"
    },
    "enableAMBAWeb": {
      "value": "Yes"
    },
    "telemetryOptOut": {
      "value": "No"
    },
    "bringYourOwnUserAssignedManagedIdentity": {
      "value": "No"
    },
    "bringYourOwnUserAssignedManagedIdentityResourceId": {
      "value": ""
    },
    "userAssignedManagedIdentityName": {
      "value": "id-amba-prod-001"
    },
    "managementSubscriptionId": {
      "value": ""
    },
    "ALZMonitorResourceGroupName": {
      "value": "rg-amba-monitoring-001"
    },
    "ALZMonitorResourceGroupLocation": {
      "value": "eastus"
    },
    "ALZMonitorResourceGroupTags": {
      "value": {
        "Project": "amba-monitoring"
      }
    },
    "ALZMonitorDisableTagName": {
      "value": "MonitorDisable"
    },
    "ALZMonitorDisableTagValues": {
      "value": [
        "true",
        "Test",
        "Dev",
        "Sandbox"
      ]
    },
    .
    .
    .
    .
  }
}
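A pre-flight check for the parameter file, written here as an added example (it is not part of AMBA or of this page) that applies the rules from section 1 before the pipeline runs: every management group parameter set, at least one notification option configured, and the managed-identity parameters consistent with each other. The embedded parameter file is a constructed, shortened copy of the sample above; the HTTPS check on action URLs is an added hardening rule, not one the page states.

```python
import json

# Constructed, shortened parameter file in the shape shown above (not from the project).
SAMPLE_PARAMS = """{
  "parameters": {
    "enterpriseScaleCompanyPrefix": {"value": "contoso"},
    "platformManagementGroup": {"value": "contoso-platform"},
    "IdentityManagementGroup": {"value": "contoso-identity"},
    "managementManagementGroup": {"value": "contoso-management"},
    "connectivityManagementGroup": {"value": "contoso-connectivity"},
    "LandingZoneManagementGroup": {"value": "contoso-landingzones"},
    "bringYourOwnUserAssignedManagedIdentity": {"value": "No"},
    "bringYourOwnUserAssignedManagedIdentityResourceId": {"value": ""},
    "managementSubscriptionId": {"value": ""},
    "ALZMonitorActionGroupEmail": {"value": []},
    "ALZWebhookServiceUri": {"value": ["http://hooks.example.invalid/amba"]}
  }
}"""

MG_KEYS = ("enterpriseScaleCompanyPrefix", "platformManagementGroup", "IdentityManagementGroup",
           "managementManagementGroup", "connectivityManagementGroup", "LandingZoneManagementGroup")
NOTIFY_KEYS = ("ALZMonitorActionGroupEmail", "ALZArmRoleId", "ALZLogicappResourceId",
               "ALZEventHubResourceId", "ALZWebhookServiceUri", "ALZFunctionResourceId")
URL_KEYS = ("ALZWebhookServiceUri", "ALZLogicappCallbackUrl", "ALZFunctionTriggerUrl")

def _value(params, key):
    """Return a parameter's value as a list of non-blank strings ([] if absent or blank)."""
    raw = params.get(key, {}).get("value", "")
    items = raw if isinstance(raw, list) else [raw]
    return [str(x).strip() for x in items if str(x).strip()]

def check_params(text):
    """Return the list of rule violations; an empty list means the file is ready to deploy."""
    params = json.loads(text)["parameters"]
    problems = [f"{k} must be set to a management group ID" for k in MG_KEYS if not _value(params, k)]
    if not any(_value(params, k) for k in NOTIFY_KEYS):
        problems.append("no notification option configured; alerts would fire with nobody notified")
    byo = _value(params, "bringYourOwnUserAssignedManagedIdentity")
    has_id = bool(_value(params, "bringYourOwnUserAssignedManagedIdentityResourceId"))
    has_sub = bool(_value(params, "managementSubscriptionId"))
    if byo == ["Yes"] and not has_id:
        problems.append("bringYourOwnUserAssignedManagedIdentityResourceId is required when set to Yes")
    elif byo == ["No"] and not has_sub:
        problems.append("managementSubscriptionId is required when bringYourOwnUserAssignedManagedIdentity is No")
    # Added hardening check, not a rule from the page: alert payloads should not travel in clear text.
    for url in (u for k in URL_KEYS for u in _value(params, k)):
        if not url.lower().startswith("https://"):
            problems.append(f"action URL is not HTTPS: {url}")
    return problems
```

Run it against alzArm.param.json as a pipeline step before az deployment mg create, and fail the run if the returned list is not empty.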

3. Configure and Run the Pipeline

To begin, configure your Azure DevOps project to use a pipeline hosted on GitHub by following the instructions here. Ensure the pipeline is set up to use the sample-pipeline.yml file.

If you have customized the policies as described in How to modify individual policies, ensure that the inlineScript in the pipeline file points to your repository and branch. For example:

inlineScript: |
  az deployment mg create --name "amba-GeneralDeployment" --template-uri https://raw.githubusercontent.com/___YourGithubFork___/azure-monitor-baseline-alerts/___MainOrBranchname___/patterns/alz/alzArm.json --location $(location) --management-group-id $(ManagementGroupPrefix) --parameters .\patterns\alz\alzArm.param.json

Additionally, configure a service connection to your Azure subscription in your Azure DevOps project by following the instructions in the Connect to Azure by using an Azure Resource Manager service connection guide. Ensure that the service connection targets the intermediate root management group for ALZ-aligned deployments or the specific management group where you intend to deploy the policies and initiatives for ALZ-unaligned deployments.

Modify Variables and Run the Pipeline

  • Update the following values in sample-pipeline.yml:
    • Change Location: “norwayeast” to your preferred Azure region.
    • Change ManagementGroupPrefix: “alz” to the pseudo root management group.
  • Navigate to Azure Pipelines and run the created pipeline.

Ensure that the ManagementGroupPrefix variable matches the parPolicyPseudoRootMgmtGroup parameter value set in the parameter files. This alignment is crucial for the correct deployment of policies.

The Location variable specifies the deployment region. It is not required to deploy to multiple regions since the policy definitions and assignments are scoped to a management group and are not region-specific.

Next Steps

To remediate non-compliant policies, proceed with Policy remediation.