Azure Key Vault recover keys, secrets and certificates

Enable Soft-delete for Key Vault to be able to recover from disaster, recover keys, secrets, certificates or the whole Key Vault on accedental deletion.

Dca4x9OXUAADmh8Last week we had an incident in which we had deleted the wrong secret from our Azure Key Vault. After some research we found that it could have been recovered if we had used the Soft-delete in Key Vault. However, we did not know about this option and could not recover the item.

Continue reading “Azure Key Vault recover keys, secrets and certificates”

ARM template cross resource group deployment

Sometimes you need to deploy to different resource groups in one deployment. Till now you had to split-up you ARM template. With new API versions you can now deploy to multiple resource groups in one deployment:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "StorageAccountName1": {
            "type": "string"
        },
        "StorageAccountName2": {
            "type": "string"
        }
    },
    "variables": {},
    "resources": [
        {
            "apiVersion": "2017-05-10",
            "name": "nestedTemplate",
            "type": "Microsoft.Resources/deployments",
            "resourceGroup": "crossResourceGroupDeployment",
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {},
                    "variables": {},
                    "resources": [
                        {
                            "type": "Microsoft.Storage/storageAccounts",
                            "name": "[parameters('StorageAccountName2')]",
                            "apiVersion": "2015-06-15",
                            "location": "West US",
                            "properties": {
                                "accountType": "Standard_LRS"
                            }
                        }
                    ]
                },
                "parameters": {}
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "name": "[parameters('StorageAccountName1')]",
            "apiVersion": "2015-06-15",
            "location": "West US",
            "properties": {
                "accountType": "Standard_LRS"
            }
        }
    ]
}

You can find this source code in Ryan Jones GitHub.

Remove locks from Azure resources

Remove locks from azure resources to be able to change or delete them

In my previous blog post Lock Azure resources to prevent accidental deletion, I showed how to add a lock to a resource with an ARM template to protect it from accidental deletion. When you want to delete the resource, you first need to remove the lock. A lock cannot be removed with an ARM template. To remove the lock you can use:

  • Powershell
  • Rest API
  • Portal

Continue reading “Remove locks from Azure resources”

Lock Azure resources to prevent accidental deletion

How a lock can prevent user from accidental deletion of a resource.

In some cases you want to protect critical resources from accidental deletion. Some examples are a storage account with source data for processing, a Key Vault with disk encryption keys, or another key component in your infrastructure. When losing some resources that are key in your infrastructure, recovery can be dramatic. Resource Manager locks will enable you to protect these critical resources from deletion.

Resource Manager locks
Resource Manager locks apply to the management function of the locked resources. The locks do not have any impact the normal functions of the resource. You have two possible types of locks on a resource:

Locking down a resource can save your contributors from accidently delete a critical resources. An ‘oeps… I deleted the wrong resources’ moment should be a thing of the past.

CannotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Continue reading “Lock Azure resources to prevent accidental deletion”

Fixing ARM deployment errors for Linux disk encryption

When running ARM templates to deploy Linux with disk encryption on Azure I encountered a few errors. The errors where coming when I rerun the same template multiple times. In this post I explain the errors and how I fixed them.

Error: … is not a valid versioned Key Vault Secret URL
Continue reading “Fixing ARM deployment errors for Linux disk encryption”

Infrastructure as Code VSTS

Your team is in the process of developing a new application feature, and the infrastructure has to be adapted. The first step is to change a file in your source control system that describes your infrastructure. When the changed definition file is saved in your source control system, it triggers a new build and release. Your new infrastructure is deployed to your test environment, and the whole process to get the new infrastructure deployed took minutes while you only changed a definition file and you did not touch the infrastructure itself.
Continue reading “Infrastructure as Code VSTS”

VSTS task clean resource group

cleanresourcegroupWhen testing deployment of resources in release pipelines, the resource groups need to be cleaned after you are done testing the deployment of the resources. In many scenarios you do not want or have no rights to remove the resource group it self. For removing the resources in the resource group you can use the VSTS task clean resources. This tasks removes all resources in a resource group.demo

Keep your ARM deployment secrets in the Key Vault

Keep your deployment secret secure in the key vault when using ARM templates to deploy into Azure

When creating new resource in Azure that have secrets like passwords or ssl certificates you can securely save them in the Key Vault and get them from the Key Vault when you deploy. Only the people who need access to the secrets can read and write them to the Key Vault. In a infrastructure as code scenario the secrets are supplied when deploying your templates to Azure. The code it self will be free of secrets.
Continue reading “Keep your ARM deployment secrets in the Key Vault”

Conditional parts in ARM Templates

When creating reusable ARM templates you have a number of options on how to manage conditional parts in your templates. The smallest conditions can be done by parameters, medium differences can be done by  t-shirt sizes and large differences by linked templates. In this blog post I’ll show how to use implement conditions by linked templates.
Continue reading “Conditional parts in ARM Templates”

Deploy a Marketplace Linux VM with disk encryption using ARM templates

Protect your data at rest with disk encryption on Linux VMs and deploying them as Infrastructure as Code.

disk-encryption-vm-on-azure
VM with disk encryption

Continue reading “Deploy a Marketplace Linux VM with disk encryption using ARM templates”