Infrastructure as Code (IaC): Getting Started with Azure ARM Templates

You've likely heard about Infrastructure as Code (IaC). It's a powerful approach that allows us to manage and provision cloud resources using code and automation, like VMs, Databases, and Firewalls. One of the most popular tools for IaC is called Terraform by HashiCorp.

Other providers that fall into this category include CloudFormation by AWS and ARM Templates by Azure. Today, I'm diving deep into how you can get started with IaC using Microsoft Azure ARM Templates, with a particular focus on security.

What are ARM Templates?

At its core, Azure ARM (Azure Resource Manager) Templates are JSON files, but let's not oversimplify them. These files act as a master plan or, if you will, the DNA of your Azure cloud resources.

When we talk about Azure ARM Templates, again, we're diving into the realm of Infrastructure as Code (IaC). If you're new to IaC, think of it as writing code to manage and provision your infrastructures, similar to how you'd script software applications. So, instead of manually clicking through the Azure portal to set up a database, virtual machine, or any other service, you'd write a template in JSON format that describes your desired state, and Azure would make it happen.

But why are we so gung-ho about IaC? Here are some of its benefits:

  1. Consistency: Gone are the days of "it works on my machine." With IaC, everyone on the team uses the same blueprint. This means fewer errors and more predictable deployments.
  2. Speed: Need to set up a new environment? Just run your template, and voila! It's like cooking with a microwave instead of an oven.
  3. Documentation: Your infrastructure is documented by default. No need for separate, outdated documentation that nobody reads (or updates).
  4. Version Control: Just like your application code, your infrastructure can be version-controlled. This means better tracking of changes, easier rollbacks, and more accountability.
  5. Cost Efficiency: With IaC, you can easily spin up and tear down environments, ensuring you only pay for what you use. Plus, automation reduces the need for manual oversight, saving precious time and money.
  6. Security: This one's a biggie. With IaC, you can ensure that security best practices are baked in from the outset. No more ad-hoc configurations or "I forgot to set that" moments.

In essence, Azure ARM Templates embody IaC for the Azure platform, allowing you to harness all the above benefits while optimizing your cloud infrastructure. It's a powerful tool in your tech arsenal, bridging the gap between development, operations, and security.

Setting up Your Environment

Before diving into the code, let's set up our environment:

  1. Azure Account: Make sure you have an active Azure account. If not, head over to the Azure portal and sign up.
  2. Azure CLI: Install the Azure Command-Line Interface (CLI). This tool will be our best friend as we work with ARM templates.

# Install Azure CLI on macOS
brew update && brew install azure-cli

# On Linux
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

# On Windows, download the installer from the Azure website.

  3. Code Editor: You can use any code editor you prefer, but Visual Studio Code with the Azure Resource Manager Tools extension is a solid choice.

Creating Your First ARM Template

Here's a basic example of an ARM template that deploys a secure storage account:

Azure ARM Template for creating a Storage resource

To download this basic ARM Template refer to my Github repo below:

Here is a line-by-line description of this ARM Template:

  • $schema: This is the URL of the JSON schema that describes the version of the template language. It's like telling Azure, "Hey, this is the rulebook I'm following."
  • contentVersion: This defines the version of the template. Typically in the format "Major.Minor.Patch". It helps in versioning your templates.
  • resources: The star of the show! This array contains definitions for all resources you want to deploy or manage. In our template, we're managing a storage account.
      • type: Specifies the type of resource to deploy. In this case, it's a storage account.
      • apiVersion: The Azure API version we're using to create this resource.
      • name: The name of our storage account. Here, it's "securestoraccount".
      • location: Specifies where our resource will live. The dynamic content [resourceGroup().location] fetches the location from the resource group we're deploying to.
      • sku: This is about defining the performance tier and replication model of our storage. "Standard_LRS" means we're using standard performance and locally redundant storage.
      • kind: Specifies the type of storage account. "StorageV2" is the latest general-purpose storage account type.
      • properties: This is where the magic happens. We're defining specific settings and configurations for our storage account here.
          • supportsHttpsTrafficOnly: We're setting this to true to ensure only HTTPS traffic is allowed for enhanced security.
          • encryption: All about keeping our data safe! Here, we're setting encryption settings for our storage account.
              • services: Specifies which storage services should be encrypted.
                  • file: We're enabling encryption for file storage.
                  • blob: Blob storage is also getting the encryption treatment.
              • keySource: Specifies where the encryption key comes from. In this case, it's from Azure's built-in storage service.
          • networkAcls: Network Access Control Lists (ACLs) help us control who can access our storage account.
              • defaultAction: We're setting the default action to "Deny", so by default, nobody has access.
              • bypass: But we're making an exception for Azure services by setting "bypass" to "AzureServices".

In this template, we're deploying a storage account with the following security features:

  • HTTPS Only: We enforce HTTPS traffic to ensure data in transit is encrypted.
  • Encryption: Both file and blob storage are encrypted.
  • Network ACLs: By default, all incoming traffic is denied, but Azure services are allowed.
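The template walked through above is shown on the page only as an image, so here it is reconstructed from that line-by-line description as an added example (this is not the author's repo file), together with a small check that flags any storage account in a template that drops one of the three controls. The $schema URL and apiVersion are assumptions; the page does not state them.

```python
import json

# Reconstructed from the article's description; $schema and apiVersion are assumed values.
TEMPLATE = json.loads("""{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [{
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2021-09-01",
    "name": "securestoraccount",
    "location": "[resourceGroup().location]",
    "sku": {"name": "Standard_LRS"},
    "kind": "StorageV2",
    "properties": {
      "supportsHttpsTrafficOnly": true,
      "encryption": {
        "services": {"file": {"enabled": true}, "blob": {"enabled": true}},
        "keySource": "Microsoft.Storage"
      },
      "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"}
    }
  }]
}""")


def storage_findings(template: dict) -> dict:
    """Map each storage account name to the list of controls it is missing:
    HTTPS-only traffic, blob and file encryption, network ACL default Deny.
    An empty list means the account matches the article's secure baseline."""
    report = {}
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        props = res.get("properties", {})
        findings = []
        if props.get("supportsHttpsTrafficOnly") is not True:
            findings.append("supportsHttpsTrafficOnly is not true")
        services = props.get("encryption", {}).get("services", {})
        for svc in ("blob", "file"):
            if services.get(svc, {}).get("enabled") is not True:
                findings.append(f"encryption.services.{svc} not enabled")
        if props.get("networkAcls", {}).get("defaultAction") != "Deny":
            findings.append("networkAcls.defaultAction is not Deny")
        report[res.get("name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    # The reconstructed template passes every check: {"securestoraccount": []}
    print(json.dumps(storage_findings(TEMPLATE), indent=2))
```

Running the same check in a pre-deployment pipeline step catches a template that silently regresses to Allow or drops encryption before `az deployment group create` ever runs.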

Deploying the ARM Template

To deploy the template, use the Azure CLI:

az group create --name MyResourceGroup --location eastus

az deployment group create --resource-group MyResourceGroup --template-file /path_to_template/template.json

Security Best Practices

  1. Least Privilege: Only grant permissions that are strictly necessary. Use Azure's built-in roles whenever possible.
  2. Parameterize Secrets: Never hard-code secrets in your ARM templates. Instead, use parameters and Azure Key Vault.
  3. Audit Regularly: Use Azure Policy and Blueprints to audit and enforce your security requirements.

For Microsoft-approved ARM Templates, check out this Github repo:

Infrastructure as Code (IaC) with Azure ARM Templates is not just a nifty tool for DevOps; it's a game-changer for security professionals. Codifying our infrastructure can ensure that security is baked in from the start, and that's something we should be striving for.


Please visit my site, Compliiant.io, and share with your colleagues and friends. Cybersecurity Services as a Subscription with Compliiant.io means you only pay for the services you need and when you need them. Pause or cancel at any time without penalties or contracts.



Jeremiah Talamantes

Appsec @ Podium, Founder @ Compliiant.io, Founder @ Mitigated.io (Sold), Founder @ RedTeam Security (Sold), Author of Building Security Partner Programs, Social Engineer's Playbook and Physical Red Team Operations

Here's a great video by John Savill on the topic: https://youtu.be/loxcA5MUf-I?si=xCCpUa5UEh_bUcuV