Power Automate – deploy Azure resources

Power Automate is a versatile cloud-based automation and workflow platform. In this demonstration, Power Automate is utilized to streamline the process of handling user requests by sending them to an approval group. Upon approval, it deploys Azure resources according to pre-defined ARM templates. This automation not only simplifies the deployment process but also ensures compliance with governance and regulatory standards.

By integrating Power Automate, you can achieve seamless automation and integration, which aligns with FinOps practices. This approach helps reduce costs, maintain security, and prevent cloud sprawl, thereby optimizing your cloud infrastructure management.

Prerequisite:

Decide on your method of authentication for the Azure deployments. The options are OAuth or a Service Principal. I will be using a service principal with the IAM role of Contributor on the subscription for Azure resource deployments.



Deployment Plan

This deployment plan outlines the following steps:

Configuration of ARM-based Templates:

Set up various ARM-based templates to manage your Azure resource deployments.

Deployment of Storage Account Container:

Deploy a storage account container to serve as the centralized storage location for all your ARM templates.

Configuration of Power Automate Workflow:

Trigger Activation:

An email or Teams trigger activated by the requestor wanting to deploy an Azure resource.

Approval Process:

The approval group will receive an email and Teams message for approval or rejection.

Request Validation:

Validate the request against an existing ARM template.

Resource Deployment:

Deploy the Azure resource based on the pre-defined ARM template.

Notification:

Notify the requestor that the requested Azure resource has been successfully deployed.



Step 1 - ARM Template

Prepare your Azure resource ARM templates.

The quick start ARM templates can be found here.

Or go directly to the quickstarts menu at https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts , select and download the .json file for your resource.



Step 2 - Storage Account

Customize and save your ARM template into a storage account container,

Copy the blob URL for use later in the Power Automate Flow

For testing purposes - change the access level on the container to Blob (anonymous read access for blobs only)
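An added example, not part of the original post: Azure Resource Manager fetches the template from the Template URI itself, so an unsigned blob URL only works while the container allows anonymous read. The Python check below reviews a Template URI before it is pasted into the flow; the SAS-token alternative, the function name, the finding labels and the sample URLs are assumptions introduced here and constructed for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample URIs (account, container and signature are placeholders).
BASE = "https://examplestore.blob.core.windows.net/templates/storage.json"
SAMPLES = {
    "anonymous": BASE,
    "read_sas": BASE + "?sp=r&se=2030-01-01T00:00:00Z&spr=https&sr=b&sig=CONSTRUCTED",
    "wide_sas": BASE + "?sp=racwd&se=2020-01-01T00:00:00Z&sr=b&sig=CONSTRUCTED",
}


def review_template_uri(uri, now=None):
    """Return findings for a Template URI; an empty list means nothing was flagged."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(uri.strip())
    query = parse_qs(parts.query)
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    # Assumption: Azure public cloud blob endpoint suffix.
    if not (parts.hostname or "").lower().endswith(".blob.core.windows.net"):
        findings.append("not-azure-blob-host")
    if "sig" not in query:
        # Unsigned URL: the deployment can only read it if the container
        # allows anonymous read, so anyone holding the URL can read it too.
        findings.append("relies-on-anonymous-read")
        return findings
    if "si" in query and "se" not in query:
        # Stored access policy: permissions and expiry are kept server-side.
        return findings
    if set(query.get("sp", [""])[0]) - {"r"}:
        findings.append("sas-grants-more-than-read")
    try:
        raw = query.get("se", [""])[0].replace("Z", "+00:00")
        expires = datetime.fromisoformat(raw)
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            findings.append("sas-expired")
    except ValueError:
        findings.append("sas-expiry-unreadable")
    return findings


if __name__ == "__main__":
    for label, uri in SAMPLES.items():
        print(label, review_template_uri(uri) or "ok")
```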


Step 3 - Power Automate

Open the Power Automate home page at https://make.powerautomate.com/

Select Create,

Select Instant cloud flow,


On the splash screen, click the Next button to build a blank Flow,

Select Add a trigger,

Search for “email”

Select When a new email arrives (v3) under Office 365 Outlook


You might be requested to Sign in to your Office 365 Outlook,



Under advanced parameters, select From and Subject Filter,

Populate the From field with an Azure deployment security group name,

Add a Subject Filter,*

*this is the subject to be used by the requestor

(optional) assign importance,

Select the Folder into which all these email types will be delivered,


Add an action,

Let’s create the approval email process:

Search for and select “start and wait for an approval”



You might be prompted to create a new connection for approvals. Select Create new,


In the Start and wait for an approval window,

Select the Approve/Reject – First to respond


The Assigned To field is the approval distribution group email address,

In the Title field, add a custom title,

In the Details field, add a custom details field,


Add an action,

Search and select a Condition


In the condition, search dynamic content for outcome > Add,


In the next section, type in Approve (case sensitive with trimming)


Go to True and select Add an action,


Search for validate azure resource

Select the validate a template deployment under Azure Resource Manager


You might now be prompted for an authentication type,

Select whether to use OAuth or a Service Principal.

(I prefer using a Service Principal for automation) > Create new


Validate a template deployment:

Select the subscription and resource group,

Select a custom deployment name (make sure to trim the name), (you will use this name again when provisioning your Create or update a template deployment)

Add an advanced parameter value = Template URI

Template URI – paste the blob URL copied earlier


Add an action to the Validate a template deployment,

Add a condition,


Search dynamic content for “provisioningstate”


Select “is equal to” “Succeeded” (be aware of syntax and trim),


Add an action under True

Do a search for and select “create or update a template deployment”


Update the following details:

Select the target subscription and resource group,

Specify the same deployment name used in your “Validate a template deployment”

Populate the URI with the same blob URL,

Deployment mode – Incremental,

Wait for Deployment – No


Add an action,

Do a search for “read a template deployment”

Select Read a template deployment,


In the Read a template deployment,

Populate the subscription and resource group,

Deployment Name > add the dynamic content “Name”

Wait for deployment > Yes


Add an action under


Search for “send an email (v2)”

Select Send an email (v2)

*This is the email that will be sent back to the original requester detailing the deployment.


Populate To with the requestor's email address,

Subject: populate with dynamic content “Subject”

Body: Create message and add dynamic content > search for “body” and under Read a template deployment,

Select body/properties/provisioningState


This completes the Flow build.

Save your Flow and create a backup copy.

Wait about 10 minutes for the Flow backend to provision before testing.

Testing

Flow

Go to your Flow name > Edit > select Test on your Flow,


Test Flow

Select Manual > Test


Create and send a new email:

Addressed To the approver group,

With the exact same subject filter defined in the When a new email arrives (V3)


The requestor email will be delivered to the approvers group on 2 mediums:

Email distribution email address, upon which a reply Approve | Reject is required.

Complete the comments section,

Click on?Submit,

Microsoft Teams:

Under your Team's Activity Feed you will receive an Approvals request with a Reject | Approve button


A reply email will be sent to the requester indicating whether the request has been approved or rejected,


Your ARM template will now be validated


The requestor will receive an email verifying the successful Azure resource deployment


— I hope you found this blog useful in automating your zero-touch Azure resource deployments —

Abdul Hameed Rasheed

Intune Administrator | Endpoint Security | Entra ID| IAM | PowerShell | Graph API | Terraform

2 months ago

Absolutely fantastic!
