Subtitle: Enhancing Visibility and Accountability in Azure Environments through Azure Automation and Event Grid
Introduction
As a Cloud Security Architect, a fundamental aspect of designing and implementing cloud solutions involves ensuring security, compliance, and governance. In Microsoft Azure, resources like virtual machines (VMs) are often created and managed by multiple users, necessitating resource ownership tracking for effective management and accountability.
Azure offers various monitoring and management tools, such as Azure Policy and Azure Monitor, to help enforce and audit compliance. However, Azure lacks an integrated method for automatically tagging VMs with the creator’s username during creation.
In this article, we will delve into a solution for addressing this challenge using Azure Automation and Event Grid, enhancing visibility and governance in your Azure environment.
Problem Statement
Tagging is an essential feature for working with Azure resources, as it enables organisations to categorise and manage resources based on their metadata. Although Azure supports resource tagging natively, it does not provide a built-in mechanism for capturing the creator’s username and automatically associating it with a VM as a tag upon creation.
This limitation may impede resource governance, as resource ownership becomes less transparent, and identifying responsible parties for a specific VM can be challenging, particularly in environments with numerous users and resources.
Solution Overview
To address this limitation, we will develop a solution employing Azure Automation and Azure Event Grid. Azure Automation allows you to automate repetitive tasks and manage resources using runbooks, while Azure Event Grid enables you to build event-driven solutions by reacting to events within your Azure resources.
Our solution will create an Azure Automation runbook with a PowerShell script triggered by VM creation events. When a VM is created, the runbook will extract the creator’s username (caller) from the event data and update the VM’s tags accordingly.
Implementation Steps
Here’s a step-by-step guide on implementing this solution:
Step 1: Create an Azure Automation Account
- Sign in to the Azure Portal.
- Navigate to the “Create a resource” option and search for “Automation”.
- Click “Create” and fill in the required information for your new Automation account.
- After the account is created, navigate to “Modules” under “Shared Resources” and import the below PowerShell modules (if they don’t exist already):
  - Az.Accounts
  - Az.Compute
  - Az.Resources
Step 2: Create the PowerShell Runbook
- In your Azure Automation account, navigate to the “Runbooks” section under “Process Automation”.
- Click “Create a runbook” and select “PowerShell” as the runbook type.
- Name the runbook and provide a description.
- Choose “5.1” as your runtime version and click on Create.
- Once your runbook is created, open it, click on “Edit” and add the below script:
param(
    [Parameter(Mandatory = $true)]
    [object] $WebhookData
)
# Authenticate to Azure with the Automation account's Run As connection
$connection = Get-AutomationConnection -Name 'AzureRunAsConnection'
Connect-AzAccount -ServicePrincipal -Tenant $connection.TenantID -ApplicationId $connection.ApplicationID -CertificateThumbprint $connection.CertificateThumbprint | Out-Null
# Parse the webhook data; Event Grid delivers a JSON array of events, so handle each one
$events = @(ConvertFrom-Json -InputObject $WebhookData.RequestBody)
foreach ($eventData in $events) {
    # Only act on successful VM writes; ResourceWriteSuccess is also raised for other resource types
    if ($eventData.data.operationName -ne 'Microsoft.Compute/virtualMachines/write') { continue }
    $vmResourceId = $eventData.data.resourceUri
    $caller = $eventData.data.claims.name
    # Get the VM and update the tags (a VM created without tags has a null Tags collection)
    $vm = Get-AzResource -ResourceId $vmResourceId -ExpandProperties
    $tags = if ($vm.Tags) { $vm.Tags } else { @{} }
    # Write-success events also fire on later updates of the VM; keep the original creator once tagged
    if (-not $tags.ContainsKey('CreatedBy')) {
        $tags['CreatedBy'] = $caller
        Set-AzResource -ResourceId $vmResourceId -Tag $tags -Force
    }
}
- Click “Save” and “Publish”.
- Click “Webhook” from the top menu, then click “Create new webhook”.
- Give the webhook a name and set the expiration date. Copy the webhook URL, as you will not be able to retrieve it later.
- Configure the webhook with the required parameters and click “Create”.
Step 3: Configure the Event Grid Subscription
- In the Azure Portal, navigate to the “Event Grid Subscriptions” service.
- Click “+ Event Subscription” and fill in the required information.
- For the “Event Schema,” make sure to choose “Event Grid Schema.”
- In the “Topic Details” section, select your Azure Subscription and Resource Group depending on the scope you want to apply, and provide a System Topic Name.
- In the “Event Types” section, select the events that you want to trigger the automation runbook.
- In the “Endpoint Details” section, for the “Endpoint Type,” select “Web Hook.”
- For the “Subscriber Endpoint,” paste the webhook URL you copied earlier when creating the webhook for your Azure Automation Runbook.
- Apply any necessary filters, such as limiting the events to specific resources, by using the “Filters” section.
- Create the Event Grid subscription.
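The runbook only tags VMs created after the Event Grid subscription exists. As an added example that is not part of the original article, the following script audits VMs that still lack the CreatedBy tag and backfills it from the Activity Log, which keeps events for 90 days, so older VMs are reported rather than tagged. It assumes an authenticated Az session (Connect-AzAccount) with the Az.Resources and Az.Monitor modules installed.

```powershell
# Added example: find VMs without a CreatedBy tag and attribute them from the Activity Log.
# Assumes Connect-AzAccount has already been run and Az.Resources / Az.Monitor are installed.

function Get-VmCreator {
    param([Parameter(Mandatory)][string]$ResourceId)
    # Activity Log retention is 90 days; VMs created earlier cannot be attributed this way
    $start = (Get-Date).AddDays(-89)
    $writes = Get-AzActivityLog -ResourceId $ResourceId -StartTime $start -WarningAction SilentlyContinue |
        Where-Object { $_.OperationName.Value -eq 'Microsoft.Compute/virtualMachines/write' -and $_.Status.Value -eq 'Succeeded' } |
        Sort-Object EventTimestamp
    # The earliest successful write is the creation; Caller is a UPN for users and an app id for service principals
    if ($writes) { return $writes[0].Caller }
    return $null
}

function Invoke-CreatedByBackfill {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $untagged = Get-AzResource -ResourceType 'Microsoft.Compute/virtualMachines' |
        Where-Object { -not ($_.Tags -and $_.Tags.ContainsKey('CreatedBy')) }
    foreach ($vm in $untagged) {
        $creator = Get-VmCreator -ResourceId $vm.ResourceId
        if (-not $creator) {
            # Outside Activity Log retention: leave untagged and report it for manual review
            Write-Warning "$($vm.ResourceId): no creation event within Activity Log retention"
            continue
        }
        if ($PSCmdlet.ShouldProcess($vm.ResourceId, "Tag CreatedBy=$creator")) {
            # Merge keeps the VM's existing tags and only adds CreatedBy
            Update-AzTag -ResourceId $vm.ResourceId -Tag @{ CreatedBy = $creator } -Operation Merge | Out-Null
        }
    }
}

# Dry run first; drop -WhatIf to apply the tags
Invoke-CreatedByBackfill -WhatIf
```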
Conclusion
With this solution in place, you can now automatically capture VM creation events and update the VM’s tags with the creator’s username. This enhanced resource ownership visibility will improve resource governance and management in your Azure environment. Additionally, it promotes accountability among users and enables organizations to track and audit VM-related activities more efficiently.
While Azure does not provide a native solution for this specific use case, leveraging Azure Automation and Event Grid allows you to address this limitation and implement a robust, event-driven solution. As a Cloud Solution Architect, it is crucial to continually explore and utilize Azure’s vast array of services and capabilities to design and implement effective solutions tailored to your organization’s needs.
Remember that this solution can also be adapted to cater to other use cases and requirements, such as tracking the creator’s username for different resource types or incorporating additional tags based on custom logic. The possibilities are endless, and the flexibility offered by Azure Automation and Event Grid enables you to craft tailored solutions that align with your organisation’s governance and compliance requirements.