LW.

Glorified Notepad

Create enterprise applications for external access using Terraform

2021-01-08 Azure Terraform
3rd party services such as threat management tools for Azure can add incredible value, but to access services they need a secure way of connecting to the platform. Enterprise Applications give full IAM (Identity and Access Management) control and can be used to provide granular access to services. During deployment I found a need to automate the following elements:
- Registration of the application within Azure with customized API permissions
- Creation of the Enterprise Application (Service Principal) linked to the application
- Creation of a client secret with no expiry date
- Creation of a custom RBAC role
- Assignment of the app to subscriptions using the custom RBAC role
To make sure this process was easily repeatable and worked at scale, the following Terraform elements were used. Continue reading

Deploy VM from Azure Marketplace image using Terraform

2021-01-05 Azure Terraform
During code deployment via Terraform to Azure, it’s useful to be able to reference marketplace-based images to support the deployment of 3rd party services. This brief guide will cover how to find an image and then how to use that data to deploy, in this case, an AlertLogic Linux VM. Windows images can be found in the same manner. For the purpose of this example, I will deploy Alert Logic Professional - BYOL. Continue reading

Azure to Azure Migration

2021-01-04 Azure Powershell
Due to mergers, acquisitions or sales, it’s likely that companies develop a need to migrate key services from platform to platform. Although it is currently possible to migrate resources between subscriptions, it is not possible to migrate across tenants natively. The below covers the steps required to migrate tenant to tenant using MigAZ, a community tool available from GitHub (covering ARM to ARM migration): https://github.com/Azure/migAz
Pre-reqs:
- Windows 8 or higher
- Latest PowerShell AzureRM module: Install-Module -Name AzureRM -AllowClobber; Import-Module -Name AzureRM
- Separate “Owner” role accounts for both tenants
- The resource being migrated should be powered off and any active connections removed
- Disk encryption using ADE v1. Continue reading

Removing ADE v1.1

Azure Disk Encryption leverages BitLocker to provide full disk encryption on Azure virtual machines running Windows. This solution is integrated with Azure Key Vault to manage disk encryption keys and secrets in your key vault subscription. There are two versions of extension schema for Azure Disk Encryption (ADE):
- v2.2 - A newer recommended schema that does not use Azure Active Directory (AAD) properties.
- v1.1 - An older schema that requires Azure Active Directory (AAD) properties. Continue reading

Configuring a Routable Domain

Clients wishing to migrate to Office365 will usually utilise Azure Active Directory Connect as part of the migration; this synchronises Active Directory to Azure to be used throughout the Office365 suite. Previously it was best practice to append domain names with .local or similar, as routable domains were not previously required. Synchronising users with a non-routable suffix will fail, generating alerts, and the users will not be synchronised. Prior to migration it’s possible to highlight the risk using Microsoft’s IDFix tool found here. Continue reading