Skip to content
/ azure-sandbox Public
forked from jhlwscom/azure-sandbox-subscription

Our Azure sandbox subscription infrastructure

1 star 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

madetech/azure-sandbox

BranchesTags
 
 

Repository files navigation

azure-sandbox-subscription

An example Azure self-cleaning Azure sandbox subscription

features

  • Require tagging of all resources with an "Expires" tag. Any resources not tagged Expires = False will be cleaned up.
    • You'll be able to see non-complaint resources in the policy compliance blade, by default the resources for the tf backend are non-compliant, so use these as an example, then tag them so they don't expire.
    • Tags are inherited from parent resource group, so just need to adjust in the one place if resources are needed longer.
  • Require tagging of all resources with a "CreatedOn" tag, so you can quickly see how old resources are in case they escape the purge.
  • Automatically tag resources with who created/updated them, so you know who owns what.
    • This is suprisingly difficult on Azure, and requires a chunk of manual work, see ResourceTagger function

pre-requisites

  1. Create a new [subscription]https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade "Link to subscription management blade" for your sandbox. I'd call it sandbox.

Make a note of the subscription id, you'll need this later

  1. Create a service principle for Terraform to manage resources in this subscription. WARNING: This service principle will have complete admin priviliges in the subscription, keep it safe.
    • Using azure cli:
az ad sp create-for-rbac --name terraform --role Owner --scopes /subscriptions/<subscription_id>
  1. Create a resource group, storage account and container for your terraform state
  • Using cli:
az group create -l uksouth -n rg-tfstate-sandbox
az storage account create -n sttfstatesandbox -g rg-tfstate-sandbox -l uksouth --sku Standard_ZRS
az storage container create -n tfstate-sandbox --account-name sttfstatesandbox
  • Using terraform:
cd terraform-backend
terraform apply
  1. Update main.tf with the correct storage account name etc for the backend:
  backend "azurerm" {
    resource_group_name  = "rg-tfstate-sandbox"
    storage_account_name = "sttfstatesandbox"
    container_name       = "tfstate-sandbox"
    key                  = "tfstate-sandbox.tfstate"
  }

references

Policy management reused from:

https://github.com/globalbao/azure-policy-as-code

Cleanup script reused from:

https://github.com/FBoucher/AzSubscriptionCleaner

About

Our Azure sandbox subscription infrastructure

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • HCL 59.3%
  • Smarty 33.5%
  • PowerShell 7.0%
  • Shell 0.2%