|
| 1 | +--- |
| 2 | +title: Sample - Canada Federal PBMM blueprint - Deploy steps |
| 3 | +description: Deploy steps of theCanada Federal PBMM blueprint samples. |
| 4 | +services: blueprints |
| 5 | +author: DCtheGeek |
| 6 | +ms.author: dacoulte |
| 7 | +ms.date: 09/05/2019 |
| 8 | +ms.topic: conceptual |
| 9 | +ms.service: blueprints |
| 10 | +manager: carmonm |
| 11 | +--- |
| 12 | +# Deploy the Canada Federal PBMM blueprint samples |
| 13 | + |
| 14 | +To deploy the Canada Federal PBMM blueprint samples, the following steps must be taken: |
| 15 | + |
| 16 | +> [!div class="checklist"] |
| 17 | +> - Create a new blueprint from the sample |
| 18 | +> - Mark your copy of the sample as **Published** |
| 19 | +> - Assign your copy of the blueprint to an existing subscription |
| 20 | +
|
| 21 | +If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free) |
| 22 | +before you begin. |
| 23 | + |
| 24 | +## Create blueprint from sample |
| 25 | + |
| 26 | +First, implement the blueprint sample by creating a new blueprint in your environment using the |
| 27 | +sample as a starter. |
| 28 | + |
| 29 | +1. Select **All services** and search for and select **Policy** in the left pane. On the **Policy** |
| 30 | + page, select **Blueprints**. |
| 31 | + |
| 32 | +1. From the **Getting started** page on the left, select the **Create** button under _Create a |
| 33 | + blueprint_. |
| 34 | + |
| 35 | +1. Find the **Canada Federal PBMM** blueprint sample under _Other Samples_ and select **Use this |
| 36 | + sample**. |
| 37 | + |
| 38 | +1. Enter the _Basics_ of the blueprint sample: |
| 39 | + |
| 40 | + - **Blueprint name**: Provide a name for your copy of the blueprint sample. |
| 41 | + - **Definition location**: Use the ellipsis and select the management group to save your copy of |
| 42 | + the sample to. |
| 43 | + |
| 44 | +1. Select the _Artifacts_ tab at the top of the page or **Next: Artifacts** at the bottom of the |
| 45 | + page. |
| 46 | + |
| 47 | +1. Review the list of artifacts that make up the blueprint sample. Many of the artifacts have |
| 48 | + parameters that we'll define later. Select **Save Draft** when you've finished reviewing the |
| 49 | + blueprint sample. |
| 50 | + |
| 51 | +## Publish the sample copy |
| 52 | + |
| 53 | +Your copy of the blueprint sample has now been created in your environment. It's created in |
| 54 | +**Draft** mode and must be **Published** before it can be assigned and deployed. The copy of the |
| 55 | +blueprint sample can be customized to your environment and needs, but that modification may move |
| 56 | +it away from the standard. |
| 57 | + |
| 58 | +1. Select **All services** and search for and select **Policy** in the left pane. On the **Policy** |
| 59 | + page, select **Blueprints**. |
| 60 | + |
| 61 | +1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the |
| 62 | + blueprint sample and then select it. |
| 63 | + |
| 64 | +1. Select **Publish blueprint** at the top of the page. In the new page on the right, provide a |
| 65 | + **Version** for your copy of the blueprint sample. This property is useful for if you make a |
| 66 | + modification later. Provide **Change notes** such as "First version published from the Canada |
| 67 | + Federal PBMM blueprint sample." Then select **Publish** at the bottom of the page. |
| 68 | + |
| 69 | +## Assign the sample copy |
| 70 | + |
| 71 | +Once the copy of the blueprint sample has been successfully **Published**, it can be assigned to a |
| 72 | +subscription within the management group it was saved to. This step is where parameters are |
| 73 | +provided to make each deployment of the copy of the blueprint sample unique. |
| 74 | + |
| 75 | +1. Select **All services** and search for and select **Policy** in the left pane. On the **Policy** |
| 76 | + page, select **Blueprints**. |
| 77 | + |
| 78 | +1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the |
| 79 | + blueprint sample and then select it. |
| 80 | + |
| 81 | +1. Select **Assign blueprint** at the top of the blueprint definition page. |
| 82 | + |
| 83 | +1. Provide the parameter values for the blueprint assignment: |
| 84 | + |
| 85 | + - Basics |
| 86 | + |
| 87 | + - **Subscriptions**: Select one or more of the subscriptions that are in the management group |
| 88 | + you saved your copy of the blueprint sample to. If you select more than one subscription, an |
| 89 | + assignment will be created for each using the parameters entered. |
| 90 | + - **Assignment name**: The name is pre-populated for you based on the name of the blueprint. |
| 91 | + Change as needed or leave as is. |
| 92 | + - **Location**: Select a region for the managed identity to be created in. Azure Blueprint uses |
| 93 | + this managed identity to deploy all artifacts in the assigned blueprint. To learn more, see |
| 94 | + [managed identities for Azure resources](../../../../active-directory/managed-identities-azure-resources/overview.md). |
| 95 | + - **Blueprint definition version**: Pick a **Published** version of your copy of the blueprint |
| 96 | + sample. |
| 97 | + |
| 98 | + - Lock Assignment |
| 99 | + |
| 100 | + Select the blueprint lock setting for your environment. For more information, see [blueprints resource locking](../../concepts/resource-locking.md). |
| 101 | + |
| 102 | + - Managed Identity |
| 103 | + |
| 104 | + Leave the default _system assigned_ managed identity option. |
| 105 | + |
| 106 | + - Artifact parameters |
| 107 | + |
| 108 | + The parameters defined in this section apply to the artifact under which it's defined. These |
| 109 | + parameters are [dynamic parameters](../../concepts/parameters.md#dynamic-parameters) since |
| 110 | + they're defined during the assignment of the blueprint. For a full list or artifact parameters |
| 111 | + and their descriptions, see [Artifact parameters table](#artifact-parameters-table). |
| 112 | + |
| 113 | +1. Once all parameters have been entered, select **Assign** at the bottom of the page. The blueprint |
| 114 | + assignment is created and artifact deployment begins. Deployment takes roughly an hour. To check |
| 115 | + on the status of deployment, open the blueprint assignment. |
| 116 | + |
| 117 | +> [!WARNING] |
| 118 | +> The Azure Blueprints service and the built-in blueprint samples are **free of cost**. Azure |
| 119 | +> resources are [priced by product](https://azure.microsoft.com/pricing/). Use the [pricing calculator](https://azure.microsoft.com/pricing/calculator/) |
| 120 | +> to estimate the cost of running resources deployed by this blueprint sample. |
| 121 | +
|
| 122 | +## Artifact parameters table |
| 123 | + |
| 124 | +The following table provides a list of the blueprint artifact parameters: |
| 125 | + |
| 126 | +Artifact name|Artifact type|Parameter name|Description| |
| 127 | +|-|-|-|-| |
| 128 | +|\[Preview\]: Deploy Log Analytics Agent for Linux VMs |Policy assignment |Log Analytics workspace for Linux VMs |For more information, see [Create a Log Analytics workspace in the Azure portal](../../../../azure-monitor/learn/quick-create-workspace.md). | |
| 129 | +|\[Preview\]: Deploy Log Analytics Agent for Linux VMs |Policy assignment |Optional: List of VM images that have supported Linux OS to add to scope |An empty array may be used to indicate no optional parameters: `[]` | |
| 130 | +|\[Preview\]: Deploy Log Analytics Agent for Windows VMs |Policy assignment |Optional: List of VM images that have supported Windows OS to add to scope |An empty array may be used to indicate no optional parameters: `[]` | |
| 131 | +|\[Preview\]: Deploy Log Analytics Agent for Windows VMs |Policy assignment |Log Analytics workspace for Windows VMs |For more information, see [Create a Log Analytics workspace in the Azure portal](../../../../azure-monitor/learn/quick-create-workspace.md). | |
| 132 | +|\[Preview\]: Audit Canada Federal PBMM controls and deploy specific VM Extensions to support audit requirements |Policy assignment |Log Analytics workspace ID that VMs should be configured for |This is the ID (GUID) of the Log Analytics workspace that the VMs should be configured for. | |
| 133 | +|\[Preview\]: Audit Canada Federal PBMM controls and deploy specific VM Extensions to support audit requirements |Policy assignment |List of resource types that should have diagnostic logs enabled |List of resource types to audit if diagnostic log setting isn't enabled. Acceptable values can be found at [Azure Monitor diagnostic logs schemas](../../../../azure-monitor/platform/diagnostic-logs-schema.md#supported-log-categories-per-resource-type). | |
| 134 | +|\[Preview\]: Audit Canada Federal PBMM controls and deploy specific VM Extensions to support audit requirements |Policy assignment |Administrators group |Group. Example: `Administrator; myUser1; myUser2` | |
| 135 | +|\[Preview\]: Audit Canada Federal PBMM controls and deploy specific VM Extensions to support audit requirements |Policy assignment |List of users that should be included in Windows VM Administrators group |A semicolon-separated list of members that should be included in the Administrators local group. Example: `Administrator; myUser1; myUser2` | |
| 136 | +|Deploy Advanced Threat Protection on Storage Accounts |Policy assignment |Effect |Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md). | |
| 137 | +|Deploy Auditing on SQL servers |Policy assignment |The value in days of the retention period (0 indicates unlimited retention) |Retention days (optional, _180_ days if unspecified) | |
| 138 | +|Deploy Auditing on SQL servers |Policy assignment |Resource group name for storage account for SQL server auditing |Auditing writes database events to an audit log in your Azure Storage account (a storage account is created in each region where a SQL Server is created that is shared by all servers in that region). Important - for proper operation of Auditing don't delete or rename the resource group or the storage accounts. | |
| 139 | +|Deploy diagnostic settings for Network Security Groups |Policy assignment |Storage account prefix for network security group diagnostics |This prefix is combined with the network security group location to form the created storage account name. | |
| 140 | +|Deploy diagnostic settings for Network Security Groups |Policy assignment |Resource group name for storage account for network security group diagnostics (must exist) |The resource group that the storage account is created in. This resource group must already exist. | |
| 141 | + |
| 142 | +## Next steps |
| 143 | + |
| 144 | +Now that you've reviewed the steps to deploy the Canada Federal PBMM sample, visit the following |
| 145 | +articles to learn about the overview and control mapping: |
| 146 | + |
| 147 | +> [!div class="nextstepaction"] |
| 148 | +> [Canada Federal PBMM blueprints - Overview](./index.md) |
| 149 | +> [Canada Federal PBMM blueprints - Control mapping](./control-mapping.md) |
| 150 | +
|
| 151 | +Addition articles about blueprints and how to use them: |
| 152 | + |
| 153 | +- Learn about the [blueprint lifecycle](../../concepts/lifecycle.md). |
| 154 | +- Understand how to use [static and dynamic parameters](../../concepts/parameters.md). |
| 155 | +- Learn to customize the [blueprint sequencing order](../../concepts/sequencing-order.md). |
| 156 | +- Find out how to make use of [blueprint resource locking](../../concepts/resource-locking.md). |
| 157 | +- Learn how to [update existing assignments](../../how-to/update-existing-assignments.md). |
0 commit comments