|
| 1 | +--- |
| 2 | +title: IRS 1075 blueprint sample - Deploy steps |
| 3 | +description: Deploy steps for the IRS 1075 (Rev.11-2016) blueprint sample including blueprint artifact parameter details. |
| 4 | +ms.date: 11/20/2019 |
| 5 | +ms.topic: sample |
| 6 | +--- |
| 7 | +# Deploy the IRS 1075 blueprint sample |
| 8 | + |
| 9 | +To deploy the Azure Blueprints IRS 1075 (Rev.11-2016) blueprint sample, the following steps must |
| 10 | +be taken: |
| 11 | + |
| 12 | +> [!div class="checklist"] |
| 13 | +> - Create a new blueprint from the sample |
| 14 | +> - Mark your copy of the sample as **Published** |
| 15 | +> - Assign your copy of the blueprint to an existing subscription |
| 16 | +
|
| 17 | +If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free) |
| 18 | +before you begin. |
| 19 | + |
| 20 | +## Create blueprint from sample |
| 21 | + |
| 22 | +First, implement the blueprint sample by creating a new blueprint in your environment using the |
| 23 | +sample as a starter. |
| 24 | + |
| 25 | +1. Select **All services** in the left pane. Search for and select **Blueprints**. |
| 26 | + |
| 27 | +1. From the **Getting started** page on the left, select the **Create** button under _Create a |
| 28 | + blueprint_. |
| 29 | + |
| 30 | +1. Find the **IRS 1075 (Rev.11-2016)** blueprint sample under _Other Samples_ and select **Use |
| 31 | + this sample**. |
| 32 | + |
| 33 | +1. Enter the _Basics_ of the blueprint sample: |
| 34 | + |
| 35 | + - **Blueprint name**: Provide a name for your copy of the IRS 1075 (Rev.11-2016) blueprint |
| 36 | + sample. |
| 37 | + - **Definition location**: Use the ellipsis and select the management group to save your copy of |
| 38 | + the sample to. |
| 39 | + |
| 40 | +1. Select the _Artifacts_ tab at the top of the page or **Next: Artifacts** at the bottom of the |
| 41 | + page. |
| 42 | + |
| 43 | +1. Review the list of artifacts that make up the blueprint sample. Many of the artifacts have |
| 44 | + parameters that we'll define later. Select **Save Draft** when you've finished reviewing the |
| 45 | + blueprint sample. |
| 46 | + |
| 47 | +## Publish the sample copy |
| 48 | + |
| 49 | +Your copy of the blueprint sample has now been created in your environment. It's created in |
| 50 | +**Draft** mode and must be **Published** before it can be assigned and deployed. The copy of the |
| 51 | +blueprint sample can be customized to your environment and needs, but that modification may move |
| 52 | +it away from alignment with NIST SP 800-53 controls. |
| 53 | + |
| 54 | +1. Select **All services** in the left pane. Search for and select **Blueprints**. |
| 55 | + |
| 56 | +1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the |
| 57 | + blueprint sample and then select it. |
| 58 | + |
| 59 | +1. Select **Publish blueprint** at the top of the page. In the new page on the right, provide a |
| 60 | + **Version** for your copy of the blueprint sample. This property is useful for if you make a |
| 61 | + modification later. Provide **Change notes** such as "First version published from the NIST SP |
| 62 | + 800-53 R4 blueprint sample." Then select **Publish** at the bottom of the page. |
| 63 | + |
| 64 | +## Assign the sample copy |
| 65 | + |
| 66 | +Once the copy of the blueprint sample has been successfully **Published**, it can be assigned to a |
| 67 | +subscription within the management group it was saved to. This step is where parameters are |
| 68 | +provided to make each deployment of the copy of the blueprint sample unique. |
| 69 | + |
| 70 | +1. Select **All services** in the left pane. Search for and select **Blueprints**. |
| 71 | + |
| 72 | +1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the |
| 73 | + blueprint sample and then select it. |
| 74 | + |
| 75 | +1. Select **Assign blueprint** at the top of the blueprint definition page. |
| 76 | + |
| 77 | +1. Provide the parameter values for the blueprint assignment: |
| 78 | + |
| 79 | + - Basics |
| 80 | + |
| 81 | + - **Subscriptions**: Select one or more of the subscriptions that are in the management group |
| 82 | + you saved your copy of the blueprint sample to. If you select more than one subscription, an |
| 83 | + assignment will be created for each using the parameters entered. |
| 84 | + - **Assignment name**: The name is pre-populated for you based on the name of the blueprint. |
| 85 | + Change as needed or leave as is. |
| 86 | + - **Location**: Select a region for the managed identity to be created in. Azure Blueprint uses |
| 87 | + this managed identity to deploy all artifacts in the assigned blueprint. To learn more, see |
| 88 | + [managed identities for Azure resources](../../../../active-directory/managed-identities-azure-resources/overview.md). |
| 89 | + - **Blueprint definition version**: Pick a **Published** version of your copy of the blueprint |
| 90 | + sample. |
| 91 | + |
| 92 | + - Lock Assignment |
| 93 | + |
| 94 | + Select the blueprint lock setting for your environment. For more information, see [blueprints resource locking](../../concepts/resource-locking.md). |
| 95 | + |
| 96 | + - Managed Identity |
| 97 | + |
| 98 | + Leave the default _system assigned_ managed identity option. |
| 99 | + |
| 100 | + - Artifact parameters |
| 101 | + |
| 102 | + The parameters defined in this section apply to the artifact under which it's defined. These |
| 103 | + parameters are [dynamic parameters](../../concepts/parameters.md#dynamic-parameters) since |
| 104 | + they're defined during the assignment of the blueprint. For a full list or artifact parameters |
| 105 | + and their descriptions, see [Artifact parameters table](#artifact-parameters-table). |
| 106 | + |
| 107 | +1. Once all parameters have been entered, select **Assign** at the bottom of the page. The blueprint |
| 108 | + assignment is created and artifact deployment begins. Deployment takes roughly an hour. To check |
| 109 | + on the status of deployment, open the blueprint assignment. |
| 110 | + |
| 111 | +> [!WARNING] |
| 112 | +> The Azure Blueprints service and the built-in blueprint samples are **free of cost**. Azure |
| 113 | +> resources are [priced by product](https://azure.microsoft.com/pricing/). Use the [pricing calculator](https://azure.microsoft.com/pricing/calculator/) |
| 114 | +> to estimate the cost of running resources deployed by this blueprint sample. |
| 115 | +
|
| 116 | +## Artifact parameters table |
| 117 | + |
| 118 | +The following table provides a list of the blueprint artifact parameters: |
| 119 | + |
| 120 | +|Artifact name|Artifact type|Parameter name|Description| |
| 121 | +|-|-|-|-| |
| 122 | +|Audit IRS 1075 (Rev.11-2016) controls and deploy specific VM Extensions to support audit requirements|Policy assignment|Log Analytics workspace ID that VMs should be configured for|This is the ID (GUID) of the Log Analytics workspace that the VMs should be configured for.| |
| 123 | +|Audit IRS 1075 (Rev.11-2016) controls and deploy specific VM Extensions to support audit requirements|Policy assignment|List of resource types that should have diagnostic logs enabled|List of resource types to audit if diagnostic log setting is not enabled. Acceptable values can be found at [Azure Monitor diagnostic logs schemas](../../../../azure-monitor/platform/diagnostic-logs-schema.md#supported-log-categories-per-resource-type).| |
| 124 | +|Audit IRS 1075 (Rev.11-2016) controls and deploy specific VM Extensions to support audit requirements|Policy assignment|List of users that should be excluded from Windows VM Administrators group|A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2| |
| 125 | +|Audit IRS 1075 (Rev.11-2016) controls and deploy specific VM Extensions to support audit requirements|Policy assignment|List of users that should be included in Windows VM Administrators group|A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2| |
| 126 | +|Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)|Policy assignment|Log Analytics workspace for Linux VM Scale Sets (VMSS)|If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.| |
| 127 | +|Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)|Policy assignment|Optional: List of VM images that have supported Linux OS to add to scope|An empty array may be used to indicate no optional parameters: \[\]| |
| 128 | +|Deploy Log Analytics Agent for Linux VMs|Policy assignment|Log Analytics workspace for Linux VMs|If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.| |
| 129 | +|Deploy Log Analytics Agent for Linux VMs|Policy assignment|Optional: List of VM images that have supported Linux OS to add to scope|An empty array may be used to indicate no optional parameters: \[\]| |
| 130 | +|Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)|Policy assignment|Log Analytics workspace for Windows VM Scale Sets (VMSS)|If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.| |
| 131 | +|Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)|Policy assignment|Optional: List of VM images that have supported Windows OS to add to scope|An empty array may be used to indicate no optional parameters: \[\]| |
| 132 | +|Deploy Log Analytics Agent for Windows VMs|Policy assignment|Log Analytics workspace for Windows VMs|If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.| |
| 133 | +|Deploy Log Analytics Agent for Windows VMs|Policy assignment|Optional: List of VM images that have supported Windows OS to add to scope|An empty array may be used to indicate no optional parameters: \[\]| |
| 134 | +|Deploy Advanced Threat Protection on Storage Accounts|Policy assignment|Effect|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md)| |
| 135 | +|Deploy Auditing on SQL servers|Policy assignment|The value in days of the retention period (0 indicates unlimited retention)|Retention days (optional, 180 days if unspecified)| |
| 136 | +|Deploy Auditing on SQL servers|Policy assignment|Resource group name for storage account for SQL server auditing|Auditing writes database events to an audit log in your Azure Storage account (a storage account will be created in each region where a SQL Server is created that will be shared by all servers in that region). Important - for proper operation of Auditing do not delete or rename the resource group or the storage accounts.| |
| 137 | +|Deploy diagnostic settings for Network Security Groups|Policy assignment|Storage account prefix for network security group diagnostics|This prefix will be combined with the network security group location to form the created storage account name.| |
| 138 | +|Deploy diagnostic settings for Network Security Groups|Policy assignment|Resource group name for storage account for network security group diagnostics (must exist)|The resource group that the storage account will be created in. This resource group must already exist.| |
| 139 | + |
| 140 | +## Next steps |
| 141 | + |
| 142 | +Now that you've reviewed the steps to deploy the IRS 1075 (Rev.11-2016) blueprint sample, visit |
| 143 | +the following articles to learn about the blueprint and control mapping: |
| 144 | + |
| 145 | +> [!div class="nextstepaction"] |
| 146 | +> [IRS 1075 (Rev.11-2016) blueprint - Overview](./index.md) |
| 147 | +> [IRS 1075 (Rev.11-2016) blueprint - Control mapping](./control-mapping.md) |
| 148 | +
|
| 149 | +Additional articles about blueprints and how to use them: |
| 150 | + |
| 151 | +- Learn about the [blueprint lifecycle](../../concepts/lifecycle.md). |
| 152 | +- Understand how to use [static and dynamic parameters](../../concepts/parameters.md). |
| 153 | +- Learn to customize the [blueprint sequencing order](../../concepts/sequencing-order.md). |
| 154 | +- Find out how to make use of [blueprint resource locking](../../concepts/resource-locking.md). |
| 155 | +- Learn how to [update existing assignments](../../how-to/update-existing-assignments.md). |
0 commit comments