Paul K space : EA Subscription Vending - An Iterative Affair

Summary


If you’re a business with access to a Microsoft Enterprise Agreement, it won’t surprise you that operating as an enterprise at scale means you need to innovate and empower your engineers.

When you operate at scale, every cost saving, every time saving, every service desk ticket not raised, turns into a real difference for the business.

We only have to look back 150 years to see the benefits and progress that industrialisation delivered.

Measured on the traditional scale of the day, horsepower, it’s safe to assume that creating an automated and well-thought-out self-service platform will ensure that you never have to employ a horse again… and finally we will take back the planet!

tl;dr


Objectives

  • To familiarise the reader with operating under an EA Agreement

  • Education through hands-on manual and automated delivery

  • Deliver documentation and example code for a rapid lighthouse delivery into customer solutions

  • Demonstrate moving from a manual process, through scripting, to full IaC delivery

  • Demonstrate extending the capability of the project

  • Demonstrate the extensibility of the user interfaces to the process


Session Format

This topic, end to end, is quite the beast.

I’ll be delivering a number of iterations to ensure that the reader has the right amount of information to read, understand, fact-check and engineer not only the solution to the EA Vending Automation issue, but also to appreciate the nuance and extensibility of the technical solutions covered.

If you take the time to walk through and see how I layer up my deliveries, you will also see that investing time now can help you build a set of tools, or take away part of the solution to make your life easier… you too could have the time to REALLY procrastinate over every detail… automate FTW, and remember… the best engineer is, at heart, a lazy engineer….

Iteration 1

Iterations 2 & 3

Iteration 4 and MVP review


Benefits

  • Ensuring that all sandbox requests for Azure environments are created in a more flexible tenancy for sandbox playgrounds.

  • This will allow for better subscription management, such as:

    • Service Principals can be granted with fewer security implications if this is set up in the Dev/Test tenant.

    • Budget controls can be added to reduce our costs.

    • Automatic nuking of environments during set schedules.


Acceptance Criteria

Mirroring a client engagement, it is important to define acceptance criteria that, in conjunction with technical peer review, feed into an evolving “definition of done” that encompasses all major customer requirements, appropriate review and tweaking of the solution.

For an indication of progress, a traffic light system based on the (blue star) icon shows where we are; until delivered, these quick icons help to see progress at a glance:

  • (blue star). (blue star)  not started to in progress (to be reviewed)

  • (blue star) (tick)  going well to complete (reviewed - OK)

  • (blue star) (error)  not going well to failed (reviewed - FAIL)

  • (blue star) (blue star)  completed and accepted or rejected

Functionality, Features, Usability and Automation

  # | Criteria | Breakdown | Status (blue star)
  1 | End-to-end working | End-to-end process works as intended, with a handover to IT Support |

Review

  # | Criteria | Breakdown | Status (blue star)
  1 | Peer Review: Design | The design should be reviewed with Azure peers, ensuring:
      • consensus on the problem description, requirements and general technology
      • capture, alignment and dissemination of initial acceptance criteria |
  2 | Peer Review: End to End | The solution should be |
  3 | Peer Review Required | |
  4 | Peer Review Recommends | |

Compliance

  # | Criteria | Breakdown | Status (blue star)
  1 | Compliance: Code Quality | |
  2 | Compliance: Scanning | |

Documentation

  # | Criteria | Breakdown | Status (blue star)
  1 | Confluence tl;dr | |

Integration

  # | Criteria | Breakdown | Status (blue star)
  1 | Integration | |


Definition of Done

TBC


Design

Requirements Definition

  1. Amend the existing method for creating new sandboxes in Azure to use the Squad Zero tenancy id for any new requests.

  2. Transformation action to migrate all existing Contini's in the Contino tenancy to the Squad Zero tenancy, where Service Principals can be granted more conveniently than on the production Contino tenant.

Solution Overview and Breakdown

  1. Amend the existing method for creating new sandboxes in Azure to use the Squad Zero tenancy id for any new requests.


High Level Design

create the resources and mechanisms such that we can

  • process one to N configurations containing required and optional parameters

  • validate and extract pertinent data from config files

    • validate the config

    • ensure required values are supplied

    • ensure optional values containing data are used if defined

    • ensure optional values, if omitted by the user, use a default calculated value

  • process the configuration and, for each section defined:

    • always process the general: section for user details

    • if a subscription: section is defined

      • we need to add a subscription under the EA account and tenant

        • EA accounts required

        • Tenant access required

    • if a service_principal: section is defined

    • if an automation: section is defined

We now have an extensible templated solution that can be added to with additional requirements.


Components - High Level

storage, management and processing

  • Landing Zones are traditionally delivered as IaC using GitHub and GitHub Actions to store and then automate delivery of code

  • Configurations need to be defined, standardised and then ingested into deployment

    • Customer requests can be submitted and are simple to manage as a file per request, so simple YAML config files can be used, as they are easy to create, populate and read, while allowing simple access using yamldecode() in workflows

configuration deployment

  • mechanisms for managing many files to process each time terraform runs

  • validation and approval of requests

  • gatekeeper, backout and deletion, as well as housekeeping, should be considered

  • cross-tenant access for service principals

resources and services

  • we read and write from GitHub

  • we access Azure as a single highly privileged (“god”) SP

  • any request will always need access for the requesting user, so it will need access to the dev tenant


Components - Technology Selection

  • Azure

    • New DEV tenant

      • Local admin account

      • Local EA management account

  • Microsoft Enterprise EA Billing Setup

    • Enterprise Billing admin account

    • Enterprise Billing account

    • Enterprise Billing account Creator role

  • Microsoft Partner account

    • Billing account admin access

  • Azure

    • Admin access to HOME Tenant

    • Automation resources

  • GitHub

  • Confluence


Detailed Design

Interface/WebUI

Processing config files


Deployment :AAD Tenant Guest Access


Section Processing: Subscriptions

Section Processing: Service Principal

Section Processing: GitHub Repo

Post Processing: Output


Planning

iteration 1 - a simple start

with access to an EA Account, you want to:

  • add a new Tenant
  • add a new local admin account for EA Management
  • create the EA Account setup
  • validate:
    • create the guest AD account for the user
    • add a new subscription
    • add a new consumption budget to the subscription
    • assign the subscription to the UK management group

In this simple configuration, your users will be provided with a new account in the tenant and will log in to access their subscription.

Azure

Preparing your account with permissions


az login
Creating a new Azure Tenant

There is currently no public API, so I would recommend following the Microsoft Learn documentation via https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant

az login -t YourTenantName.onmicrosoft.com --use-device-code
Creating a new Admin user under the your new tenant


az

Enterprise Billing

Enrolling the Tenant in your EA Agreement via the partner portal


az

Azure Subscription Resources Creation

Create Resources


  • Create a new Guest user

  • Create a new subscription named Dev/Test - SQUAD0 - user.name using offer MS-AZR-0148P and enrolment account 320292

  • Create and assign a new 60 GBP budget

  • Assign the subscription to the UK management group

summary

#!/bin/bash
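The four resource-creation steps above, written as an added example script (not the page's own summary script): each step is a shell function, every Azure call goes through a dry-run wrapper that prints the command unless DRY_RUN=0, and the user-supplied values are validated before they are interpolated into a request. The billing account and enrolment account numbers, the budget name and the invite redirect URL are placeholders; the subscription naming convention, the 60 GBP default budget and the UK management group are the page's. It assumes the current az CLI syntax for `az account alias create`, `az consumption budget create` and `az account management-group subscription add`, and the Microsoft Graph invitations endpoint for guest invites.

```shell
#!/bin/sh
# Added example (not the page's script): iteration 1 vending steps as functions.
# DRY_RUN=1 (default) prints each az command instead of running it.
set -eu

DRY_RUN="${DRY_RUN:-1}"
BILLING_ACCOUNT="${BILLING_ACCOUNT:-0000000}"      # placeholder EA billing account id
ENROLLMENT_ACCOUNT="${ENROLLMENT_ACCOUNT:-000000}" # placeholder enrolment account id
MGMT_GROUP="${MGMT_GROUP:-UK}"                     # management group named on the page
DEFAULT_BUDGET_GBP=60                              # sandbox budget named on the page

# Print the az command instead of running it unless DRY_RUN=0.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# Only a plain user@domain address is accepted: the value is interpolated into a
# JSON body, so quotes, semicolons and whitespace are rejected up front.
valid_email() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
}

# Subscription naming convention used on the page: "Dev/Test - SQUAD0 - user.name".
subscription_name() {
  printf 'Dev/Test - SQUAD0 - %s\n' "$1"
}

# Billing scope of the enrolment account that new EA subscriptions are created under.
billing_scope() {
  printf '/providers/Microsoft.Billing/billingAccounts/%s/enrollmentAccounts/%s\n' \
    "$BILLING_ACCOUNT" "$ENROLLMENT_ACCOUNT"
}

# Step 1: invite the user from the home tenant as a guest (Microsoft Graph invitations API).
invite_guest() {
  valid_email "$1" || { echo "refusing to invite malformed address: $1" >&2; return 1; }
  run_az rest --method POST --url https://graph.microsoft.com/v1.0/invitations \
    --body "{\"invitedUserEmailAddress\":\"$1\",\"inviteRedirectUrl\":\"https://portal.azure.com\",\"sendInvitationMessage\":true}"
}

# Step 2: create the EA subscription under the enrolment account (alias name = user.name).
create_subscription() {
  run_az account alias create --name "$1" --billing-scope "$(billing_scope)" \
    --display-name "$(subscription_name "$1")" --workload DevTest
}

# Step 3: attach a monthly cost budget to the subscription id; falls back to the
# page's default amount when the optional value is omitted.
create_budget() {
  amount="${2:-$DEFAULT_BUDGET_GBP}"
  case "$amount" in ''|*[!0-9]*) echo "budget must be a whole number of GBP: $amount" >&2; return 1 ;; esac
  run_az consumption budget create --subscription "$1" --budget-name sandbox-monthly \
    --amount "$amount" --category cost --time-grain monthly --start-date "$3"
}

# Step 4: place the subscription id under the management group.
assign_management_group() {
  run_az account management-group subscription add --name "$MGMT_GROUP" --subscription "$1"
}

# Whole flow for one request: user.name, e-mail, optional budget, optional budget start date.
# In a real run the subscription id returned by "az account alias create" feeds steps 3 and 4;
# in dry-run the alias name stands in for it.
vend_sandbox() {
  invite_guest "$2"
  create_subscription "$1"
  create_budget "$1" "${3:-}" "${4:-$(date +%Y-%m-01)}"
  assign_management_group "$1"
}

# Run end to end only when invoked directly with VEND_RUN=1, e.g.
#   VEND_RUN=1 DRY_RUN=1 ./vend.sh alice.smith alice.smith@example.com 60
if [ "${VEND_RUN:-0}" = "1" ]; then
  vend_sandbox "$@"
fi
```

Running it with DRY_RUN=1 first and diffing the printed commands against what you expect is the cheap check before handing a real EA enrolment account to the script.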

iteration 2 - adding cross-tenant complexity

Building on the initial simple config where, as an Administrator in the new Tenant, we can create a new EA Subscription either via the portal or a simple CLI call, while using the Azure Billing Enrolment Account.

Originally we used a single tenant, but to add to the complexity:

  • use the new Squad0 Tenant as an additional dev/test tenant
  • authenticate via the original home tenant as a Guest User invited into the Development Tenant

Summary

#!/bin/bash

iteration 3 - graduating to IaC - Service Principals

Now that we have

  • 2 tenants, one home and one dev/test

  • the ability to create subscriptions

we essentially have a way for an admin user to create subscriptions, or to script that automation via az-cli.

Now that we have the process and permissions, we will switch from using a manual user in favour of a service principal.

  • Configure the Home Tenant
    • under your home tenant, create an app registration
    • create an Enterprise App Service Principal

### Define app registration name, etc.
appregname=myappregtest1
clientid=$(az ad app create --display-name "$appregname" --query appId --output tsv)
### az CLI 2.37+ (Microsoft Graph based) exposes the object id as "id"; older releases used "objectId"
objectid=$(az ad app show --id "$clientid" --query id --output tsv)

### Disable the default user_impersonation scope before clearing it (a scope must be disabled
### before it can be removed). "oauth2Permissions" is the legacy property name; Graph-based
### CLI releases expose the scopes under api.oauth2PermissionScopes
default_scope=$(az ad app show --id "$clientid" | jq '.oauth2Permissions[0].isEnabled = false' | jq -r '.oauth2Permissions')
az ad app update --id "$clientid" --set oauth2Permissions="$default_scope"
az ad app update --id "$clientid" --set oauth2Permissions="[]"

### Alternatively create the app registration directly through Microsoft Graph;
### --query obtains the client (app) id from the response
clientid=$(az rest -m post -u https://graph.microsoft.com/v1.0/applications --headers 'Content-Type=application/json' --body "{\"displayName\": \"$appregname\"}" --query appId --output tsv)
  • Configure the Development Tenant
    • App Registration
    • Service Principal
    • Assign Subscription Owner role to the SP
as above
  • Billing API
    • identify Billing Account number
    • Obtain Enrolment Account Number
    • Obtain Enrolment Account Role Identifier
    • Obtain Enrolment Account Subscription Creator role
      • Add Enrolment Account Role to Service Principal
      • Add Enrolment Account Subscription Creator Role to Service Principal
  • Verify Role Assignments by logging in as the Service Principal and creating a subscription
### List the enrolment accounts visible to the signed-in identity
az rest -m GET -u "https://management.azure.com/providers/Microsoft.Billing/enrollmentAccounts?api-version=2018-03-01-preview"
### Legacy route: grant the principal Owner on the enrolment account
az role assignment create --role Owner --assignee-object-id <userObjectId> --scope /providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>

### Billing role route: assign the enrolment account role definition to the service principal
REQUEST_BODY=$(cat <<EOF
{
  "properties": {
    "principalId": "99a1a759-30dd-42c2-828c-db398826bb67",
    "principalTenantId": "7ca289b9-c32d-4f01-8566-7ff93261d76f",
    "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/7898901/enrollmentAccounts/225314/billingRoleDefinitions/a0bcee42-bf30-4d1b-926a-48d21664ef71"
  }
}
EOF
)

### The role assignment is a PUT (the method goes to -m, not into the URL);
### {billingRoleAssignmentName} is a new GUID that you generate
az rest -m PUT -u "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/{billingAccountName}/enrollmentAccounts/{enrollmentAccountName}/billingRoleAssignments/{billingRoleAssignmentName}?api-version=2019-10-01-preview" --body "${REQUEST_BODY}"
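The billing role assignment above, as an added example script (not the page's own code): the URL, the role definition id and the JSON body are assembled from validated inputs so that a mistyped account number or GUID fails before any call is made, the request is issued as a PUT, and the assignment name is a fresh GUID. The api-version and the shape of the request are the page's; the account numbers and GUIDs are whatever the caller passes in, and the dry-run wrapper prints the az command unless DRY_RUN=0. Pass the Enrolment Account Subscription Creator role definition GUID rather than making the principal Owner, which keeps the service principal limited to subscription creation.

```shell
#!/bin/sh
# Added example (not the page's script): assign an enrolment-account billing
# role to a service principal with validated inputs. DRY_RUN=1 prints the command.
set -eu

DRY_RUN="${DRY_RUN:-1}"
API_VERSION="2019-10-01-preview"   # api-version used on the page

run_az() {
  if [ "$DRY_RUN" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Input checks: billing/enrolment accounts are numeric, everything else is a GUID.
is_guid()   { printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; }
is_number() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Fully qualified billing role definition (e.g. the Subscription Creator role).
role_definition_id() { # billingAccount enrollmentAccount roleDefinitionGuid
  printf '/providers/Microsoft.Billing/billingAccounts/%s/enrollmentAccounts/%s/billingRoleDefinitions/%s\n' "$1" "$2" "$3"
}

# ARM URL for the assignment; the HTTP method is passed to az rest, never embedded here.
role_assignment_url() { # billingAccount enrollmentAccount assignmentGuid
  printf 'https://management.azure.com/providers/Microsoft.Billing/billingAccounts/%s/enrollmentAccounts/%s/billingRoleAssignments/%s?api-version=%s\n' \
    "$1" "$2" "$3" "$API_VERSION"
}

# Request body in the shape the page uses.
role_assignment_body() { # principalId principalTenantId roleDefinitionId
  printf '{"properties":{"principalId":"%s","principalTenantId":"%s","roleDefinitionId":"%s"}}\n' "$1" "$2" "$3"
}

# A new GUID for billingRoleAssignmentName (uuidgen, or the kernel's generator on Linux).
new_guid() {
  if command -v uuidgen >/dev/null 2>&1; then uuidgen; else cat /proc/sys/kernel/random/uuid; fi
}

# billingAccount enrollmentAccount spObjectId spTenantId roleDefinitionGuid [assignmentGuid]
assign_billing_role() {
  is_number "$1" && is_number "$2" || { echo "billing and enrolment account numbers must be numeric" >&2; return 1; }
  for g in "$3" "$4" "$5"; do
    is_guid "$g" || { echo "not a GUID: $g" >&2; return 1; }
  done
  assignment="${6:-$(new_guid)}"
  is_guid "$assignment" || { echo "assignment name must be a GUID: $assignment" >&2; return 1; }
  run_az rest --method PUT \
    --url "$(role_assignment_url "$1" "$2" "$assignment")" \
    --body "$(role_assignment_body "$3" "$4" "$(role_definition_id "$1" "$2" "$5")")"
}
```

With DRY_RUN=1 the printed command is what you would paste into the CLI; with DRY_RUN=0 the same arguments go to `az rest`, so the validation path and the live path cannot drift apart. A GET on the same billingRoleAssignments URL afterwards (the page's "verify role assignments" step) confirms the principal now holds only the role you passed in.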

Summary

#!/bin/bash

iteration 4 - Hands-off non-interactive

We now have

  • an understanding of each process step to add a new user and then provide them a subscription in the new tenant, accessed via their Home Tenant login

  • an understanding of how to authenticate across tenants

  • the requirements of each stage

  • Service Principals with permissions to operate autonomously

We can start to build the process in terraform, taking each manual or scripted stage and identifying what terraform resources we will need to read and create. For each step of the process, you can verify your code as you work, running terraform plan after each new resource is added to the terraform.

  • create boilerplate terraform files
    • .gitignore
    • terraform standard files
      • provider.tf
      • variables.tf
      • main.tf
      • output.tf

Summary

#!/bin/bash
### Look up the requesting user's Home Tenant account via Microsoft Graph
az rest --method GET --url https://graph.microsoft.com/v1.0/users
az rest --method GET --url https://graph.microsoft.com/v1.0/users | jq '.value | .[] | select(.userPrincipalName == "paul.kelleher@contino.io")'

Welcome to MVP world - population you!

iteration 5 - Feature Development

Summary

iteration 6 -WebUI

info

Summary


Conclusions


References



To be removed before publication

@startmindmap
* Structure
** Simple
***: **Description**
    with access to an EA Account, you want to 
    - add a new Tenant 
    - add a new local admin account for EA Management
    - create the EA Account setup
    - validate
    - add a new subscription in the tenant via portal
    - add a new subscription in the tenant via CLI
    in this simple configuration, your users will be provided a new account to the tenant and login to access their subscription
;
*** Process
**** Azure Tenant
***** New Tenant
***** New local EA User
**** EA Subscription
***** Add Tenant
***** Setup Billing
****** Setup Departments
****** Setup Enrolment Acct
******* verify EA Account
** advanced
***: **Description**
Building on the initial simple config where 

as an Administrator  in the new Tenant, we can create a new EA Subscription either via portal or simple CLI, while using the Azure Billing Enrolment Account

originally we use a single tenant, but to add to the complexity:
use the new Squad0 Tenant as an additional dev/test tenant 
Authenticate via the original home tenant as a Guest User invited into the Development Tenant
;
*** Process
**** Home Tenant
***** AD Read Get User Account
**** Dev Tenant
***** ADRead: Check User
***** ADWrite: create guest account via invite
****** enable auto-accept
** Hand-Off
*** Description
*** Process 
** IaC
*** Description
*** Process Analysis
**** Users
**** Resources
*** Parameterising
** Feature Development
** CI/CD
*** Traditional Workflows
** Variables
*** passing input data
*** unpacking json data
**** Validate
***** create local config file
*** read inputs and select workflow
**** processing scripts
***** webhook
** Interfaces


@endmindmap
planning diagram