Skip to content

Azure/azure-marketplace-management-extras

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

78 Commits

.github/workflows

.github/workflows

 
 

.vscode

.vscode

 
 

applications

applications

 
 

azure

azure

 
 

images

images

 
 

.gitignore

.gitignore

 
 

CODE_OF_CONDUCT.md

CODE_OF_CONDUCT.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

SECURITY.md

SECURITY.md

 
 

SUPPORT.md

SUPPORT.md

 
 

Repository files navigation

Overview

This repository contains two Azure Function applications designed to help Managed Application solution owners in Partner Centre monitor and manage their deployed apps.

The first app, Notification Endpoint, captures events triggered during customer deployment and saves managed app information into an Azure storage table, allowing solution owners to build analytics and alerts on top of this data. For further information about each function, please refer to the README file located in the applications directory.

The second app, Policy States Collector, automates monitoring of Azure policies for compliance by querying the latest state of Azure policies in managed applications, filtering and sending the data to the Policy Monitor table in the Log Analytics Workspace for real-time monitoring. The app also includes a Scheduled Query Rule Alert that monitors non-compliant policies and triggers an Action Group for notification when an issue is detected.

Please note that these applications are an extra tool for publishers and is not required for using Managed Applications. Additionally, there are starter applications and can be customized according to your needs. The solution is part of Azure Marketplace Managed Application samples

Repository content

Within this repository, you can find the following directories:

  • .github/workflows: automated workflows to deploy infrastructure and code.
  • applications: code and documentation describing each application in more details.
  • azure: infrastructure templates that deploy the Azure components needed to support applications.
  • images: images for README.

Get it up and running

This project is a starting point to monitor your Managed Application offer created in Partner center, assuming that you have already created your offer. Use the guidance below.

⚠️ Please make sure you deploy the Notification Endpoint before you publish your managed app offer. Otherwise, you will need to republish the offer again with configuration of the Notification Endpoint URL.

Prerequisites

The deployment of the azure function requires a series of actions to set up the environment, including the creation of a Marketplace Managed Application service principal, an Azure service principal, configuring the necessary GitHub secrets and variables, and deploying the code.

Create the Azure Service Principal

Follow these steps to create a Service Principal with the Owner role scoped to the target Platform subscription. This Service Principal will be used by a GitHub-owned runner to authenticate to Azure and deploy the Azure function infrastructure.

  • Log in to the required Azure Active Directory Tenant using the Azure CLI on your local device or via Azure Cloud Shell:
    az login --tenant [Tenant ID]
  • Select the target Platform subscription, inserting the Subscription ID where indicated:
    az account set --subscription [Subscription ID]
  • Create the Service Principal, providing an identifying name where indicated:
    az ad sp create-for-rbac --name [SP Name] --query "{ client_id: appId, client_secret: password, tenant_id: tenant }"
  • Capture the values of client_id, client_secret and tenant_id for later use. It is recommended that you do not persist this information to disk or share the client secret for security reasons.
  • Grant the Service Principal "Owner" role on the target Platform subscription:
    az role assignment create --assignee [SP Client ID] --role "Owner" --scope /subscriptions/[Subscription ID]

Configure the Managed Application service principal

This Service Principal will be used by Azure function applications (NotificationHandler and PolicyStates) to authenticate against customers' deployments and fetch needed Managed app information.

  • Create another Service principal by using instructions from previous step Create Azure Service Principal section without the last step (granting the Service Principal owner role).

  • Link this Service principal in Partner center by going to Partner center and then Navigate to your offer > your managed plan > Plan overview > Technical configuration

  • In Authorizations section click on Add authorizations. Use Object ID from previous step and choose the Owner role

Managed SP config

Create secrets and variables

For each of the secrets defined in the table below, follow these steps to add each secret and variables the corresponding value.

  • Navigate to your github repo > Settings > Secrets and variables > New repository secret

  • Add the secret name and value, taking care to use the exact secret name provided as this is explicitly referenced in the GitHub workflow.

Secret Name Example Value Description
SUBSCRIPTION_ID 3edb65d1-d7a8-409b-a320-3c01ac6825f9 Subscription ID where infra will be deployed.
CLIENT_ID 9505fb9a-96e6-46d1-ac9b-2f74ee57f6d6 Client ID from the Create the Azure Service Principaln
CLIENT_SECRET [secure string] Client Secret from the Create the Azure Service Principal
TENANT_ID f7d23806-d8ac-4576-814f-0ee931ffeab3 Azure AD Tenant ID from the Create the Azure Service Principal
SP_CLIENT_ID 9505fb9a-96e6-46d1-ac9b-2f74ee57f6d6 Manage app Client ID from the Configure the Managed Application service principal
SP_CLIENT_SECRET [secure string] Managed app Client Secret from the Configure the Managed Application service principal

  • Navigate to Settings > Secrets and variables > variables > New repository variables

  • Add the varible name and value, taking care to use the exact secret name provided as this is explicitly referenced in the GitHub workflow.

Varible Name Example Value Description
APP_NAME marketplace Azure function name
LOCATION northeurope Location of infra resources
RESOURCE_GROUP_NAME marketplace-manage-applications RG name
STORAGE_ACCOUNT_TABLE_NAME applications name of Table for storing Manage app details in Azure storage
SUBSCRIPTION_NAME [string] Subscription name where infra will be deployed
EMAIL_ADDRESS [string] Email address for the alert notification when policies become non-compliant
RECEIVERS_NAME [string] The receiver's name to who the alert is sent

Run the workflows

Follow these steps to run workflows which will deploy the infrastructure and code. Managed SP config

  • Navigate to Actions -> Infrastructure deployment
  • Click Run workflow
  • Ensure the desired branch is selected, e.g. main
  • Click the Run workflow button
  • Copy function name from logs in Show function name step after the Infrastructure deployment workflow is finished

  • Navigate to Code deployment workflow to run the second one. Paste the function name in the input

Once the function is deployed, you can configure the Managed Application to use the Notification Endpoint URL. You can do this by following these steps:

  • Open the Managed Application in Partner center
  • Navigate to your offer > your managed plan > Plan overview > Technical configuration
  • Enter the Notification Endpoint URL, which is the URL of the Azure Function that you created. Save the changes.

  • Publish / republish your plan

Confirm Azure function applications are running successfully

Once all Workflows have completed, navigate to Resource group marketplace-manage-applications. Select Azure function and click on Functions. You should see NotificationHandler and PolicyStates. Each functions has logs that can indicate the status. You can find them in Monitor section.

When you deployed the Manage application, you should be able to find its details in the Azure storage table.
You can also see policy states in Log Analytics by using PolicyComplianceStates_CL query. Only note they will be visible after some time after function gets triggered. If policies become non-complaint, you should get the email notification.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

8 stars

Watchers

6 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages