soyroberto/bicex
# Azure VM Deployment with Bicep

This repository demonstrates a production-ready pattern for deploying secure Azure Virtual Machines using Bicep (Infrastructure as Code). The solution emphasizes security, automation, and maintainability through secure secret management and Just-in-Time (JIT) access.

**Complete Tutorial:** Read the full implementation guide at https://allthingscloud.net/handson-deploying-a-secure-sql-server-vm-on-azure-with-infrastructure-as-code-and-just-in-time-access

## Solution Overview

This deployment pattern significantly reduces the attack surface while maintaining operational efficiency by leveraging:

- Bicep for infrastructure as code
- Azure Key Vault for secure secret management
- Just-in-Time (JIT) VM access for reduced exposure
- Automated deployment pipelines

## Deployment Metrics

- Initial Setup: ~2 hours (repository creation to successful VM connection)
- Subsequent Deployments: <15 minutes
- Automation Level: 95% automated (only the JIT request requires manual action)

## Repository Structure

```text
├── bicep/                 # Bicep infrastructure templates
│   ├── main.bicep         # Main deployment template
│   └── modules/           # Reusable Bicep modules (if applicable)
├── .github/workflows/     # CI/CD pipeline definitions
│   └── deploy.yml         # Deployment pipeline
└── README.md              # This documentation
```

## Azure Resources Deployed

The deployment creates the following resources:

- Virtual Machine
- Network Interface (NIC)
- Public IP Address
- OS Disk
- Network Security Group (reference)
- Virtual Network (reference)

## Security Controls

- **RBAC (Role-Based Access Control):** Least-privilege access management
- **Azure Key Vault:** Secure storage of secrets and credentials
- **Just-in-Time VM Access:** Time-limited access to reduce exposure

## Getting Started

### Prerequisites

- Azure subscription
- Azure CLI installed
- GitHub repository (for pipeline deployment)

### Deployment Options

#### Option 1: Manual Deployment with Azure CLI

```bash
# Login to Azure
az login

# Deploy the Bicep template
az deployment group create \
  --resource-group <your-resource-group> \
  --template-file bicep/main.bicep \
  --parameters @bicep/parameters.json
```

#### Option 2: Automated Deployment via GitHub Actions

1. Configure the following GitHub Secrets:
   - `AZURE_CREDENTIALS`: Service principal credentials
   - `AZURE_SUBSCRIPTION`: Subscription ID
   - `AZURE_RG`: Target resource group
2. Push to the `main` branch to trigger deployment

## Just-in-Time Access Workflow

1. Deploy infrastructure using the Bicep templates
2. Request JIT access through the Azure Portal or CLI
3. Connect to the VM during the approved access window
4. Access automatically expires after the configured duration

## Best Practices Implemented

- Infrastructure as Code with Bicep
- Secrets management with Key Vault
- Reduced attack surface with JIT access
- Automated deployment pipelines
- Modular, maintainable code structure
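The template shape this README describes, as an added example that is not the repository's own `bicep/main.bicep`: the VM's administrator password is a `@secure()` parameter fed from Key Vault at deployment time rather than stored in source, the NIC is attached to an existing VNet and NSG (the "(reference)" items above) that carry no standing inbound management rule, so the access window comes from JIT. Resource names, VM size, image, and API versions are assumptions.

```bicep
param location string = resourceGroup().location
param vmName string = 'vm-secure-01'
param adminUsername string
@secure()
param adminPassword string // supplied via a Key Vault reference in the parameters file, never in source
param vnetName string
param subnetName string
param nsgName string

// Existing network resources are referenced, not created (the README's "(reference)" items).
resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = { name: vnetName }
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' existing = { name: nsgName }

resource pip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: '${vmName}-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource nic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
  name: '${vmName}-nic'
  location: location
  properties: {
    ipConfigurations: [ {
      name: 'ipconfig1'
      properties: {
        subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, subnetName) }
        publicIPAddress: { id: pip.id }
        privateIPAllocationMethod: 'Dynamic'
      }
    } ]
    // The NSG holds no standing inbound RDP/SSH allow rule; JIT adds a time-bound one on request.
    networkSecurityGroup: { id: nsg.id }
  }
}

resource vm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
  name: vmName
  location: location
  properties: {
    hardwareProfile: { vmSize: 'Standard_D2s_v3' }
    osProfile: { computerName: vmName, adminUsername: adminUsername, adminPassword: adminPassword }
    storageProfile: {
      imageReference: { publisher: 'MicrosoftWindowsServer', offer: 'WindowsServer', sku: '2022-datacenter-azure-edition', version: 'latest' }
      osDisk: { createOption: 'FromImage', managedDisk: { storageAccountType: 'Premium_LRS' } }
    }
    networkProfile: { networkInterfaces: [ { id: nic.id } ] }
  }
}
```

In the parameters file, `adminPassword` is given as a Key Vault reference (`"reference": { "keyVault": { "id": "<vault resource id>" }, "secretName": "<secret name>" }`) instead of a literal value, which requires the vault to have `enabledForTemplateDeployment` set and the deploying identity to hold get permission on that secret.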