BIO (Baseline Informatiebeveiliging) policies in Azure with Bicep

Mar 29, 2024 10:31 AM

Personal Blog
Microsoft
Azure
DevOps
Bicep
BIO
Policies

Getting Started

In recent discussions, the BIO law has been a hot topic. BIO stands for 'Baseline Informatiebeveiliging,' which translates to Baseline Information Security in English. This is a crucial policy framework that all entities within the Public Sector, including the government, municipalities, and other government organizations, must adhere to.

During these discussions, we stumbled upon an invaluable resource: the Azure BIO-Compliancy repository on GitHub. This repository is a goldmine, providing a foundational framework that has significantly influenced my ongoing work. The collective effort from all the contributors to this repository is truly commendable. It's an excellent piece of work that offers a solid starting point for anyone looking to comply with BIO requirements.

However, it's important to note that the current repository mainly consists of ARM (Azure Resource Manager) templates. This is understandable, considering the convenience of the "Deploy to Azure" button frequently used on GitHub. But for more sophisticated and tailored deployment needs, converting these templates into BICEP files could be highly beneficial. BICEP, being a more modern infrastructure as code (IaC) language for Azure, offers greater simplicity and readability, making it a potentially better choice for complex deployment scenarios.

So, let's take a deeper dive into this topic!

The deployment codes in YAML

Here we have a YAML snippet for deploying at the subscription level. It is part of an Azure Pipeline, designed to automate and simplify the deployment process, and it uses the Azure CLI to create the deployment. Two key features are that it can handle both Dutch and English policies (on which I will circle back later on) and that it can deploy at either the subscription or the management group level.

Deployment at Subscription level

- task: AzureCLI@2
  displayName: 'Deploy Bicep at Subscription Level'
  inputs:
    azureSubscription: "AzureConnection"
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      # Template expressions (${{ }}) are expanded at pipeline compile time,
      # $(Build.BuildNumber) at run time.
      az deployment sub create --name '$(Build.BuildNumber)' --location ${{ parameters.Location }} \
        --template-file "CICD/Department/${{ parameters.Department }}/${{ parameters.TemplateFile }}" \
        --parameters IsDutch=${{ parameters.IsDutch }} IsManagementGroup=${{ parameters.IsManagementGroup }}

The YAML script below targets the management group level. Like its counterpart, it automates the deployment, but at a broader scope, applying the policies across every subscription under the management group. This is particularly useful for larger organizations that require a consolidated approach to Azure resource management.

Deployment at Management Group level

- task: AzureCLI@2
  displayName: 'Deploy Bicep at Management Group Level'
  inputs:
    azureSubscription: "AzureConnection"
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      # Same as the subscription deployment, but 'az deployment mg' needs the
      # management group to deploy into.
      az deployment mg create --name '$(Build.BuildNumber)' --location ${{ parameters.Location }} \
        --management-group-id "${{ parameters.ManagementGroupName }}" \
        --template-file "CICD/Department/${{ parameters.Department }}/${{ parameters.TemplateFile }}" \
        --parameters IsDutch=${{ parameters.IsDutch }} IsManagementGroup=${{ parameters.IsManagementGroup }}

The Policies in Bicep

The main.bicep at the Subscription level sets the target scope to subscription. This script decides whether to apply Dutch or English BIO policies based on the 'IsDutch' parameter. It dynamically invokes the relevant BIO module, ensuring the policies are appropriately aligned with the selected language.

main.bicep at Subscription level

param IsDutch bool
param SubscriptionName string


targetScope = 'subscription'


resource Subscription 'Microsoft.Subscription/aliases@2021-10-01' existing = {
  name: SubscriptionName
  scope: tenant()
}


// Module paths are relative to this file; only the module matching the
// selected language is deployed.
module BioEnSub './BIO-EN-Subscription-Module.bicep' = if (!IsDutch) {
  name: 'BioEnSub'
  params: {}
}

module BioNlSub './BIO-NL-Subscription-Module.bicep' = if (IsDutch) {
  name: 'BioNlSub'
  params: {}
}

Similar to the subscription-level script, this main.bicep file is set up for management group level deployments. It selects the Dutch or English BIO module in the same way, but applies the policies across the broader range of resources under the management group. You might be wondering why this isn't one single main.bicep file together with the subscription-level code; unfortunately, that is due to the much needed targetScope property, which is a static, compile-time setting and cannot be chosen at deployment time. This also affects the number of modules: instead of one dynamic module, the code is split into four separate files, each with its own scope and language.

main.bicep at Management Group level

param IsDutch bool
param ManagementGroupName string


targetScope = 'managementGroup'


resource ManagementGroup 'Microsoft.Management/managementGroups@2021-04-01' existing = {
  name: ManagementGroupName
  scope: tenant()
}


// Module paths are relative to this file; only the module matching the
// selected language is deployed.
module BioEnMngtGrp './BIO-EN-ManagementGroup-Module.bicep' = if (!IsDutch) {
  name: 'BioEnMngtGrp'
  params: {}
}

module BioNlMngtGrp './BIO-NL-ManagementGroup-Module.bicep' = if (IsDutch) {
  name: 'BioNlMngtGrp'
  params: {}
}

Due to the large size of the Bicep modules (approximately 9,000 lines), they are hosted in a dedicated GitHub repo rather than in this blog post. They are conversions and translations of the ARM templates already present in the BIO-Compliancy repository, made more readable and maintainable by Bicep's more concise syntax.
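To give an idea of what those modules contain, here is an added example of a single subscription-scoped policy assignment in Bicep, with the same language switch as main.bicep. It is my own illustration, not code from the BIO-Compliancy repository or from the modules mentioned above; the assignment name, the display texts and the policyDefinitionId placeholder are assumptions.

```bicep
// Added example, not part of the BIO-Compliancy modules: the shape of one
// policy assignment inside a subscription-scoped BIO module.
targetScope = 'subscription'

// Same language switch as main.bicep; here it only affects the displayed text.
param IsDutch bool = false

// Assumed placeholder: the resource ID of the (built-in or custom) policy
// definition that implements the BIO control being assigned.
param policyDefinitionId string

// A location is required because the assignment gets a managed identity,
// which DeployIfNotExists and Modify effects need to remediate resources.
param location string = deployment().location

// Start in audit mode so existing resources can be reviewed before
// switching enforcementMode to 'Default'.
param auditOnly bool = true

resource bioAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'bio-example-assignment'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    displayName: IsDutch ? 'BIO: voorbeeldmaatregel' : 'BIO: example control'
    description: IsDutch ? 'Toegewezen door de BIO NL module.' : 'Assigned by the BIO EN module.'
    policyDefinitionId: policyDefinitionId
    enforcementMode: auditOnly ? 'DoNotEnforce' : 'Default'
    nonComplianceMessages: [
      {
        message: IsDutch ? 'Deze resource voldoet niet aan de BIO.' : 'This resource is not BIO compliant.'
      }
    ]
  }
}

// Expose the identity so the caller can grant it the role the policy effect needs.
output assignmentPrincipalId string = bioAssignment.identity.principalId
```

The management group variant differs only in targetScope = 'managementGroup', which is exactly why the page ends up with four separate module files.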

What's next?

I recently invested in an office space that's still under construction. This new location is destined to become a hub for community activities, including events, collaboration days, and workspaces. While this venture demands significant financial resources, it also involves managing various aspects of the building process. So, keep an eye out for next month's blog, as it will be a surprise for all of us!