Azure Environment

The user account provisioned through the environment will have access to an isolated resource group per user, defined under O’Reilly’s global subscriptions. Note that the temporary user account is active for 60 minutes and is then deactivated. Please see the Azure Sandbox example (through direct link only) on learning.oreilly.com and an example source.

Lab Set-up

  1. Base imageID to configure in index.json:
    "imageid": "orm-azure"
  2. index.json should be configured to auto-execute the set-env.sh script.
    "intro": {
        "text": "intro.md",
        "courseData": "background.sh",
        "code": "set-env.sh"
    },
  3. The set-env.sh script should include:
    chmod +x /opt/get-azure
    # Retry up to 20 times, one second apart, until get-azure succeeds
    # and ~/.azureenv can be sourced into the current shell.
    for i in {1..20}; do
        /opt/get-azure && . ~/.azureenv && break || sleep 1
    done

The environment includes Azure credentials in the file ~/.azure-resp, and there is a helper script /opt/get-azure that configures the following environment variables:

  • Username: Active Directory user’s principal name. Follows the pattern user-*<random_characters>@oreilly-katacoda-cloudtraining.com.
  • Password: Active Directory user’s password.
  • Resource: Each user has one resource group associated under a common subscription (Azure subscription 1). The resource group has the same name as the Active Directory user. For example, if the user is user-zzzpzxkshdzs@oreilly-cloudlabs.com, the resource group is user-zzzpzxkshdzs. This resource group name can also be referenced using the $resource variable.

The user is assigned the CloudLabsOwner role on their associated resource group. This custom role is based on the built-in Owner role, but with the following notActions:

    "notActions": [
               "Microsoft.Authorization/policyAssignments/write",
               "Microsoft.Authorization/policyAssignments/delete",
               "Microsoft.Authorization/policyAssignments/exempt/action",
               "Microsoft.Authorization/policyExemptions/read",
               "Microsoft.Authorization/policyExemptions/write",
               "Microsoft.Authorization/policyExemptions/delete",
               "Microsoft.Authorization/roleAssignments/read",
               "Microsoft.Authorization/roleAssignments/write",
               "Microsoft.Authorization/roleAssignments/delete",
               "Microsoft.Authorization/roleDefinitions/read",
               "Microsoft.Authorization/roleDefinitions/write",
               "Microsoft.Authorization/roleDefinitions/delete"
           ],

These actions are disabled to prevent users from manipulating internal policies, to restrict resource providers, and to manage costs.
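
The following check is an added example, not part of the original page or of O’Reilly’s tooling: it evaluates the operations a lab step needs against the notActions listed above, so a lab author can see which steps the sandbox role will not grant before publishing. It assumes the custom role keeps the built-in Owner role's `Actions` of `*`; the lab steps are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Assumption: the custom role keeps the built-in Owner role's Actions ("*").
ACTIONS = ["*"]
# notActions copied from the CloudLabsOwner definition on this page.
NOT_ACTIONS = [
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Authorization/policyAssignments/delete",
    "Microsoft.Authorization/policyAssignments/exempt/action",
    "Microsoft.Authorization/policyExemptions/read",
    "Microsoft.Authorization/policyExemptions/write",
    "Microsoft.Authorization/policyExemptions/delete",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete",
]

def _matches(action, patterns):
    """Case-insensitive match with '*' wildcards, as in Azure role definitions."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_permitted(action):
    """One role's effective permission: matched by Actions, not by NotActions."""
    return _matches(action, ACTIONS) and not _matches(action, NOT_ACTIONS)

def blocked_steps(steps):
    """Map each lab step name to the required actions the role would not grant."""
    report = {}
    for name, actions in steps.items():
        denied = [a for a in actions if not is_permitted(a)]
        if denied:
            report[name] = denied
    return report

# Constructed lab plan (hypothetical step names; the strings are Azure operations).
LAB_STEPS = {
    "create storage account": ["Microsoft.Storage/storageAccounts/write"],
    "create user-assigned identity": ["Microsoft.ManagedIdentity/userAssignedIdentities/write"],
    "grant identity a role on storage": ["microsoft.authorization/roleAssignments/WRITE"],
    "audit who has access": ["Microsoft.Authorization/roleAssignments/read",
                             "Microsoft.Authorization/roleDefinitions/read"],
}

if __name__ == "__main__":
    for step, denied in blocked_steps(LAB_STEPS).items():
        print(f"{step}: not granted -> {', '.join(denied)}")
```

A role's notActions only subtract from that role's own Actions and are not a deny rule, so the result holds on the assumption that the lab user has no other role assignment granting the same operation.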

Notes:

  • The resource group region is limited to the East US, West US, and North Central US regions only.
  • The get-azure script already performs the az login in the background, so there is no need to include this command in the lab.

Pre-Installed Tools

  • Azure CLI
  • jmespath
  • databricks-cli
  • Extensions:
    • ad
    • aem
    • arcdata
    • authV2
    • azure-devops
    • azure-iot
    • baremetal-infrastructure
    • communication
    • connectedk8s
    • connectedmachine
    • costmanagement
    • customlocation
    • databox
    • databricks
    • datafactory
    • desktopvirtualization
    • dev-spaces
    • express-route-cross-connection
    • front-door
    • healthcareapis
    • hpc-cache
    • image-copy-extension
    • k8s-configuration
    • k8s-extension
    • kusto
    • managementpartner
    • ml
    • monitor-control-service
    • peering
    • rdbms-connect
    • redisenterprise
    • resource-graph
    • sap-hana
    • sentinel
    • spring
    • spring-cloud
    • ssh
    • stack-hci
    • storagesync
    • support
    • timeseriesinsights
    • vm-repair
    • vmware
    • webpubsub

Resource Providers

For the full list of resource providers currently allowed or disallowed for labs, please refer to the Azure Service Details page.