"Azure 'one-click' control with an Entra ID app registration and GitHub Actions CI; implemented with a least-privilege approach (E5 dev sandbox)."

FirdevsTorlak/big-red-button-azure


Big Red Button – Azure VM On‑Demand (WCD Bank)

This repo gives WCD Bank a one‑click (or near one‑click) way to deploy a temporary contractor VM inside the bank’s Azure tenant, with least‑privilege access to only what’s required.

You can trigger it in three ways:

  1. Deploy to Azure button (Portal UI) – after you push this repo to GitHub, replace the RAW URL below with your repo’s template URL (see the “Deploy to Azure” button section).

    Deploy to Azure

  2. GitHub Actions – Manual trigger (workflow_dispatch) – click Run workflow in the Actions tab and fill the inputs.

  3. Local Terraform – run from your machine or Azure Cloud Shell.


What gets deployed

  • Resource Group, VNet/Subnet, NSG
  • Optional Public IP (or use Bastion; default is no public IP)
  • A Windows or Linux VM (choose via input)
  • System‑assigned Managed Identity
  • RBAC: Assign the contractor just the VM login role + optional Reader on RG

Default security posture is conservative: no public IP, with RDP/SSH reached through Bastion or a Privileged Access Workstation. If you must expose the VM directly, restrict the NSG inbound rule to your office IP/CIDR (allowed_ip, e.g. 203.0.113.10/32); never leave the source as 0.0.0.0/0 or *.


Quick start – GitHub Actions

  1. Create an Azure Service Principal and save its JSON as the repository secret AZURE_CREDENTIALS. Contributor on the target subscription (or management group, if you scope differently) covers the infrastructure, but Contributor does not include Microsoft.Authorization/roleAssignments/write, so the RBAC step in the workflow also needs User Access Administrator (or Owner); grant it at the narrowest scope you can, ideally the target resource group. The JSON below is the --sdk-auth shape that azure/login accepts; it carries a long-lived client secret, so rotate it, or replace it with a federated (OIDC) credential on the app registration so no secret is stored in GitHub at all.

    Example JSON structure for the secret:

    {
      "clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "clientSecret": "YOUR-SP-SECRET",
      "subscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
      "resourceManagerEndpointUrl": "https://management.azure.com/",
      "activeDirectoryGraphResourceId": "https://graph.windows.net/",
      "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
      "galleryEndpointUrl": "https://gallery.azure.com/",
      "managementEndpointUrl": "https://management.core.windows.net/"
    }
  2. (Optional) Add repo secrets for defaults:

    • TF_VAR_admin_username
    • TF_VAR_admin_password (Windows) or TF_VAR_ssh_public_key (Linux)
    • TF_VAR_contractor_upn
    • TF_VAR_allowed_ip (e.g., 203.0.113.10/32)
  3. Go to Actions → Deploy Contractor VM, click Run workflow, set inputs, and go.


Quick start – Local Terraform (Cloud Shell works too)

cd infra/terraform
terraform init
terraform plan -var='prefix=wcd' -var='location=australiaeast' -var='vm_os=windows' -var='admin_username=contractor' -var='admin_password=ChangeMe!234' -var='create_public_ip=false'
terraform apply -auto-approve -var='prefix=wcd' -var='location=australiaeast' -var='vm_os=windows' -var='admin_username=contractor' -var='admin_password=ChangeMe!234' -var='create_public_ip=false'

ChangeMe!234 is a placeholder. Passing the password as -var leaves it in your shell history (and the Cloud Shell session log); prefer export TF_VAR_admin_password=... or a *.tfvars file kept out of git, and drop -auto-approve so you review the plan before it is applied. Terraform state still stores the password in clear text, so keep terraform.tfstate in a locked-down remote backend rather than on a laptop.

Outputs will include the Resource Group, VM ID, and a Portal URL you can click.


RBAC “some but not all”

  • The workflow assigns the user at VM scope, not at subscription or resource-group scope:
    • Virtual Machine User Login (default) or Virtual Machine Administrator Login if you choose so
  • Both roles only govern Entra ID sign-in to the guest OS. They take effect only when the AADLoginForWindows / AADSSHLoginForLinux extension is installed on the VM (it relies on the system-assigned managed identity), and neither role lets the contractor start, stop or reconfigure the VM.
  • Optionally adds Reader on the Resource Group for inventory visibility.
  • Put your contractor in Entra ID with a UPN like first.last@yourtenant.onmicrosoft.com and pass that as contractor_upn.
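The "restrict to your office IP/CIDR" rule from the security posture section and the VM-scoped role assignment described above, as one added Terraform example. This is not the repo's own infra/terraform code; it assumes the module already declares azurerm_resource_group.rg, azurerm_network_security_group.nsg and azurerm_windows_virtual_machine.vm (hypothetical names) and that the azuread provider points at the same tenant.

```hcl
# Added example, not the project's own module. Assumed to exist elsewhere:
#   azurerm_resource_group.rg, azurerm_network_security_group.nsg,
#   azurerm_windows_virtual_machine.vm  (hypothetical resource names)

variable "contractor_upn" {
  description = "Entra ID UPN, e.g. first.last@yourtenant.onmicrosoft.com"
  type        = string
}

variable "admin_login" {
  description = "true = Virtual Machine Administrator Login, false = Virtual Machine User Login"
  type        = bool
  default     = false
}

variable "grant_rg_reader" {
  description = "Also grant Reader on the resource group for inventory visibility"
  type        = bool
  default     = false
}

variable "allowed_ip" {
  description = "CIDR allowed to reach RDP; empty string = no inbound rule (Bastion/PAW only)"
  type        = string
  default     = ""
  validation {
    condition     = var.allowed_ip == "" || can(cidrhost(var.allowed_ip, 0))
    error_message = "allowed_ip must be empty or a CIDR such as 203.0.113.10/32."
  }
}

# Role assignments take an object ID, not a UPN, so resolve it first.
data "azuread_user" "contractor" {
  user_principal_name = var.contractor_upn
}

# Entra ID sign-in to the guest only works once this extension is present;
# it uses the VM's system-assigned managed identity.
resource "azurerm_virtual_machine_extension" "aad_login" {
  name                       = "AADLoginForWindows"
  virtual_machine_id         = azurerm_windows_virtual_machine.vm.id
  publisher                  = "Microsoft.Azure.ActiveDirectory"
  type                       = "AADLoginForWindows"
  type_handler_version       = "2.0"
  auto_upgrade_minor_version = true
}

# "Some but not all": scope is the single VM, never the subscription.
resource "azurerm_role_assignment" "vm_login" {
  scope                = azurerm_windows_virtual_machine.vm.id
  role_definition_name = var.admin_login ? "Virtual Machine Administrator Login" : "Virtual Machine User Login"
  principal_id         = data.azuread_user.contractor.object_id
}

# Optional read-only visibility, still limited to the resource group.
resource "azurerm_role_assignment" "rg_reader" {
  count                = var.grant_rg_reader ? 1 : 0
  scope                = azurerm_resource_group.rg.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_user.contractor.object_id
}

# Inbound RDP only from allowed_ip. With an empty allowed_ip no rule is
# created, so the NSG's built-in DenyAllInbound stays in force.
resource "azurerm_network_security_rule" "rdp_from_office" {
  count                       = var.allowed_ip == "" ? 0 : 1
  name                        = "allow-rdp-from-office"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "3389"
  source_address_prefix       = var.allowed_ip
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.rg.name
  network_security_group_name = azurerm_network_security_group.nsg.name
}
```

The validation block rejects a bare IP without a prefix length before plan, and the count on the NSG rule means "no allowed_ip" produces no allow rule at all rather than a rule with a wildcard source. For a Linux VM swap the extension to publisher Microsoft.Azure.ActiveDirectory, type AADSSHLoginForLinux and port 22.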

Cost & hygiene

  • Default sizes: Standard_B2ms (Windows) or Standard_B1ms (Linux). Adjust per policy.
  • Enable Spending cap on trial subs, use Auto-shutdown on the VM, and tag all resources:
    • env=contractor, owner=devops, expiry=YYYY-MM-DD
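The tagging and auto-shutdown hygiene above, as an added Terraform example (not the repo's own code). It assumes azurerm_windows_virtual_machine.vm and azurerm_resource_group.rg are declared elsewhere (hypothetical names) and that every resource in the module sets tags = local.tags.

```hcl
# Added example, not the project's own module. Assumes
# azurerm_windows_virtual_machine.vm and azurerm_resource_group.rg exist
# elsewhere (hypothetical names).

variable "owner" {
  type    = string
  default = "devops"
}

variable "expiry" {
  description = "Last day this contractor VM should exist, YYYY-MM-DD"
  type        = string
  validation {
    condition     = can(regex("^\\d{4}-\\d{2}-\\d{2}$", var.expiry))
    error_message = "expiry must be in YYYY-MM-DD form."
  }
}

# One tag map applied everywhere, so an expiry sweep can find every
# resource this run created.
locals {
  tags = {
    env    = "contractor"
    owner  = var.owner
    expiry = var.expiry
  }
}

# Nightly auto-shutdown: the VM is deallocated at 19:00 local time so
# a forgotten box stops billing even if nobody runs the cleanup.
resource "azurerm_dev_test_global_vm_shutdown_schedule" "nightly" {
  virtual_machine_id    = azurerm_windows_virtual_machine.vm.id
  location              = azurerm_resource_group.rg.location
  enabled               = true
  daily_recurrence_time = "1900"
  timezone              = "AUS Eastern Standard Time"

  notification_settings {
    enabled = false
  }

  tags = local.tags
}
```

The expiry validation fails the plan early instead of leaving an untagged VM behind; the shutdown schedule deallocates rather than merely stops the VM, which is what stops compute charges.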

“Deploy to Azure” button

After you push this repo, replace REPLACE_WITH_URL_ENCODED_RAW_BICEP_OR_ARM_URL with the URL-encoded RAW link to the template. The Portal’s custom-deployment link (https://portal.azure.com/#create/Microsoft.Template/uri/<URL-encoded raw URL>) only accepts a compiled ARM JSON template, so build infra/bicep/main.bicep with az bicep build --file infra/bicep/main.bicep and link the resulting main.json (or an ARM json you maintain directly) rather than the .bicep file. You can use any URL encoder to encode the raw GitHub URL.


Cleanup

  • terraform destroy from infra/terraform
  • Or delete the Resource Group if you used Bicep/ARM

Support

Ping Samuel, Mark, Sofia on Teams if anything blocks you > 15 minutes.
