I´m playing around with Azure Container Apps, but I'm running into a small issue when trying to deploy through Azure Pipelines, the thing is that I have one Azure Container Registry and I want to create a new Revision for ca-sandbox-1 and ca-sandbox-2, but since there are in different Resource Group I always get a "Forbidden" when executing Azure Pipelines
If I create the Azure Container Registry in the same Resource Group the pipeline works well.
Now If I try to create a new revision in two different Resource Group, only works from AzureCLI or VSCode. Is there a way of making this work from Azure Pipelines?
Azure
rg-core (Resource Group)
acrcore (Azure Container Registry)
ca-core (Azure Container App)
rg-sandbox-1 (Resource Group)
ca-sandbox-1 (Azure Container App)
rg-sandbox-2 (Resource Group)
ca-sandbox-2 (Azure Container App)
Azure-pipeline.yml
- main
stages:
- stage: Build
displayName: Build and push stage
jobs:
- job: Build
displayName: Build
pool:
vmImage: 'ubuntu-latest'
steps:
- task: Docker#2
displayName: 'docker build and publish'
inputs:
containerRegistry: 'acr-core-connection'
repository: 'ca-core'
command: 'buildAndPush'
Dockerfile: '**/Dockerfile'
buildContext: '.'
- task: AzureContainerAppsRC#0
inputs:
azureSubscription: 'subs-rg-core'
acrName: 'acrcore'
imageToDeploy: 'acrcore.azurecr.io/api-sandbox:$(Build.BuildId)'
containerAppName: 'ca-sandbox-1'
resourceGroup: 'rg-sandbox-1'
targetPort: '80'
Is there a way of making this work from Azure Pipelines?
From your description, you need to access the azure container registry and azure container app in different Resource Groups.
To meet your requirement, you need to create a Service Connection at Subscription Level.
Navigate to Project Settings -> Service Connections -> Select Azure Resource Manager Service Connection. Then you can only select Azure Subscription.
In this case, the Service Connection will have access to whole Azure Subscription.
For example:
Related
I have an integration test that needs to access the cosmosdb in azure cloud. Locally I need to login to the azure and then run the test
az login
poetry run pytest test/integration
My question is how can I implement the equivalent of az login in the azure DevOps pipeline? Isn't the Azure DevOps Server is already connected to the Azure cloud naturally?
The recommended way to access resources in Azure is to create an Azure Resource Manager -type service connection from Project Settings -> Service Connections -> New Service Connection -> Azure Resource Manager -> Service Principal (automatic). Creating a service connection requires you to have sufficient rights to the target Azure Subscription.
A service connection is essentially a service principal that then needs to be authorized to access the resources needed. In this case, you'd have to grant this service principal the (absolutely minimal) access it needs in order to perform the tests.
I'm not an expert on Cosmos DB, but I do know that it supports multiple ways of securely accessing the data, so you might want to explore options like logging in with access keys as well. You can run Az Cli commands in pipeline with the Azure Cli task like this:
- task: AzureCLI#2
displayName: Azure CLI
inputs:
azureSubscription: '$(azureSubscriptionName)'
scriptType: pscore
scriptLocation: inlineScript
inlineScript: |
az command parameters
With the service connection name in $(azureSubscriptionName) and actual command (s) with inlineScript (or reference a physical script if that's more suitable). Just remember that you are operating in Azure via the service connection/principal, so you need to grant that sufficient rights to do what needs to be done.
There are multiple ways to do this, so a bit of exploration is required. Also, there seems to be something called Cosmod DB emulator and you might want to check that out first - when running unit/integration tests, the best practice would be not having to access an actual resource at all.
(If you are actually running tests on Azure DevOps Server, and not Azure DevOps Service, there might be some additional obstacles I'm not aware of - haven't used the on-premises version in a while)
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops
https://learn.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key
https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control
https://learn.microsoft.com/en-us/azure/cosmos-db/tutorial-setup-ci-cd
https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-cli?view=azure-devops
I created a resource group and various resources inside it. In Resources I have ADF & Pipelines, SQL Server, DBs & Objects, Logics Apps, AAS Models, Storage Accounts etc.
Now I want to check-in all my information into source control for versioning. I have Azure Devops as well. My need is that I want to deploy the resources and objects into another environment.
e.g I have a dev environment. I created all resources in a resource group. I did not use any template or source control while building this environment. I got Azure DevOps now. Now I want to built the test set up from the dev environment. How do I achieve this?
Any help is appreciated. Thank you.
You can first export the Template from your Azure resource group portal. See below:
1, Go to Azure Resource Group portal-->Click Export template under Automation-->Download
You can also use Az cli/Azure powershell to export the template. See example commands here
Please check the documents here to learn more about how to manage your azure resource using ARM Template.
2, Sync the ARM template downloaded in above step to your azure repo.
3, Create an azure Resource Manager service connection to connect your Azure subscription to Azure devops. See this thread for an example.
4, Create an azure devops pipeline to automate the azure resource deployment.
5, Add Azure Resource Manager (ARM) Template Deployment Task in your azure pipeline to deployment the template exported in the first step.
steps:
- task: AzureResourceManagerTemplateDeployment#3
displayName: 'ARM Template deployment: Resource Group scope'
inputs:
azureResourceManagerConnection: 'azuresubscriptionServiceConnection'
subscriptionId: '......'
resourceGroupName: 'Resource-group'
location: 'East US'
csmFile: template.json
csmParametersFile: parameters.json
Above just gives you the general steps you need to take when deploying azure resources via azure devops pipeline. You need to explore the documents for yourself to learn how to customize your pipeline, how to create ARM template, And how to use the AzureResourceManagerTemplateDeployment task.
I have a Pipeline in Azure DevOps that should build and push a Docker image to an Azure Container Registry. Therefore I have a service connection (type: docker registry) in place in order to authorize the pipeline to push. If I remove the network restriction in the container registry everything goes just fine.
As soon as I want to restrict the network access it does not work anymore and I get a "denied" in the pipeline output of the docker task. I also tried to add the Azure DevOps IP ranges (13.107.43.0/24, 13.107.42.0/24, 13.107.9.0/24, 13.107.6.0/24).
Any idea what is wrong?
Actually, all the tasks run in the agents when you use the Pipeline. And the network of the agents, you can take a look here. As you see you need to allow the IP addresses of the agents, and the IP ranges vary over time. Every week you need to add the new IP addresses in the firewall rules for your organization region. So it's a little troublesome.
Compare with control the access IP address, I recommend you control the permission of the credential of the ACR. If a person does not have enough permission, he can't do the things required special permission even if he can access the ACR. Here are the details about the permission oo ACR.
you could add the agent IP dynamically in the pipeline before the push, and do an equivalent remove afterwards:
- task: AzureCLI#2
inputs:
azureSubscription: $(ACR_SERVICE_CONNECTION_NAME)
scriptType: pscore
scriptLocation: inlineScript
inlineScript: |
# Open firewall on ACR for IP of current agent
$agentIp = (New-Object net.webclient).downloadstring("http://checkip.dyndns.com") -replace "[^\d\.]"
az acr network-rule add -n YourACRName--ip-address $agentIp
I'm using a pipeline to deploy function app to azure, in my code I have to use certificate server uri(key vault reference in config file) to get permission.How can I get the Secret Identifier value as a variable when deploy to app services.I just want to deploy this variable from keyvault in pipeline automatically.
Here I'm using Azure keyvault Task:
steps:
- task: AzureKeyVault#1
displayName: 'Azure Key Vault: KV-Secrets-Dev'
inputs:
azureSubscription: 'Azure: DEV'
KeyVaultName: 'KV-Secrets-Dev'
and them deploy funtion app with appsettings:
-clientCertificatePfx #Microsoft.KeyVault(SecretUri=$(spdevpfx))
here I can get the certtificate valut from $(spdevpfx),but I just want it as a server URI,how to get it?
You are not able to get the Secret URI with Azure KeyVault Task in Azure DevOps. Explained in the official documentation:
Use this task in a build or release pipeline to download secrets such
as authentication keys, storage account keys, data encryption keys,
.PFX files, and passwords from an Azure Key Vault instance. The task
can be used to fetch the latest values of all or a subset of secrets
from the vault, and set them as variables that can be used in
subsequent tasks of a pipeline.
Workaround
You may use the Azure PowerShell task to get the id of your secret. And then pass it to the next task by setting it to an environment variable.
I have a question regarding Azure DevOps, It seems it is not possible to set in pipeline's jobs Azure subscription field using variables. On attempt to do this I'm getting the error message:
The pipeline is not valid.
I was trying to use in variable:
Subscription ID
Service Connection Name
Service Connection ID
But with no luck - the same issue again and again. Since I need to change subscriptions for pipeline very often, it's very critical problem for me. Could you please elaborate the issue?
If you use YAML pipelines you could configure your subscription as variable as follows:
- task: AzureCLI#2
inputs:
azureSubscription: '$(SubscriptionId)'
scriptType: 'ps'
scriptLocation: 'inlineScript'
inlineScript: |
az --version
az account show
Variable settings
And during every build you can override your azure subscription.