Devops Pipeline task to access multiple subscriptions - azure

A Devops pipeline is linked to one subscription. Is it possible to access resources in multiple subscription from one task in a pipeline?

Is it possible to access resources in multiple subscription from one task in a pipeline?
AFAIK, I do not think it is possible to access resources in multiple subscription from one task.
Just as you know, we could only link one subscription in one task:
If deploying to multiple environments, we could create a Release pipeline with multiple environments. Then add a Deploy task for every environment and choose a different Azure Service Connection in each environment. Then you could deploy one app to different Azure environments through one release pipeline.
Hope this helps.

This should be doable with Lighthouse configurations.
https://adatum.no/azure/multi-subscription-deployment-with-devops-and-azure-lighthouse
You would have to create a new Azure DevOps SPN. You can then in turn give this SPN account access to the subscription via Lighthouse.

Related

Azure Devops: securing deployments to on-premise servers at webapp level

It's clear that you can set which roles can deploy to a certain on-premise server thanks to the security settings in Deployment Groups and Agent pools. But is there any way of restricting access at webapp level?
The only ways I found are:
1. Creating a specific account, giving it deployment permissions in the target server's IIS for the required webapps only, and providing these credentials to the developers in charge of creating the pipelines for deploying those webapps (they will put them as custom environment vars or similar in pipelines).
2. Same as 1 but using the created account as a service account for an agent. Access to this agent will be restricted to the developers in charge of creating the pipelines for deploying those webapps.
Both cases require creating new accounts and giving permissions on the server's IIS. Is there no way of doing this from Azure DevOps in the same way that access to whole servers can be restricted?
Regards.
It's clear that you can set which roles can deploy to a certain on-premise server thanks to the security settings in Deployment Groups and Agent pools. But, any way of restrict access at webapp level?
Sorry, but as far as I know Azure DevOps Service doesn't support such an out-of-box feature.
We can manage access at the Organization level (Organization settings), Project level (Project settings), Feature level (Security of the Pipelines/Deployment Groups feature...) and even the 'instance level' (set security for one specific pipeline/deployment group/one specific git repo).
But the 'instance level' is the lowest level; we can only manage access to a specific pipeline or a specific deployment group, not to one webapp that will be deployed by that pipeline/deployment group.
The webapp is not an object hosted by Azure DevOps Service, it's just something to be deployed by pipelines (hosted by Azure DevOps Service). So Azure DevOps Service actually has no knowledge of the webapp (it also won't have a UI that represents one webapp); that's why we can manage access to the pipeline but not to a webapp in that pipeline...
Update 1
Once you have only one deployment group for the specific target server, you can determine who can access the deployment group here:
The person who is assigned with reader permission can't use the deployment group to do the deploy.
Ok, following the suggestion from #Lance and after some research, this is what I'm planning to do:
1. Creating a custom service connection where the following fields can be set: IIS Server where the WebApp is, Webapp name, User (with permissions to deploy) and Password.
2. Together with the custom Service connection I will provide a custom task where the developer team can select the service connection against which they want to do the deployment (obviously, server admins will only configure service connections to webapps which this team is allowed to deploy).
3. The agent will run with a low-privileged account (no way of affecting any app) and the custom task will internally use the creds provided in the service connection to perform the deployment.
I think that approach is the best workaround to the initial problem and can be extended to fix the granularity problem in other kinds of resources (like DBs, Shared Folders, ...) by simply adding another specific custom service connection (to specify the resource and the deployment credentials) and a linked custom task which allows deployments only against that resource.
The only drawback is the fact that, if you want to set a deployment approval, you have to do it at resource level (for every webapp, for every DB, ...) and that means that approvers will have to approve resource by resource when deploying as well (instead of a single approval for the whole application deployment, as, in my understanding, it should be).
What do you think guys? Any remarks before I start coding this?
Regards.

How to tie VSTS (aka Azure DevOps) account to Azure Subscription

I understand how to create a new DevOps project from https://portal.azure.com and I see how that creates a new DevOps organisation or reuses an existing one (scoped to that AzureAD).
A new project is also created as well as an associated WebApps project.
These are my challenges:
1. When one creates a new Project in that DevOps organisation, it doesn't show up for management in https://portal.azure.com. How can one ensure the resources consumed by that project are part of the Azure Subscription to which the parent organisation is tied? Or is that the default?
2. What is the easiest way of tying existing DevOps organisations and projects to an Azure subscription to allow increasing the default 5 user limit and consuming more pipeline resources?
There doesn't seem to be any documentation anywhere that directly addresses these issues for me.
You may use Azure DevOps Organizations to connect your Azure subscription with your DevOps account:
Then you may use users from Azure Active Directory on Azure DevOps and manage billing (get more licenses):
Also you may use DevOps Project wizard to create a team project from a template:
Additional links:
Quickstart: Set up billing for your organization
Azure DevOps Projects
Tutorial: Connect your organization to Azure Active Directory
Quickstart: Pay for more Basic users
About access levels

Can I connect VSTS to multiple Azure Accounts using Service Connections?

I want to deploy a web app using CI/CD from VSTS to multiple (customer) Azure accounts. So not multiple subscriptions within the same Azure account, but multiple different Azure accounts owned by customers.
The app is a managed app from the Azure Marketplace so I have full access to the resource group in which the app resides.
Is there an easy way to do this using service connections and the web deploy task or should I be using Powershell to do this and script it myself?
Please create multiple Service Connections in your VSTS that connect to these Azure accounts first.
Then please create a Release pipeline with multiple environments. Then add a Deploy task for every environment and choose a different Azure Service Connection in each environment. Then you could deploy one app to different Azure environments through one release pipeline.
It turns out that with a Managed App, for every customer deployment a resource group is created that I own and therefore shows up in my Azure account.
So from VSTS I can just use Service Connections to those resource groups, no need to connect to these other Azure accounts.
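The two answers above (one release pipeline, one environment per target, each environment bound to its own Azure service connection) describe a classic-release layout. The following YAML pipeline is an added example, not code from any of the posts, that expresses the same idea: one deployment stage per target subscription, generated from a parameter list, each stage using only the service connection scoped to that subscription. The service connection names, Web App names and the placeholder build step are assumed values; the `AzureWebApp@1` task and the `${{ each }}` template syntax are standard Azure Pipelines features.

```yaml
# Added example (not from the answers above): one YAML pipeline with one
# deployment stage per target subscription. Each stage names a different
# Azure Resource Manager service connection, so a stage can only reach the
# subscription its connection was created for. The service connection and
# app names below are assumed placeholders that must exist in the project.
trigger:
  - main

parameters:
  # One entry per target subscription (constructed sample values).
  - name: targets
    type: object
    default:
      - name: customerA
        serviceConnection: sc-customer-a   # assumed service connection name
        appName: webapp-customer-a         # assumed Web App name
      - name: customerB
        serviceConnection: sc-customer-b   # assumed service connection name
        appName: webapp-customer-b         # assumed Web App name

stages:
  - stage: Build
    jobs:
      - job: Build
        pool:
          vmImage: ubuntu-latest
        steps:
          # Placeholder build: a real pipeline would compile and package here.
          - script: |
              mkdir -p "$(Build.ArtifactStagingDirectory)"
              echo "hello" > "$(Build.ArtifactStagingDirectory)/index.html"
              (cd "$(Build.ArtifactStagingDirectory)" && zip -r app.zip index.html)
            displayName: Package app (placeholder build)
          - publish: $(Build.ArtifactStagingDirectory)/app.zip
            artifact: drop

  # One deployment stage per target, expanded at compile time from the list.
  - ${{ each target in parameters.targets }}:
    - stage: Deploy_${{ target.name }}
      dependsOn: Build
      jobs:
        - deployment: Deploy
          # Environments carry their own approvals and checks, so each
          # target can be gated independently.
          environment: ${{ target.name }}
          pool:
            vmImage: ubuntu-latest
          strategy:
            runOnce:
              deploy:
                steps:
                  - download: current
                    artifact: drop
                  - task: AzureWebApp@1
                    inputs:
                      # Service connection scoped to this target's subscription.
                      azureSubscription: ${{ target.serviceConnection }}
                      appName: ${{ target.appName }}
                      package: $(Pipeline.Workspace)/drop/app.zip
```

The service connection name is supplied through a `${{ }}` template expression, which is resolved when the pipeline is compiled, so the connection is known and authorized before any job runs. Keeping one connection per subscription, each backed by a service principal with rights only in that subscription, limits what a compromised stage could touch to a single customer environment.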

Is it possible to move existing VSTS resources to a new Azure subscription without issue?

We have a situation where we are in development and experiencing a lot of delay and resistance from the Azure admin, who is creating costly delays and impacting deadlines.
I would like to create our own Azure subscription to allow us to fully admin our environment and pipelines as we see fit, without needing to go through the aforementioned resource. The admin can link our Dev subscription to their corporate AD later.
We already have some projects in VSTS, build scripts, began some CD development.
Obviously on a new subscription we would just recreate the pipelines and resources. However, since it would be a new AD, how would this impact our ability to still view content and resources in VSTS?
Link the new AD to the projects?
You can easily associate a VSTS instance with a different Azure subscription, no need to recreate anything. This can be done via the Azure Portal. It can still be connected to the same Azure AD.

Parameterize Azure subscription in Vsts build task

I have some build tasks that should be run against resources located in different Azure subscriptions. In order to have only one build definition to maintain, I need to be able to parameterize the Azure Subscription field.
For the moment, I have to duplicate the original build definition and only change the subscription in each one, which is painful to maintain.
The sample below does not work. I tried with the subscription ID, the subscription name, connected service name...
How can I do that?
It's already supported by VSTS.
Here are the steps to follow:
1. Create a release definition with Azure resource group deployment tasks.
2. In all tasks, choose a valid endpoint. You'll need to do it multiple times and a variable cannot be used here.
3. Create a task group with the tasks above. It would not have Azure subscription as a parameter.
4. Go to the task group and for each task in the group, you can update the subscription to $(AzureSubscription).
5. On saving of the task group, the Azure subscription would be bubbled up as a parameter.
You can’t parameterize Azure subscription field in build or release.
There is a similar user voice that you can vote and follow up: Allow service connections to be parameterized in task groups