Upload IEF custom policies from Azure DevOps task? - azure

Anyone know if it's possible to upload custom policies via an Azure DevOps task?
The release pipeline might look like this:
Staging Environment - Deploy from Git to IEF, add suffix _staging
Block pipeline for manual testing
Prod Environment - Deploy to IEF without the staging suffix

It is possible through MS Graph API for Programmatic access to Custom Policies and Keysets.
You can use Graph API requests to create, update and delete custom policies. These are Graph API requests so you can integrate these in your pipeline but you need to manage the access token.

The MS Graph API is indeed the way to go. For a complete solution look here.
Details on integrating with a DevOps pipeline are here.

Reference 1. Check this blogpost on Custom Policies release automation with Azure DevOps
Reference 2. This extension, available in the Azure DevOps marketplace, does somewhat similar work
Reference 3. Here is Documentation from Azure, Deploy custom policies with Azure Pipelines
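
The staging/production flow from the question, combined with the Graph API upload the answers describe, as an added example that is not part of the original posts. Assumptions: the `trustFramework/policies/{id}/$value` endpoint and `application/xml` content type follow the Microsoft Graph documentation, the app registration holds the `Policy.ReadWrite.TrustFramework` application permission, and the helper names and the sample policy are constructed for illustration.

```python
import json
import re
import urllib.parse
import urllib.request

# Assumption: endpoint per Microsoft Graph docs; it is not stated on the page.
GRAPH = "https://graph.microsoft.com/beta/trustFramework/policies"
# Constructed sample policy (not from the page); real files are much longer.
SAMPLE = '''<TrustFrameworkPolicy TenantId="contoso.onmicrosoft.com"
  PolicyId="B2C_1A_signup_signin"
  PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_signup_signin">
  <BasePolicy>
    <TenantId>contoso.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>
</TrustFrameworkPolicy>'''
_ID = re.compile(r'((?:\bPolicyId="|PublicPolicyUri="[^"]*/|<PolicyId>)B2C_1A_[\w-]+)')

def prepare(xml, tenant, suffix=""):
    """Check the policy targets `tenant`, apply the suffix, return (policy_id, xml)."""
    found = re.search(r'\bTenantId="([^"]+)"', xml)
    if not found or found.group(1).lower() != tenant.lower():
        raise ValueError("policy TenantId does not match the target tenant")
    xml = _ID.sub(lambda m: m.group(1) + suffix, xml)
    return re.search(r'\bPolicyId="([^"]+)"', xml).group(1), xml

def get_token(tenant, client_id, client_secret):
    """Client-credentials token; read the secret from a secret pipeline variable."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default"}).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def build_upload(policy_id, xml, token):
    """PUT .../policies/{id}/$value creates the policy or replaces an existing one."""
    return urllib.request.Request(
        f"{GRAPH}/{urllib.parse.quote(policy_id, safe='')}/$value",
        data=xml.encode("utf-8"), method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/xml"})

def deploy(xml, tenant, suffix, client_id, client_secret):
    policy_id, xml = prepare(xml, tenant, suffix)
    token = get_token(tenant, client_id, client_secret)
    with urllib.request.urlopen(build_upload(policy_id, xml, token)) as resp:
        return resp.status
```

The staging stage calls `deploy(..., suffix="_staging", ...)` and the production stage passes an empty suffix; the `TenantId` check stops a file written for one tenant from being pushed to another.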

Related

Azure DevOps agent pool creating using Terraform

I need to create Azure DevOps agent pool using Terraform.
In Terraform I'm using microsoft/azuredevops provider. And resource azuredevops_agent_pool
In conclusion, I get the error: Error creating agent pool in Azure DevOps: Access denied. user needs Manage permissions to perform the action. For more information, contact the Azure DevOps Server administrator.
I have Administrator permissions in Azure DevOps.
What can I try with this error?
UPD. I can create an agent pool from the Azure DevOps web UI.
I am using authentication with a PAT. The PAT is configured for full access.
UPD2. I understood that access on Project Level is different from access on Organization Level. So I have full access on Project Level, but Terraform is trying to create the agent pool on Organization Level.
It's not possible at the moment. I face the same issue.
The issue has been open since 2020.
https://github.com/Azure/terraform-azurerm-aci-devops-agent/issues/4
As mentioned in the README.md:
Before running this module, you need to create an agent pool in your Azure DevOps organization and a personal access token that is authorized to manage this agent pool.
So it's not possible to automatically create an agent pool from the official Terraform Azure DevOps provider.
You might try to find a way through the Azure DevOps REST API:
https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/elasticpools/create?view=azure-devops-rest-7.1
You might also find this GitHub issue comment useful:
https://github.com/microsoft/terraform-provider-azuredevops/issues/204#issuecomment-962504540
Someone has already developed a way to do it with Terraform using local-exec combined with Azure CLI/PowerShell/REST API.

approve mechanism azure apim policies

In azure api-->Inbound Processing-->Policies
Some of our developers are changing these policies and we have no LOG or approval (PR) mechanism.
We want a pull request or a similar mechanism for that area.
If any developer changes policies, it should be approved before going live.
Can you give me some Keywords or information if possible.
I don't know how to search for it.
You can establish CI/CD for API Management using Azure Resource Manager templates.
After API developers have finished developing and testing an API, and have generated the API templates, they can submit a pull request to merge the changes to the publisher repository.
API publishers can validate the pull request and make sure the changes are safe and compliant. For example, they can check if only HTTPS is allowed to communicate with the API. Most validations can be automated as a step in the CI/CD pipeline.
Once the changes are approved and merged successfully, API publishers can choose to deploy them to the Production instance either on schedule or on demand. The deployment of the templates can be automated using GitHub Actions, Azure Pipelines, Azure PowerShell, Azure CLI, or other tools.
Azure API Management DevOps Resource Kit is a great place to start with.
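
One way to automate the HTTPS-only validation mentioned above as a pull request build step, as an added example that is not part of the original answer or of the Resource Kit. It assumes the generated templates declare APIs as top-level `Microsoft.ApiManagement/service/apis` resources with a `properties.protocols` list; the sample template and function names are constructed for illustration.

```python
import json
import sys

API_TYPE = "microsoft.apimanagement/service/apis"

# Constructed ARM template fragment (not from the page): one compliant API, two not.
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.ApiManagement/service/apis", "name": "apim/orders",
   "properties": {"path": "orders", "protocols": ["https"]}},
  {"type": "Microsoft.ApiManagement/service/apis", "name": "apim/legacy",
   "properties": {"path": "legacy", "protocols": ["http", "https"]}},
  {"type": "Microsoft.ApiManagement/service/apis", "name": "apim/draft",
   "properties": {"path": "draft"}},
  {"type": "Microsoft.ApiManagement/service/products", "name": "apim/starter",
   "properties": {"displayName": "Starter"}}
]}
""")

def non_https_apis(template):
    """Return [(api name, protocols)] for API resources that are not HTTPS-only.

    An API with no explicit protocols list is reported too, so the check
    fails closed instead of relying on a service default.
    """
    findings = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != API_TYPE:
            continue
        protocols = [p.lower() for p in res.get("properties", {}).get("protocols", [])]
        if protocols != ["https"]:
            findings.append((res.get("name"), protocols))
    return findings

def main(paths):
    """Pipeline entry point: exit code 1 fails the pull request build."""
    failed = False
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for name, protocols in non_https_apis(json.load(fh)):
                print(f"{path}: API {name} allows {protocols or 'unspecified'}")
                failed = True
    return 1 if failed else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it over the template files changed in the pull request and make the build a required check on the publisher repository's main branch, so a policy or API change cannot merge without passing it and being approved.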

How To Restrict Transaction between states in azure devops server?

I have decided to restrict transaction between two states in Azure DevOps Server in an inherited process,
but I do not know whether it is supported or not.
If it is supported, how do I do it?
I read this link but did not find it in my Azure DevOps web admin.
I am afraid this release has not been updated to Azure DevOps Server. I also did not find the "Restrict the transaction to state" in the Actions on my side.
The release of this feature is currently only for Azure DevOps service. For the release notes of Azure DevOps Server, please follow this.

Azure Analysis service deployment using Azure DevOps

I am working on Azure Analysis Services directly from portal.azure.com. Instead, I want AAS to be saved as a file in a Git repo and deployment to be managed through Azure DevOps. Not sure if this is possible. How do I proceed further on this?
Currently, Azure Analysis Services doesn't support implementing using Azure DevOps.
I would request you to provide the feedback here:
https://feedback.azure.com/forums/556165-azure-analysis-services
All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.
You could have a script task make a REST call to Azure from Azure DevOps, building the URL and payload from code, say passing in parameters, or by utilising a variable group.

How to integrate Azure Policy with Azure DevOps?

I created the ARM templates for Azure Web App, Azure SQL Database, Key Vault and Azure Storage, and deployed these ARM templates into Azure using the Azure DevOps CI and CD process.
But I want to enforce policies as part of the development process. I know Microsoft released the Azure Policy integration with Azure DevOps and that it is now available. But I don't know how to integrate policies with Azure DevOps.
Can anyone make a suggestion or provide any useful documentation?
After creating and assigning policies, they are automatically evaluated on every template deployment. If there is an attempt to deploy a template that violates a policy with a deny effect, you can see this in Azure DevOps:
Edit: The steps for creating and assigning policies and finding the output can be found in the docs: https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-policy?view=azure-devops. Also, you can now evaluate Azure Policies via a Release Gate. See: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-policy-check-gate?view=azure-devops
Azure Pipelines has Policy gates that can also be used to check if the underlying resources/resource group/subscription is compliant before proceeding.
You can find details here.
