Can I connect VSTS to multiple Azure Accounts using Service Connections? - azure

I want to deploy a web app using CI/CD from VSTS to multiple (customer) Azure accounts. So not multiple subscriptions within the same Azure account, but multiple different Azure accounts owned by customers.
The app is a managed app from the Azure Marketplace so I have full access to the resource group in which the app resides.
Is there an easy way to do this using service connections and the web deploy task or should I be using Powershell to do this and script it myself?

Please create multiple Service Connections in your VSTS which used to connect to these Azure account first.
Then please create a Release pipeline with multiple environments. Then add Deploy task for every environment and choose different Azure Service Connections in different environment. Then you could deploy one app to different Azure environment through one release pipeline.

It turns out that with a Managed App, for every customer deployment a resource group is created that I own and therefore shows up in my Azure account.
So from VSTS I can just use Service Connections to those resource groups, no need to connect to these other Azure accounts.

Related

Is it possible to use an Azure Classic Service Connection in my Release pipeline to deploy App Service?

This is a follow up to this question (Is it possible to use DevOps to deploy to an Azure App Service if I don't have access to Azure Active Directory?) where I can't create a service connection if I don't have access to Azure AD for my tenant.
The standard Service Connection creates a service principal which can't be done if there is no access to Azure AD. So I'm trying to see if I can create an Azure Classic Service Connection instead.
I seem to be able to create the service connection and I've verified and saved it okay.
However, it doesn't appear in the dropdown list in the Deploy Azure App Services task.
Am I doing something wrong? I'm trying this on a free trial tenant where I do definitely have access to Azure AD. I can't find any documentation to say Service Connections can't be Azure Classic.
If this is a restrictions for Pipelines, is it possible to deploy to an App Service in Azure without Azure AD access?
No, the Azure App Service Deploy task doesn't support classic service connections.
From the docs:
The task does not work with the Azure Classic service connection, and it will not list these connections in the settings of the task.

Azure Devops: securing deployments to on-premise servers at webapp level

It's clear that you can set which roles can deploy to a certain on-premise server thanks to the security settings in Deployment Groups and Agent pools. But, any way of restrict access at webapp level?
The only ways I found are:
Creating a specific account, giving it deploying permissions in target server's IIS in required webapps only and provide this credentials to developers on charge of creating the pipelines for deploying those webapps (they will put them as custom environment vars or similar in pipelines)
Same than 1 but using the created account as a service account for an agent. Access to this agent will be restricted to developers on charge of creating the pipelines for deploying those webapps.
Both cases require to create new accounts and to give permissions on server's IIS. No way of doing this from Azure DevOps on the same way that access to whole servers can be restricted?
Regards.
It's clear that you can set which roles can deploy to a certain
on-premise server thanks to the security settings in Deployment Groups
and Agent pools. But, any way of restrict access at webapp level?
Sorry but as I know Azure Devops Service doesn't support such out-of-box feature.
We can manage the access in Organization level(Organization settings), Project Level(Project settings), Feature Level(Security of Pipelines/Deployment Groups feature...) and even the 'instance Level' (Set security for one specific pipeline/deployment group/one specific git repo).
But the 'instance level' is the lowest level, we can only manage the access in specific pipeline or specific deployment group but not one webapp which will be deployed by pipeline/deploymentGroup.
The webapp is not an option hosted by Azure Devops Service, it's just something to be deployed by pipelines(hosted by Azure Devops Service). So Azure Devops Service avtually have no knowledge about the webapp(it also won't have UI that represents one webapp), that's why we can manage the access in pipeline but not webapp in that pipeline...
Update 1
Once you have only one deployment group for the specific target server, you can determine who can access the deployment group here:
The person who is assigned with reader permission can't use the deployment group to do the deploy.
Ok, following the suggestion from #Lance and after some research, this is what I´m planning to do:
Creating a custom service connection where following fields can be set: IIS Server where the WebApp is, Webapp name, User (with permissions to deployment) and Password.
Together with the Custom Service connection I will provide a custom task where developer team can select the service connection against they want to do the deployment (obviously, server admins will only configure service connections to webapps which this team is allowed to deploy).
Agent will run with a low-privileged account (no way of affecting any app) and the custom task will use internally the creds provided on service connection to perform the deploying.
I think that approach is the best workaround to the initial problem and can be extensible to fix the granularity problem in other kinds of resources (like DB´s, Shared Folders, ...) just simply adding another specific custom service connection (to specify the resource and the deployment credentials) and a linked Custom task which allows deployments only against that resource.
The only drawback is the fact that, if you want to set a deployment approval, you have to do it at resource level (for every webapp, for every DB, ...) and that means that approvers will have to approve resource by resource when deploying also (instead of a single approval for the whole application deployment as, in my understanding, should be)
What do you think guys? Any remark before start coding this?
Regards.

How to deploy Azure Logic App and prerequisite?

I've built a Logic App on Azure and it's working fine, this app connects to an API and then puts the data into an SQL server.
This app will need to be deployed to another subscription/resource group entirely at some point, I'm just wondering about the recommended methods for this, at the moment I'm attempting to use Azure DevOps to automate this process, and while I can run SQL against databases that are already there, I'm having trouble with deploying the logic app and then linking it to the SQL database previously deployed.
I'm using Power Shell on Azure DevOps as there doesn't seem to individual actions that I can use to deploy a particular resource (such as a Logic App).
Is Azure DevOps the way to go? Am I just missing something simple?
Logic app requires connection resources which have the credential information for talking to mail or Azure blob. These have to be created in the target resource group.
You can download the logic app and connections as an ARM template using Logic app VS tools.
You can then deploy this ARM template any other subscription or resource group.
However, OAuth based connections like "mail" will have to be authenticated manually in the new resource group.

Understanding Azure Release Pipeline

I'm very new with Azure DevOps and I need some help to understand how to create a Release Pipeline. The Microsoft Doc is very extensive but I can't find what I'm looking for.
I've created a Build Pipeline with the sample python repository. Then I would like to create a Release Pipeline. I linked my account with my subscription, select the App type, but then I'm asking for App service name.
What is this App service ? How can I create it ?
On their documentation (here) they are just saying
App Service Name: Select the name of the web app from your subscription..
No more explanation.
Could someone please give me more information about that ?
Thanks a lot
An Azure DevOps release pipeline deploys the artifacts that are the output of a build pipeline to some environment that you define (Test, QA, Production, etc.).
For web apps the environment will be a "web hosting" (for other apps it could be something different).
The "web hosting" can be a 3rd party (you would deploy using tasks for FTP, WebDeploy, etc.) or it can be Azure "web hosting" PaaS offering, which is named Azure Web Apps.
Azure Web Apps require an Azure App Service Plan (which defines its characteristics and pricing): https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
Note: an Azure App Service can be used not only to host web apps but also to host the back-end (Web APIs) of mobile apps, containers and serverless functions apps. See App Service overview and for high scale and security see Introduction to the App Service Environments
The template for the Release Pipeline that you have chosen (assuming is the one named "Deploy a Python app to Azure App Service and Azure database for MySQL") is intended to "Deploy a Python Django, Bottle, or Flask application to an Azure Web App and database to Azure Database for MySQL." Since it's deploying to an Azure Web App, the task asks you for its Azure Subscription and its App Service Plan within that subscription.
So, if you plan to deploy to an Azure Web App, create a Service Plan in your Azure subscription (you can use the Azure Portal, Azure CLI, etc.). Otherwise remove the task and use a different task to deploy to your 3rd party web hosting.
If you are new to Azure DevOps and want to try out all the cool things, I suggest you to follow Azure DevOps Labs which has a great content to get started from Zero to Advanced.

How to tie VSTS (aka Azure DevOps) account to Azure Subscription

I understand how to create a new DevOps project from https://portal.azure.com and I see how that creates a new DevOps organisation or reuses an existing one (scoped to that AzureAD).
A new project is also created as well as an associated WebApps project.
These are my challenges:
When one creates a new Project in that DevOps organisation, it doesn't show up for management in https://portal.azure.com. How can one ensure the resources consumed by that project are part of the Azure Subscription to which the parent organisation is tied? Or is that the default?
What is the easiest way of tying existing DevOps organisations and projects to an Azure subscription to allow increasing the default 5 user limit and consuming more pipeline resources?
There doesn't seem to be any documentation anywhere that directly addresses these issues for me.
You may use Azure DevOps Organizations to connect your azure subscription with devops account:
Then you may use users on Azure DevOps from Azure Active Directory and manage billing (get more license):
Also you may use DevOps Project wizard to create a team project from a template:
Additional links:
Quickstart: Set up billing for your organization
Azure DevOps Projects
Tutorial: Connect your organization to Azure Active Directory
Quickstart: Pay for more Basic users
About access levels

Resources