Azure / bicep-registry-modules

Bicep registry modules
MIT License

Could Azure Pipelines / Deployment Test - CI .yml be shared in the repository for the source of truth/holistic view? #76

Closed BenjaminEngeset closed 7 months ago

BenjaminEngeset commented 2 years ago

Hi project maintainers and contributors.

Awzm stuff - especially the part around brm tooling. Small gamechanger for me personally (-:

Checked the src, looks like it's using some of the functionality as when you are deploying a Bicep file to Azure Resource Manager, just not the build cmdlet when using brm generate and brm validate. All I have to say is very good work 💯

Would it be possible to share the .yml that is used for PRs for having all src code used in one place?

Currently the repository is including GH Actions and supporting scripts. But for ADO only the underlying scripts are there, but the .yml that is using the automagic is not there.

Documentation is currently stating:


shenglol commented 2 years ago

Our ADO pipeline is a "classic" pipeline which is configured via UI due to security concerns. If we add a .yml file for the pipeline to the repo, then anyone can modify the pipeline and run malicious scripts by simply submitting a PR. That being said, I'm open to checking in a "template" yml file so that people can use it as a reference to set up their own pipelines.

BenjaminEngeset commented 2 years ago

@shenglol

That makes sense. I was more thinking about yml example for ADO.

Could you please be so kind to pull something like that into the repo so it can be used as a reference?

It would be really great, since there is so much awzm stuff that can be re-used for other projects based on the stuff that has been created here 😃

I'm also trying to re-write some of the GH workflows to ADO pipelines so it can be used in ADO projects as well.

shenglol commented 2 years ago

Yup. I'll add a sample ADO yml file and a readme file for how to set up a test environment when I get a chance.

BenjaminEngeset commented 2 years ago

Thanks! Great 😄

BenjaminEngeset commented 2 years ago

@shenglol

Any update here? I know you are a busy man. I am very eager to use this solution myself and for now I have used CARML CI, but this CI is just so much better and I'd like to convert.

I have access to read the Deployment Test - CI job in Azure DevOps, but nothing more. Would be interesting to see if the solution could be shared as this could be reused by all customers leveraging the brm tooling for in-house created modules as well.

shenglol commented 2 years ago

Apologies for the delay. Currently our team is a bit shorthanded, and I haven't gotten a chance to prioritize this. I need more time to commit detailed documentation, but here's a yml template with comments that you can use as a reference to set up your own CI:

```yaml
# Prerequisites:
# - A subscription for running the deployment test.
# - A service principal with owner access to the subscription (Subscription Owner).
# - A service principal with no access to the subscription (RG owner).
# - Two Azure Resource Manager ADO service connections configured with the service principals above.
# - A GitHub repository that is connected to ADO with https://github.com/marketplace/azure-pipelines.
# - A GitHub PAT token for accessing the github repository.

# Variable 'Github.AccessToken' was defined in the Variables tab.
# Variable 'ResourceGroupOwner.ApplicationId' was defined in the Variables tab.
# Variable 'ResourceGroupOwner.ObjectId' was defined in the Variables tab.
resources:
  repositories:
  - repository: self
    type: git
    ref: refs/heads/main

jobs:
- job: Main
  displayName: Run deployment test
  pool:
    vmImage: windows-2019
  steps:
  - checkout: self
    clean: true

  # To make sure we don't run any malicious scripts, checkout the PowerShell scripts that
  # are known to be legitimate at a specific commit for the pipeline to use.
  # A literal block (|) is required here so that each git command runs on its own line.
  - task: CmdLine@2
    displayName: Checkout scripts
    inputs:
      script: |
        git reset <commit_id> -- .\scripts\azure-pipelines
        git checkout -- .\scripts\azure-pipelines
        git clean -fd .\scripts\azure-pipelines

  - task: PowerShell@2
    displayName: Find changed module
    inputs:
      filePath: scripts\azure-pipelines\Find-ChangedModule.ps1
      arguments: -GitHubToken $(Github.AccessToken) -Repository $(Build.Repository.Name) -PullRequestNumber $(System.PullRequest.PullRequestNumber)
      pwsh: true

  - task: PowerShell@2
    displayName: Get test file
    condition: and(succeeded(), ne(variables.ChangedModuleDirectory, ''))
    inputs:
      filePath: scripts\azure-pipelines\Get-TestFile.ps1
      arguments: -ChangedModuleDirectory $(ChangedModuleDirectory)
      pwsh: true

  # Get the target scope of the test deployment. Only resource group scope is supported, since it is not safe to grant
  # module contributors access to the test subscription.
  - task: PowerShell@2
    displayName: Get target scope
    condition: and(succeeded(), ne(variables.ChangedModuleDirectory, ''))
    inputs:
      filePath: scripts\azure-pipelines\Get-TargetScope.ps1
      arguments: -ChangedModuleDirectory $(ChangedModuleDirectory)
      pwsh: true

  # Create a test resource group with the subscription owner service principal and assign the RG owner service principal
  # owner access to the resource group. The RG owner cannot access resources outside the resource group.
  - task: AzurePowerShell@5
    displayName: Create test resource group
    condition: and(succeeded(), ne(variables.TestFilePath, ''), eq(variables.TargetScope, 'resourceGroup'))
    inputs:
      ConnectedServiceNameARM: <SUBSCRIPTION_OWNER_CONNECTION_ID>
      ScriptPath: scripts\azure-pipelines\New-TestResourceGroup.ps1
      ScriptArguments: -PrincipalId $(ResourceGroupOwner.ObjectId)
      TargetAzurePs: LatestVersion
      pwsh: true

  # Run the test deployment with the RG owner service principal. The pinned script receives the values as
  # parameters; nothing from the PR is interpolated into an inline command.
  - task: AzurePowerShell@5
    displayName: Deploy test file
    condition: and(succeeded(), ne(variables.ResourceGroupName, ''))
    inputs:
      ConnectedServiceNameARM: <RESOURCE_GROUP_OWNER_CONNECTION_ID>
      ScriptPath: scripts\azure-pipelines\Deploy-TestFile.ps1
      ScriptArguments: -ResourceGroupName $(ResourceGroupName) -TestFilePath $(TestFilePath)
      errorActionPreference: continue
      FailOnStandardError: true
      TargetAzurePs: LatestVersion
      pwsh: true

  # Clean up the test resource group with the subscription owner service principal. Runs even if the deployment failed.
  - task: AzurePowerShell@5
    displayName: Remove test resource group
    condition: and(always(), ne(variables.ResourceGroupName, ''))
    inputs:
      ConnectedServiceNameARM: <SUBSCRIPTION_OWNER_CONNECTION_ID>
      ScriptPath: scripts\azure-pipelines\Remove-TestResourceGroup.ps1
      ScriptArguments: -ResourceGroupName $(ResourceGroupName)
      TargetAzurePs: LatestVersion
      pwsh: true
```
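An illustrative script for the "Create test resource group" step above, added here as an example and not the repository's own New-TestResourceGroup.ps1 (the parameter names, the name prefix, the location and the propagation wait are assumptions). It shows the least-privilege part of the design: the RG-owner principal gets Owner scoped to the disposable resource group only, and the name is published as the pipeline variable that the later steps' `ne(variables.ResourceGroupName, '')` conditions check.

```powershell
[CmdletBinding()]
param(
    # Object ID of the RG-owner service principal (ResourceGroupOwner.ObjectId in the pipeline).
    [Parameter(Mandatory)] [string] $PrincipalId,
    [string] $Location = 'westus',          # assumed default region for the test deployment
    [string] $NamePrefix = 'brm-test'       # assumed prefix for disposable resource groups
)

$ErrorActionPreference = 'Stop'

# Unique, disposable name so concurrent PR runs never share a resource group.
$resourceGroupName = '{0}-{1}' -f $NamePrefix, [guid]::NewGuid().ToString('N').Substring(0, 12)

# Runs under the subscription-owner service connection, so it may create RGs and role assignments.
$rg = New-AzResourceGroup -Name $resourceGroupName -Location $Location -Tag @{ purpose = 'deployment-test' }

# Grant Owner on the resource group only. The scope is the RG resource ID, so the RG-owner
# principal cannot read or modify anything else in the subscription.
New-AzRoleAssignment -ObjectId $PrincipalId -RoleDefinitionName 'Owner' -Scope $rg.ResourceId | Out-Null

# Role assignments propagate asynchronously; wait until it is visible before handing the RG
# to the deploy step, otherwise the first deployment can fail with an authorization error.
$deadline = (Get-Date).AddMinutes(2)
$visible = $null
do {
    $visible = Get-AzRoleAssignment -ObjectId $PrincipalId -Scope $rg.ResourceId `
        -RoleDefinitionName 'Owner' -ErrorAction SilentlyContinue
    if ($visible) { break }
    Start-Sleep -Seconds 10
} while ((Get-Date) -lt $deadline)

if (-not $visible) {
    throw "Role assignment for $PrincipalId on $resourceGroupName did not propagate in time."
}

# Publish the name as a pipeline variable for the 'Deploy test file' and 'Remove test resource group' steps.
Write-Host "##vso[task.setvariable variable=ResourceGroupName]$resourceGroupName"
```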
BenjaminEngeset commented 2 years ago

@shenglol Great stuff, thank you!

With some adjustments it runs very well on an Azure DevOps repo. Now just subscription and management group deployments are left, but that will require additional logic that will probably not be so straightforward.

PowerShell scripts with very high quality and a lot of nice tinkering behind them, good job!

ChrisSidebotham commented 7 months ago

Closing as Outdated