Azure - Deployment Pipeline - Deploy in all env

trigger:
- master  # Change this to the branch you want to trigger the pipeline from

variables:
  - name: logicAppName
    value: MyLogicApp
  - name: environment
    value: dev  # Change this to the target environment (e.g., test, qa)
  - name: devResourceGroup
    value: 'rg-dev-logicapp'
  - name: testResourceGroup
    value: 'rg-test-logicapp'
  - name: qaResourceGroup
    value: 'rg-qa-logicapp'
  - name: devVNetName
    value: 'vnet-dev'
  - name: testVNetName
    value: 'vnet-test'
  - name: qaVNetName
    value: 'vnet-qa'

stages:
- stage: DeployDev
  displayName: 'Deploy Logic App to Dev'
  jobs:
  - job: DeployLogicAppDev
    displayName: 'Deploy Logic App to Dev'
    pool:
      vmImage: 'windows-latest'
    steps:
    - task: AzureResourceGroupDeployment@2
      inputs:
        azureSubscription: '<AzureSubscription>'
        action: 'Create Or Update Resource Group'
        resourceGroupName: '$(devResourceGroup)'
        location: 'East US'  # Change this to the desired Azure region
        templateLocation: 'Linked artifact'
        csmFile: '<path-to-your-arm-template.json>'
        csmParametersFile: '<path-to-your-arm-parameters-dev.json>'
        deploymentMode: 'Incremental'
        deploymentName: 'Deploy-LogicApp-$(Build.BuildId)'
    # Additional steps specific to Dev environment

- stage: DeployTest
  displayName: 'Deploy Logic App to Test'
  jobs:
  - job: DeployLogicAppTest
    displayName: 'Deploy Logic App to Test'
    pool:
      vmImage: 'windows-latest'
    steps:
    - task: AzureResourceGroupDeployment@2
      inputs:
        azureSubscription: '<AzureSubscription>'
        action: 'Create Or Update Resource Group'
        resourceGroupName: '$(testResourceGroup)'
        location: 'East US'  # Change this to the desired Azure region
        templateLocation: 'Linked artifact'
        csmFile: '<path-to-your-arm-template.json>'
        csmParametersFile: '<path-to-your-arm-parameters-test.json>'
        deploymentMode: 'Incremental'
        deploymentName: 'Deploy-LogicApp-$(Build.BuildId)'
    # Additional steps specific to Test environment

- stage: DeployQA
  displayName: 'Deploy Logic App to QA'
  jobs:
  - job: DeployLogicAppQA
    displayName: 'Deploy Logic App to QA'
    pool:
      vmImage: 'windows-latest'
    steps:
    - task: AzureResourceGroupDeployment@2
      inputs:
        azureSubscription: '<AzureSubscription>'
        action: 'Create Or Update Resource Group'
        resourceGroupName: '$(qaResourceGroup)'
        location: 'East US'  # Change this to the desired Azure region
        templateLocation: 'Linked artifact'
        csmFile: '<path-to-your-arm-template.json>'
        csmParametersFile: '<path-to-your-arm-parameters-qa.json>'
        deploymentMode: 'Incremental'
        deploymentName: 'Deploy-LogicApp-$(Build.BuildId)'
    # Additional steps specific to QA environment



Hide the Azure subscription from the code


To ensure that your Azure subscription is secure when using it in Azure Pipelines, you can follow these best practices:

  1. Use Service Principal Authentication: Instead of using explicit credentials, create an Azure service principal and assign it only the necessary permissions in Azure. Store the service principal's credentials in a service connection and reference that connection by name in your Azure Pipelines YAML file, so the credentials themselves never appear in the code. This reduces the risk of exposing sensitive credentials.

  2. Limit Permissions: Assign the minimal set of permissions required for the tasks in your pipeline to the service principal or user account associated with the Azure subscription. Avoid granting overly broad permissions.

  3. Store Secrets Securely: Store sensitive information such as service principal credentials securely. Azure Pipelines provides a secure way to store and manage secrets using Azure Key Vault or variable groups.

  4. Use Variable Groups: Define variable groups in Azure Pipelines to store sensitive information securely. You can link variable groups to your pipeline and reference the variables containing secrets without exposing them directly in the YAML file.

  5. Restrict Access: Limit access to your Azure Pipelines and Azure subscription to only authorized users or teams. Implement role-based access control (RBAC) in Azure to control who can access and modify resources.

  6. Audit Logs: Enable audit logging for your Azure subscription and Azure Pipelines to monitor activities and detect any suspicious behavior.

  7. Regularly Rotate Secrets: Rotate service principal credentials and other sensitive information regularly to reduce the risk of unauthorized access.

Here's an example of how you can use a service principal in your Azure Pipelines YAML file:

 

- task: AzureResourceGroupDeployment@2
  inputs:
    azureSubscription: 'MyServicePrincipal'  # Use the name of the service connection storing the service principal credentials

    ...
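
The practices listed above, applied to the Dev stage of the pipeline at the top of this page. This is an added example, not part of the original post; the service connection `sc-logicapp-dev`, the variable group `logicapp-dev-secrets`, the environment `logicapp-dev`, the secret `ApiConnectionSecret` and the ARM parameter `apiConnectionSecret` are hypothetical names.

```yaml
trigger:
- master

variables:
# Variable group from Pipelines > Library (hypothetical name). Linking it to
# an Azure Key Vault keeps secret values out of the repository entirely.
- group: logicapp-dev-secrets
- name: devResourceGroup
  value: 'rg-dev-logicapp'

stages:
- stage: DeployDev
  displayName: 'Deploy Logic App to Dev'
  jobs:
  # A deployment job targets a named environment, which is where approvals
  # and checks are attached (practice 5, Restrict Access).
  - deployment: DeployLogicAppDev
    displayName: 'Deploy Logic App to Dev'
    pool:
      vmImage: 'windows-latest'
    environment: 'logicapp-dev'   # hypothetical environment name
    strategy:
      runOnce:
        deploy:
          steps:
          # Deployment jobs do not check out the repository by default.
          - checkout: self
          - task: AzureResourceGroupDeployment@2
            inputs:
              # One service connection per environment, with its service
              # principal scoped to this resource group only (practice 2).
              azureSubscription: 'sc-logicapp-dev'
              action: 'Create Or Update Resource Group'
              resourceGroupName: '$(devResourceGroup)'
              location: 'East US'
              templateLocation: 'Linked artifact'
              csmFile: '<path-to-your-arm-template.json>'
              csmParametersFile: '<path-to-your-arm-parameters-dev.json>'
              # Secret comes from the variable group at run time; the log
              # shows it masked. The parameter name is hypothetical.
              overrideParameters: '-apiConnectionSecret "$(ApiConnectionSecret)"'
              deploymentMode: 'Incremental'
              deploymentName: 'Deploy-LogicApp-$(Build.BuildId)'
```

Declare the receiving ARM template parameter as `securestring` so the value is not recorded in the deployment history.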
 
