| Lab Description | This lab covers the configurations and environment creation for DevOps deployments. |
|---|---|
| Estimated Time to Complete | 30 minutes |
| Key Takeaways | 1. Create resource group in Azure for deployment automation |
| 2. Establish RBAC permissions for resource creation | |
| 3. Setup permissions and service principals for continuous deployments in Azure DevOps environment | |
| By the end of this lab, you should have: Resource Groups, Service Principal, Azure DevOps Environment, Artifacts needed to complete this workshop | |
| Author | Shirley MacKay Frank Garofalo |
This lab will create the environment for the CI/CD process. Service Principals are leveraged to allow permission to deploy or update resources in certain environments for a specific purpose. The Service Connection uses a Service Principal's permissions which are based off of RBAC. It gives Administrators better control over their environment while allowing the engineers the ability to focus on their code.
Summary
- Setup Up Azure Environment
- Azure AD Service Principal
- Setup Azure DevOps Environment
- Push files to your Azure DevOps Repo
Perform the tasks below either via the Portal or PowerShell. Create two resource groups one for Dev and Prod Example naming convention: {name}-prod, {name}-dev
- Active Azure Subscription
- TRIAL SUBSCRIPTIONS ARE NOT SUPPORTED FOR THIS WORKSHOP
- Live workshops may have an Azure Pass Promo Code
- Redeem your Promo Code for activating your Azure Subscription, go to the following link: Click here
- Azure DevOps account
- If you do not have an account Sign up for free using Windows Live ID or Github
- Login to https://portal.azure.com
- Select Resource Groups from the main menu
Create resource groups, SuperchargeSQL-dev and SuperchargeSQL-prod with the steps below:
- Click + Add
- Select the Subscription
- Enter the Resource Group name
- Select the Region
- Click Review + create
- Click Create
- Click Refresh in the portal to see the new resource group
💡 Recommend using the VS Code IDE for PowerShell script development
Create SuperchargeSQL-dev and SuperchargeSQL-prod resource groups with the PowerShell Script below:
- Open VS Code
- Create a new file
- Change the default environment to PowerShell. In the bottom corner of VS Code, click on "Plain Text" and type "PowerShell"
❗ Execute the script below for each resource group
#You only need to use Login-AzAccount once if you use the same session
#IMPORTANT: The signin window may show up BEHIND the application. Minimize windows to view the signin window.
Login-AzAccount #For Azure Government use: #Login-AzAccount -Environment AzureUSGovernment
#For 1st script execution update $rg value with: SuperchargeSQL-dev
#For 2nd script execution update $rg value with: SuperchargeSQL-prod
$rg = "<Your Resource Group Name>"
#You can use the following cmdlet to obtain the region (location)
#Get-AzLocation
$location = "<Location>" #Example: eastus2
#You can use the following cmdlet to obtain the subscription id
#Get-AzSubscription
Select-AzSubscription –Subscription "<Id>"
New-AzResourceGroup -Name $rg -Location $location
Get-AzResourceGroup -Name $rgPerform the tasks below either via the Portal or PowerShell.
💡 This lab uses one Service Principal. Typically, a Service Principal is used for each environment: Development, Staging, Production.
-
Login to https://portal.azure.com
-
Select Azure Active Directory from the main menu or from More Services
-
Select the App Registrations blade
-
Select + New registration
- Enter the Name: {your alias}-SuperchargeSQL-SP
- Leave the defaults
- Click Register
On the App Registrations - {Your App Name} blade
- Select the Certificates & secrets blade
- Select the + New client secret
- Enter the Description
- Click Add
- Copy the Value
❗ Copy the new client secret value and Application Id (Overview blade). You won't be able to retrieve it after you perform another operation or leave this blade. Generate a new secret if it is lost it or expires. We recommend using the portal steps to generate a new client secret.
💡 Use the below PowerShell script in a PowerShell file with VS Code. Make sure to update the parameter values.
#You only need to use Login-AzAccount once if you use the same session
#IMPORTANT: The signin window may show up BEHIND the application.
Login-AzAccount #For Azure Government use: #Login-AzAccount -Environment AzureUSGovernment
#You can use the following cmdlet to obtain the subscription id
#Get-AzSubscription
Select-AzSubscription –Subscription "<Id>"
$spName = "{your alias}-SuperchargeSQL-SP"
$id = (New-Guid).Guid
$secret = (New-Guid).Guid
$cred = New-Object Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential
$cred.StartDate = Get-Date
$cred.EndDate = (Get-Date).AddYears(1)
$cred.KeyId = $id
$cred.Password = $secret
New-AzADServicePrincipal -DisplayName $spName -PasswordCredential $cred
#IMPORTANT: Save the value for $secret, it will be used later
$secret ❗ Copy and save the Service Principal Name, Application Id and Secret. You won't be able to retrieve it after you perform another operation or leave this blade. Generate a new secret if it is lost it or expires. We recommend using the portal steps to generate a new client secret.
Perform the tasks below either via the Portal or PowerShell.
❗ Do the following steps for both resource groups created earlier:
- Go to the resource group
- Click on the Access control (IAM) blade
- Click on + Add
- Click on Add role assignment
- Select the Owner role
- Enter your Service Principal name in the Select box to search
- Click Save
- Click on Role Assignments to verify
❗ Use the below PowerShell Script in a PowerShell file in VS Code, executing it twice, once for each resource group. Make sure to update the parameter values
#You only need to use Login-AzAccount once if you use the same session
#IMPORTANT: The signin window may show up BEHIND the application.
Login-AzAccount #For Azure Government use: #Login-AzAccount -Environment AzureUSGovernment
#You can use the following cmdlet to obtain the subscription id
#Get-AzSubscription
Select-AzSubscription –Subscription "<Id>"
#For 1st script execution update $rg value with: SuperchargeSQL-dev
#For 2nd script execution update $rg value with: SuperchargeSQL-prod
$spName = '<Service Principal Name>'
$rg = "<Your Resource Group Name>"
$app = (Get-AzADServicePrincipal -DisplayName $spName).ApplicationID
New-AzRoleAssignment -ApplicationID $app -ResourceGroupName $rg -RoleDefinitionName 'Owner'- Sign in https://dev.azure.com/
- Navigate to Azure DevOps after signing in
- Click on New Organization
- Confirm and Enter an organization name
- The organization name is a DNS name therefore it must be globally unique.
- Choose a Location
- Confirm and Enter an organization name
- After creation, navigate to your organization https://dev.azure.com/{yourorganization}
- Enter your Project name
- Enter Description (optional)
- Select Private
- Expand the Advanced options
- Select Git and Basic for version control and work item process, respectively.
- Click on + Create project
- Project name: SuperchargeSQLDeployments
- Description: Supercharge SQL Deployments
❗ To prevent any confusion later on in the lab it is strongly recommend to name your DevOps project SuperchargeSQLDeployments. If you name your project something else make note that some of the lab instructions may not match your path(S)
- Click on Repos
- Click on Initialize
Default settings to include Add a README
There are many options for a branching strategy and Git gives you the flexibility in how you use version control to share and manage code. It's an important part of DevOps and your strategy is something that your team should come up with. For more information about branching strategies please review Adopt a Git branching stategy docs page. For this workshop we are going to work with just a dev and master branch.
- Click on Repos to expand the Repos submenu
- Click on submenu Branches
Notice that your Repo only has a master branch, by default new Git Repos only have a master branch
- Click New branch
- Enter Name: dev
- Click Create
- Click on the ellipse on the master branch to expose more options
- Click Branch policies
- You are now going to set a policy to Protect your master branch
This is to keep people from accidentally checking dev code into master/prod branch - Select Require a minimum number of reviewers
- Change the minimum number of reviewers to 1
- Select Requestors can approve their own changes
- Save changes
- Click on Branches
- Notice that your master branch, now has a Branch Policy icon on it.
- Select the Project Settings
- Select Service Connections under Pipelines
- Create a new Service Connection
- Select Azure Resource Manager and Next
- Select Service Principal (Manual) and Next
Enter the following:
- Enter Service connection name: Supercharge SQL Service Connection
- Select Environment
- Select Scope level Subscription
- Enter Subscription Id
Get-AzSubscription #Returns Subscription Name, Id, TenantId and State
- Enter Subscription Name (Found in Resource Group > Overview blade)
- Enter Service Principal Id (Value noted earlier)
- Select Credential Service principal key
- Enter Service principal key (Value noted earlier)
- Enter Tenant ID (Found in Azure Active Directory > properties blade)
- Click on Verify
- Click on Verify and Safe
Your repository is currently empty, except for the default README.md file that was created to initialize your repo. In this exercise you are going to use Git commands to clone down the source files needed for this lab and push them up to your repo.
- Using the TERMINAL in VS Code or Git Bash
- Run the following Git command to clone this Github Repo
git clone https://github.com/microsoft/SuperchargeAzureSQLDeployments.git c:/SuperchargeAzureSQL
- In a browser navagate to your Azure DevOps Project that you created above.
- Click on Repos
- Click Files
- Click the Clone button
- Copy the Command line HTTPS URL for your repo by clicking on the copy icon
- Back in VS Code hit the F1 key to open the command pallet
- Type Git: Clone and hit enter
- Paste the Repository URL for your Azure DevOps Repo > Press Enter on your keyboard
- Navigate to your C:\ drive
- Click the Select Repository Location button
- You may be asked to provide your Microsoft account
- Use your Microsoft account used to login to Azure DevOps
- Open that repository in VS Code, if prompted
- Using windows explore navigate to the the source directory in the cloned GitHub repo
- C:\SuperchargeAzureSQL\source\
- C:\SuperchargeAzureSQL\source\
- Copy both directories: DatabaseProjects & Deployments
- Using windows explore navigate to your cloned Azure DevOps repo
- C:\SuperchargeSQLDeployment
- C:\SuperchargeSQLDeployment
- Paste the copied directories from step 11 into your cloned Azure DevOps repo
- The above steps should result with the following:
- Copy the .gitignore file from:
-
C:\SuperchargeAzureSQL\
❗ Note that SuperchargeAzureSQL is the name of your project in Azure DevOps, you do not create this directory when you clone a repo. Git creates the directory as the root of your local repository. It uses the name of your project from Azure DevOps. If you named your project something different, your path will be: C:\{your DevOps Project name}
-
If you do not see the file enable: File name extensions and Hidden items from the View menu in explorer
- Paste the file into:
- C:\SuperchargeSQLDeployments
- In VS Code from the menu click File > Open Folder
- Navigate to your Cloned Azure DevOps Repo: C:\SuperchargeSQLDeployments (If not already in this directory)
- Click on the Git icon from the left side menu
- Notice that is shows a number on the icon
- This is the number file files that have not been committed to your local Git repository for your Azure DevOps project
- Make sure your are working off of the Dev branch
- Click on master from the bottom left of VS Code
- Click on master from the bottom left of VS Code
- Select dev
- If you haven’t previously selected the dev branch you may need to choose origin/dev
- You should now be in your dev branch
- Click on the + that shows up when you hover over CHANGES
- This will stage all changes in your repo to be committed
- You can also pick and choose which files you want to stage, for this workshop we want all of the initial files staged to be committed
- Type a message for the initial commit in the Message box (ie. initial commit)
- Click the Check mark to perform the commit.
❗ If you receive an error message Make sure you configure your 'user.name' and 'user.email' in git. Click Cancel on the error message
-
Open the Terminal in VS Code
-
Run the following commands, filling in your own name and email address
git config --global user.name "Your Name"
git config --global user.email "[email protected]" -
Run your commit again (Step 6.)
- You now have commited all of the changes to your local Git Repo, notice that the Git icon in the left side menu does not show any numbers.
- Notice that you have changes to push up to your remote Git repo (Azure DevOps Repo
- Click on the sync icon in the bottom left to perform a Git pull & Git push
- You can also run the following Git command
git push
- You may see a Visual Studio Code pop up window that says: This action will push and pull commits to and from 'origin/dev'.
- Click OK
- After the push completes you may receive the following message dialog:
- This is an option setting, when working on a team with multiple developers it is recommend to set this to Yes
- Using a browser navigate to your Azure DevOps project
- Click on Repos > Files
- You should now see all of the files in your repo
- You may need to select the ‘dev’ branch to see the new files
Azure subscriptions
TRIAL SUBSCRIPTIONS ARE NOT SUPPORTED FOR THIS WORKSHOP