Azure DevOps - Infrastructure Build

Azure DevOps (formerly VSTS) is so powerful that I have decided to write and share a bit on what you can achieve with it. In this Part 1, I will show how you can leverage Infrastructure-as-Code (IaC) and Azure DevOps to build your entire infrastructure in a secure and modular fashion. In Part 2, we will then use Azure DevOps to build and deploy an application to the new infrastructure.

To keep it simple, our infrastructure will consist of:

  • 1x Azure KeyVault
  • 1x Azure App Service
  • 1x Azure SQL DB

All the templates can be cloned from my GitHub repo.

The first thing we need to do is go to the Azure portal, create a new Azure DevOps project and browse to the project homepage. We also have to manually create an Azure KeyVault so that we can authorize it to be used by the project. We will use KeyVault to store our secrets. I have made the KeyVault templates available in the repo as well, so that you can deploy them using PowerShell.
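As an added example (not the author's code, and using the Az cmdlets directly rather than the repo's KeyVault templates), the script below creates the vault and seeds the `sqlpass` secret that the pipeline later reads as $(sqlpass). The resource group, location and vault name are placeholders, and it assumes the signed-in account is allowed to write secrets to the vault.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.KeyVault
# Added example: bootstrap the KeyVault used by the release pipeline.
# All names below are placeholders, not values from the article or its repo.

$ErrorActionPreference = 'Stop'

$ResourceGroup = 'rg-infra-demo'       # placeholder resource group
$Location      = 'australiaeast'       # placeholder region
$VaultName     = 'kv-infra-demo-001'   # placeholder; vault names are globally unique

Connect-AzAccount | Out-Null

# Create the resource group only if it does not exist yet.
if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
}

# Create the vault only if it does not exist yet.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup `
    -ErrorAction SilentlyContinue
if (-not $vault) {
    New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup `
        -Location $Location | Out-Null
}

# Read the SQL admin password as a SecureString so it never appears in the
# console, the command history or a script file.
$sqlPass = Read-Host -Prompt 'SQL admin password' -AsSecureString

# The secret name must match the variable the pipeline references: $(sqlpass).
Set-AzKeyVaultSecret -VaultName $VaultName -Name 'sqlpass' -SecretValue $sqlPass |
    Out-Null

# Confirm what is stored by listing secret metadata only (no values).
Get-AzKeyVaultSecret -VaultName $VaultName | Select-Object Name, Enabled, Updated
```

The script can be re-run safely: existing resources are left in place and `sqlpass` simply gets a new version.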

Now that we have a DevOps project we can create our first Release pipeline. We don't need a Build pipeline as we are not compiling any code. That said, if you are using an external repo which is not available to be used in the Release pipeline, you can use the Build pipeline to create an artifact based on the source files from the repo and make it available to the Release pipeline.

The following pictures display the steps required to create the Release pipeline to build your infrastructure.

First, let's authorize the KeyVault we created earlier to be used in our pipelines.

  1. Click on Library
  2. Click to add a Variable Group
  3. Name the variable group
  4. Enable "Link secrets from an Azure key vault as variables"
  5. Select your subscription
  6. Select the KeyVault
  7. Click on Authorize
  8. Click on Add
  9. Select the available secrets
  10. Click on OK
  11. Click on Save

Now let's create a new Release. Click on Releases and New pipeline.

Click on Empty job.

  1. Name the stage "Production"
  2. Name the pipeline "Infrastructure Deployment"
  3. Click on Add an artifact so we can link our repo
  4. Select GitHub
  5. Choose the source repository
  6. Choose the branch
  7. Choose the version
  8. Add it.

Note that external repos like BitBucket are not available. In this case you have to create a Build pipeline linked to an external repository and then use the artifact created by selecting Build in the picture above.

Now let's create the tasks which will deploy our resources.

  1. Click on the link for jobs and tasks

The first task we will add is a task to retrieve our secrets so that we can query them when building our resources.

  1. Click on the + symbol over the Agent job
  2. Search for key vault
  3. Click on Add twice. We will need to retrieve the secrets twice as we are placing the connection string of the DB in the KeyVault and we will need to fetch it before building the WebApp.
  4. Select your subscription
  5. Select the KeyVault

Configure both tasks the same way.

Now let's add the tasks to build the database and the WebApp.

  1. Click on the + symbol on top of the Agent job
  2. Search for resource
  3. Add 2 Azure Resource Group Deployment tasks
  4. Select the new Azure Resource Group Deployment
  5. Name it Provision DB
  6. Select your subscription
  7. Select a Resource Group or type it if you want a new one provisioned
  8. Select the location
  9. Select the DB template
  10. Select the DB parameter template
  11. Enter -administratorLoginPassword $(sqlpass) in the Override template parameter. Here we are passing the SQL admin password stored in KeyVault as a parameter.

Now let's configure the WebApp.

  1. Select the next Azure Resource Group Deployment task
  2. Name it Provision WebApp
  3. Select your subscription
  4. Select a Resource Group or type it if you want a new one provisioned
  5. Select the location
  6. Select the WebApp template
  7. Select the WebApp parameter template
  8. Enter -connectionString "$(connectionString)" in the Override template parameter. Here we are passing the connection string to the DB stored in KeyVault as a parameter

Note that when you pass variables as parameters you must enclose them in $(), and if the value stored in the variable contains spaces you must also wrap it in double quotes: "$()".

  1. Move one of the KeyVault tasks after the Provision DB
  2. Click on Save. Click OK
  3. Click on Release. Create a Release.
  4. Select the version (usually you leave the default which is the latest commit)
  5. Click on Create

Now you will see a link to the Release job where you can follow the progress and see logs.

  1. Click on it

Once it is finished you will see the screen below. You can click on Logs to investigate any issues or to see real-time output of the tasks.

If you want to enable continuous deployment you can set it to trigger a new build when new code is committed to your repo. As an example you could add a new slot to your WebApp template and once committed the deployment is automatically triggered.

You can also deploy on a schedule.

And you can define pre-deployment approvals. The deployment only starts once one or more approvers give the go ahead.

That's it! As you can see this is a simple example but it can expand as much as you want. If you want to deploy it to a different subscription you can clone the pipeline and just update the subscription references.

See you in Part 2, where we are going to deploy the app to the new infrastructure.
