Follow the procedures in this article to set up an Azure DevOps project, repo, and pipelines for Gridwich. These DevOps procedures and settings use a placeholder Azure DevOps organization called myorganization, a new Azure DevOps project called gridwich-clone, service connection name gridwich-connection, and application name cl1grw. Replace these placeholders with your own values as appropriate.
Perform the following procedures in your Azure DevOps organization.
This process clones the Gridwich Git repo into a new Azure DevOps project and repo.
To clone the Gridwich repo to your computer:
-
In a bash window on your computer, change to the directory where you want the cloned repo, and enter:
git clone https://github.com/mspnp/gridwich.git
-
Enter cd gridwich to change to the cloned Gridwich directory.
To create the project in your Azure DevOps organization:
-
Sign in to your Azure DevOps organization, and at upper right, select New project.
-
In the Create new project window:
- Under Project name, enter gridwich-clone.
- Under Visibility, select Private.
- Select Advanced, then under Version control select Git, and under Work item process select Agile.
- Select Create.
To clone the Gridwich repo into your Azure DevOps project:
-
In the left navigation of your Azure DevOps project, select Repos > Files.
-
On the Add some code screen, select Push an existing repository from command line, and select the copy icon to copy the commands.
-
On your computer, from the location of your cloned Gridwich repo, run the following commands:
git checkout main
git pull
git remote rm origin
-
Then run the commands you just copied from Azure DevOps:
git remote add origin https://myorganization@dev.azure.com/myorganization/gridwich-clone/_git/gridwich-clone
git push -u origin --all
The Gridwich repo is now cloned into your organization's gridwich-clone project repo.
Connect your Azure DevOps project to an Azure subscription.
-
From your Azure DevOps gridwich-clone project, select Project settings at the bottom of the left navigation.
-
In the Project settings left navigation, under Pipelines, select Service connections, and then select Create service connection.
-
In the New service connection window, select Azure Resource Manager, and then select Next.
-
For Authentication method, select Service Principal (automatic), and then select Next.
-
On the next screen:
- Under Scope level, select Subscription.
- Under Subscription, select the Azure subscription you want to use. Don't select a resource group.
- Under Details, enter gridwich-connection as a name for the connection.
- Select Grant access permission to all pipelines.
-
Select Save.
Install the necessary extensions for Azure DevOps to work with Gridwich.
-
From your Azure DevOps gridwich-clone project, select the shopping bag icon at upper right.
-
Select Manage extensions to see which extensions are already installed for your organization.
-
If the following extensions aren't installed, select Browse Marketplace or use the following links to install them.
- Build Quality Checks, mspremier.BuildQualityChecks
- ReportGenerator, Palmmedia.reportgenerator
- Terraform, ms-devlabs.custom-terraform-tasks
Update some of the installed files.
-
In build-test-report-steps-template.yml, comment out GitHub tasks if your repo doesn't use GitHub.
#- task: GitHubComment@0
#  displayName: 'Write alerts as GitHub comment'
#  inputs:
#    gitHubConnection: {<github-connection>}
#    comment: '$(comment)'
-
Update names in several other YAML files:
- In ci-cd-release-stages.yml, update serviceConnection: gridwich-* to serviceConnection: gridwich-connection or your service connection name.
- In terraform-destroy-stages-template.yml, update two instances of serviceConnection: gridwich-* to serviceConnection: gridwich-connection or your service connection name.
- In terraform-init-steps-template.yml, update TerraformBackendStorageAccount: gridwichtfstate to TerraformBackendStorageAccount: <your unique Gridwich storage account name>.
-
In terraform/variables.tf, to avoid name collisions with gridwich, update the default application name from gridwich to cl1grw or your application name.
variable "appname" {
  type        = string
  description = "Application name. Use only lowercase letters and numbers"
  default     = "cl1grw"
}
-
Commit the changes and push the commit to the project repo.
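A check to run before that commit, added here as an example (it is not part of the Gridwich repo): it searches the working tree for the placeholder values that the steps above replace. The function name and the content-based search are assumptions of this example; only the key names and placeholder values come from this article.

```bash
#!/usr/bin/env bash
# Added example, not from the Gridwich repo. Lists placeholder values that the
# edits above should have replaced. Files are found by content, so no directory
# layout is assumed beyond the file names this article mentions.
set -eu

# Prints one finding per line and returns 1 if anything is left to fix.
check_gridwich_placeholders() (   # $1 = repo root, $2 = service connection, $3 = app name
  root="$1"; conn="$2"; app="$3"  # conn is used inside a regular expression
  LC_ALL=C; export LC_ALL         # byte-wise ranges for the [a-z0-9] test below
  [ -d "$root" ] || { echo "not a directory: $root" >&2; exit 2; }

  scan() {                        # $1 = file name pattern, $2 = ERE
    find "$root" -type f -name "$1" -exec grep -nE "$2" /dev/null {} + || true
  }

  findings=$(
    # serviceConnection values that still start with gridwich- but are not $conn
    scan '*.yml' "^[[:space:]-]*serviceConnection:[[:space:]]*['\"]?gridwich-" |
      grep -vE "serviceConnection:[[:space:]]*['\"]?${conn}['\"]?[[:space:]]*(#.*)?\$" || true
    # Terraform state storage account name shipped with the upstream repo
    scan '*.yml' 'TerraformBackendStorageAccount:[[:space:]]*gridwichtfstate'
    # default application name in terraform/variables.tf
    scan 'variables.tf' 'default[[:space:]]*=[[:space:]]*"gridwich"'
    # constraint quoted in the variable description
    case "$app" in
      (''|*[!a-z0-9]*) echo "appname '$app': use only lowercase letters and numbers" ;;
    esac
  )
  [ -z "$findings" ] || { printf '%s\n' "$findings"; exit 1; }
)

# Run as a script: ./check.sh <repo root> <service connection> <app name>
if [ "$#" -eq 3 ]; then check_gridwich_placeholders "$@"; fi
```

Each finding is printed as file:line:text, so the remaining edits can be made directly from the output.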
Add Azure Pipelines variable groups to store secrets and values to pass into the pipelines.
-
In the gridwich-clone project left navigation, select Pipelines > Library, and then select + Variable group.
-
Under Properties, for Name, enter gridwich-cicd-variables.global.
-
Under Variables, select Add, and add the following Name and Value pairs.
applicationName = cl1grw
deploymentEnvironmentType = DEV
inboxCORS = <localhost:9002;extsysqa.something.com;extsysuat.something.com;extsys.something.com>
telestreamCloudApiKey = tcs_000000000000000000000000
- The inboxCORS entry should match the allowed_origins list in terraform/main.tf.
-
After adding all the name/value pairs, select Save.
-
Select + Variable group and add a new variable group named gridwich-cicd-variables.sb.
-
Add variable name eventEndpointExtSys with value https://cl1grw-grw-wa-viewer-sb.azurewebsites.net/api/eventgrid.
-
Select Save.
-
Under Variable groups, select gridwich-cicd-variables.sb.
-
Select Clone, and name the cloned variable group gridwich-cicd-variables.single_env.
-
Select Save.
Add the Azure Pipelines build and deployment pipelines.
This pipeline runs when you make a code pull request from a feature branch to the main branch.
-
In the gridwich-clone project left navigation, select Pipelines and then select Create pipeline.
-
For source, select Azure Repos Git.
-
Select the gridwich-clone repo.
-
Select Existing Azure Pipelines YAML file.
-
Under Path, select /infrastructure/azure-pipelines/functions_pr_main.yml, and then select Continue.
-
Select Run to run the pipeline.
This pipeline creates the sandbox (SB) developer environment.
-
In the gridwich-clone project left navigation, select Pipelines and then select Create pipeline or New pipeline.
-
For source, select Azure Repos Git.
-
Select the gridwich-clone repo.
-
Select Existing Azure Pipelines YAML file.
-
Under Path, select /infrastructure/azure-pipelines/ci_cd_dev_release.yml, and then select Continue.
-
Select Run to run the pipeline.
- For the first run, an admin must run the bash scripts to set up authorization.
Use this pipeline to create a new single cloud developer environment with a custom name.
-
In the gridwich-clone project left navigation, select Pipelines and then select Create pipeline or New pipeline.
-
For source, select Azure Repos Git.
-
Select the gridwich-clone repo.
-
Select Existing Azure Pipelines YAML file.
-
Under Path, select /infrastructure/azure-pipelines/ci_cd_ext_release.yml, and then select Continue.
-
Select Save from the dropdown next to the Run button.
-
Under Pipelines, select the pipeline and then select Edit. In the editor, add the following variables to the pipeline. For each variable, select Let users override this value when running this pipeline.
environment
RUN_FLAG_SUBSCRIPTIONS_FAIL_GRACEFULLY = false
RUN_FLAG_SUBSCRIPTIONS_DISABLED = false
RUN_FLAG_TERRAFORM = true
You can also use Azure CLI to add the variables. Run the following command for each variable respectively, after signing in to the Azure subscription and installing the Pipelines extension:
az pipelines variable create \
  --organization https://dev.azure.com/myorganization \
  --project "gridwich-clone" --pipeline-id <pipeline ID> \
  --name <variable name> --value <default value> --allow-override true
-
Select Run to run the pipeline anytime you want to create a replica of the system.
-
On first run, you must select Permit to approve the pipeline using the FairPlay Secure File you uploaded.
-
For the first run, an admin must run the bash scripts to set up authorization.
-
For more information about how to run this pipeline and set up a new environment, see Create or delete an environment.
Use this pipeline to delete an environment, like one that the ci_cd_ext_release pipeline created.
-
In the gridwich-clone project left navigation, select Pipelines and then select Create pipeline or New pipeline.
-
For source, select Azure Repos Git.
-
Select the gridwich-clone repo.
-
Select Existing Azure Pipelines YAML file.
-
Under Path, select /infrastructure/azure-pipelines/tf_destroy_env.yml, and then select Continue.
-
Select Save from the dropdown next to the Run button.
-
Under Pipelines, select the pipeline and then select Edit. In the editor, add the following variables to the pipeline. For each variable, select Let users override this value when running this pipeline.
environment
RUN_FLAG_SUBSCRIPTIONS_FAIL_GRACEFULLY = false
RUN_FLAG_SUBSCRIPTIONS_DISABLED = false
RUN_FLAG_TERRAFORM = true
serviceConnectionName = gridwich-connection <or your service connection name>
applicationName = cl1grw <or your app name>
You can also use Azure CLI to add the variables. Run the following command for each variable respectively, after signing in to the Azure subscription and installing the Pipelines extension:
az pipelines variable create \
  --organization https://dev.azure.com/myorganization \
  --project "gridwich-clone" --pipeline-id <pipeline ID> \
  --name <variable name> --value <default value> --allow-override true
-
Select Run to run the pipeline anytime you need to destroy an environment.
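Both pipeline procedures above repeat the same az pipelines variable create command once per variable. The following loop is an added example, not part of the Gridwich repo; the function names and the DRY_RUN switch are assumptions, and because the article lists environment without a default value, the caller supplies one.

```bash
#!/usr/bin/env bash
# Added example, not from the Gridwich repo. Creates the pipeline variables
# listed above with one loop instead of one hand-typed command per variable.
set -eu

ORG_URL="${ORG_URL:-https://dev.azure.com/myorganization}"  # placeholder from this article
PROJECT="${PROJECT:-gridwich-clone}"                        # placeholder from this article

# name=value pairs from the article. "environment" has no default there, so
# the caller supplies one (assumption of this example).
gridwich_vars() {   # $1 = ext|destroy, $2 = environment default
  printf '%s\n' "environment=$2" \
    "RUN_FLAG_SUBSCRIPTIONS_FAIL_GRACEFULLY=false" \
    "RUN_FLAG_SUBSCRIPTIONS_DISABLED=false" \
    "RUN_FLAG_TERRAFORM=true"
  if [ "$1" = "destroy" ]; then   # extra variables of tf_destroy_env
    printf '%s\n' "serviceConnectionName=gridwich-connection" "applicationName=cl1grw"
  fi
}

# DRY_RUN=1 (default) prints the commands for review; DRY_RUN=0 runs them.
create_pipeline_vars() (   # $1 = ext|destroy, $2 = pipeline ID, $3 = environment default
  kind="$1"; id="$2"; env_default="$3"
  case "$kind" in (ext|destroy) ;; (*) echo "kind must be ext or destroy" >&2; exit 2 ;; esac
  case "$id" in (''|*[!0-9]*) echo "pipeline ID must be numeric" >&2; exit 2 ;; esac
  gridwich_vars "$kind" "$env_default" | while IFS= read -r pair; do
    set -- az pipelines variable create --organization "$ORG_URL" \
      --project "$PROJECT" --pipeline-id "$id" \
      --name "${pair%%=*}" --value "${pair#*=}" --allow-override true
    # </dev/null keeps az from consuming the remaining name=value lines
    if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@" </dev/null; fi
  done
)

# Run as a script: DRY_RUN=0 ./vars.sh destroy <pipeline ID> <environment>
if [ "$#" -eq 3 ]; then create_pipeline_vars "$@"; fi
```

Review the dry-run output first, then rerun with DRY_RUN=0 after signing in with the Azure CLI.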
Adjust the following suggested settings as you see fit.
-
In your Azure DevOps project under Repos > Branches, select the three dots to the right of the main branch and then select Branch policies.
-
Under Branch Policies:
-
Set Require a minimum number of reviewers to On, then set Minimum number of reviewers to 1.
-
If you're the only one working in this branch, select Allow requestors to approve their own changes.
-
Select When new changes are pushed, and then select Reset all code reviewer votes.
-
Optionally, set Check for linked work items to On.
-
Optionally, set Check for comment resolution to On.
-
Set Limit merge types to On, and select only Squash merge.
-
Select the + to the right of Build Validation.
Add a Build validation build policy with the following settings:
- Build pipeline: functions_pr_main
- Path filter: /src/*
- Display name: PR Policy
-
Select Save.
For non-development environments, the pipeline doesn't autopopulate most secrets on deployment. Instead the pipeline creates the key vault secrets for the environment with placeholder values. For Gridwich to work, a secrets manager must replace these placeholders with actual values in Azure Key Vault. For more information, see Manage and rotate keys.
The pipeline steps deploy the application into Azure, but they don't set up any of the identity principals or their access rights to Azure resources. A user with elevated privileges must follow the instructions in Pipeline-generated admin scripts to complete the setup.
A user with elevated privileges must run the pipeline-generated admin scripts. To grant users elevated privileges:
-
In Microsoft Entra ID, create a named group such as Gridwich Admins, and add the authorized admins to it.
-
In the Azure Subscription, select Access Control (IAM) in the left navigation, select Add role assignments, and then assign the User Access Administrator role for Gridwich Admins.
Local debugging uses user impersonation, and developers sign in with their browsers. To ensure that the application has the correct rights:
-
In Microsoft Entra ID, create a named group such as Gridwich Devs, and add the authorized developers to it.
-
In the Azure Subscription, select Access Control (IAM) in the left navigation, select Add role assignments, and then assign the following roles for Gridwich Devs:
- Reader and Data Access
- Storage Blob Data Contributor