Versions Compared

Old Version 6

changes.mady.by.user John McKeever

Saved on

compared with

New Version Current

changes.mady.by.user John McKeever

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

To automate the required steps in Azure DevOps, you will require…

  • The Azure CLI, which provides a wide range of methods for manipulating the Azure DevOps environment. Refer to Command Line Interface (see Microsoft’s documentation for Installation instructions.)

  • A user with permissions to:

    • Create new Repositories

    • Create and update Environments

    • Create Variable Groups

  • A Personal Access Token with suitable permissions

Create a Personal Access Token (PAT)

  1. Right-click on the signed-in user, then the ellipsis () and User settings

    Image Removed

  2. Select Personal access tokens

    Image Removed

  3. Click on New Token, name the token, select the expiry date and select the scope (your security team will have advice on this, but Full access will minimise the chances of problems), the click on Create.

    Image Removed

  4. Don’t forget to copy the PAT for use in future cURL calls.

    Image Removed

Authentication against an Azure Account

Before performing the required actions, we need to authenticate against the Azure account, using the Access Token.

Code Block
az login -u <USER_EMAIL> -p <PASSWORD>

...

  • An Azure DevOps user and a Personal Access Token that provides the permissions required to create and update…

    • Azure DevOps Projects

    • Agents and Agent Pools

    • Environments

    • Repositories

    • Variable Groups and Variables

    • Pipelines

MettleCI ships with an example repository which includes practical examples of how you can use the Microsoft Azure Command Line Interface to automate the creation of all the environmental assets necessary to establish a working Azure DevOps pipeline using the capabilities of MettleCI. These assets include …

Azure DevOps Asset

Description

Projects

The container for Azure DevOps repositories, boards, and pipelines.

Agents and Agent Pools

Agent pools can be created easily using the Azure DevOps UI. Neither the number of pools you create, or the names you give them, are relevant to your MettleCI-enabled pipelines as jobs are automatically assigned to agents by Azure DevOps based on the demands required by each of your pipelines' steps and the matching capabilities advertised by your agents.

The definition of Agents requires you to install one or more self-hosted Azure agents on a suitably equipped host (see https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/windows-agent?view=azure-devops) and associate the agent(s) with a relevant agent pool.

Environments

The creation of Deployment Environments is not currently supported by the Azure CLI. Environments are created by the supplied pipelines as they are references. i.e., if you try and run a MettleCI deployment to an environment called MyQualityAssurance then environment of that name will be automatically created. Once a deploy environment has been created (either manually using the Azure UI or automatically) you can then configure its 'Approvals and checks' to restrict deployment to that environment as required.

Repositories

You’ll need two repositories: One for your DataStage assets and one for your Compliance rules. We provide commands to create these and import the supplied examples.

Variable Groups

You’ll need a variable group for each DataStage platform you operate. Typically, this will be one Development environment and one Production environment, and perhaps a separate Quality Assurance environment if your organisation structures its platforms like that.

We provide commands to crate the variable groups and populate them with example variables required to execute the sample pipelines. Passwords are configured as ‘secret’ variables. If you wish these values to reside in an Azure Key Store you’ll need to modify the supplied example commands to achieve that.

Pipelines

We provide four example pipelines:

  • devops-ci.yml - A DevOps continuous integration pipeline intended to be triggered by the commit of a DataStage asset to your repository. This pipeline demonstrates the invocation of Compliance and Unit Testing functions and the deployment of code to downstream environments.

  • hotfix-ci.yml - A pipeline which performs CI testing (Compliance and Unit Test operations) on a hotfix-specific branch of your code.

  • hotfix-deploy.yml - A pipeline which deploys your current DataStage software configuration from a hotfix-specific code branch directly into your production environment.

  • upgrade-ci.yml - A special case pipeline used to CI test commits from one environment and promote them into an environment running a different version of DataStage, converting artifacts as required in the process. This is commonly employed to provide a pipeline between DataStage v11.5 and v11.7 environments during an upgrade initiative.

Creating an Approvers Group (optional)

The purpose of this group is to approve promotion of code into an official environment, e.g., eg: Test, QA, Pre-Production, Production. MettleCI CI projects are internal (or “unofficial”) and requiring approval for those would be counter-productivecounterproductive.

If required, create an appropriate approvers group from the Azure DevOps management console.

In order to use this group to automatically create an approval against an environment, we need information about the group we plan to use.

Code Block
$> az devops security group list --org <ORGANISATION_URL> --scope organization --query "graphGroups[?displayName=='<GROUP_NAME>'] | [0]"
{
  ...
  "originId": "<GROUP_ORIGIN_ID>",
  "principalName": "<GROUP_PRINCIPAL_NAME>",
  ...
}

Record these values for use later, where we refer to them as <GROUP_ORIGIN_ID> and <GROUP_PRINCIPAL_NAME>.

...

To create a source code repository within Azure associated with the Project:

Code Block
$> az repos create \
  --name <REPO_NAME> \
  --org <ORGANISATION_URL> \
  --project <PROJECT_NAME>

Create Variable Group

Variable groups are used by the pipeline code to organise variables, and are created per DataStage instance (although it includes agent variables as well).

Create the variable group, recording the id (referred to later as <GROUP_ID>). Regular variables (not the secret value variables we use for passwords) can be added at this time (<VARIABLES> is entered as variable=value, each pair separated by a space)

Code Block
$> az pipelines variable-group create \
  --name <VRAIABLE_GROUP_NAME> \
  --variables <VARIABLES> \
  --authorize true \
  --description <GROUP_DESCRIPTION> \
  --organization <ORGANISATION_URL> \
  --project <PROJECT_NAME>

Add secret value variables to the group individually for MCIPASSWORD and IISPASSWORD

Code Block
$> az pipelines variable-group variable create \
  --org <ORGANISATION_URL> \
  --project <PROJECT_NAME> \
  --group-id <GROUP_ID> \
  --name <VARIABLE_NAME> \
  --secret true \
  --value <VARIABLE_VALUE>

Info

...

We have observed instances in Azure DevOps where the secret value variable is created but the value is not assigned. In this case you will need to update the value manually in the Azure DevOps administration console.

Create Environment

Creating an Environment is currently not supported by the Azure CLI, but can be achieved using the REST API. All environments need to be created: MettleCI CI environments, and ‘official’ environments, i.e. Test, QA, Production, etc.

  1. Encode the previously-created PAT as Base64. Note that the colon : inside the single quotes, before the PAT, is critical.

    Code Block
    $> echo -n ':<PERSONAL_ACCESS_TOKEN>' | base64

  2. Add the encoded value as part of the authorisation in the cURL header.

    Code Block
    $> curl POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Basic <ENCODED_COLON_THEN_PAT>' \
'https://dev.azure.com/<ORGANISATION_NAME>/<PROJECT_NAME>/_apis/distributedtask/environments?api-version=5.0-preview.1' \
-d '{"description":"<ENVIRONMENT_DESCRIPTION>","name":"<ENVIRONMENT_NAME"}'

    Record the id field from the result. This is used below as <ENVIRONMENT_ID>.

  3. If the environment requires approval, use <ENVIRONMENT_NAME>, <ENVIRONMENT_ID>, <GROUP_ORIGIN_ID> and <GROUP_PRINCIPAL_NAME> to fill out the information required for the body of the request.

    Code Block
    $> curl POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Basic <ENCODED_COLON_THEN_PAT>' \
'https://dev.azure.com/<ORGANISATION_NAME>/<PROJECT_NAME>/_apis/pipelines/checks/configurations?api-version=7.1-preview.1' \
-d '{"type":{"id":"8C6F20A7-A545-4486-9777-F762FAFE0D4D","name":"Approval"},"settings":{"approvers":[{"displayName":"<GROUP_PRINCIPAL_NAME>","id":"<GROUP_ORIGIN_ID>"}],"executionOrder":1,"blockedApprovers":[],"minRequiredApprovers":0,"requesterCannotBeApprover":false},"resource":{"type":"environment","id":"<ENVIRONMENT_ID>","name":"<ENVIRONMENT_NAME"}}'

Info

Note: In the creation of an Approval for an Environment, the type section ({"id":"8C6F20A7-A545-4486-9777-F762FAFE0D4D","name":"Approval"}) contains a hard-coded id value. This is not neither project or - nor pipeline-specific, rather it but is the internal id of the “Approval” class in Azure DevOps, and does not need to be changedshould be used verbatim as described here.