Approval in Azure DevOps YAML pipeline without virtual machine - azure-devops

Let's say I have a YAML pipeline, releasing to dev and prod, and I want to set an approval before releasing to production.
Currently, this can be done via Environments approvals (MS Docs - Define approvals and checks).
However, this seems to work only for virtual machines.
How can I set an approval when releasing to Azure PaaS components, e.g. Azure function or Azure App Service?

To achieve this, go to the service connection that is used to connect to the cloud env, and set the approval there.
Project settings -> service connections -> select your connection (prod) -> click the three dots -> approvals and checks.

In your pipeline you need to define a deployment job, specifying an Environment which is configured to require an Approval.
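A pipeline matching the second answer, as an added example that is not from the original posts: deployment jobs that target environments with no VM or Kubernetes resources attached. The environment names `dev` and `prod`, the service connections `sc-dev` and `sc-prod`, the app names and the artifact name `drop` are assumptions; the approval is configured in the web UI on the `prod` environment (or, per the first answer, on the prod service connection), not in YAML.

```yaml
trigger:
- main

pool:
  vmImage: ubuntu-latest

stages:
- stage: Build
  jobs:
  - job: Package
    steps:
    - task: ArchiveFiles@2
      inputs:
        rootFolderOrFile: '$(Build.SourcesDirectory)'
        includeRootFolder: false
        archiveFile: '$(Build.ArtifactStagingDirectory)/app.zip'
    - publish: '$(Build.ArtifactStagingDirectory)/app.zip'
      artifact: drop

- stage: Dev
  dependsOn: Build
  jobs:
  - deployment: DeployDev
    environment: dev            # no checks configured: runs straight through
    strategy:
      runOnce:
        deploy:
          steps:
          # Deployment jobs download the run's artifacts automatically.
          - task: AzureFunctionApp@1
            inputs:
              azureSubscription: sc-dev
              appType: functionApp
              appName: func-example-dev
              package: '$(Pipeline.Workspace)/drop/app.zip'

- stage: Prod
  dependsOn: Dev
  jobs:
  - deployment: DeployProd
    # Environment with an Approval check and no resources attached.
    # Checks are evaluated before the stage starts, so nothing in this
    # stage runs until an approver signs off.
    environment: prod
    strategy:
      runOnce:
        deploy:
          steps:
          - task: AzureFunctionApp@1
            inputs:
              azureSubscription: sc-prod   # separate connection from dev
              appType: functionApp
              appName: func-example-prod
              package: '$(Pipeline.Workspace)/drop/app.zip'
```

Using a separate service connection for production means a check placed on `sc-prod` also gates any other pipeline that tries to use it.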

Related

az functionapp deployment slot

I have a resource group containing multiple function apps as follows:
These function apps only have one production slot:
I would like to add a staging slot on all these function apps so that during deployment (via Azure DevOps), it gets deployed to the staging slot first. How do I do that via PowerShell commands/ARM templates? Also, what updates need to be done in order to test in staging environment before deploying to production slot?
I'm not sure about Azure DevOps! Normally, I would do these changes when publishing to and testing in the Staging Slot in Azure Function App or App Service.
Please check if the workaround below helps:
In the Portal of Azure Function App - Deployment Slots, Add a Slot:
My Function App is in consumption plan, so it has limit of 2 Deployment Slots. Refer Function App Limits for more information.
From Visual Studio, I can choose the deployment slot where I need to publish the Function App like below:
Also, what updates need to be done in order to test in staging environment before deploying to production slot?
Suppose that when publishing and testing the application in the staging slot, I need to see all the request-response logs, traces and metrics. Then I would select a few configuration settings as deployment slot settings to capture staging logs, like:
Check the App Insights Instrumentation Key deployment slot setting to get the Application Insights Logs/Traces from the staging slot:
Note: Azure Functions deployment Slots
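The same slot workflow scripted in a pipeline, as an added example that is not from the original posts and goes beyond the portal steps in the answer: create a `staging` slot on every function app in a resource group, mark the Application Insights key as a slot setting, deploy to staging, then swap. The names `rg-example`, `func-example`, `sc-prod` and the secret variable `stagingAppInsightsKey` are assumptions.

```yaml
pool:
  vmImage: ubuntu-latest

variables:
  resourceGroup: rg-example      # assumed resource group name
  functionApp: func-example      # assumed function app name

steps:
# Create a 'staging' slot on every function app in the resource group.
- task: AzureCLI@2
  displayName: Create staging slots
  inputs:
    azureSubscription: sc-prod   # assumed service connection
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      set -euo pipefail
      for app in $(az functionapp list -g "$RG" --query "[].name" -o tsv); do
        az functionapp deployment slot create -g "$RG" -n "$app" --slot staging
        # Slot setting: stays with the staging slot on swap, so staging
        # telemetry goes to its own Application Insights resource.
        az functionapp config appsettings set -g "$RG" -n "$app" --slot staging \
          --slot-settings "APPINSIGHTS_INSTRUMENTATIONKEY=$STAGING_AI_KEY" \
          --output none          # do not print app settings to the log
      done
  env:
    RG: $(resourceGroup)
    STAGING_AI_KEY: $(stagingAppInsightsKey)   # assumed secret variable

# Deploy the package (assumed to be built earlier in this job) to staging.
- task: AzureFunctionApp@1
  inputs:
    azureSubscription: sc-prod
    appType: functionApp
    appName: $(functionApp)
    deployToSlotOrASE: true
    resourceGroupName: $(resourceGroup)
    slotName: staging
    package: '$(System.DefaultWorkingDirectory)/**/*.zip'

# Run smoke tests against the staging slot here, then promote it.
- task: AzureAppServiceManage@0
  inputs:
    azureSubscription: sc-prod
    Action: 'Swap Slots'
    WebAppName: $(functionApp)
    ResourceGroupName: $(resourceGroup)
    SourceSlot: staging          # swaps with production by default
```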

AzDO Pipeline waiting for permission to agent pool

We're using yaml pipelines with environment agents installed on local infrastructure. Each Environment is backed by a Deployment Pool which is implicitly created by AzDO. The pools reside at the org level.
Every time someone adds an environment to a pipeline it requires the project collection admin to authorize the pipeline. The devs cannot authorize the pipeline because they don't have permission at the org level. Image below shows prompt received.
Is there any way to simplify this so the PCA is not required to authorize every on-prem pipeline?
No, we do not have any method to skip the permit from the PCA when a pipeline is trying to target an environment for the first time.
In the Organization Settings and Project Settings, we also do not have any built-in options to permit all new environments on all pipelines by default.
This is aiming to prevent the environments from being abused.

Command into the VM that runs an Azure DevOps pipeline

I'm new to Azure DevOps pipelines, and currently nothing works.
I am using Azure DevOps Service with the hosted agent from Azure. Can I somehow keep the VM that runs the Azure DevOps pipeline running? I want to test my azure-pipelines.yml file in a faster way by accessing this VM via a terminal.
You cannot access Microsoft-hosted agents via terminal. They are assigned for your build, and afterwards they go back to the pool to be used by someone else.
If you want to access agents, you must have your own. You can create them on your own Azure VMs, for instance.
He is right, hosted agents are just containers which are disposed of when the pipeline is done. If you want to debug, like checking files or what's not working, you need to have a self-hosted agent. It can be on your own computer for debugging, and you use the hosted one during normal processing.

Running maintenance on self-hosted Azure DevOps agents

I have several self-hosted Azure DevOps agents (each installed on a dedicated on-prem server) and I need to perform reoccurring maintenance on them (i.e. patching, etc.). Is there a good way to define those maintenance windows within Azure DevOps so that server admins could do their job without worrying about interrupting any ongoing build/release task?
There seems to be a setting related to configuring reoccurring maintenance (Organization Settings -> Agent Pools -> <Pool Name> -> Settings [tab]) but it seems as if it would apply to the whole pool and it's hard to tell which of the agents will be considered offline at which time slot.
Unfortunately I couldn't find any documentation about it and not sure if there's something that Azure DevOps would also be doing on the agent machines (i.e. running cleanup, updating agents and so on)
Currently, the process involves a person with admin permissions in Azure DevOps disabling an agent, allowing a server admin to perform regular maintenance, and re-enabling it when the server admin is done. It would be great if a server admin did not have to involve an Azure DevOps Admin every time for such routines.
Since you have your own Azure Pipelines agents, the maintenance should be easier and you will have total control over whether to have automatic maintenance or not. If you use Microsoft's hosted agents, you could not update the hosted agents from Microsoft because these agents are maintained by Microsoft exclusively.
The best way to do this is to have more than one agent on one machine instance and then organize the agents in one pool. If you have multiple pools, then you can configure Azure DevOps to have a different maintenance window schedule on each pool, at a different time, and give the agents some time to download and configure themselves.
For example, I usually configure the maintenance window on weekend days, such as Sunday early morning, once a month on a certain date. And for any pools I have, I give them intervals of 40 minutes between each pool's maintenance, to give enough time for the agent to download, update and restart itself.
Please consult this documentation for a detailed explanation and use cases:
For Azure DevOps Server:
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops-2019
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops-2019
For Azure DevOps Service (on cloud TFS, formerly Visual Studio Team Services):
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops

How secure is the Azure Pipelines Agent

How secure are the Azure Pipelines hosted Agents and can they be used for more sensitive tasks like code signing?
Consider using container jobs to run your builds. This ensures that everything is done within a disposable container and removed once your task is over. You can inject secrets via Azure KeyVault.
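A container job that pulls one signing secret from Key Vault, as an added example that is not from the original answer. The service connection `sc-signing`, the vault `kv-example-signing`, the secret name `SigningCertPassword` and the script `./build/sign.sh` are assumptions.

```yaml
jobs:
- job: Sign
  pool:
    vmImage: ubuntu-latest
  # Every step of this job runs inside this container, which is
  # discarded when the job ends. In practice, pin the image by digest.
  container: ubuntu:22.04
  steps:
  - task: AzureKeyVault@2
    displayName: Fetch signing secret
    inputs:
      azureSubscription: sc-signing        # assumed service connection
      KeyVaultName: kv-example-signing     # assumed vault name
      SecretsFilter: 'SigningCertPassword' # fetch only what is needed, not '*'
      RunAsPreJob: false

  - script: ./build/sign.sh                # hypothetical signing script
    displayName: Sign artifacts
    env:
      # Secret variables are not exposed to scripts unless mapped
      # explicitly, so only this step can read the value.
      SIGNING_CERT_PASSWORD: $(SigningCertPassword)
```

Scoping the vault's access policy so that `sc-signing` can read only this one secret, and putting an approval check on that service connection, limits which pipelines can reach the signing material.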