Programmatically configure Azure DevOps project settings - azure-devops

I'm looking for a way to automate/script Azure DevOps project creation. I know that I can use VSTeam PowerShell module to create a project, but it does not provide a way to programmatically set project settings (the ones on the screenshot below). Is there a way to do that with PowerShell or AZ CLI? In particular I'm looking for a way to control/change these two settings:
Limit job authorization scope to current project for non-release pipelines
Limit job authorization scope to referenced Azure DevOps repositories

You can try to use the REST API:
How to use PowerShell with the REST API: Modify Azure Devops Test Case Parameters Through REST API
REST API methods: General Settings - Get; General Settings - Update

To create a project you will need to send a POST to https://dev.azure.com/<devopsOrgName>/_apis/projects?api-version=5.0-preview.3
with a body like the one below. To get the "template type" value used in the body, you will need to send a GET to https://dev.azure.com/<devopsOrgName>/_apis/process/processes?api-version=5.0-preview.1
```json
{
  "description": "Tailspin Toys",
  "name": "Tailspin_TOYS",
  "capabilities": {
    "versioncontrol": {
      "sourceControlType": "Git"
    },
    "processTemplate": {
      "templateTypeId": "24268e03-7eed-4ac0-a178-700881565b99"
    }
  }
}
```
To change specific settings that you can't find in the documentation, I would suggest using the developer tools in your browser (F12). Watch the Network tab and you should see the requests going out when you change your setting.
In this instance, I can see the request below when I change these settings:
URL: https://dev.azure.com/<devopsOrgName>/_apis/Contribution/HierarchyQuery
Type: POST
Body:
```json
{
  "contributionIds": ["ms.vss-build-web.pipelines-general-settings-data-provider"],
  "dataProviderContext": {
    "properties": {
      "enforceJobAuthScopeForReleases": "false",
      "sourcePage": {
        "url": "https://dev.azure.com/<devopsOrgName>/<projectName>/_settings/settings",
        "routeId": "ms.vss-admin-web.project-admin-hub-route",
        "routeValues": {
          "project": "<projectName>",
          "adminPivot": "settings",
          "controller": "ContributedPage",
          "action": "Execute",
          "serviceHost": "495d404e-cdeb-496a-8496-fccf9df3d9fa (<devopsOrgName>)"
        }
      }
    }
  }
}
```
Azure DevOps REST isn't the most documented, but when used with your browser's developer tools, I haven't found something I couldn't set.
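The documented route for the two toggles in the question is the Build General Settings endpoint that the first answer points at (General Settings - Get / Update). The following PowerShell script is an added example, not code from either answer: it reads the project's current settings, turns both job-authorization-scope limits on, and verifies the write. It assumes a PAT whose account may administer the project's pipeline settings, and the api-version value is an assumption; the property names `enforceJobAuthScope` and `enforceReferencedRepoScopedToken` are the ones the endpoint exposes for these two settings.

```powershell
# Added example (not from the original answers). Tightens the job access token for a project
# through the Build General Settings REST API:
#   GET/PATCH https://dev.azure.com/{org}/{project}/_apis/build/generalsettings
# Assumptions: PAT with rights to administer pipeline settings; api-version is an assumption.
param(
    [Parameter(Mandatory)] [string] $Organization,
    [Parameter(Mandatory)] [string] $Project,
    [Parameter(Mandatory)] [string] $Pat
)

$apiVersion = '7.1-preview.1'
$uri = "https://dev.azure.com/$Organization/$Project/_apis/build/generalsettings?api-version=$apiVersion"

# A PAT is sent as HTTP Basic auth with an empty user name.
$token   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
$headers = @{ Authorization = "Basic $token" }

# Read the current state first so the change can be logged and diffed.
$before = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
"Before: enforceJobAuthScope=$($before.enforceJobAuthScope) " +
"enforceReferencedRepoScopedToken=$($before.enforceReferencedRepoScopedToken)"

# The two toggles from the question; both narrow what the pipeline's job access token can reach:
#   enforceJobAuthScope              -> "Limit job authorization scope to current project for non-release pipelines"
#   enforceReferencedRepoScopedToken -> "Limit job authorization scope to referenced Azure DevOps repositories"
$body = @{
    enforceJobAuthScope              = $true
    enforceReferencedRepoScopedToken = $true
} | ConvertTo-Json

$after = Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers `
            -Body $body -ContentType 'application/json'

# Verify the write took effect; throw so a pipeline running this script fails visibly.
if (-not ($after.enforceJobAuthScope -and $after.enforceReferencedRepoScopedToken)) {
    throw "Job authorization scope settings were not applied for project '$Project'"
}
"After:  enforceJobAuthScope=$($after.enforceJobAuthScope) " +
"enforceReferencedRepoScopedToken=$($after.enforceReferencedRepoScopedToken)"
```

The PATCH is idempotent, so the script can run on every project as part of a baseline job. If the same settings are switched on at the organization level, the project-level values are locked to that and the read-back will already show them as true.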

Related

How to get "Required reviewers" using RestAPI from specific branch on Azure DevOps Services?

Getting the branch policy from Azure DevOps Services returns only the policy type but not the "Required reviewers" - I am looking for the reviewer name or team name.
I could not find a call to extract the "Required reviewers" from the selected policy/branch.
I looked for a policy extraction method but could not find one.
For the REST API, check out the Policy Configurations. The Configuration object in the example on the page shows a settings.requiredReviewerIds property with what seems to be an array of Azure AD Object IDs for the required reviewers.
As an alternative to REST, az cli also has the az repos policy required reviewer command documented here to manage reviewers in branch policies.
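An added PowerShell example, not code from the answer above, that turns the answer's pointer into an audit: it lists every "Required reviewers" branch policy in a project, the branch scope it applies to, and the reviewers by display name. It assumes a PAT with read access to the project's code and policies, that the values in `settings.requiredReviewerIds` are Azure DevOps identity IDs that the Identities API can resolve, and the api-version strings are assumptions.

```powershell
# Added example (not from the original answer). Audits "Required reviewers" branch policies.
# Assumptions: PAT with Code (read); Policy Configurations API on dev.azure.com and the
# Identities API on vssps.dev.azure.com; api-version values are assumptions.
param(
    [Parameter(Mandatory)] [string] $Organization,
    [Parameter(Mandatory)] [string] $Project,
    [Parameter(Mandatory)] [string] $Pat
)

$token   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
$headers = @{ Authorization = "Basic $token" }

# 1. Every branch policy configuration in the project.
$policiesUri = "https://dev.azure.com/$Organization/$Project/_apis/policy/configurations?api-version=7.1-preview.1"
$policies = (Invoke-RestMethod -Method Get -Uri $policiesUri -Headers $headers).value

# 2. Keep the "Required reviewers" policy type; settings.requiredReviewerIds carries the reviewer IDs.
$required = $policies | Where-Object { $_.type.displayName -eq 'Required reviewers' }

foreach ($p in $required) {
    $ids = @($p.settings.requiredReviewerIds)
    if ($ids.Count -eq 0) { continue }

    # 3. Resolve the IDs (users or teams) to display names; one call per policy.
    $idsUri = "https://vssps.dev.azure.com/$Organization/_apis/identities?identityIds=$($ids -join ',')&api-version=7.1-preview.1"
    $names  = (Invoke-RestMethod -Method Get -Uri $idsUri -Headers $headers).value |
                  ForEach-Object { $_.providerDisplayName }

    # 4. One row per branch scope the policy protects. A disabled or non-blocking policy
    #    does not actually gate merges, so both flags are reported next to the reviewers.
    foreach ($scope in $p.settings.scope) {
        [pscustomobject]@{
            RepositoryId = $scope.repositoryId
            Branch       = $scope.refName
            MatchKind    = $scope.matchKind
            Enabled      = $p.isEnabled
            Blocking     = $p.isBlocking
            Reviewers    = ($names -join '; ')
        }
    }
}
```

Pipe the output to `Export-Csv` to keep a periodic record of who is a mandatory approver on protected branches; rows where `Enabled` or `Blocking` is false are the ones to follow up on, because the reviewer list is then advisory only.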

Adding custom parameter to ADF ARM template

I have an ADF pipeline. The task is to productionize the pipeline. I am using azure devops CI/CD (classic). I am following this documentation
https://learn.microsoft.com/en-us/azure/data-factory/continuous-integration-delivery-resource-manager-custom-parameters
I have to move the pipeline to test and prod. Therefore, there are many parameters that are parametrized, but a few parameters like the SQL user_name and secret_name are not parametrized.
I want to edit the ARM template and add a custom parameter so that I do not have to edit template.json and parameter-template.json and push them again to the repo. The edit option in ADF allows creating custom params and therefore generating these in the ARM templates when exported.
I have the parameter in the template.
The parameter secretName doesn't appear in the ARM template in the CD flow.
Which mode are you using to configure the parameters?
ARM parameter configuration is only enabled in "GIT mode". Currently it is disabled in "live mode" or "Data Factory" mode.
So, as per above official statement from Microsoft, you should be using Git repository.
Also, take note - Creating a custom Resource Manager parameter configuration creates a file named arm-template-parameters-definition.json in the root folder of your git branch. You must use that exact file name.
There are multiple other ways you can try to pass secrets in an ARM template. Refer to this article from devkimchi.com.
After a lot of tries and understanding the credential structure that ADF follows for different linked services, we have found that to parametrize a custom nested argument, we have to specify the argument in nested form. The parameter configuration needs to be edited like this:
For example, the secret name for the SQL linked service (using password – connected to Azure Key Vault) needs to be like this:
```json
"password": {
  "secretName": "="
}
```
But for the secret type (from Azure Key Vault) for the storage linked service, it has to be like this:
```json
"servicePrincipalCredential": {
  "secretName": "="
}
```
And then these args can be passed directly from azure keyvault if variable groups are connected to keyvault. This solves the problem we were facing.
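The two fragments in the answer above are leaves of a larger tree; the file is matched against each linked service's JSON from the resource type down. The following arm-template-parameters-definition.json is an added example, not the answer's own file, showing where both entries sit. It assumes the wildcard `"*"` selector (any linked-service type) and the `password` / `servicePrincipalCredential` property names the answer uses; with `"="` the exported template gets one parameter per linked service carrying the current secret name as its default, so only the name of the Key Vault secret travels through the release, never the secret value.

```json
{
  "Microsoft.DataFactory/factories/linkedServices": {
    "*": {
      "properties": {
        "typeProperties": {
          "password": {
            "secretName": "="
          },
          "servicePrincipalCredential": {
            "secretName": "="
          }
        }
      }
    }
  }
}
```

Linked services that have neither property are simply not matched, so the same file can stay in the root of the git branch for the whole factory. The generated parameter names then appear in ARMTemplateParametersForFactory.json, where the release pipeline overrides them per environment.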

CI/CD ADF Synapse - Modify URL in Key Vault Linked service

We use Synapse git integration to deploy artifacts such as linked services generated by a data warehouse automation tool (JSON files).
It is different from deploying an ARM template in ADF.
We created one Azure Key Vault (AKV) per environment, so we have an Azure Key Vault linked service in each environment and the linked services have the same name. But each AKV has its own URL, so we need to change the URL in the deployed linked services during the CI/CD process.
I read this: https://learn.microsoft.com/en-us/azure/synapse-analytics/cicd/continuous-integration-deployment#use-custom-parameters-of-the-workspace-template
I think I need to create a template to change "Microsoft.Synapse/workspaces/linkedServices".
But I didn't find any example of how to modify the KV URL parameters.
Here is the linked service I want to modify; https://myKeyVaultDev.vault.azure.net has to be changed when deploying:
```json
{
  "name": "myKeyVault",
  "properties": {
    "type": "AzureKeyVault",
    "typeProperties": {
      "baseUrl": "https://myKeyVaultDev.vault.azure.net"
    }
  }
}
```
I'm not very familiar with CI/CD and Azure DevOps yet, but I still need to do it...
I have done this using Azure DevOps. When you create the release pipeline within Azure DevOps, one of the options is to "override parameters". At this point you can specify the name of the Key Vault and the corresponding value. The corresponding value is configured in a pipeline variable set - which itself can come from the same Key Vault.
You don't need to create the template. Synapse already does that and stores it in the publish branch (“workspace_publish”). If you look in that branch you will see the template along with the available parameters that you can override.
More info is available here:
https://www.drware.com/how-to-use-ci-cd-integration-to-automate-the-deploy-of-a-synapse-workspace-to-multiple-environments/
https://techcommunity.microsoft.com/t5/data-architecture-blog/ci-cd-in-azure-synapse-analytics-part-1/ba-p/1964172
From the Azure Key Vault side of things, I believe you're right - you have to change the Linked Services section within the template to point to the correct Key Vault base URL.
Azure Key Vault linked service
I don't know if you are still looking for the solution.
In order to parametrize a linked service property, and especially an AKV reference, I think you should modify template-parameters-definition.json and add the following section:
```json
"Microsoft.Synapse/workspaces/linkedServices": {
  "*": {
    "properties": {
      "typeProperties": {
        "baseUrl": "|:-connectionString:secureString"
      }
    }
  }
}
```
This will create a parameter for each linked service. The next step is to use overrideParameters on the SynapseWorkspaceDeployment task in Azure DevOps.

GitHub API permission name for self-hosted GitHub Actions runners?

At the end of the day, I'm trying to implement the solution linked from here: Reuse Github Actions self hosted runner on multiple repositories. But the tutorials walk you through setting up a GitHub app in the UI, and I'm trying to do it via the API.
Context:
Creating a new "GitHub App" (not "OAuth App") in GitHub Enterprise v3.0 (soon migrating to v3.1).
Trying to do it entirely over the API and explicitly NOT the UI, by creating an "app manifest" (https://docs.github.com/en/enterprise-server@3.0/developers/apps/building-github-apps/creating-a-github-app-from-a-manifest).
Everything I've read about permissions on docs.github.com ends up pointing over to https://docs.github.com/en/enterprise-server@3.0/rest/reference/permissions-required-for-github-apps, which does not include the specific values that can be used with the API.
On a GHE instance, there is a large list of permissions available at a URL with this pattern:
https://{HOSTNAME}/organizations/{ORG}/settings/apps/{APP}/permissions
The specific permission I'm trying to set says:
Self-hosted runners
View and manage Actions self-hosted runners available to an organization.
Access: Read & write
In the documentation (https://docs.github.com/en/enterprise-server@3.0/developers/apps/building-github-apps/creating-a-github-app-from-a-manifest#github-app-manifest-parameters) there is a parameter called default_permissions.
What is the identifier (key) to use for this permission, where the value is write?
I've tried:
the documented Self-hosted runners
the guess self-hosted runners
the guess self-hosted_runners
the guess self_hosted_runners
the guess selfhosted_runners
the guess runners
…but ultimately, the actual values which can be used here are (as far as I can tell after several hours of digging and guessing) undocumented.
actions:read and checks:read appear to work. Those are also undocumented, but I was able to figure it out by looking at the URLs, making an educated guess, and testing.
All of the tutorials I can find on the internet, including those on docs.github.com, all walk you through creating a new GitHub app via the UI. I am very explicitly trying to do this over the API.
Any tips? Have I missed something? Is this not available in GHE yet?
Here is my app manifest, redacted.
```json
{
  "public": true,
  "name": "My app",
  "description": "My app's description.",
  "url": "https://github.example.com/my-org/my-repo",
  "redirect_url": "http://localhost:9876/register/redirect",
  "default_events": [],
  "default_permissions": {
    "actions": "read",
    "checks": "read",
    "runners": "write"
  },
  "hook_attributes": {
    "url": "",
    "active": false
  }
}
```
WITH the "runners": "write" line, the error message I receive says:
Invalid GitHub App configuration
The configuration does not appear to be a valid GitHub App manifest.
× Error Default permission records resource is not included in the list
WITHOUT the "runners": "write" line, the submission is successful.
The GitHub team finally updated the documentation. The permission I was looking for was organization_self_hosted_runners.
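The manifest flow has two halves: the manifest is posted as a form field from a signed-in browser session, and GitHub then redirects to `redirect_url` with a temporary code that the REST endpoint `POST /app-manifests/{code}/conversions` exchanges for the app's ID, private key and secrets. The PowerShell below is an added example, not the asker's code: it builds a manifest that grants only the `organization_self_hosted_runners` permission the answer names, prints the submit URL, and performs the conversion step over the API. The host name, org, app name and output path are placeholders, and the GHE API base `https://{host}/api/v3` is an assumption; the redirect URL is the one from the question.

```powershell
# Added example (not from the original question or answer). Builds a least-privilege GitHub App
# manifest for runner management and converts the temporary code into app credentials.
# Assumptions: GHE API base https://{host}/api/v3; host, org and paths are placeholders.
param(
    [Parameter(Mandatory)] [string] $GheHost,   # placeholder, e.g. github.example.com
    [Parameter(Mandatory)] [string] $Org,
    [string] $OutDir = '.'
)

# 1. The manifest. Only the permission needed to register org runners is requested;
#    "public = false" keeps other owners from installing the app.
$manifest = @{
    public              = $false
    name                = 'runner-registrar'            # placeholder app name
    url                 = "https://$GheHost/$Org"
    redirect_url        = 'http://localhost:9876/register/redirect'   # from the question
    default_events      = @()
    default_permissions = @{
        organization_self_hosted_runners = 'write'      # key named in the accepted answer
    }
    hook_attributes     = @{ url = ''; active = $false }
} | ConvertTo-Json -Depth 5

# The manifest is submitted from a signed-in browser as the form field "manifest":
#   POST https://<host>/organizations/<org>/settings/apps/new
# After confirmation GitHub redirects the browser to redirect_url?code=<temporary code>.
$submitUrl = "https://$GheHost/organizations/$Org/settings/apps/new"
"Submit the JSON below as the 'manifest' form field at $submitUrl"
$manifest

# 2. Exchange the code for the app record. The code is single-use and short-lived; the call itself
#    needs no other credential.
$code = Read-Host -Prompt 'Paste the code from the redirect URL'
$app  = Invoke-RestMethod -Method Post `
            -Uri "https://$GheHost/api/v3/app-manifests/$code/conversions" `
            -Headers @{ Accept = 'application/vnd.github.v3+json' }

# 3. Store the private key with owner-only permissions; it signs the app's JWTs and must never
#    be committed or logged. client_secret is deliberately not echoed.
$pemPath = Join-Path $OutDir "$($app.slug).private-key.pem"
Set-Content -Path $pemPath -Value $app.pem -NoNewline
if ($IsLinux -or $IsMacOS) { chmod 600 $pemPath }

[pscustomobject]@{
    AppId         = $app.id
    Slug          = $app.slug
    ClientId      = $app.client_id
    WebhookSecret = $app.webhook_secret
    PrivateKey    = $pemPath
}
```

If the conversion call returns 404, the code has already been used or has expired and the manifest must be submitted again; keep `hook_attributes.active` false until a webhook endpoint exists, so an unused webhook secret is not left configured.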

Pipeline Level Access Control for Service Connection in Azure DevOps - Classic Editor Pipelines

I have an SSH service connection created in Azure DevOps. My account has the 'New service connections experience' preview feature enabled and is able to see the new security features for service connections. It appears that we can enable security so that certain YAML pipeline(s) are able to use a service connection. However, I do not see a similar feature for Classic Editor pipelines. Can I get some suggestions on how I can achieve something similar for the Classic Editor?
Example: the details below are under the same ADO organization and project with the same level of user (user/admin/reader) access.
Service Connection name : test-ssh-connection
Classic Editor Pipelines Created:
1) pipeline1 - this can use service connection
2) pipeline2 - we want to restrict service connection so that this pipeline is not able to use service connection.
It appears that we can enable security so that certain YAML pipeline(s) are able to use service connection. However, I do not see similar feature for Classic Editor pipeline. Can I get some suggestions on how I can achieve something similar for Classic Editor?
Sorry, but as far as I know a similar experience for Classic pipelines is not supported for now. Just as the document states, pipeline permissions are only for YAML pipelines, while user permissions are for Classic pipelines.
For Classic pipelines, if the account someone uses to sign in to the web portal doesn't have the user permission, then the pipeline created by them can't access the service connection:
Though what you want is not supported, I agree with you that it would be better if the pipeline permissions feature can support Classic pipelines. So my suggestion is to add your request for this feature on our UserVoice site. Thank you for helping us build a better Azure DevOps!
Hope it helps :)