Share variables between different projects in Azure DevOps - azure-devops

I hope you are all well!
I need to ask a question about azure devops, I already read the documentation, but I did not find a way to resolve these doubts
I have the X, Y and Z projects and in the X project create in the Pipeline >> Libray a group of variables called general that I would like to be shared with the Y and Z pipelines, when configuring this group I enabled the option "Allow Access to all pipelines" .
In the YAML of the Y and Z pipelines I made the following configuration:
**variables:
group: general**
When running the pipeline he returns an authorization request and even clicking authorize it, according to the print below:
Print Authorization error
There was a resource authorization issue:
"An error occurred while loading the YAML build pipeline.
Variable group was not found or is not authorized for use.
For authorization details, refer to https://aka.ms/yamlauthz."
My question is, is there any way to share variables between pipelines of different purposes, if there is, can you please send me some documentation that can help me to configure this?

Testing in my side and I can reproduce this issue, setting the Allow access to all pipelines option will enable the variable group to be accessible for any pipelines in current project not across projects. It should be a known limitation and this is the feedback ticket. You can vote and follow this ticket. You can also create a new suggestion ticket here. The product group will review these tickets regularly, and consider to take it as roadmap.
In addition, as a workaround, you could try to add these shared variables to Azure Key Vault, and then use Azure Key Vault task to fetch the latest values of all or a subset of secrets from the vault, and set them as variables that can be used in subsequent tasks of a pipeline. See: Use Azure Key Vault secrets in Azure Pipelines for details.

This link gives a good overview of using variables in Azure DevOps pipelines:
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables
In the most common case, you set the variables and use them within the
YAML file.
In the YAML file, you can set a variable at various scopes:
At the root level, to make it available to all jobs in the pipeline.
At the stage level, to make it available only to a specific stage.
At the job level, to make it available only to a specific job.
Q: It sounds like you would like to share variables between YAML pipeline roots, correct? You're currently trying to use variable groups to accomplish this, correct?
Another solution would be to have your pipeline read from a "shared file". For example:
Is there a way to read file from Azure DevOps YAML?
... you can use any scripting language you like to parse the file and
"spit out" whatever you need as a build variable and consume it later
on. here's what I've been doing:
- script: echo "##vso[task.setvariable variable=dp]$(cat $(Build.Repository.LocalPath)/deployment/dp)"
- script: az group delete -n $(dp)-k8s -y --no-wait
In other words:
Create a file with the variables you wish to "export". It can be any script format: Powershell, bash, etc., etc.
Modify your pipeline(s) to read the file and "import" the variable definitions at runtime.
There are many ways to do this. The SO link above is just an example.

Related

Azure Policies - ARM to Bicep conversion issues

We are working on creating a custom azure policy with DiNE effect to deploy certain resources based on the tags existence.
Looking at the Built-in policies for tagging, it seems there is a way to determine the tag existence and run deployments using azure policies.
Due to our internal deployments and SDPs, I need to convert the custom policy definition to Bicep and then deploy it.
I have installed Bicep tools/ VS Code and hitting below errors during conversion.
Can you share inputs on how to handle these? Or there any extended production documentation on how to use Scope and resource functions in Biceps as the current product documentation doesn’t have these details?
Issue: Unable to check the subscription tag existence in Bicep azure policy definition file.
[enter image description here] (https://i.stack.imgur.com/MKcGj.jpg)
Policy definitions for tagging resources - Azure Resource Manager | Microsoft Learn
https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb27a0cbd-a167-4dfa-ae64-4337be671140
Tried to escape the subscription function check but it is not working in bicep file.

Accessing an Azure variable group from a different organization in a yaml pipeline

I got a variable group in organization A in the library of Project1. I got a yaml pipeline in organization B in the repo of Project2. Usually to access a group, you just define it in the variables section, but in case of different organizations, how can the pipeline access the variable group?
I am afraid there is no such a built-in feature in Azure DevOps to share the variable groups across organizations. Currently we even cannot share variable groups across team projects within the same organization.
There's already similar features suggested before :
Library of Variable and Task groups shared between all projects
Add Organization Variable Groups
As a workaround, you can use the Azure Key Vault task to pull data from Azure Key Vault. You can have as many Vaults as you like and use in one or all projects. Alternately, create a new variable group in organization B and enable “Link secrets from an Azure key vault as variables”. See Add & use variable groups for details.

Adding custom parameter to ADF ARM template

I have an ADF pipeline. The task is to productionize the pipeline. I am using azure devops CI/CD (classic). I am following this documentation
https://learn.microsoft.com/en-us/azure/data-factory/continuous-integration-delivery-resource-manager-custom-parameters
I have to move the pipeline to test and prod. Thereforem, there are many parameters that are parametrized but few parameters like sql user_name, secret_name are not parametrized.
I want to edit the ARM template and add custom parameter so that I do not have to edit the template.json and paramete-template.json and push them again to repo. The edit option in adf allows to create custom params and therefore generate these in ARM templates when exported.
I have the parameter in the template.
The parameter secretName doesnt appear in ARM template in CD flow
Which mode you are using to configure the parameters?
ARM parameter configuration is only enabled in "GIT mode". Currently it is disabled in "live mode" or "Data Factory" mode.
So, as per above official statement from Microsoft, you should be using Git repository.
Also, take note - Creating a custom Resource Manager parameter configuration creates a file named arm-template-parameters-definition.json in the root folder of your git branch. You must use that exact file name.
There are other multiple ways which you can try to pass secrets in ARM template. Refer this article from devkimchi.com.
After lot of tries and understanding the credential structure the ADF follows for different LinkedServices, we have found that to parametrize a custom nested argument, we have to specify the argument in a nested form. The parameter configuration needs to be edited like this:
For example, the secret name for SQL linked service (using password – connected to azurekeyvault) needs to be like this:
"password": {
"secretName": "="
}
But for the secret type (from azure keyvault) for storage linked service, it has to be like this:
"servicePrincipalCredential": {
"secretName": "="
}
And then these args can be passed directly from azure keyvault if variable groups are connected to keyvault. This solves the problem we were facing.

Azure Devops Service Now - how to get CHANGE_REQUEST_NUMBER/CHANGE_CORRELATION_ID for YAML pipeline

Following the MS documentation here: https://learn.microsoft.com/en-us/azure/devops/pipelines/release/approvals/servicenow?view=azure-devops
I've set up an Azure DevOps environment with the Service Now Pre-deployment check and can successfully create a new standard change request in Service Now and update it using the UpdateServiceNowChangeRequest#2 task.
However, I'm struggling to find a way to access the CHANGE_REQUEST_NUMBER and CHANGE_CORRELATION_ID that are available to the UpdateServiceNowChangeRequest#2 tasks
The documentation describes how to get to these using the release pipeline by having a name for the gate and using $(PREDEPLOYGATE.mygatename.CHANGE_REQUEST_NUMBER), but there is no option in the YAML setup to name a gate and I can't seem to find another way to get to these variables
I've tried just enumerating all the environment variables in the pwsh task (i.e. gci env:\ ) but nothing relating to these variables shows up.

Azure DevOps- Hide Release Task Logs

Looking for suggestions on a problem I'm facing in pipeline deployments for Azure Functions. I'm using the new Azure App Config service to pull app configuration variables to the pipeline.
These are then being used by an Azure App Service Deploy Task in the App settings section to populate the app configuration of an Azure Function. I'm in need of a way to hide the release logs for this from our developer group in the production stage of our deployment. Otherwise it will display the the app settings in the log file from the release. We still want devs to be able to see other stages of the release pipeline.
I believe I could write a powershell script to mark the variables as secrets, but that seems less manageable based on the number of release pipelines and variables that would need to be scripted. I would rather just be able to hide the logs from everyone besides a select group of users or turn them off for that release task in general by stage.
I'm also trying to avoid using Key-Vault for this scenario.
So long story short-
Is there a way to turn off logs for a specific release task in AzDo? If possible by stage?
Is there a way to hide logs by stage? Can that be done on a user level?
Suggestions are appreciated.
No, this is not possible and leads to security by obscurity.
Just use keyvault or use a script to register the secret values. You don't have to hard-code them in a powershell step or anything, you can register secrets by parsing whatever settings file you have and calling:
write-host "##vso[task.setvariable variable=$name;issecret=true]$valueToRegister"
See:
https://github.com/Microsoft/azure-pipelines-tasks/blob/master/docs/authoring/commands.md