Let say I have 2 Deployment Groups Named QC and Production, each one contains X number of servers.
I also have a Release Pipeline with 2 stages QCStage,ProductionStage.
How can I set my permissions,on Deployment Group Level, so that users can't deploy to Production?
I can achieve this using "Pre-deployment approvals" on each stage but I have hundreds of Pipelines,
we can't be setting permissions for every stage for every pipeline
Update:
This doesn't see to be supported on Azure DevOps,a new Feature Suggestion has been created:
Prevent users from deploying to a Deployment group using Deployment Group Permissions (not on each Stage)
How prevent users from deploying to a Deployment group
Answering this question at two different scope levels.
Scope 1:
Take a simple sample, there has 2 deployment groups in your project: QA and Product.
If what you want is some of users can deploy to QA but not Product, I'm afraid this hasn't been expanded into azure devops until now.
Now for azure devops service, we provide 3 permission level controlled: collection, project and object. Deployment group is the one which belong to object level permission. We haven't provided more granular permissions control, like setting permission on one specific deployment group at this scenario.
Scope 2:
Just restrict someone to deploy a release.
As you know, Deployment group are used for a release stage. In this scenario, in order to control who can/can't deploy a release, please use the release permissions. BUT, there has one disadvantage that it work only for manually initiated releases.
So, I'm afraid Approvals on release stage is another and better option for you to make use until now.
Related
We're using yaml pipelines with environment agents installed on local infrastructure. Each Environment is backed by a Deployment Pool which is implicitly created by AzDO. The pools reside at the org level.
Every time someone adds an environment to a pipeline it requires the project collection admin to authorize the pipeline. The devs cannot authorize the pipeline because they don't have permission at the org level. Image below shows prompt received.
Is there anyway to simplify this so the PCA is not required to authorize every on-prem pipeline?
No, we do not have any methods to skip the permit from PCA, when a pipeline is trying to target to an environment at the first time.
On the Organization Settings and Project Settings, we also do not have any built-in options to defaultly permit all new environments on all pipelines.
This is aiming to prevent the environments from being abused.
We currently have 4 Azure DevOps team projects that require two Deployment Groups to be created for their SIT and UAT release pipelines. All 4 team projects will share the two Deployment Groups, the idea being to create the deployment group from one team project and then sharing or extending it to the other 3 (which I believe is common practice).
My main concern though is that due to some budget constraints, the decision has been taken to create both SIT and UAT Deployment Groups on a single target server. Much as I strongly believe this is probably not best practice, are there any technical reasons why this cannot or shouldn't be implemented?
In simple terms, deployment groups is that:
A deployment group is a logical set of deployment target machines that
have agents installed on each one. Deployment groups represent the
physical environments; for example, "Dev", "Test", "UAT", and
"Production". In effect, a deployment group is just another grouping
of agents, much like an agent pool.
We support registering the same machine to multiple deployment groups. However you would need to edit the agent name in our PS "registration script" provided in the UI. Or log into the machine physically and execute the script in a different folder than the default one specified in the script.
Normally, we set up deployment groups with multiple agents and run deployment just to target agent according to requirements.
What you can do is assign tags to deployment agents and use tags to assign releases to specific agents.
In summary, it's able to register the same machine/server to multiple deployment groups if you insist on.
But due to server performance, environmental isolation , Disaster Tolerance and other factors.
My project is Windows Service application which could be installed in several roles (the difference is in service name, exe path and some setting in app.config). Each role could be scaled horizontally by instances count. And all these {roles x replica counts} should be deployed over a set of servers in specific proportions for effective performance and utilization.
As an example:
ServerA
ServiceAlfa.1
ServiceAlfa.2
ServiceBravo
ServiceDelta
ServerB
ServiceBravo
ServiceCharlie
ServiceDelta.1
ServiceDelta.2
ServiceDelta.3
How can I achieve this with Azure DevOps (Dev17.M153.5) instruments?
I know brand new yaml pipeline introduces some conception of Environments and VM. It's just not available in latest stable version yet. But it's like a replacement for Deployment Groups early used for deployment to multiple machines, which I can use. I have already installed deployment agents and registered it. But I still cannot figure it out how better configure my complex mapping of instances to servers in release pipeline.
I can create a one job stage per role and link them with corresponding variable groups like
StageAlfa
ServerA:2
StageBravo
ServerA:1
ServerB:1
StageCharlie
ServerB:1
StageDelta
ServerA:1
ServerB:3
So I should check and compare the server name in my script
Or I can do the opposite: create a stage per machine and link it with variable group describing count of specific role replicas on current server. So in every stage I could select specific machine from deployment group by tag.
Looks like the second approach is simpler but they both are felt so awkward!
P.S. Windows Services on Machines not a containers in Kubernetes due to specific Windows software dependencies.
Your approaches are correct. You may consider migrating to Azure DevOps Service or upgrade to Azure DevOps Server 2020, which supports Envorinments and VM:
https://learn.microsoft.com/en-us/azure/devops/server/release-notes/azuredevops2020?view=azure-devops#continuous-deployment-in-yaml
I'm recreating our very complicated deployment process in Azure DevOps.
Currently, our live environment is composed of 4 VMs behind a load balancer.
The strategy I thought about is kind of blue-green deployment, just that I'll be working on half (2) of the VMs each time.
It's not like rolling deployment since there will not be 2 versions that run simultaneously.
As soon as I finish deploying the first half and I make sure it's up and running, I'll connect it and immediately disconnect the other half to deploy the new version to it too.
I can't do blue-green for now by the book (deploying a complete separate set of VMs in the new version) since unfortunately IPs are hard-coded. The live environment will be just fine with 2 VMs only for the deployment time.
My problem is how to configure a release pipeline in Azure DevOps for this kind of solution (I use the GUI version, not YAML)?
(these are stages)
DbConversionDev > FirstHalfDev > SecondHalfDev > DbConversionQA > FirstHalfQA > SecondHalfQA > DbConversionProd > FirstHalfProd > SecondHalfProd
Maybe the db conversion stage can be parallel.
It's seems complicated and hard to maintain.
Any suggestions?
Thanks in advance :)
what you could try for example is to create deployment groups, e.g. First Group and Second Group - register your agents/VMs to the groups, and in the release pipeline, create Deployment Group job for the First Group, then add the steps to verify the deployment was successful and up/running, and in the same pipeline create another Deployment Group job for the second Deployment Group. (Note: You can create an agentless job for any manual intervention)
EDIT
Here is the complete solution as a summary of the conversation:
Create one Deployment Group for each Environment (e.g. Dev, QA, Prod) and tag the first half of the Agents/VMs in a Deployment Group as blue and the other half as green.
In the release pipeline, create a Stage for each Environment (e.g. Dev, QA, Prod) and in one Stage create 2 Deployment Group Jobs for the corresponding Deployment Group (Dev Stage -> Dev Deployment Group), each Job with a different Tag: blue and green. This will make sure, that in one job half of your VMs will be affected by the deployment.
For reusability purposes, group your Tasks in Task Groups to reuse them in your Deployment Group Jobs.
Can deployment groups be searched for a particular machine? I need a way to find if a server is already part of a deployment group. I can't tell from the group names if they are applicable to the project.
You could use the REST API for Deployment Groups and look in the Machines property.
Or, if you have access, you can open the deployment groups navigation and look at the targets.
You may want to employ a more robust implementation of tags for the machines in your deployment groups, so you know you'll only deploy to machines in the group that are applicable.
You could simply use Rest API to list all deployment groups in a specific team project.
GET https://dev.azure.com/fabrikam/{project}/_apis/distributedtask/deploymentgroups?api-version=5.0-preview.1
Conversely, it's not able to list all target groups for a special machine at present.
As a workaround, you can add a tag to a machine on the depoyment group configuration.
After that, specify the tag at the release deployment group phase.
This will make the release to choose all machine within the group deployment that match you tag.