I know that we can verify whether the extend template is used or not at the deployment stage on the targeted Azure DevOps environment using the extend template check.
I have a requirement to verify or run this check at run time before any of the build tasks start, i.e. when the user runs the build. I've asked a similar question here, Azure pipeline build Stage verification, but as a centralized compliance team we want to block users from running the build if they are not extending a certain template.
You can achieve the above requirement by setting a template check for the agent pools. If an agent pool is configured with approvals and checks, then all the jobs that target this agent pool will need to pass the approvals and checks before running.
You can follow the steps below to set approvals and checks for agent pools.
Go to Project settings --> Agent pools under Pipelines --> Select the agent pool (e.g. Azure Pipelines).
Click the three dots in the top right corner --> Click Approvals and checks --> Click the plus sign to add a template check.
Then all the jobs that target an agent in this agent pool will have to pass the template checks before running on the agent.
Note: Please make sure the Multi-stage pipelines experience is turned on. Check the document here to turn the Preview features on or off.
Related
Context
I'm deploying multiple apps using Azure Pipelines to app dedicated namespace in a single AKS cluster.
Problem
Since my ADO Environment is assigned to a single AKS cluster, when I add Approvals and checks for that environment, every Deployment that points to that environment will need approval. This is problematic when you deploy multiple apps per environment because all deployments will be guarded by this policy.
Question
Besides creating approvals for an Environment per app, is there a way of setting up granularity of approvals within ADO Environments?
Short Answer
"No". At the moment of writing this answer, an environment in DevOps supports only one approval (maybe it will change in the future).
Solution
There is a workaround for this problem. You can set approvals for an individual service connection instead.
When you deploy an application to an individual namespace, a service connection is automatically created for that namespace. It might look like this: <aks-cluster-name>-<k8s-namespace>-<long-integer-id>, e.g. my-aks-dev-we-sandbox-1654784698962. You just need to find this service connection in ADO's Project settings, click it, and then click on the three dots (located in the upper right corner) and choose Approvals and checks. This way, you will be able to control who should do the approvals.
I'm trying to run my Selenium Webdriver tests after I do a deployment to my staging environment.
But I run into this error.
"The stage refers to resources like queue 'Azure Pipelines', that have been protected with checks. Protected resources can only be used in YAML pipelines. For more details, refer to https://aka.ms/pipelinechecks."
The deploy agent is hosted on-prem.
Here is some troubleshooting advice:
If you use a variable when setting the agent pool and agent in the release pipeline, try replacing the variable with the specific value.
If you are using some resources or if your agent has set up Approval & Check, try to refresh the run page and manually pass the approval. Click this document for detailed information.
We use Azure DevOps Server 2020 on prem. We are not in a position to move to Services. We are not in a position to use agents in Azure, because these agents would not be able to talk to the server, which is behind the corporate firewall.
So, we are stuck with on-prem agents and this suffocates us. Our app is a monolith in the worst sense of the word. Its PR build takes time and is extremely hungry on resources. Currently we have 2-3 PR builds running concurrently on the same machine and it takes eternity. In short - it is very bad.
On the other hand, developers have pretty powerful machines. Of course, I do not want my machine to serve PR builds of others, but if it could run my own PR build, that would be fantastic.
Alas, I do not see how this can be done. So, my question - is it possible to configure Azure DevOps Server 2020 so that PR validation build for a PR submitted by Alice would run on the build agent running on Alice's machine and only if there is no such agent would it pick up a "standard" build agent running on a build server?
Clarification
Although the question speaks about Alice, there are also Bob and Charlie and Deepak. About 300+ developers. So, the solution should not assume there is only one developer working on the code.
is it possible to configure Azure DevOps Server 2020 so that PR validation build for a PR submitted by Alice would run on the build agent running on Alice's machine
We could install the self-hosted agent on Alice's machine, open Organization Settings->Agent pools->select the agent->click the tab Capabilities->search the field Agent.ComputerName, then open the PR build definition and add Demands, such as below.
Then the PR build will run with the specified agent. You could check this doc: Specify demands for more details.
In addition, if the PR build does not find the matching agent, the build will not run with another agent.
Update1
Each developer has their own agent on their own machine, right?
Check this doc: predefined variables. It contains the variables Build.RequestedFor and Build.RequestedForEmail; if the pipeline is triggered by a pull request, they will show the pull request creator's name and email. Add this to the pipeline Demands. Such as
And then, let all developers add capabilities to their agents, such as TriggerName = {their email or display name}. Since I am using the variable Build.RequestedForEmail, in my agent, I add the capabilities:
Then if I create a pull request, the build will run via my own machine agent.
Update 2
For example, the original PR build name is A. Open it and add a default demand (you could add anything).
Add a new build definition named B, add a PowerShell task and enter a PowerShell script to call the REST APIs below to update the A definition.
Definitions - Get
GET https://dev.azure.com/{organization}/{project}/_apis/build/definitions/{definitionId}?api-version=6.1-preview.7
Definitions - Update
PUT https://dev.azure.com/{organization}/{project}/_apis/build/definitions/{definitionId}?api-version=6.1-preview.7
Then add build B as pull request build.
Update3
is it possible to configure Azure DevOps Server 2020 so that PR validation build for a PR submitted by Alice would run on the build agent running on Alice's machine and only if there is no such agent would it pick up a "standard" build agent running on a build server?
If the "real" targets the build agent initially, then what happens when the auxiliary one determines the dev has an individual agent?
The real build definition has demands. If the build runs with the default demands, it will run on the standard build agent.
In the auxiliary one, we need to add a condition to run the PowerShell script to update the real build demands. If Alice's machine has a matching agent, it will update the real build demands, and then the real build will run on Alice's machine agent.
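A sketch of the script that the auxiliary build B from Update 2 and Update3 could run, added here as an example and not part of the original answer. The ids, the `StandardAgent` capability name, the top-level `demands` property and the agents-list call with its api-version are assumptions; the definitions URL shape and api-version are the ones quoted above.

```powershell
# Added example: auxiliary build B rewrites the demands of the real PR build A.
# Assumes System.AccessToken is mapped into the task as SYSTEM_ACCESSTOKEN and that
# developers followed the TriggerName capability convention from Update1.
$ErrorActionPreference = 'Stop'
$definitionId  = 0                 # placeholder: id of build definition A
$poolId        = 0                 # placeholder: id of the pool holding all agents
$defaultDemand = 'StandardAgent'   # hypothetical capability set only on build-server agents

$collection = $env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI.TrimEnd('/')
$project    = $env:SYSTEM_TEAMPROJECT
$requester  = $env:BUILD_REQUESTEDFOREMAIL
$headers    = @{ Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN" }

# Look for an enabled, online agent whose user capability TriggerName matches the requester.
$agentsUrl = "$collection/_apis/distributedtask/pools/$poolId/agents" +
             "?includeCapabilities=true&api-version=6.0"
$agents = (Invoke-RestMethod -Uri $agentsUrl -Headers $headers -Method Get).value
$own = $agents | Where-Object {
    $_.enabled -and $_.status -eq 'online' -and
    $_.userCapabilities -and $_.userCapabilities.TriggerName -eq $requester
}

# Fall back to the default demand so the build lands on a standard agent.
$demand = if ($own) { "TriggerName -equals $requester" } else { $defaultDemand }

# Definitions - Get, change only the demands, then Definitions - Update with the full object.
$defUrl = "$collection/$project/_apis/build/definitions/${definitionId}?api-version=6.1-preview.7"
$definition = Invoke-RestMethod -Uri $defUrl -Headers $headers -Method Get
$definition | Add-Member -NotePropertyName demands -NotePropertyValue @($demand) -Force

$body = $definition | ConvertTo-Json -Depth 100
Invoke-RestMethod -Uri $defUrl -Headers $headers -Method Put -Body $body `
    -ContentType 'application/json' | Out-Null
Write-Host "Definition $definitionId now demands: $demand"
```

The identity behind the token needs permission to edit build definition A. Because A is a single shared definition, two PRs queued close together can overwrite each other's demand, so the runs of B and A need to be serialized for this to hold with many developers.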
I have created a custom build agent in Azure DevOps. I can view the agent in agent pool, but there is no option to select the agent when queuing the build.
I want to run the build using that custom build agent. So please guide me on how to configure the build pipeline to run with custom build agent.
When you create a self-hosted (I assume you mean this by custom, right?) agent it goes to the Default pool.
So you need to select this pool when you run a build. You can either set this pool as a default for the build in the build configuration OR you can select it right before you start the build instead of the default one.
I'm trying to configure Azure DevOps Release pipelines for our projects, and I have a pretty clear picture of what I want to achieve, but I'm only getting almost all the way there.
Here's what I'd like:
The build pipeline for each respective project outputs, as artifacts, all the things needed to deploy that version into any environment.
The release pipeline automatically deploys to the first environment ("dev" in our case) on each successful build, including PR builds.
For each successive environment, the release must have been deployed successfully to all previous environments. In other words, in order to deploy to the second environment ("st") it must have been deployed to the first one ("dev"), and in order to deploy to the third ("at") it must have been successfully deployed to all previous (both "dev" and "st"), etc.
All environments can have specific requirements on from what branches deployable artifacts must have been built; e.g. only artifacts built from master can be deployed to "at" and "prod".
Each successive deploy to any environment after the first one is triggered manually, by someone on a list of approvers. The list of approvers differs between environments.
The only way I've found to sort-of get all of the above working at the same time, is to automatically trigger the next environment after a successful deployment, and add a pre-deployment gate with a manual approval step. This works, except the manual approval doesn't trigger the deployment per se, but rather lets an already triggered deployment start executing. This means that any release that's not approved for lifting into the next environment, is left hanging until manually dismissed.
I can avoid that by having a manual trigger instead of automatic, but then I can't enforce the flow from one environment to the next (it's e.g. possible to deploy to "prod" without waiting for successful deployments to the previous stages).
Is there any way to configure Azure DevOps Release Pipelines to do all of the things I've outlined above at once?
I think you are correct, you can only achieve that by setting automatic releases after successful release with approval gates. I don't see any other options with current Azure DevOps capabilities.
Manual with approval gates doesn't check that previous environments were successfully deployed to, unfortunately.
I hope this provides some clarity after the fact. Have you looked at YAML Pipelines? In this you can specify the conditions on each stage.
The stages can then have approvals on them as well.