Release management: How to secure? - azure-devops

I am new to VSTS. I am deploying Azure services using PowerShell using VSTS Release management. Now, On dev environment, everything goes well. I want to deploy to Clients Production Subscription. Client won't allow access to Production subscription to the dev team. In that Case, I have Cloned Dev environment pipeline and named it to Prod.
I am using the config file for each environment.
The client doesn't want to check-in Config file of Prod environment. My Question is How to populate Config file in Prod pipeline? First I thought of to copy Config file directly in Drop Folder ( in VSTS agent VM) but if Developer also has access to a private agent then the config is still in Developers' hand. We can't use multiple agents somehow.
Is there any specific way or VSTS security where we set some access permission?
Is there any location where we can put the file and use it in VSTS?
If somebody doesn't understand question Please ask me I will explain in detail.

We have a similar situation where Developers are not allowed to access prod. To solve the problem, we've created a Dev and Prod project. Developers setup the production project initially, but are denied access entirely now using Azure DevOps security groups. Only our Ops group has access to prod, including the repo that the config files are stored in.
To get things from Dev to Prod, we have a third project for our build engineering team that has scripts to promote artifacts from Dev to Prod. This team is neither Dev nor Ops and the promotion pipelines that we use to promote artifacts require approvals.

Looks like all you need is to create a new git repo and add the file that you would like to use. After that, just add the git repo in any release where you want to use it by adding a new artifact, selecting the git option under "Source type", and selecting the name of your repo in the "Source (repository)" dropdown.

You can use Secure files to manage the config file.

Related

Azure pipeline to build xcode project can't clone repo

I would like to know if you have any ideas of what happens to the following pipeline I'm developing to build an xcode project.
I'm configuring a pipeline with the xcode build, copy files, and publish artifact tasks.
I have configured the build task, with my xcworkspace path, and set up the scheme
I have all of my repos, in bitbucket, but I have set it up a service connection between my Azure devops, and bitbucket, using an app password, which have all the permissions allowed, I have developed a pipeline to build an Android app, and I don't have problems with that one, just to mention that this one doesn't depends on other separated repos
The thing is that, the developer separated the api client in a repo, from the main repo were the iOS code is, so when Azure tries to clone this repo, it can't be done, due to a host key verification, he told me that this repo is dependency of the main iOS repo.
This is the error
I'm new to Azure devops, but I have searched for solutions, and nothing. I understand that I have to configure an SSH key, but, I'm using a pipeline with a hosted microsoft agent. Should I add a task to actually set up this SSH key to the agent? Or it is only permission problems?
The things I have done, are:
Creating the app password again, with all permissions set
Change my project path, and use the correct scheme, cause I was using the wrong one. But there's no difference
The only thing I have left is to add the user from my Azure devops to a group of admins, who actually have permissions to the repo Azure is trying to clone. But I need to open a ticket with my partner, cause I cannot logged into the mail account.

Automated deployment pipeline from GitHub to Salesforce.com

I have apex code stored in the master branch of my remote repository in GitHub and would like to deploy it directly into my Salesforce Org.
Is there a way to setup a "pipeline" in GitHub with Salesforce.com in order to facilitate a direct deployment into Salesforce?
Edited on 22nd-Oct-2022: is there a way to setup a button on GitHub that I can click on when I want to deploy changes (delta) from the master branch to a related Salesforce DEV Org?
Learn from Salesforce themselves. The https://github.com/trailheadapps/lwc-recipes (all lwc demos mentioned in documentation) contains actions to run code quality tools (prettier, lint), unit tests (apex, jest), deploy to scratch org, assign permission set, run all tests, delete the scratch org, report on code coverage...
Lots of goodies there. Might be too much if you're just after plain deploy to prod but it's good to know what toys are out there.

Azure DevOps Repos synchronization between Organization

We have two Azure DevOps Organizations,
1. Development
2. Client
I would like to know if we can synchronize Azure DevOps Repos from one organization (Development) to different organization (Client) in a secure way?
If it is possible, what would be the best way to sync from one organization to another securely?
NOTE: We are able to manually clone the Repo from one to another organization for the first time with the help of PAT and GIT Auth but the problem arises when we want to update or re-sync the code. We have to manually re-import the repo (By deleting the existing one) to make changes.
We need to do this programmatically and to another organization.
Azure DevOps Repos synchronization between Organization
Sorry but as I know there's no such out-of-box feature available in Azure Devops Service.
There're similar user voices here: Sync between projects in same org and Automatically Sync Azure Devops Repos with GitHub Repos. Usually one organization is responsible for one product, so Azure Devops doesn't recommend cross-organization actions. But if you do want this behavior in your scenario, you can use these two directions:
1.Try free Git Tools for Azure Devops extension from Martin Hinshelwood. Some steps about how to use it:
Install it in your Development organization, it contains one Publish Git Repo task.
Create a new classic build pipeline named SyncRepos, add the Publish Git Repo task in it.
(Yaml pipeline also works well, but since this is one pipeline in which only exists one task, classic pipeline is enough)
Configure the task. We only need to configure the git repo url, so it's quite easy.
Assuming the name of same repos in another organization Client is ReposToSync, and this repos is in ProjectA. So the url you should enter in pipeline(in organization Development) should be:
See this: https://anything:PAT#dev.azure.com/Client/ProjectA/_git/ReposToSync.
(You should use a PAT which has repos-related permissions. I used Full Access one to test it easily but it should be much better if you create a PAT scoped in repos permissions. It's more secure !)
Now set the trigger, enable the CI and add all the branches into filter.
Yaml pipeline is better in step4 cause it supports trigger all branches with wildcard *. See this.
Now in Development organization, when I have any change in master and qwe branches, it will automatically trigger the pipeline to run. Then the task will sync the changes in Development's repos with repos in 'Client' organization.
Any change in Development org will start a sync, if you want to same behavior in 'Client', you also need another similar pipeline in 'Client'. And, yaml pipeline with wildcard is better if you want the pipeline to monitor newly created branch.
In additions: Apart from using the task from extension, we can also use git commands in CMD task if you're familiar with those commands.
2.Feel free to post a new feature request to our User Voice forum. If you gets enough votes, the request's priority increases and the team would consider it seriously.
Hope all above helps :)
Update1:
No matter git commands or extension, if we want to make it more secure(avoid using PAT or other secrets directly in task), we can use secrets to store the important info like PAT.
1.See create secret variable in Variable Group, then link the variable group, after that we can use $(MyPat) in task and it won't be displayed in log.
2.Also you can consider using Azure Key Valut. Related doc: Link secrets from an Azure key vault.
Today I tried a way of doing it I found in a blog post and it worked perfectly (and is tremendously easy to do).
Steps:
Create a PAT (personal access token) to your Development organization (I see you already have one so skip this step)
Go to the target repo in the Development organization, click clone and copy the url
In the Client organization import the repository with the url you have copied and with your PAT (same here, I think you already did this so skip this step)
Now clone the repo to your computer from the Client organization and add a remote to the repo in your Development organization. If you don't know about remotes, this page could help: Managing remote repositories
After this, you will be able to push and fetch from the Development organization's repo.
Source: Azure DevOps Fork Repos between two Organization - Michael Ghebremedin

How to complete CI/CD pipelines with Azure DevOps for Azure API Management

I need help to understand better how to create complete CI/CD with Azure Devops for APim. Ok I already has explored the tools and read docs:
https://github.com/Azure/azure-api-management-devops-resource-kit
But I still have questions, my scenario:
APim dev instance with APi and operations created and others settings, as well APim prod instance created but empty.
I ran the extract tool and got the templates (not all), still need the Master (linked templates), and on this point seat my doubt, I already have 2 repos too(dev and prod).
How can I create the Master template, and how my changes from dev environment will be automatically applied to prod?
I didn't used the policyXMLBaseUrl parameters not sure what Path insert there, although seems #miaojiang inserted a folder from azure storage.
After some search and tries I deployed API's and Operations from an environment to another, but we still don't have a full automated scenario, where I make a change in a instance and that is automatically available.Is necessary to edit policies and definitions directly on the repositories or run the extract tool again.

How do I move an Azure DevOps project to a different organization?

I have got a project in an old org (from VSTS), that I want to move to my new one.
I can't see any options in Azure DevOps on migrating projects, or any information on the interwebs.
Anyone know how to do it?
If you just need to move repos, you can use the built in clone functions:
Go to the Azure Devops source repo -> Files
Click "Clone"
Choose "Generate Git Credentials"
Create the target repo in the target Azure DevOps
Choose "Import a repository"
Use the URL and credentials from Step 3
Done
This is not supported today. But this feature was planned to develop: make it possible to move a Team Project between Team Project Collections
If your Azure Devops project only tracks code versions using a single Git repo, hence no boards, user stories, tasks, pipelines, etc. then you can do the following:
Clone your project repo.
For example with Visual Studio.
You don't need to clone if you already have a local repo.
Destroy the association with the remote.
For this typically, you need to open a command line prompt in the folder that contains the .git database folder, most likely the solution folder of Visual Studio and type git remote rm origin.
Here is an example using git bash showing the content of the solution folder, including the .git database and the *.sln Visual Studio solution file:
Open the solution with Visual Studio if not already done.
It should now show that you have many commits waiting to be pushed to a remote. For illustration purpose, my toy project only have 8 commits in total.
Click the up arrow and choose your new remote, say a brand new Azure DevOps project, in the organization of your choice, then push.
You are now done cloning the project in another organization. If needed, then destroy the project in the old organization to complete the "move" operation.
There are 3 projects that I know of to achieve this.
A paid for option by Ops Hub -
OpsHub Visual Studio Migration Utility
An open source tool that requires making changes to the work item process template - Azure DevOps Migration tools
An lastly an Unofficial but still written by Microsoft tool to create Azure DevOps project templates - Azure DevOps Demo Generator & extractor tool
With the last one (the Demo Generator) you extract the project as a template, then apply it to the new organisation. As it is a tool for demo's there is no support provided and in my experience it works for simple projects but falls over on anything complex.
Expanding on others' answers, this post regards Pipelines.
Azure DevOps API
Migrating nearly all aspects of a project across organizations is doable, but it is a lot of manual work using the Azure DevOps API. The link below shows you all the end points, variables, etc. From there you'll probably want to write a Power Shell script and do a couple test runs to a dummy Organization.
https://learn.microsoft.com/en-us/rest/api/azure/devops/?view=azure-devops-rest-6.1&viewFallbackFrom=azure-devops-rest-6.0
In App options
If you avoid the API, there is no way to migrate pipelines that preserve build or release history, but you can preserve your configurations and processes by going into your Pipelines and selecting View YAML. From here you can either take this away as notes to recreate the GUI steps in your new org/project location, or actually adopt the YAML standard in your git repository.
I do not believe there is a way to migrate pipeline variables outside of the API. However, you can move the variables to Azure Key Vault and change your pipeline settings (YAML) to reference values from key vault. This is not a large amount of effort and is a nice process improvement.
Lastly, if you have any locally installed pipeline agents for releases, you will need to run the Power Shell script for your new organization on the boxes. Very simple 5m step, but right now the Agent Pools are not sharable across organization.
As #Frederic mentioned in his answer, we can actually easily do it with Visual Studio. I have done this without Visual Studio. The steps involved are below.
Add a User to Both Organization
Configure SSH Key
Update the SSH Key in Source DevOps and Clone the Repository
Check out all the Branches and Tags
Update the SSH Key in the Destination DevOps
Remove Old and Add New Origin
Push all the branches
The commands and detailed explanations can be found here.
BTW, if you need to change the entire Devops Organization tied to your personal Tenant (E.g. VS Enterprise Subscription) and move it to new Tenant, you can change the AAD and point it to the new one e.g. your EA Tenant on Azure commercial cloud.
Before you switch your organization directory, make sure the following statements are true:
You're in the Project Collection Administrator group for the
organization.
You're a member or a guest in the source Azure AD and a
member in the destination Azure AD
You have 100 or fewer users in
your source organization. Otherwise you will have to open a support ticket.
You may have to add the users back in destination org if they do not exist becuase they will loose access the moment you switch the AAD.
you could just download as a zip file and then download it to the destination repo