
azure-dsc-pipeline's Introduction

Description

The contents of this repo provide an end-to-end example of how to insert an Azure DSC workflow into a pipeline.

It also uses a DSC composite module to compartmentalize your DSC code into manageable sections.

Note: on the initial run, this set of pipelines will likely take over 30 minutes to complete.

To-Do: There is a bit of a chicken-egg scenario with the pipeline triggers. If I update the composite module, I need the module pipeline to run before the DSC import/compile pipeline. But the module doesn't need to be re-imported every time a change occurs within the repo, so I don't want to collapse it into one pipeline. Some linked dependency needs to be created here.

Prerequisites

  • An Azure Subscription in which to deploy resources
  • An Azure KeyVault that will be used to generate certificates
  • An Azure Storage Account with a container, to store composite module zip
  • An Azure DevOps organization you can create pipelines in
  • An Azure Service Principal with the following RBAC (so that it can itself create new service principals):
    • must be "Application Administrator" on the Azure AD tenant
    • must be "Owner" on the subscription
    • must have appropriate rights to an access policy on the KeyVault to generate and retrieve Certificates
    • must have API permissions within Azure Active Directory for:
      • API: Azure Active Directory Graph | Type: Application | Permission: Application.ReadWrite.OwnedBy
      • API: Microsoft Graph | Type: Application | Permission: Application.ReadWrite.OwnedBy
  • An Azure DevOps Service Connection linked to the Service Principal above

Deployment

Assuming you're connecting to a GitHub repository containing this code:

  • Populate the "dsc_parameters.ps1" file with values as you desire
  • Within Azure DevOps, create a new Pipeline, and link it to your GitHub (creating a service connection using OAuth login)
  • Select an existing yaml file to create the pipeline from
    • Do this twice for "ModuleDeploy-pipeline.yml" and "azure-pipelines.yml"
    • Don't forget to rename your pipelines in DevOps portal, to something meaningful
  • Manually run the "ModuleDeploy-pipeline.yml" pipeline

Results

  • ModuleDeploy-pipeline.yml pipeline runs and:
    • takes module from repository and creates a zip file
    • uploads DSC composite module zip to blob storage
    • creates automation account if it doesn't exist
    • imports DSC composite module to automation account from blob storage (with SAS)
  • azure-pipelines.yml pipeline runs and:
    • creates automation account if it doesn't exist
    • imports/updates Az.Accounts module
    • imports/updates remaining modules identified in parameters
    • creates new automation runas account (and required service principal) if it doesn't exist (generating an Azure KeyVault certificate to do so)
    • performs a 'first-time' run of the "Update-AutomationAzureModulesForAccount" runbook (because automation account is created with out-of-date default modules)
    • imports DSC configuration
    • compiles DSC configuration against configuration data
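
The ModuleDeploy-pipeline.yml steps listed above (zip, upload to blob storage, import with SAS) can be sketched as follows. This is an added example, not the repository's own pipeline script; every resource name and path is a hypothetical placeholder, and it assumes the Automation account and storage container already exist in the same resource group.

```powershell
#Requires -Modules Az.Accounts, Az.Storage, Az.Automation
# Added example; all default values below are hypothetical placeholders.
param(
    [string]$ResourceGroupName     = 'rg-dsc-example',
    [string]$AutomationAccountName = 'aa-dsc-example',
    [string]$StorageAccountName    = 'stdscexample',
    [string]$ContainerName         = 'dsc-modules',
    [string]$ModuleName            = 'CompositeModuleExample',
    [string]$ModuleSourcePath      = './CompositeModuleExample'
)
$ErrorActionPreference = 'Stop'

# 1. Zip the composite module folder (the folder itself becomes the archive root).
$blobName = "$ModuleName.zip"
$zipPath  = Join-Path ([IO.Path]::GetTempPath()) $blobName
Compress-Archive -Path $ModuleSourcePath -DestinationPath $zipPath -Force

# 2. Upload the zip to the private container.
$ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).Context
Set-AzStorageBlobContent -File $zipPath -Container $ContainerName -Blob $blobName `
    -Context $ctx -Force | Out-Null

# 3. Issue a SAS scoped to this one blob: read-only, HTTPS-only, one-hour lifetime.
#    The URI is a bearer credential, so it is never written to the pipeline log.
$now    = (Get-Date).ToUniversalTime()
$sasUri = New-AzStorageBlobSASToken -Container $ContainerName -Blob $blobName `
    -Permission r -Protocol HttpsOnly -StartTime $now.AddMinutes(-5) `
    -ExpiryTime $now.AddHours(1) -FullUri -Context $ctx

# 4. Ask the Automation account to pull the module from that URI.
New-AzAutomationModule -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName `
    -Name $ModuleName -ContentLinkUri $sasUri | Out-Null

# 5. The import is asynchronous: poll until it finishes, and fail the job on error or timeout.
$deadline = (Get-Date).AddMinutes(20)
do {
    Start-Sleep -Seconds 15
    $module = Get-AzAutomationModule -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name $ModuleName
} while ($module.ProvisioningState -notin 'Succeeded', 'Failed' -and (Get-Date) -lt $deadline)

if ($module.ProvisioningState -ne 'Succeeded') {
    throw "Import of module '$ModuleName' ended in state '$($module.ProvisioningState)'."
}
Remove-Item $zipPath -Force
```

Because the SAS only has to outlive the import, the container can stay private and the link expires on its own after the run.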
