This presentation covers deploying Azure DevOps projects, repositories, pipelines, variable groups, etc. using the newly released Azure DevOps Terraform provider.
A recording of this presentation is available on my YouTube channel here: https://www.youtube.com/c/adinermie
A blog article about this topic is also available here: https://adinermie.com/deploying-azure-devops-ado-using-terraform/
3. Microsoft’s investments in Terraform
• Microsoft Team HashiCorp Team
• Terraform AzureRM Provider updates
• Latest release (August 5, 2020)
enhancements/bug fixes
releases/updates published in July alone!
• Terraform Module Registry
• https://registry.terraform.io/browse/modules?provider=azurerm
5. Terraform v0.13 highlights
• Support for , , and
• New syntax
• Custom
command connects a CLI user to the Terraform Cloud app
# Terraform v0.13: every provider must be declared with a source address
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.0.0"
    }
  }
}

# Terraform v0.13: custom validation rules on input variables
variable "image_id" {
  type        = string
  description = "The id of the machine image (AMI) to use for the server."

  validation {
    condition     = length(var.image_id) > 4 && substr(var.image_id, 0, 4) == "ami-"
    # inner quotes must be escaped, otherwise the string literal ends early
    error_message = "The image_id value must be a valid AMI id, starting with \"ami-\"."
  }
}
7. Environment Variables
• $ENV:AZDO_PERSONAL_ACCESS_TOKEN = 'SomeBigLongGUID'
• $ENV:AZDO_ORG_SERVICE_URL = 'https://dev.azure.com/AdinErmie'
• $ENV:AZDO_GITHUB_SERVICE_CONNECTION_PAT = 'SomeOtherGUID'
• ADO Personal Access Token
• Used to grant your current execution credentials permission into your DevOps Org (via the API), to create a new ADO Project
• Use personal access tokens
• ADO Organization Service URL
• Simply, the Org URL (because you’re making a new project inside an existing Org, not a new Org)
• GitHub Service Connection Personal Access Token
• Used for acceptance testing
17. Lessons Learned
• You need to pre-create the storage account where you will store the TF State file for the creation of the ADO project
• Unless you create it using Terraform, and then use terraform import to bring it under Terraform control/management
• Importing a public OR private GitHub repo is not yet supported
• Creating Service Endpoints is confusing
• Unsure how to ‘authorize’ the Azure service connection with permissions on the Key Vault (for existing SPNs)
• For demo simplicity, set the Key Vault default network access control to ‘allow’
• Not a best-practice, but unless you’re VPN’d into a VNET that has access to the KV, you won’t be able to see any keys/secrets
• The SPN password (if passed into the Terraform command-line via the pipeline) does not like special characters such as $p3c1@l
18. Lessons Learned
(continued)
• If you define a new repo, and then attempt to define the pipeline via code, but the YAML file doesn’t already exist in the repo (because it hasn’t been pushed to it yet), you’ll encounter the error “File FILENAME.yml not found in repository REPO NAME”
19. (more) Lessons Learned
• Granting the Pipeline access to the Service Connection programmatically (through Terraform) is currently not supported
• Issue #41 - Authorize service connection use by pipeline via Terraform
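To tie the environment-variable slide and the lessons learned together, here is an added example (not code from the presentation or the provider project) of a minimal Azure DevOps provider configuration that creates a project, an empty Git repo, a variable group and a YAML pipeline. The provider source/version, the resource names and the pipeline filename are assumptions chosen for the example; the PAT and Org URL are read from AZDO_PERSONAL_ACCESS_TOKEN and AZDO_ORG_SERVICE_URL rather than written into the code.

```hcl
terraform {
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops" # assumption: check the registry for the current source/version
      version = "~> 0.1"
    }
  }
}

# No credentials in code: the provider reads AZDO_ORG_SERVICE_URL and AZDO_PERSONAL_ACCESS_TOKEN from the environment.
provider "azuredevops" {}

resource "azuredevops_project" "demo" {
  name               = "tf-demo" # constructed example names throughout
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"
}

resource "azuredevops_git_repository" "demo" {
  project_id = azuredevops_project.demo.id
  name       = "tf-demo-repo"
  initialization {
    init_type = "Clean" # empty repo; importing an existing GitHub repo is not yet supported
  }
}

resource "azuredevops_variable_group" "demo" {
  project_id   = azuredevops_project.demo.id
  name         = "tf-demo-vars"
  allow_access = true # every pipeline in the project may use it; set false to scope access per pipeline
  variable {
    name  = "environment"
    value = "dev"
  }
}

resource "azuredevops_build_definition" "demo" {
  project_id      = azuredevops_project.demo.id
  name            = "tf-demo-ci"
  variable_groups = [azuredevops_variable_group.demo.id]
  repository {
    repo_type   = "TfsGit"
    repo_id     = azuredevops_git_repository.demo.id
    branch_name = azuredevops_git_repository.demo.default_branch
    # azure-pipelines.yml must already be committed to the repo, or apply fails with
    # "File azure-pipelines.yml not found in repository tf-demo-repo"
    yml_path = "azure-pipelines.yml"
  }
}
```

Push the YAML file to the repo between applying the repository resource and the build definition (for example with a targeted apply), and remember that authorizing the pipeline against a service connection still has to be done outside Terraform (Issue #41).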
21. Bonus! TFLint
• A part of the GitHub Super Linter
• One linter to rule them all
• Used to validate against issues
• Focused on possible errors, , etc.
• Support for all providers
• Rules that warn against
• AWS = 700+ rules
• Azure = 279 rules (Experimental support)
• GCP = WIP
22. Resources
• Adin’s personal curated list of Terraform resources
• Automating infrastructure deployments in the Cloud with Terraform and Azure Pipelines
• Deploying Terraform Infrastructure using Azure DevOps Pipelines Step by Step
Don’t forget about these Visual Studio Code (VS Code) extensions:
Azure Terraform (by Microsoft)
Terraform (by Mikael Olenfalk)
Now owned by HashiCorp!