ARM Templates with Azure DevOps

ARM templates with Azure DevOps is the third post in our getting started with ARM template blog series.

In the first two posts we cover the basics of ARM Templates. Specifically, what they are, how to use them, and how to create and deploy them. Including how to test and troubleshoot deployments. So, in this post we are going to look at how you can use Azure DevOps to automate your deployments using a Continuous Integration (CI) and Continuous Deployment (CD) pipeline.

Azure Repos

Azure Repos is the set of version control tools available in Azure DevOps. These tools allow you to track the changes that you make to your code over time. Including the ability for you to coordinate your code changes across your team.

Specifically, there are two types of version control that Azure Repos provides, the first is Git a distributed version control. And the second is Team Foundation Version Control (TFVC), a centralised version control.

Azure Pipelines

Azure Pipelines are the CI/CD tools in Azure DevOps that allow you to automatically build, test and deploy you code to any target. And create a workflow that models your software delivery process. From what happens when your development team check in code, for example running automated test or deploying your code to a specific environment. Including any approval gates required throughout the process.

There are two options for defining pipelines in Azure Pipelines. First is by authoring YAML files and including as part of your code. Second is through the user interface, known as Classic pipelines.

Azure DevOps Services Connections

Connecting to Azure

In order to connect your Azure DevOps project to your Azure Subscription. You will need to create an Azure Resource Manager service connection.

The Azure Resource Manager service connection uses a Service Principal to connect to your Azure Subscription. Specifically, a Service Principal is an Application Registration in Azure Active Directory (Azure AD) that is granted permissions to resources within Azure.

In other words, you create a Service Connection with a specific Azure Active Directory account for your pipeline to use. And your pipeline will have all the permissions that granted to that account.

Two options are available when you create an Azure Resource Manager service connection. Firstly, using an automatically created account Service Principal or secondly using an existing Service Principal.

Importantly, when you use the automatically create Service Principal option. Azure DevOps will specify the name for the Service Principal automatically. In fact, it will create an Application Registration in Azure AD with a client secret that is valid for two years.

ARM Template Deployment Options in Azure DevOps

Deployment Options

In addition, you will need to consider the which of the deployment options in Azure DevOps you will use to deploy your ARM Templates from a pipeline. There are three primary options available for deploying your ARM Templates from a pipeline.

The first and easiest option is to use the ARM template deployment task. This option works well you want to deploy a template from a repository. Learn more about the ARM template deployment task here.

The second option is to use the PowerShell task to run a PowerShell script that deploys your ARM Template. One of the advantages of using this approach is that it provides consistency throughout development lifecycle, because you use the same script that you used when running tests locally. Also, by using a PowerShell script you can perform other operations. For example, getting values to use as parameters. Learn more about the PowerShell task here.

The Azure Resource Group project provided by Visual Studio has a PowerShell script that you can use to get started. This script stages the artifacts, such as linked templates, scripts and application binaries from your project to a storage account. Simply run it using the PowerShell task option when getting started.

Lastly, you can use the copy and deploy tasks as an alternative to the project PowerShell script. In this case you configure the copy and deploy tasks in your pipeline. One, task stages the artifacts to an accessible location. And the other deploys the templates from that location.

Importantly, the type of ARM Template will impact the deployment options that you can use. For example, if you are deploying linked templates, you will need stage the linked templates to an accessible location. Before you can deploy your templates.

Deployment Architecture Overview

When you use Azure DevOps to deploy your ARM Templates you should have a deployment architecture like the one the diagram below. Each of these components will be covered in the sections below to provide to provide further clarity.

ARM Template Authoring Tools

An editor such as Visual Studio or VS Code for creating and editing your ARM Templates.  Alternatively, other editors can be used. However, they may not offer some of the functionality offered by Visual Studio or VS Code.

Azure DevOps

In order to use the version control and CI/CD tools available in Azure DevOps. You will require an Azure DevOps Organisation. Importantly, this is the highest level in the Azure DevOps hierarchy.

Azure DevOps Project

You will need a Project within your Azure DevOps Organisation. Specifically, this Project will be the primary container used to manage the Azure Repo and Azure Pipeline services. In addition, the service connections required to connect to you Azure Subscription are managed at the Project level.

Azure Repo

Either a TFVC or Git repository will be required to store and manage the versions of your ARM Templates. As well as any accompanying scripts or code. Importantly, it should be noted that distributed version control approached such as Git are the most used.

Azure Pipeline

Finally, you will need a CI/CD pipeline that will perform the series of steps to build, test and deploy your ARM Templates. For example, when you check in your ARM Template into the Git repository. The Pipeline can be triggered to download the ARM Template, test that it is valid. And then deploy it to a development environment without user intervention.

Azure Subscription

Azure Tenant and Subscription

First and foremost, you will need an Azure Tenant that will host your Azure Subscription. Just as the Azure DevOps Organisation is the highest level in the hierarchy from an Azure DevOps perspective. The Azure Tenant is the highest level in the hierarchy from an Azure perspective. Consequently, you can think of an Azure Tenant as an Organisation.

Importantly, each Azure Tenant is a dedicated instance of Azure AD and is separate from other Azure AD tenants.

Next, you will need an Azure Subscription that is linked to your Azure Tenant. In order words a subscription that has a trust relationship with your Azure AD. To authenticate users, services and devices.

App Registration with Service Principal

Also, you will need an Application Registration with Service Principal in Azure AD. This is the account that the Azure DevOps Service Connection will use to connect to Azure. Service Principals level role-based access controls. So, you will need to ensure that the appropriate roles have been assigned to this account for the Azure Resources you wish to deploy.

For example, giving the Service Principal the contributor role on the Resource Group that your pipeline will be creating or updating resources in.

To conclude

In this article you have learned the basics of how to deploy your ARM Templates with Azure DevOps. Including,

• What Azure Repos is
• What Azure Pipelines are
• How Azure DevOps connects to your Azure Subscription
• A basic deployment architecture for ARM Templates and Azure DevOps

Now that we’ve covered some of the basics of how to deploy your ARM Templates with Azure DevOps, we are ready to take a step-by-step approach to build, test and deploy Azure ARM Templates with Azure DevOps.

Thank you for reading. We hope that this article has help you in getting started with ARM templates.