Azure DevOps: Deploy a Windows Server with a DevOps Pipeline and Key Vault

Captions
In this video, we deploy a simple Windows server with an Azure DevOps pipeline.

Hello everyone, I'm Travis and this is Ciraltos. My IT experience has focused primarily on IT infrastructure, not development, but with DevOps the line between those two is blurred. I have a couple projects that require deploying infrastructure as code, so I thought I'd share some of the things I've learned along the way. Before that, please take a second to subscribe, like, share, and click the bell icon for notifications of new content. You can follow me on Twitter, and if you'd like to learn about Windows Virtual Desktop, check out my course Zero to Hero with Windows Virtual Desktop on udemy.com.

I had a simple goal with this project: I want to deploy a Windows server with a DevOps pipeline. This is not a deep dive into Azure DevOps; in fact, it's intended for people with little or no Azure DevOps or ARM template experience. As part of deploying a server in Azure, we have to specify a local admin password. It's bad practice to store passwords in code, so I also want to pull the password from an Azure Key Vault secret. That way the password is not exposed in the code. Although deploying a single server may not be that significant, having a reference for an ARM template deployment pipeline that leverages an Azure Key Vault secret opens the door to a lot more advanced deployments.

To follow along, you'll need an Azure subscription with an account that has elevated permissions on that subscription. We're going to create a service principal and modify Key Vault permissions coming up. You'll need a Key Vault in the subscription with a secret used for the local admin password. Also, you can't use DevOps pipelines without an Azure DevOps account; you can sign up for a free account to follow along. Let's get started in Azure DevOps.

Here we are. Let's start in DevOps. Now, if you're new to DevOps, that's fine. We'll cover all you need to know for this video, which, for what it's worth, is close to all I know about DevOps.
You'll need to sign up if you don't have an account in Azure DevOps yet. You'll also need access to an Azure subscription with global admin rights. We're going to create a service principal and assign it rights to the subscription. We also have to modify Key Vault permissions.

Once in, select your organization. You may only have one; that's fine. We're going to create a new project. Give it a name; I'll call this one simple server. Give it a description if you'd like; I'll skip that. Make sure visibility is set to private and then click create. This creates the project.

From here we're going to go to repos. There we are. We'll go into repos; this is where we'll store all the configuration files for the project. There's nothing in here yet. We'll fix that soon. We can edit everything in the web browser. We can start that process by initializing the main branch and creating a file. Go ahead and initialize. You can also be fancy and clone it to VS Code. Notice there are other options if you have other editors you prefer. Editing in VS Code is my preference, but it requires VS Code and Git to be installed on the computer. I'm trying to keep this simple, so we'll edit in DevOps.

Once initialized, we can add our first template file. We do that by getting our simple server template file from GitHub. Here we are on GitHub, Azure's quick start template repo to be specific. I'll include links to everything I mention in this video below. We want the azuredeploy.json file. If I was working this into an automation situation, I'd use Invoke-WebRequest to copy the file down, but that's not the case. I'm going to do an old-fashioned copy and paste. Let's go into the file, click raw, and we'll do a Ctrl+A and Ctrl+C. Now we've copied the contents. Switching to raw makes it easier to copy the file; that way you don't copy HTML code along with the contents of the file.

Okay, let's hop back to DevOps, create a new file, and we'll call this azuredeploy.json. Once you have it open, do a Ctrl+V to paste the contents of
your clipboard in. Now, if you've never worked with a JSON template file before, you don't know what you're missing out from. I'll share a blog post I did a while ago that goes over some of the basic formatting. It's a good overview of what the brackets and the quotes are for. The link will be below.

Let's scroll to the top. A JSON ARM template starts with a list of parameters. These can be set at run time to define settings for the deployment. We have an admin username, that's a string, and there's an admin password, that's a secure string and has a minimum length requirement. We have a DNS label prefix that has a default value. If we don't specify anything, the default values will apply. Take a look at publicIpSku: the default value is basic, but it only allows basic or standard as input, so parameters can have input validation. The OS version defaults to Datacenter 2019 but has several options.

And so then we get to variables. We can change parameters at runtime, but we can't change variables at runtime; these are internal to the template. Here it's setting the storage account name and some networking settings. After that is the resources, or what actually gets deployed. It's going to set up a storage account, networking, a virtual machine and all supporting services.

Click commit to save the template file. You can add a comment if you'd like. And remember, if you need to make changes to this or any file in DevOps, you have to go to edit, then you can change it and click commit again. I'll just cancel out of that.

Okay, let's go back to the task at hand. We have a template file; we need a parameter file next. There was one available back on GitHub. Let's go to that. Here's the parameter file. We'll switch to raw and copy that. Let's go back to DevOps to create the parameter file. We'll do the same thing: new file, we'll call this azuredeploy.parameters.json, and we'll paste in the contents. The beauty of the parameter file is you can create a different one for different use cases. Let's say we need to deploy
three different versions of the server. We could create three different parameter files that all use the same JSON template file.

Okay, we need to update the parameter file. Set the admin username, and remember you can't use administrator. Remove everything between the double quotes on admin password. We never want to add a password to code. We'll get back to using the Key Vault secret to fill in the password shortly. Next, set the DNS label prefix, and remember to keep this value lowercase. The parameter file overrides the default values of the template. We're keeping this one simple, but it wouldn't be uncommon to have a lot more parameters available in the parameter file. Things like server size and OS type would probably all be included. Our file looks good. Next, let's commit to save the file. We'll click commit and commit.

At this point we have our server template and parameter file in a GitHub repo on DevOps. Now what? Now we create a service connection. A service connection is a service principal that acts on DevOps' behalf to manage and deploy resources in your Azure subscription. Go to project settings, that's at the bottom on the left. Go to service connections and create a service connection. Notice all the service connections available; there's a lot of options here. For this example, select Azure Resource Manager and click next. We'll create a service principal; leave it as automatic. This will let DevOps manage the service principal. Click next. You need to authenticate; this is where you'll need an elevated account to create the service principal.

Next, you can set a resource group, but the service principal will be scoped to that resource group, meaning that it wouldn't be able to create a new resource group; it could only create items in that existing resource group. Let's leave resource group blank, because we need to create a new resource group during this deployment. Give it a name, devop sc for this example. Give it a description if you'd like and click save. Now the pipeline we'll create has access
to our Azure subscription.

Next, we need to give the service account rights to read the Key Vault secrets. Go to library under pipelines and add a new variable group. I'll change the name to key vault. Enable the "link secrets from an Azure Key Vault as variables" option. Next, we'll select the service connection we just created and then select the Key Vault; there's only one in the subscription. Once you've selected the Key Vault, click authorize. This will authenticate to the subscription and give the service principal rights to read the secrets. I'll scroll down, and under variables click add. Select the secret; the secret name is local admin. This secret is the local admin password I'll use for deploying the server. Click OK. Click save to finish. And again, that gives the pipeline access to the Key Vault.

Let's go back to the repo and we'll set up the pipeline. Click set up a build. Use the starter pipeline. Welcome to YAML. One thing to keep in mind with YAML is that formatting is important, so if things aren't working for you as they are on my screen, pay close attention to the cursor placement. We're going to delete everything under steps. We'll update this with our own content.

The first step: we need to get the local admin secret from the Key Vault. Remember, we don't want to store passwords in the code. This step will retrieve the password from the Key Vault. Click on show assistant and type in key vault. Select Key Vault. We're going to select our subscription and use the service connection; that's the service connection we recently set up. Under Key Vault, select the name of our Key Vault. Under secret filter, we can leave it as a wildcard and return everything, but for this example I'm going to add local admin; that's the name of the secret we need to retrieve. Click add when finished.

Now that we have the step that gets the password, we can create the deployment. Move the cursor to the beginning of the next line, and then we'll go back to the assistant and search for ARM template deployment.
There it is, ARM template deployment. Leave the deployment scope as resource group. Under Azure Resource Manager connection, select our service connection. Select our subscription; that's the subscription it'll deploy to. Leave the action as Create or update resource group. Under resource group, you can select an existing one or enter a new one. I'll add a new one and we'll call it simple server rg. Select the location, Central US for this example. Under template, leave it linked to artifact, and then for the template we need to give it the template name, azuredeploy.json for this example. Under template parameters, add the name of the template parameter file, azuredeploy.parameters.json for this example.

Remember how we left the admin password blank in the parameter file? We're going to add an override parameter and reference the secret from the Key Vault. We'll start by adding dash admin password. Admin password is the value of the parameter from the template file. Make sure it's typed the same as in the template file; case is important. Add a space, and then we're going to tell it to use the local admin variable from the Key Vault by typing dollar sign and then local admin in parentheses, and make sure that matches the value in the Key Vault. Leave the deployment type as incremental and go to advanced. We're going to give the deployment a name; we'll call this one template deploy. Click add.

Okay, if it all looks good, let's click save and run to see how it does. Add a commit message if you'd like and then click save and run. We'll go to jobs, and here we can watch it go through the steps of the deployment. It may take a couple minutes to go through the resource manager steps. I'll pause here until it finishes.

Okay, that finished and it looks good. Let's take a look at Azure. Here's our resource group and the server and all related artifacts created during the build. Let's go to the server and we'll log into that server. I'm using the admin account we used for the parameter file, and for the password I'm
entering the value of that Key Vault secret. That looks good, and that worked.

There you have it. We deployed a simple server with ARM templates and a DevOps pipeline using a secret from the Azure Key Vault. Congratulations, you now have a functioning Azure DevOps pipeline. Don't forget to de-allocate or delete the server to prevent charges. I hope you enjoyed this video. Don't forget to like and subscribe. Thanks for watching.
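
The two pipeline steps built with the assistant in the captions, written out as the YAML they produce. This is an added example, not copied from the video: the task versions (AzureKeyVault@1, AzureResourceManagerTemplateDeployment@3) are assumptions, and every value in angle brackets is a placeholder for a name the captions do not spell out.

```yaml
# Added example; <angle-bracket> values are placeholders, not from the video.
trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
# Step 1: read the local admin password from Key Vault at run time.
# SecretsFilter names the single secret needed instead of '*', so the job
# only ever holds the one value it uses. The fetched secret becomes a
# secret pipeline variable with the same name and is masked in job logs.
- task: AzureKeyVault@1
  inputs:
    azureSubscription: '<service-connection-name>'
    KeyVaultName: '<key-vault-name>'
    SecretsFilter: '<secret-name>'

# Step 2: resource-group-scoped ARM deployment of the quickstart template.
# The parameter file keeps adminPassword as an empty string; the value is
# supplied only here, through the override, so it never lands in the repo.
- task: AzureResourceManagerTemplateDeployment@3
  inputs:
    deploymentScope: 'Resource Group'
    azureResourceManagerConnection: '<service-connection-name>'
    subscriptionId: '<subscription-id>'
    action: 'Create Or Update Resource Group'
    resourceGroupName: '<resource-group-name>'
    location: 'Central US'
    templateLocation: 'Linked artifact'
    csmFile: 'azuredeploy.json'
    csmParametersFile: 'azuredeploy.parameters.json'
    # Parameter name must match the template exactly (case-sensitive);
    # $(<secret-name>) expands to the variable created by step 1.
    overrideParameters: '-adminPassword $(<secret-name>)'
    deploymentMode: 'Incremental'
    deploymentName: '<deployment-name>'
```
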
Info
Channel: Travis Roberts
Views: 4,234
Keywords: Azure DevOps, DevOps, Azure Pipelines, Pipeline, automation, infrastructure as code, Azure, subscription, repo, git, VS Code, Windows, Server, ARM Template, template, service principle, key vault, keyvault, secret, password, deployment, CI/CD, cloud computing, Microsoft azure, YAML, azure devops tutorial, azure devops pipeline
Id: J4NCvIMuzVE
Length: 17min 53sec (1073 seconds)
Published: Sat Mar 06 2021