Working in Azure DevOps requires a service connection to authenticate and deploy resources to Azure. Typically we scope this to a single Azure subscription.
Something that is useful and not as common is deploying to multiple subscriptions under a management group.
Creating a single service connection scoped to a management group removes that administrative overhead and lets us deploy to any subscription in the management group. It does, however, require some different thinking and changes to our pipelines for deployments to succeed.
It is also important to consider the security implications when using management group service connections and ensure it is properly secured within Azure DevOps.
If we were to deploy an ARM template using Azure DevOps, we would use an Azure resource group deployment task in our pipeline, which typically looks like the example below.

- task: AzureResourceGroupDeployment@2
  displayName: Azure Resource Group Deployment Example
  inputs:
    azureSubscription: AzureSubscriptionServiceConnection
    resourceGroupName: resource-group-name
    location: location
    csmFile: template-file-path
    csmParametersFile: template-parameter-file-path
    deploymentMode: Incremental
This works well with service connections scoped at the Azure subscription level, but fails when using a service connection scoped at the management group level. It fails because a management group connection has no single subscription, and we haven't told the task which subscription to deploy our resources into.
So how do we deploy ARM templates when using a management group service connection?
We can't use the built-in Azure resource group deployment task here; instead we use Azure PowerShell tasks to deploy our ARM templates.
When configuring the Azure PowerShell task, we first need to select the target Azure subscription, and only then can we deploy our ARM template using the New-AzResourceGroupDeployment cmdlet.
An example is below.
- task: AzurePowerShell@5
  displayName: Management Group Deployment Example
  inputs:
    azureSubscription: ManagementGroupServiceConnection
    ScriptType: InlineScript
    Inline: |
      # The management group connection has no default subscription, so select the target first
      Select-AzSubscription -SubscriptionName subscription-name
      # Deploy into the resource group; the deployment uses the resource group's own location
      New-AzResourceGroupDeployment -ResourceGroupName resource-group-name -TemplateFile template-file-path -TemplateParameterFile template-parameter-file-path
    FailOnStandardError: true
    azurePowerShellVersion: LatestVersion
    pwsh: true
The same logic applies to any deployment that uses a management group service connection in an Azure DevOps pipeline. We first select the subscription we want to work in and then execute the deployment, whatever the method: ARM templates, Azure CLI or Azure PowerShell.
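Because a management-group-scoped connection can reach every subscription under the group, a practitioner usually wants the "select, then deploy" step to also prove it landed on the intended subscription before anything is created. The script below is an added example, not code from the original post: it is the body you would put in the AzurePowerShell@5 task's Inline input (or a script file) and it assumes placeholder parameters $SubscriptionId, $ResourceGroupName, $TemplateFile and $TemplateParameterFile that the pipeline passes in. It uses Set-AzContext, the cmdlet behind the Select-AzSubscription alias used above, selects by subscription ID rather than display name, checks the resulting context, previews the change with -WhatIf, and only then deploys.

```powershell
# Added example (not from the original post). Runs inside an AzurePowerShell@5 task whose
# azureSubscription input is the management-group-scoped service connection.
# $SubscriptionId, $ResourceGroupName, $TemplateFile and $TemplateParameterFile are
# assumed placeholder parameters supplied by the pipeline.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,        # GUID of the target subscription
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $TemplateFile,
    [Parameter(Mandatory)] [string] $TemplateParameterFile
)

$ErrorActionPreference = 'Stop'

# 1. Select the target subscription explicitly. A management group connection has no
#    default subscription, so skipping this fails the deployment. Selecting by ID rather
#    than display name avoids matching a similarly named subscription in the same group.
Set-AzContext -Subscription $SubscriptionId | Out-Null

# 2. Guard: confirm the context really points at the intended subscription before
#    any resource is created. With a broad connection, a wrong value would otherwise
#    deploy into whichever subscription it matched.
$context = Get-AzContext
if ($context.Subscription.Id -ne $SubscriptionId) {
    throw "Context is on subscription '$($context.Subscription.Id)', expected '$SubscriptionId'. Aborting."
}
Write-Host "Deploying to subscription $($context.Subscription.Name) ($SubscriptionId)"

# 3. Preview the change set. -WhatIf lists the resources that would be created, changed
#    or deleted; the output stays in the pipeline log for review.
New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -TemplateFile $TemplateFile `
    -TemplateParameterFile $TemplateParameterFile `
    -WhatIf

# 4. Run the deployment. The resource group's own location is used; the cmdlet takes
#    no -Location parameter. A timestamped name makes each run easy to find later.
$deployment = New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -TemplateFile $TemplateFile `
    -TemplateParameterFile $TemplateParameterFile `
    -Mode Incremental `
    -Name ("pipeline-{0:yyyyMMddHHmmss}" -f (Get-Date))

# 5. Fail the task if Azure reports anything other than success.
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment $($deployment.DeploymentName) ended in state '$($deployment.ProvisioningState)'."
}
```

The context check in step 2 is the part worth keeping even if you drop the preview: it turns a mis-set variable into a failed task rather than a resource created in the wrong subscription. The Azure CLI equivalent follows the same order, setting the subscription with az account set before running az deployment group create.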