
Azure Done Right Series: Azure DevOps and Management Group Service Connections

Working in Azure DevOps requires a service connection to authenticate and deploy resources to Azure. Typically we scope this to a single Azure subscription.

A less common but useful pattern is deploying to multiple subscriptions under a management group.

Creating a single service connection scoped to a management group removes the administrative overhead and enables us to deploy to any subscription in that management group. It does, however, require some different thinking and changes to our pipelines for deployments to succeed.

It is also important to consider the security implications of management group service connections and to ensure the connection is properly secured within Azure DevOps.

If we were to deploy an ARM template using Azure DevOps, we would use an Azure resource group deployment task in our pipeline, which typically looks like the example below.

- task: AzureResourceGroupDeployment@2
  displayName: Azure Resource Group Deployment Example
  inputs:
    # Service connection scoped to a single subscription
    azureSubscription: AzureSubscriptionServiceConnection
    resourceGroupName: resource-group-name
    location: location
    csmFile: template-file-path
    csmParametersFile: template-parameter-file-path
    deploymentMode: Incremental

This works well with service connections scoped at the Azure subscription level, but it will fail when using a service connection scoped at the management group level, because we haven’t specified which subscription we would like to deploy our resources into.

So how do we deploy ARM templates when using a management group service connection?

We won’t be able to use the built-in Azure resource group deployment task; we need to use Azure PowerShell tasks instead to deploy our ARM templates.

When configuring the Azure PowerShell task, we first need to select the Azure subscription, and then we can deploy our ARM template using the New-AzResourceGroupDeployment cmdlet.

An example is below.

- task: AzurePowerShell@5
  displayName: Management Group Deployment
  inputs:
    # Service connection scoped to the management group
    azureSubscription: ManagementGroupServiceConnection
    ScriptType: InlineScript
    Inline: |
        # Select the target subscription before deploying
        Select-AzSubscription -SubscriptionName subscription-name
        # -Location is not a built-in parameter of this cmdlet; it binds only if the template declares a 'location' parameter
        New-AzResourceGroupDeployment -ResourceGroupName resource-group-name -TemplateFile template-file-path -TemplateParameterFile template-parameter-file-path -Location location
    FailOnStandardError: true
    azurePowerShellVersion: LatestVersion
    pwsh: true

The same logic applies to any deployment that uses a management group service connection in an Azure DevOps pipeline. We first need to select the subscription we want to work on and then execute our deployment, whether the method is ARM templates, Azure CLI or Azure PowerShell.
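The select-then-deploy step, generalised to several subscriptions with a guard on which ones the pipeline may touch. This is an added example, not code from the original post: the allow-list, the subscription names and the deployment name prefix are assumptions, and the script is intended as the body of an Azure PowerShell task that uses the management group service connection.

```powershell
# Added example: every name below is a placeholder, not a value from the post.
$ErrorActionPreference = 'Stop'

# Assumption: an explicit allow-list of subscriptions this pipeline may deploy to,
# so a management-group-wide identity is not used against unintended subscriptions.
$allowedSubscriptions = @('subscription-name-a', 'subscription-name-b')
$resourceGroupName    = 'resource-group-name'
$templateFile         = 'template-file-path'
$templateParameters   = 'template-parameter-file-path'

# Subscriptions the service connection can actually see.
$visible = Get-AzSubscription | Select-Object -ExpandProperty Name

foreach ($name in $allowedSubscriptions) {
    if ($visible -notcontains $name) {
        throw ("Subscription '{0}' is not visible to this service connection." -f $name)
    }

    # Select the subscription, then confirm the context really switched
    # before anything is deployed.
    $context = Set-AzContext -Subscription $name
    if ($context.Subscription.Name -ne $name) {
        throw ("Expected context '{0}' but got '{1}'." -f $name, $context.Subscription.Name)
    }

    # Fail early with a clear error if the target resource group is missing.
    $null = Get-AzResourceGroup -Name $resourceGroupName

    Write-Host ("Deploying to '{0}' ({1})" -f $name, $context.Subscription.Id)
    $deploymentName = 'pipeline-{0}' -f (Get-Date -Format 'yyyyMMddHHmmss')
    New-AzResourceGroupDeployment `
        -Name $deploymentName `
        -ResourceGroupName $resourceGroupName `
        -TemplateFile $templateFile `
        -TemplateParameterFile $templateParameters `
        -Mode Incremental
}
```

Because the script stops on the first error, a subscription that fails the visibility or context check blocks the deployments that would have followed it.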


Arinco PTY LTD
All Rights Reserved