PART 1.1: INFRASTRUCTURE PIPELINE — Building a Scalable App Environment with Infrastructure and Deployment

Using .NET, Angular, Kubernetes, Azure DevOps, Terraform, Event Hubs and other Azure resources.


Introduction

Prerequisites

Terraform Build/Release Task

Azure

Code Changes

terraform {
  backend "azurerm" {
    tenant_id            = "YOUR_TENANT_ID"
    subscription_id      = "YOUR_SUBSCRIPTION_ID"
    resource_group_name  = "notifier-resource-group"
    storage_account_name = "notifiertfstore"
    container_name       = "notifiertfstate"
    key                  = "terraform-notifier.tfstate"
  }
}

tenant_id: YOUR_TENANT_ID
kv_allow:
  YOUR_SERVICE_CONNECTION_NAME: # service connection (the principal used by the Azure DevOps pipeline)
    object_id: YOUR_SERVICE_CONNECTION_OBJECT_ID
    secret_permissions: ["get", "list", "delete", "set"]
  notifier-devs: # allowed group
    object_id: YOUR_NOTIFIER_DEVS_OBJECT_ID
    secret_permissions: ["get", "list", "delete", "set", "recover", "backup", "restore"]

Build Pipeline

azure-pipelines.yml:

trigger:
  - master

resources:
  repositories:
    - repository: self

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: TerraformInstaller@0
    displayName: Install Terraform Latest
    inputs:
      terraformVersion: 'latest'

  - task: AzureCLI@1
    displayName: Authorize Azure
    inputs:
      azureSubscription: 'ARM Notifier'
      scriptLocation: inlineScript
      inlineScript: |
        echo "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=false]${servicePrincipalId}"
        echo "##vso[task.setvariable variable=AZURE_CLIENT_SECRET;issecret=true]${servicePrincipalKey}"
        echo "##vso[task.setvariable variable=AZURE_SUBSCRIPTION_ID;issecret=false]$(az account show --query 'id' -o tsv)"
        echo "##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=false]${tenantId}"
      addSpnToEnvironment: true

  - bash: |
      terraform init
      for ENV in "acc" "prd"
      do
        terraform workspace select $ENV || terraform workspace new $ENV
        terraform validate
      done
    workingDirectory: '$(System.DefaultWorkingDirectory)'
    displayName: 'Terraform Init/Validate configuration'
    env:
      ARM_CLIENT_ID: $(AZURE_CLIENT_ID)
      ARM_CLIENT_SECRET: $(AZURE_CLIENT_SECRET)
      ARM_SUBSCRIPTION_ID: $(AZURE_SUBSCRIPTION_ID)
      ARM_TENANT_ID: $(AZURE_TENANT_ID)

  - task: CopyFiles@2
    displayName: Copy Terraform Configs
    inputs:
      SourceFolder: '.'
      Contents: '**'
      TargetFolder: '$(build.ArtifactStagingDirectory)'
      CleanTargetFolder: true
      OverWrite: true

  - task: PublishBuildArtifacts@1
    displayName: Publish Terraform Artifacts
    inputs:
      PathtoPublish: '$(build.ArtifactStagingDirectory)'
      ArtifactName: 'tf'
      publishLocation: 'Container'

Release Pipeline

echo "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=false]${servicePrincipalId}"
echo "##vso[task.setvariable variable=AZURE_CLIENT_SECRET;issecret=true]${servicePrincipalKey}"
SUBSCRIPTION_ID=`az account show --query 'id' -o tsv`
echo "selected subscription ${SUBSCRIPTION_ID}"
echo "##vso[task.setvariable variable=AZURE_SUBSCRIPTION_ID;issecret=false]${SUBSCRIPTION_ID}"
echo "##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=false]${tenantId}"

terraform init
terraform workspace select $(env) || terraform workspace new $(env)
if [ "$(tf_action)" = "apply" ]; then
  terraform $(tf_action) -auto-approve
else
  terraform $(tf_action)
fi
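As an added example (not the article's own script), a hardened shell version of the workspace loop from the build step and of the release-stage script above. It assumes the release variables env and tf_action are mapped to the environment variables TF_ENV and TF_ACTION (names chosen here) and that ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID and ARM_TENANT_ID are already exported by the preceding AzureCLI task. The point it demonstrates: $(env) and $(tf_action) are substituted verbatim into a shell command line, so whoever can edit release variables decides what terraform runs. The wrapper allowlists both values before they reach terraform, never auto-approves destroy from a variable, and passes -input=false and -lock-timeout so a run against a locked state container fails after a bounded wait instead of hanging the agent.

```shell
#!/bin/sh
# Added example, not the article's script. Assumes the pipeline maps the
# release variables env -> TF_ENV and tf_action -> TF_ACTION (names chosen
# here) and that the ARM_* credentials are already exported by the
# preceding AzureCLI task.
set -eu

# Allowlists. Release variables are editable configuration, so a value is
# only ever handed to terraform after it has matched one of these words.
ALLOWED_ENVS="acc prd"
ALLOWED_ACTIONS="plan apply destroy"

# in_list NEEDLE "word word ..." : succeed only if NEEDLE is exactly one of the words
in_list() {
  needle="$1"
  for word in $2; do
    [ "$word" = "$needle" ] && return 0
  done
  return 1
}

validate_env()    { in_list "$1" "$ALLOWED_ENVS"; }
validate_action() { in_list "$1" "$ALLOWED_ACTIONS"; }

# Select (or create) the workspace for one environment, as the build step does,
# but only for an environment name on the allowlist.
select_workspace() {
  validate_env "$1" || { echo "refusing unknown environment: $1" >&2; return 2; }
  terraform workspace select "$1" || terraform workspace new "$1"
}

# The build-stage check: validate the configuration in every allowed workspace.
validate_all_workspaces() {
  terraform init -input=false
  for e in $ALLOWED_ENVS; do
    select_workspace "$e"
    terraform validate
  done
}

# tf_release_args ENV ACTION : print the terraform arguments for this run.
# A pure function, so the decision logic can be checked without terraform.
tf_release_args() {
  validate_env "$1"    || { echo "refusing unknown environment: $1" >&2; return 2; }
  validate_action "$2" || { echo "refusing unknown action: $2" >&2; return 2; }
  case "$2" in
    plan)    echo "plan -input=false -lock-timeout=5m" ;;
    apply)   echo "apply -input=false -lock-timeout=5m -auto-approve" ;;
    # destroy is never auto-approved on the strength of a pipeline variable
    destroy) echo "destroy -input=false -lock-timeout=5m" ;;
  esac
}

# tf_release ENV ACTION : the release-stage script with validation in front of it.
tf_release() {
  args="$(tf_release_args "$1" "$2")"
  terraform init -input=false
  select_workspace "$1"
  # $args is a fixed word list built above, so the unquoted expansion is intended
  terraform $args
}

# Pipeline entry point; nothing runs when the variables are not set.
if [ -n "${TF_ACTION:-}" ]; then
  tf_release "${TF_ENV:-}" "$TF_ACTION"
fi
```

In the release stage the inline script reduces to exporting the two variables and sourcing this file; in the build stage, call validate_all_workspaces in place of the loop. Because tf_release_args only prints arguments, the rejection of an unexpected environment or action can be exercised on any machine without a backend or credentials.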

Enable AKS Access to ACR

az aks update -n notifier-aks-acc -g notifier-resource-group-acc --attach-acr notifiercontainerregistryacc

Problems I had to face

Terraform — Resource Already Imported

terraform import azurerm_key_vault_secret.kvs_webapi_appinsights https://kv-webapi-acc.vault.azure.net/secrets/ApplicationInsights--InstrumentationKey/d9bff6b232d0412fb3aa2d9e9a07961

Terraform — State Container Locked

Key Vault — Access Policies

Conclusion
