-
Notifications
You must be signed in to change notification settings - Fork 56
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
55237ec
commit 1f4c721
Showing
1 changed file
with
105 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -34,10 +34,10 @@ Also make sure that you have the following: | |
| - read_registry | ||
| - write_registry | ||
|
|
||
| ## Instructions | ||
| # Instructions | ||
| see https://cloud.google.com/dotnet/docs/creating-a-cicd-pipeline-azure-pipelines-cloud-run | ||
|
|
||
|
|
||
| ### Draft - references from GCP as ENV variables to ADO | ||
| ## Draft - references from GCP as ENV variables to ADO | ||
| - cloudbuild_project_id = "prj-b-cicd-82vv" | ||
| - seed_project_id = "prj-b-seed-8919" | ||
| - gcs_bucket_tfstate = "bkt-prj-b-seed-tfstate-7120" | ||
|
|
@@ -47,33 +47,126 @@ Also make sure that you have the following: | |
| - projects_step_terraform_service_account_email = "[email protected]" | ||
| - environment_step_terraform_service_account_email = "[email protected]" | ||
|
|
||
| ### Draft - Artifacts - Manual | ||
| ## Draft - Artifacts - Manual | ||
|
|
||
| ### Service Accounts for ADO | ||
| - create a GCP service account for use by ADO with the following storage role - to be able to read the terraform remote state file from GCP GCS. | ||
|
|
||
| On your GCP console (tef-olapp is an example bootstrap project below only as in tef-"short domain name - for distinct id - here obrienlabs.app is olapp") | ||
| ``` | ||
| gcloud config set project tef-olapp | ||
| gcloud iam service-accounts create ado-sa --display-name="ado-sa" --project=tef-olapp | ||
| export PROJECT_ID=tef-olapp | ||
| export SA_EMAIL=ado-sa@$PROJECT_ID.iam.gserviceaccount.com | ||
| echo $SA_EMAIL | ||
| [email protected] | ||
| gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SA_EMAIL --role roles/storage.admin --project=$PROJECT_ID | ||
| Updated IAM policy for project [tef-olapp]. | ||
| ``` | ||
| #### Generate service account key | ||
| ``` | ||
| cloud iam service-accounts keys create ado-sa.json --iam-account $SA_EMAIL --project=$PROJECT_ID | ||
| tr -d '\n' < ado-sa.json > ado-sa-oneline.json | ||
| ``` | ||
| - Export the secret token on this SA for use by the ADO pipelines | ||
| - | ||
| #### Create 6 repositories | ||
|
|
||
| ### Create ADO Project | ||
| ### Setup Agents | ||
| #### Ask Azure for a request to increase free parallelism in Azure DevOps. | ||
| this will take an average of 2 days | ||
| - https://learn.microsoft.com/en-us/answers/questions/477716/how-to-resolve-no-hosted-parallelism-has-been-purc | ||
| - https://aka.ms/azpipelines-parallelism-request | ||
| - https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR5zsR558741CrNi6q8iTpANURUhKMVA3WE4wMFhHRExTVlpET1BEMlZSTCQlQCN0PWcu | ||
| #### Create a PAT (Personnal Access Token) in ADO for use by pipeline agents | ||
| User Settings | Security | PAT | ||
| #### Optionally use local agents | ||
| Until the free parallelism request gets approved create and use local agents on one of your machines or VMs. | ||
| - project settings | agent pools | add self-hosted | ||
|
|
||
| Windows example (powershell) | ||
| ``` | ||
| mkdir agent ; cd agent | ||
| Add-Type -AssemblyName System.IO.Compression.FileSystem ; [System.IO.Compression.ZipFile]::ExtractToDirectory("$HOME\Downloads\vsts-agent-win-x64-3.238.0.zip", "$PWD") | ||
| .\config.cmd | ||
| PS C:\opt\agent> .\run.cmd | ||
| Scanning for tool capabilities. | ||
| Connecting to the server. | ||
| 2024-04-24 03:43:31Z: Listening for Jobs | ||
| ``` | ||
| #### Add PAT to the local agent | ||
| make sure to add a trailing slash in the url / - see https://learn.microsoft.com/en-us/answers/questions/272411/vs30063-you-are-not-authorized-to-access-https-dev | ||
| ``` | ||
| >> Connect: | ||
| Enter server URL > https://dev.azure.com/obrienlabsxyz/ | ||
| Enter authentication type (press enter for PAT) > | ||
| Enter personal access token > **************************************************** | ||
| Connecting to server ... | ||
| >> Register Agent: | ||
| Enter agent pool (press enter for default) > olxyz-self | ||
| Enter agent name (press enter for 13900D) > | ||
| Scanning for tool capabilities. | ||
| Connecting to the server. | ||
| Successfully added the agent | ||
| Testing agent connection. | ||
| Enter work folder (press enter for _work) > | ||
| 2024-04-24 03:34:21Z: Settings Saved. | ||
| Enter run agent as service? (Y/N) (press enter for N) > y | ||
| Enter enable SERVICE_SID_TYPE_UNRESTRICTED for agent service (Y/N) (press enter for N) > y | ||
| Enter User account to use for the service (press enter for NT AUTHORITY\NETWORK SERVICE) > | ||
| Granting file permissions to 'NT AUTHORITY\NETWORK SERVICE'. | ||
| Service vstsagent.obrienlabsxyz.olxyz-self.13900D successfully installed | ||
| Service vstsagent.obrienlabsxyz.olxyz-self.13900D successfully set recovery option | ||
| Service vstsagent.obrienlabsxyz.olxyz-self.13900D successfully set to delayed auto start | ||
| Service vstsagent.obrienlabsxyz.olxyz-self.13900D successfully set SID type | ||
| Service vstsagent.obrienlabsxyz.olxyz-self.13900D successfully configured | ||
| Enter whether to prevent service starting immediately after configuration is finished? (Y/N) (press enter for N) > y | ||
| ``` | ||
| If needed - while using a temporary local agent - force the pool | ||
| ``` | ||
| pool: olxyz-self | ||
| # vmImage: ubuntu-latest | ||
| # agent.name: 13900D | ||
| ``` | ||
| ### Import base PBMM Repository | ||
| Repos | Import | ||
| for example - import https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding.git into https://dev.azure.com/obrienlabsxyz/pbmm-on-gcp-onboarding/_git/pbmm-on-gcp-onboarding | ||
| ### Generate GIT Credentials | ||
|
|
||
| ### Create 6 private ADO repositories | ||
| - gcp-bootstrap | ||
| - gcp-environments | ||
| - gcp-networks | ||
| - gcp-org | ||
| - gcp-policies | ||
| - gcp-projects | ||
|
|
||
| The following repository can be temporarily replaced by links to a global/public dockerhub image at https://hub.docker.com/repository/docker/obrienlabs/terraform-example-foundation-ado/tags | ||
| - tf-cloudbuilder | ||
| ### Container Registry | ||
| The following repository can be temporarily replaced by links to a global/public dockerhub image at | ||
| - https://hub.docker.com/repository/docker/obrienlabs/terraform-example-foundation-ado/tags | ||
| - tf-cloudbuilder is replaced by the following line in the pipeline yml | ||
| - - docker run obrienlabs/terraform-example-foundation-ado:0.0.2 --version | ||
|
|
||
| #### ADO Logs and Artifacts | ||
| ### ADO Logs and Artifacts | ||
| By default ADO will log entries and retain artifacts from ADO Pipeline runs for | ||
| - bootstrap | ||
| - env | ||
| - net | ||
| - org | ||
| - proj | ||
|
|
||
| ### Draft - Artifacts - Automated | ||
| ## Draft - Artifacts - Automated | ||
| WIP sh script automation | ||
| ### Draft - references to GCP | ||
| ## Draft - references to GCP | ||
|
|
||
| ## Clone Terraform Example Foundation repo | ||
|
|
||
| ### Clone Terraform Example Foundation repo | ||
| ## Procedure to periodically pull from upstream | ||
| ``` | ||
| git remote add upstream https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding.git | ||
| git fetch upstream | ||
| git merge upstream/main main | ||
| git push origin main | ||
| ``` | ||