From 1f4c72125e3e4894be2255877cc222701ab67a0f Mon Sep 17 00:00:00 2001
From: Michael O'Brien
Date: Sun, 28 Apr 2024 19:25:14 -0400
Subject: [PATCH] #399 - ado readme instructions
---
0-bootstrap/README-Azure-DevOps.md | 117 ++++++++++++++++++++++++++---
1 file changed, 105 insertions(+), 12 deletions(-)
diff --git a/0-bootstrap/README-Azure-DevOps.md b/0-bootstrap/README-Azure-DevOps.md
index ddf131b9..aad7edc2 100644
--- a/0-bootstrap/README-Azure-DevOps.md
+++ b/0-bootstrap/README-Azure-DevOps.md
@@ -34,10 +34,10 @@ Also make sure that you have the following: - read_registry - write_registry
-## Instructions
+# Instructions
+see https://cloud.google.com/dotnet/docs/creating-a-cicd-pipeline-azure-pipelines-cloud-run - -### Draft - references from GCP as ENV variables to ADO
+## Draft - references from GCP as ENV variables to ADO - cloudbuild_project_id = "prj-b-cicd-82vv" - seed_project_id = "prj-b-seed-8919" - gcs_bucket_tfstate = "bkt-prj-b-seed-tfstate-7120"
@@ -47,13 +47,95 @@ Also make sure that you have the following: - projects_step_terraform_service_account_email = "sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com" - environment_step_terraform_service_account_email = "sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com"
-### Draft - Artifacts - Manual
+## Draft - Artifacts - Manual ### Service Accounts for ADO - create a GCP service account for use by ADO with the following storage role - to be able to read the terraform remote state file from GCP GCS.
+
+On your GCP console (tef-olapp is an example bootstrap project below only as in tef-"short domain name - for distinct id - here obrienlabs.app is olapp")
+```
+gcloud config set project tef-olapp
+gcloud iam service-accounts create ado-sa --display-name="ado-sa" --project=tef-olapp
+export PROJECT_ID=tef-olapp
+export SA_EMAIL=ado-sa@$PROJECT_ID.iam.gserviceaccount.com
+echo $SA_EMAIL
+ ado-sa@tef-olapp.iam.gserviceaccount.com
+gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SA_EMAIL --role roles/storage.admin --project=$PROJECT_ID
+Updated IAM policy for project [tef-olapp].
+```
+#### Generate service account key
+```
+cloud iam service-accounts keys create ado-sa.json --iam-account $SA_EMAIL --project=$PROJECT_ID
+tr -d '\n' < ado-sa.json > ado-sa-oneline.json
+``` - Export the secret token on this SA for use by the ADO pipelines -- -#### Create 6 repositories
+
+### Create ADO Project
+### Setup Agents
+#### Ask Azure for a request to increase free parallelism in Azure DevOps.
+this will take an average of 2 days
+- https://learn.microsoft.com/en-us/answers/questions/477716/how-to-resolve-no-hosted-parallelism-has-been-purc
+- https://aka.ms/azpipelines-parallelism-request
+- https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR5zsR558741CrNi6q8iTpANURUhKMVA3WE4wMFhHRExTVlpET1BEMlZSTCQlQCN0PWcu
+#### Create a PAT (Personnal Access Token) in ADO for use by pipeline agents
+User Settings | Security | PAT
+#### Optionally use local agents
+Until the free parallelism request gets approved create and use local agents on one of your machines or VMs.
+- project settings | agent pools | add self-hosted
+
+Windows example (powershell)
+```
+mkdir agent ; cd agent
+Add-Type -AssemblyName System.IO.Compression.FileSystem ; [System.IO.Compression.ZipFile]::ExtractToDirectory("$HOME\Downloads\vsts-agent-win-x64-3.238.0.zip", "$PWD")
+.\config.cmd
+
+PS C:\opt\agent> .\run.cmd
+Scanning for tool capabilities.
+Connecting to the server.
+2024-04-24 03:43:31Z: Listening for Jobs
+```
+#### Add PAT to the local agent
+make sure to add a trailing slash in the url / - see https://learn.microsoft.com/en-us/answers/questions/272411/vs30063-you-are-not-authorized-to-access-https-dev
+```
+>> Connect:
+
+Enter server URL > https://dev.azure.com/obrienlabsxyz/
+Enter authentication type (press enter for PAT) >
+Enter personal access token > ****************************************************
+Connecting to server ...
+
+>> Register Agent:
+Enter agent pool (press enter for default) > olxyz-self
+Enter agent name (press enter for 13900D) >
+Scanning for tool capabilities.
+Connecting to the server.
+Successfully added the agent
+Testing agent connection.
+Enter work folder (press enter for _work) >
+2024-04-24 03:34:21Z: Settings Saved.
+Enter run agent as service? 
(Y/N) (press enter for N) > y
+Enter enable SERVICE_SID_TYPE_UNRESTRICTED for agent service (Y/N) (press enter for N) > y
+Enter User account to use for the service (press enter for NT AUTHORITY\NETWORK SERVICE) >
+Granting file permissions to 'NT AUTHORITY\NETWORK SERVICE'.
+Service vstsagent.obrienlabsxyz.olxyz-self.13900D successfully installed
+Service vstsagent.obrienlabsxyz.olxyz-self.13900D successfully set recovery option
+Service vstsagent.obrienlabsxyz.olxyz-self.13900D successfully set to delayed auto start
+Service vstsagent.obrienlabsxyz.olxyz-self.13900D successfully set SID type
+Service vstsagent.obrienlabsxyz.olxyz-self.13900D successfully configured
+Enter whether to prevent service starting immediately after configuration is finished? (Y/N) (press enter for N) > y
+```
+If needed - while using a temporary local agent - force the pool
+```
+pool: olxyz-self
+# vmImage: ubuntu-latest
+# agent.name: 13900D
+```
+### Import base PBMM Repository
+Repos | Import
+for example - import https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding.git into https://dev.azure.com/obrienlabsxyz/pbmm-on-gcp-onboarding/_git/pbmm-on-gcp-onboarding
+### Generate GIT Credentials
+
+### Create 6 private ADO repositories - gcp-bootstrap - gcp-environments - gcp-networks
@@ -61,10 +143,13 @@ Also make sure that you have the following: - gcp-policies - gcp-projects
-The following repository can be temporarily replaced by links to a global/public dockerhub image at https://hub.docker.com/repository/docker/obrienlabs/terraform-example-foundation-ado/tags
-- tf-cloudbuilder
+### Container Registry
+The following repository can be temporarily replaced by links to a global/public dockerhub image at
+- https://hub.docker.com/repository/docker/obrienlabs/terraform-example-foundation-ado/tags
+- tf-cloudbuilder is replaced by the following line in the pipeline yml
+- - docker run obrienlabs/terraform-example-foundation-ado:0.0.2 --version
-#### ADO Logs and Artifacts
+### ADO Logs and Artifacts By default ADO will log entries and retain artifacts from ADO Pipeline runs for - bootstrap - env
@@ -72,8 +157,16 @@ By default ADO will log entries and retain artifacts from ADO Pipeline runs for - org - proj
-### Draft - Artifacts - Automated
+## Draft - Artifacts - Automated WIP sh script automation
-### Draft - references to GCP
+## Draft - references to GCP
+
+## Clone Terraform Example Foundation repo
-### Clone Terraform Example Foundation repo
+## Procedure to periodically pull from upstream
+```
+git remote add upstream https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding.git
+git fetch upstream
+git merge upstream/main main
+git push origin main
+```