githubabcs-devops
diff --git a/‎.ado/infra-deploy.yml‎
Lines changed: 193 additions & 0 deletions b/‎.ado/infra-deploy.yml‎
Lines changed: 193 additions & 0 deletions
diff --git a/‎.github/workflows/infra-deploy.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/infra-deploy.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/aca/10-aca-iac-bicep/ci-cd-azdo.md‎
Lines changed: 100 additions & 0 deletions b/‎docs/aca/10-aca-iac-bicep/ci-cd-azdo.md‎
Lines changed: 100 additions & 0 deletions
diff --git a/‎docs/aca/10-aca-iac-bicep/ci-cd-git-action.md‎
Lines changed: 7 additions & 13 deletions b/‎docs/aca/10-aca-iac-bicep/ci-cd-git-action.md‎
Lines changed: 7 additions & 13 deletions
@@ -0,0 +1,193 @@
+name: Build and deploy infrastructure as code to Azure
+
+trigger:
+  branches:
+    include:
+    - master
+  paths:
+    include:
+    - bicep/**
+    - '.ado/infra-deploy.yml'
+
+parameters:
+  - name: teardown
+    displayName: Should teardown infrastructure?
+    type: boolean
+    default: false
+
+pool: 
+  vmImage: 'ubuntu-latest'
+
+variables:
+  - name: REGISTRY
+    value: ghcr.io
+  - name: BACKEND_API_IMAGE_NAME
+    value: azure/tasksmanager-backend-api
+  - name: FRONTEND_APP_IMAGE_NAME
+    value: azure/tasksmanager-frontend-webapp
+  - name: BACKEND_PROCESSOR_IMAGE_NAME
+    value: azure/tasksmanager-backend-processor
+  - group: 'AcaApp'
+
+
+stages:
+  - stage: Lint
+    condition:  eq('${{ parameters.teardown }}', false)
+    jobs:
+    - job: Lint  
+      displayName:  Lint bicep files
+      steps:
+        - checkout: self
+        - task: Bash@3
+          displayName: Perform linting
+          inputs:
+            targetType: 'inline'
+            script: |
+              set -e
+              echo "Linting bicep files"
+              az bicep build --f bicep/main.bicep
+
+  - stage: Validate
+    condition: and(succeeded(), eq('${{ parameters.teardown }}', false))
+    dependsOn: Lint
+    jobs:     
+    - job: Validate
+      displayName: Create RG and Validate bicep template
+      steps:
+        - checkout: self
+        - task: AzureCLI@2
+          displayName: Create resource group
+          inputs:
+            azureSubscription: $(AZURE_SUBSCRIPTION)
+            scriptType: 'bash'
+            scriptLocation: 'inlineScript'
+            inlineScript: |
+              set -e
+              echo "Creating resource group"
+              if [[ $(az group exists -n $(RESOURCE_GROUP)) == true ]]
+              then
+                echo "Resource group already exists in the subscription"
+              else
+                az group create  --name $(RESOURCE_GROUP) --location $(LOCATION)
+                echo "Resource group created"
+              fi
+
+        - task: AzureResourceManagerTemplateDeployment@3
+          inputs:
+            deploymentScope: 'Resource Group'
+            azureResourceManagerConnection: $(AZURE_SUBSCRIPTION)
+            action: 'Create Or Update Resource Group'
+            resourceGroupName: $(RESOURCE_GROUP)
+            location: $(LOCATION)
+            templateLocation: 'Linked artifact'
+            csmFile: 'bicep/main.bicep'
+            csmParametersFile: 'bicep/main.parameters.json'
+            deploymentMode: 'Validation'
+
+  - stage: Deploy
+    displayName: Deploy infrastructure using GHCR image
+    dependsOn: Validate
+    condition: and(succeeded() , eq(variables.CONTAINER_REGISTRY_NAME, ''))
+    jobs: 
+    - job: Deploy
+      displayName: Deploy infrastructure using GHCR image
+      steps:
+        - checkout: self
+        - task: AzureResourceManagerTemplateDeployment@3
+          inputs:
+            deploymentScope: 'Resource Group'
+            azureResourceManagerConnection: $(AZURE_SUBSCRIPTION)
+            action: 'Create Or Update Resource Group'
+            resourceGroupName: $(RESOURCE_GROUP)
+            location: '$(LOCATION)'
+            templateLocation: 'Linked artifact'
+            csmFile: 'bicep/main.bicep'
+            csmParametersFile: 'bicep/main.parameters.json'
+            overrideParameters: '-containerRegistryName -backendProcessorServiceImage $(REGISTRY)/$(BACKEND_PROCESSOR_IMAGE_NAME):latest -backendApiServiceImage $(REGISTRY)/$(BACKEND_API_IMAGE_NAME):latest -frontendWebAppServiceImage $(REGISTRY)/$(FRONTEND_APP_IMAGE_NAME):latest'
+            deploymentMode: 'Incremental'
+            deploymentName: 'azdo-deploy-$(Build.BuildId)'
+
+  - stage: Create_Import_ACR
+    displayName: Create Azure Container Registry if needed
+    dependsOn: Validate
+    condition: and(succeeded(), ne(variables.CONTAINER_REGISTRY_NAME, ''), eq('${{ parameters.teardown }}', false))
+    jobs:
+      - job: Create_ACR
+        displayName: Create Azure Container Registry if needed
+        steps:
+          - task: AzureCLI@2
+            displayName: Create Azure Container Registry if needed
+            inputs:
+              azureSubscription: $(AZURE_SUBSCRIPTION)
+              scriptType: 'bash'
+              scriptLocation: 'inlineScript'
+              inlineScript: |
+                set -e
+                echo "Creating Azure Container Registry if needed"
+                if [[ $(az acr check-name -n $(CONTAINER_REGISTRY_NAME)  -o tsv --query "nameAvailable") == false ]]
+                then
+                  echo "ACR already exists."
+                  if [[ $(az acr list -g $(RESOURCE_GROUP) -o tsv --query "[?name=='$(CONTAINER_REGISTRY_NAME)']") == "" ]]
+                  then
+                    echo "ACR exists but not in the resource group $(RESOURCE_GROUP). Please select a different name for the ACR and update in repository variable."
+                    exit 1
+                  fi
+                else
+                  az acr create --name $(CONTAINER_REGISTRY_NAME) --resource-group $(RESOURCE_GROUP) --sku Basic --location $(LOCATION)
+                  echo "ACR created"
+                fi
+      - job: Import_Image
+        displayName: Import image to ACR from GHCR
+        dependsOn: Create_ACR
+        condition: succeeded()
+        steps:
+          - task: AzureCLI@2
+            displayName: Import images from GitHub Container Registry
+            inputs:
+              azureSubscription: $(AZURE_SUBSCRIPTION)
+              scriptType: 'bash'
+              scriptLocation: 'inlineScript'
+              inlineScript: |
+                set -e
+                echo "Import images from GitHub Container Registry"
+                az acr import --name $(CONTAINER_REGISTRY_NAME) --source $(REGISTRY)/$(BACKEND_PROCESSOR_IMAGE_NAME):latest --image tasksmanager/tasksmanager-backend-processor --force
+                az acr import --name $(CONTAINER_REGISTRY_NAME) --source $(REGISTRY)/$(BACKEND_API_IMAGE_NAME):latest --image tasksmanager/tasksmanager-backend-api --force
+                az acr import --name $(CONTAINER_REGISTRY_NAME) --source $(REGISTRY)/$(FRONTEND_APP_IMAGE_NAME):latest --image tasksmanager/tasksmanager-frontend-webapp --force
+      
+  - stage: Deploy_With_ACR
+    displayName: Deploy infrastructure using ACR image
+    dependsOn: Create_Import_ACR
+    condition: and(succeeded(), ne(variables.CONTAINER_REGISTRY_NAME, ''), eq('${{ parameters.teardown }}', false))
+    jobs: 
+    - job: Deploy
+      displayName: Deploy infrastructure using ACR image
+      steps:
+        - checkout: self
+        - task: AzureResourceManagerTemplateDeployment@3
+          inputs:
+            deploymentScope: 'Resource Group'
+            azureResourceManagerConnection: $(AZURE_SUBSCRIPTION)
+            action: 'Create Or Update Resource Group'
+            resourceGroupName: $(RESOURCE_GROUP)
+            location: $(LOCATION)
+            templateLocation: 'Linked artifact'
+            csmFile: 'bicep/main.bicep'
+            csmParametersFile: 'bicep/main.parameters.json'
+            overrideParameters: '-containerRegistryName $(CONTAINER_REGISTRY_NAME) -backendProcessorServiceImage $(CONTAINER_REGISTRY_NAME).azurecr.io/tasksmanager/tasksmanager-backend-processor:latest -backendApiServiceImage $(CONTAINER_REGISTRY_NAME).azurecr.io/tasksmanager/tasksmanager-backend-api:latest -frontendWebAppServiceImage $(CONTAINER_REGISTRY_NAME).azurecr.io/tasksmanager/tasksmanager-frontend-webapp:latest'
+            deploymentMode: 'Incremental'
+            deploymentName: 'azdo-deploy-$(Build.BuildId)'
+
+  - stage: Teardown
+    displayName: Teardown infrastructure
+    dependsOn: []
+    condition: eq('${{ parameters.teardown }}', true)
+    jobs: 
+    - job: Teardown
+      displayName: Teardown infrastructure
+      steps:
+        - task: AzureResourceManagerTemplateDeployment@3
+          inputs:
+            deploymentScope: 'Resource Group'
+            azureResourceManagerConnection: $(AZURE_SUBSCRIPTION)
+            action: 'DeleteRG'
+            resourceGroupName: $(RESOURCE_GROUP)
@@ -137,7 +137,7 @@ jobs:
             az acr import --name ${{ vars.CONTAINER_REGISTRY_NAME }} --source ${{ env.REGISTRY }}/${{ env.BACKEND_API_IMAGE_NAME }}:latest --image tasksmanager/tasksmanager-backend-api --force
             az acr import --name ${{ vars.CONTAINER_REGISTRY_NAME }} --source ${{ env.REGISTRY }}/${{ env.FRONTEND_APP_IMAGE_NAME }}:latest --image tasksmanager/tasksmanager-frontend-webapp --force
 
-  # This job deploys the bicep template to Azure subscription either using ACR images
+  # This job deploys the bicep template to Azure subscription using ACR images
   deploy-with-acr-images:
     runs-on: ubuntu-latest
     if : ${{ github.event.inputs.teardown != 'true' }}
 
@@ -0,0 +1,100 @@
+
+# Deploy Infrastructure Using Azure DevOps
+
+!!! info "Module Duration"
+    30 minutes
+
+In the [previous section](../../aca/10-aca-iac-bicep/iac-bicep.md), we demonstrated how Bicep scripts can be used to automate the deployment of infrastructure components. However, creating the container registry and deploying the Bicep scripts using the Azure CLI still required manual effort. For a more efficient and streamlined process, it's preferable to use automation. Azure DevOps is a great solution for automating workflows, and in this section, we'll explain how to create a Azure DevOps pipeline for deploying the infrastructure components of our application.
+
+The workshop repository contains a Azure Devops Pipeline yaml file that will be used to deploy the infrastructure components of our application. Follow the steps below to create a devops pipeline to deploy the infrastructure components of our application.
+
+!!! note
+        The following instructions assume that you will utilize the forked Github repository both as the host for your YAML pipeline and the source code. However, it is possible to host the same assets in your Azure DevOps repository instead, if that is your preference. It is important to remember that if you choose to store your assets in your Azure DevOps repository, you will have to direct your Azure DevOps pipeline towards the Azure DevOps repository instead of the Github repository.
+
+### Fork the GitHub repository
+
+Start by forking the workshop repository to your GitHub account. Follow the steps below to fork the workshop:
+
+1. Navigate to the workshop repository at [:material-github: Azure/aca-dotnet-workshop](https://github.com/Azure/aca-dotnet-workshop){target=_blank}
+2. Click the **Fork** button in the top-right corner of the page.
+3. Select your GitHub account to fork the repository to.
+4. Wait for the repository to be forked.
+
+### Configure a Service Connection for GitHub and Azure Subscription
+
+Before we start with creating pipeline, we need to configure service connection for GitHub and Azure Subscription. You can do this in either existing or new project.
+
+#### Create a Service Connection for GitHub
+
+Provide access to the repository forked above by creating a service connection to GitHub. You create a new pipeline by first selecting a GitHub repository and then a YAML file in repository at path [.ado/infra-deploy.yml](https://raw.githubusercontent.com/Azure/aca-dotnet-workshop/main/.ado/infra-deploy.yml){target=_blank}. 
+
+The repository in which the YAML file is present is called self repository. By default, this is the repository that your pipeline builds.
+
+There are three authentication types for granting Azure Pipelines access to your GitHub repositories while creating 
+a pipeline. Follow guide at [this link](https://learn.microsoft.com/en-us/azure/devops/pipelines/repos/github?view=azure-devops&tabs=yaml#access-to-github-repositories){target=_blank}
+to create service connection for GitHub.
+
+
+![AZDO GitHub Connection](../../assets/gifs/azdo-github-connection.gif)
+
+#### Create Service Connection for Azure Subscription
+
+Create a new service connection to your azure subscription by following the steps at [this link](https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#create-a-service-connection){target=_blank}.
+
+!!! note
+    Update the created service connection role to have **[User Access Administrator](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator)** role. This is required for pipeline to be able to perform role assignments in the infrastructure components deployed. To update the role of a service connection in Azure DevOps to have the User Access Administrator role, you can follow these steps:
+
+    - Navigate to the Azure portal and select the subscription where the service connection is created.
+
+    - Click on **Access control (IAM)** in the left-hand menu.
+
+    - Click on **Add role assignment**.
+
+    - For the **Assignment type** choose **Privileged administrator roles**.
+
+    - In the **Role** section choose **User Access Administrator**.
+
+    - In the **Members** section, search for the name of the service connection that you want to update and select it.
+
+    - Click **Save** to apply the changes.
+
+### Configure Variable Group under Azure DevOps Library Section
+
+Create a variable group named **AcaApp** under Library in your Azure Devops project. Make sure the pipeline has permissions to access the created variable group under **Pipeline permissions**.
+
+This variable group will be used to store below details:
+
+```bash
+# AZURE_SUBSCRIPTION: Name of the service connection created for Azure Subscription
+AZURE_SUBSCRIPTION=<service connection name>
+
+# LOCATION: Azure region where resources will be deployed
+LOCATION=<location>
+
+# RESOURCE_GROUP: Name of the resource group which will be created and where the resources will be deployed
+RESOURCE_GROUP=<resource group name>
+
+# (OPTIONAL)CONTAINER_REGISTRY_NAME: Unique name of the container registry which will be created and where images will be imported
+CONTAINER_REGISTRY_NAME=<container registry name>
+```
+
+!!! note
+
+    Repository variable `CONTAINER_REGISTRY_NAME` is only needed by pipeline if you intend to deploy images from a private Azure Container Registry (ACR). You may chose to skip defining this variable and the pipeline will use the [public github container registry images](https://github.com/orgs/Azure/packages?repo_name=aca-dotnet-workshop) to deploy the images.
+
+### Trigger Azure Devops Pipeline
+
+With these steps completed, you are now ready to trigger the Pipeline.
+
+!!! success
+    
+    Your Pipeline should be triggered and the infrastructure components of our application should be deployed successfully.
+
+    ![GitHub Actions Workflow](../../assets/gifs/azdo-trigger.gif)
+
+
+??? info "Want to delete the resources deployed by the pipeline?"
+    
+    Trigger the pipeline again select **checkbox** option named **Should teardown infrastructure?**.
+
+    ![GitHub Actions Workflow](../../assets/gifs/azdo-delete.gif)
@@ -1,15 +1,12 @@
 
-# Deploy infrastructure using GitHub Actions
+# Deploy Infrastructure Using GitHub Actions
 
 !!! info "Module Duration"
     30 minutes
 
-GitHub Actions is a great way to automate your workflow. In this section, we will create a GitHub Action workflow to 
-deploy the infrastructure components of our application.
+In the [previous section](../../aca/10-aca-iac-bicep/iac-bicep.md), we demonstrated how Bicep scripts can be used to automate the deployment of infrastructure components. However, creating the container registry and deploying the Bicep scripts using the Azure CLI still required manual effort. For a more efficient and streamlined process, it's preferable to use automation. GitHub Actions is a great solution for automating workflows, and in this section, we'll explain how to create a GitHub Action workflow for deploying the infrastructure components of our application.
 
-The workshop repository contains a GitHub Action workflow file that will be used to deploy the infrastructure 
-components of our application. Follow the steps below to create a GitHub Action workflow to deploy the 
-infrastructure components of our application.
+The workshop repository contains a GitHub Action workflow file that will be used to deploy the infrastructure components of our application. Follow the steps below to create a GitHub Action workflow to deploy the infrastructure components of our application.
 
 ### Fork the GitHub repository
 
@@ -109,8 +106,7 @@ locally, follow the steps below to configure the repository for OIDC authenticat
 
 ### Configure GitHub Repository Secrets
 
-Configure secrets details in GitHub repo as described here in [create GitHub secrets](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux#create-github-secrets). 
-Use below values mapped to relevant secrets in GitHub. 
+Configure secrets details in GitHub repo as described here in [create GitHub secrets](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux#create-github-secrets). Use below values mapped to relevant secrets in GitHub. 
 
 ```bash
 # AZURE_SUBSCRIPTION_ID
@@ -123,11 +119,11 @@ echo $APP_ID
 
 ### Configure GitHub Repository Variables
 
-Configure repository variables as shown below:
+Configure repository variables in GitHub repo as described here in [create GitHub variables](https://docs.github.com/en/actions/learn-github-actions/variables). Use below values mapped to relevant variables in GitHub. 
 
 ```bash 
 # LOCATION: Azure region where resources will be deployed
-LOCATION=<location>
+LOCATION=<location. e.g. eastus>
 
 # RESOURCE_GROUP: Name of the resource group which will be created and resources will be deployed
 RESOURCE_GROUP=<resource group name>
@@ -144,9 +140,7 @@ CONTAINER_REGISTRY_NAME=<container registry name>
 
 ### Trigger GitHub Actions Workflow
 
-With these steps completed, you are now ready to trigger the GitHub Actions workflow name **Build and deploy 
-infrastructure as code to Azure** using **workflow dispatch** to deploy the infrastructure components of our 
-application.
+With these steps completed, you are now ready to trigger the GitHub Actions workflow named **Build and deploy infrastructure as code to Azure** using **workflow dispatch** to deploy the infrastructure components of the application.
 
 !!! success