[Pipeline issue] - Adapt the pipeline to subscription id for the environment (ability to change scope) #15

Open
TMirpuri opened this issue Sep 9, 2022 · 1 comment
Labels
enhancement New feature or request

Comments

@TMirpuri

TMirpuri commented Sep 9, 2022

The current bug isn't adapted for customers that would like to deploy self-hosted agents to different environments as part of their CI/CD pipeline strategy. Both the pipeline.image.jobs.yml and pipeline.scaleset.jobs.yml files don't include specific variables for each environment, which doesn't allow good re-use of code. This leads to the pipeline wanting to deploy out to the default subscription to which the SPN is set. This means that in order to move forward, the .azuredevops folder needs to adapt for variables for different scopes.

Steps to reproduce the behaviour:

  1. While setting up the Self-hosted agent IPkit in your own environment, try deploying to 3 different subscriptions - where each subscription will be dedicated to deploying to sandbox, dev and prod environments.
  2. Ensure that you have a setup ready where each parameters file will be deployed to a different scope with its associated bicep file (either in the Azure Image builder or VMSS creation pipeline).
  3. Then, try to deploy the infrastructure or image using the service connection provided.
  4. The following error will pop up:
    WARNING: The client '15041bef-fcd3-XXXX-XXXX-XXXXXXXXXXXX' with object id '15041bef-XXXX-XXXX-XXXXXXXXXXXX' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/ac084e26-de58-XXXX-XXXX-XXXXXXXXXXXX' or the scope is invalid. If access was recently granted, please refresh your credentials.

This illustrates that the default client and associated object id don't have the relevant permissions over the default subscription.

I would like the self-hosted agents to be deployable to different scopes, specifically subscriptions, therefore could we please create variables to allow for this flexibility and update the specific areas of code, specified in the screenshot. I have also included the screenshots of solutions for this issue. In my particular case, the dev service connection should be deploying to the dev subscription and the same for production.

If applicable, add screenshots to help explain your problem.

  • OS: Windows 11
  • Browser: Microsoft Edge
  • Version: Latest

Happy to fix this issue myself by becoming a contributor to this IPKit.

Problem example:
image

Problem solution:

image

image

image
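
The per-environment scoping requested in the issue above, sketched as an Azure DevOps pipeline fragment. This is an added example, not part of the original issue and not the project's own pipeline code; the service connection names, subscription IDs, file paths and location are hypothetical placeholders.

```yaml
# Added example. All names, IDs and paths are hypothetical placeholders.
# Each environment carries its own service connection and subscription ID,
# so a deployment never falls back to the SPN's default subscription.
parameters:
  - name: environments
    type: object
    default:
      - name: sandbox
        serviceConnection: sc-agents-sandbox                  # assumed name
        subscriptionId: 00000000-0000-0000-0000-000000000001  # placeholder
      - name: dev
        serviceConnection: sc-agents-dev                      # assumed name
        subscriptionId: 00000000-0000-0000-0000-000000000002  # placeholder
      - name: prod
        serviceConnection: sc-agents-prod                     # assumed name
        subscriptionId: 00000000-0000-0000-0000-000000000003  # placeholder

stages:
  # Template expressions are resolved at compile time, which service
  # connection references require.
  - ${{ each env in parameters.environments }}:
      - stage: deploy_${{ env.name }}
        displayName: Deploy agents to ${{ env.name }}
        jobs:
          - job: deploy
            pool:
              vmImage: ubuntu-latest
            steps:
              - checkout: self
              - task: AzureCLI@2
                displayName: Deploy to ${{ env.name }} subscription
                inputs:
                  azureSubscription: ${{ env.serviceConnection }}
                  scriptType: bash
                  scriptLocation: inlineScript
                  inlineScript: |
                    set -euo pipefail
                    # Pin the scope explicitly instead of relying on the
                    # subscription the service principal logs in to.
                    az account set --subscription "${{ env.subscriptionId }}"
                    az deployment sub create \
                      --name "agents-${{ env.name }}-$(Build.BuildId)" \
                      --location "westeurope" \
                      --template-file "deploy.bicep" \
                      --parameters "@parameters/${{ env.name }}.parameters.json"
```

With one service connection per environment, each service principal needs a role assignment only on its own subscription, so a mismatch between connection and scope surfaces as the authorization error quoted in step 4 rather than as a deployment into the wrong environment.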

@AlexanderSehr
Contributor

Definitely agree and fortunately you also already pointed the solution out.

@AlexanderSehr AlexanderSehr added the enhancement New feature or request label Sep 9, 2022