FTA Live - DevOps Series (November 2021)

part-1.md

FTA Live - DevOps Governance

• Date: 9 November 2021
• Delivery Engineers: Julie Ng, Raul Alarcon, Felip Miguel Puig

This handout was prepared in advance and generic. Actual session content may differ based on discussion. Please refer to your own personal notes.

---

Azure Architecture Center

• Azure-Architecture Center: End-to-end governance in Azure when using CI/CD - preview diagram below
• GitHub.com - Governance on Azure Demo - from DevOps to ARM - repo that accompanies that Architecture Center article

Cloud Adoption Framework

• Cloud Adoption Framework – End-to-end governance from DevOps to Azure ⭐️

• Cloud Adoption Framework – Azure role-based access control

Azure DevOps Docs

• Azure DevOps: Connect your organization to Azure Active Directory
• Azure DevOps: Default permissions and access for Azure DevOps

Azure DevOps Organizations

• Manage your organizations
• Plan your organizational structure 🖥
• Restrict organization creation via Azure AD tenant policy

Azure DevOps Projects

• How many projects do you need? 🖥
• Default permissions quick reference for Azure DevOps

Azure DevOps Repositories

• Set Git repository permissions

Azure DevOps Pipelines

• Verify permissions for contributors - For CD pipelines you want to limit triggering by Contributors!
• Define approvals and checks
• Add & use variable groups
• Set different levels of pipeline permissions
• Securing Azure Pipelines 🖥

part-2.md

FTA Live - CI/CD for Applications

• Date: 10 November 2021
• Delivery Engineers: Julie Ng, Raul Alarcon, Felip Miguel Puig

This handout was prepared in advance and generic. Actual session content may differ based on discussion. Please refer to your own personal notes.

---

Learn DevOps on MS Learn Platform

• Microsoft Learn and Search for “DevOps” and “DevOps Engineer” Role

DevOps Workflow

• Cloud Adoption Framework - End-to-end governance from DevOps to Azure
• GitOps - push vs pull deployments

DevSecOps

• DevSecOps controls
• OWASP - Static code Analysis
• Security and Credential Scanning (GitHub Advance Security)
• Dependency Management & Scanning (OWASP Dependency-Check Project | OWASP, WhiteSource)
• Dynamic Analysis (BinSkim, OWASP ZAP, Anchore Container Scanning)
• Azure Docs - Securing Azure Pipelines
• Comprehensive guidance and references:
  • Security In DevOps
  • Security Engineering Portal

Git

Git Branching

• GitFlow (2010) - the first, but not a standard
• GitHub Flow (2011) - start simple
• Gitlab Flow (2014) - building on simple
• Patterns for Managing Source Code Branches (2020) - team experiences and what happens when you apply all the Best Practices
• Azure Docs - Adopt a Git branching strategy

Git Workflows

• Branch policies

Azure Pipelines

Concepts, Classic vs YAML

• Key concepts for new Azure Pipelines users
• YAML and Classic pipelines
  • Define your Classic pipeline - for reference, comparison
• Feature Availability – YAML vs Classic Pipelines

Anatomy of DevOps Pipelines

• Add stages, dependencies, & conditions
• Azure Pipelines ecosystem support
• Add & use variable groups

Example Pipelines

• Build, test, and deploy JavaScript and Node.js apps
• MSFT Learn – Multistage Pipelines – Promotion
• Node.js Web App - example, not fixed recommendation
  • Architecture: Docker, App Service, Static Assets on Blob Storage + CDN
  • Document Your Pipelines
  • Separate Pipelines per Environment (dev, production)

Versioning Releases

• Specfication - Semantic Versioning
• Specification - Conventional Commits - a specification for adding human and machine readable meaning to commit messages
• Standard Version - a utility for versioning using semver and CHANGELOG generation powered by Conventional Commits.
• Examples
  • Azure Kubernetes Service Releases Page - manual, note categories - release by date
  • Azure Pod Identity Helm Chart - example of correlating multiple versions because of a dependency
  • Node.js Web App from demo above - uses Standard Version

Publishing Packages

• GitHub Actions - Publishing Node.js packages
• Azure Docs - Publish npm packages (YAML/Classic)

part-3.md

FTA Live - CI/CD for Infrastructure

• Date: 11 November 2021
• Delivery Engineers: Julie Ng, Raul Alarcon, Felip Miguel Puig

This handout was prepared in advance and generic. Actual session content may differ based on discussion. Please refer to your own personal notes.

---

Getting Started with Infrastructure as Code (IaC)

• Azure DevOps Channel on YouTube

Azure ARM

• Microsoft Learn Path - Deploy and manage resources in Azure by using JSON ARM templates
• Microsoft on YouTube – ARM Template Series, 1 of 12

Azure Bicep

• Microsoft Learn Path - Bicep
• Bicep Tutorial on GitHub

Infrastructure as Code (IaC) Comparison

Using comparison table below, we'll explain a few important IaC Concepts

• Syntax (Json vs DSL)
• Deployment Preview, e.g. Config Drift Check
  • State Files
• Rollback and Clean Up

Feature	ARM	Terraform	Pulumi
Language	JSON + Bicep	HCL/DSL	Code Native, e.g. JavaScript, Python
Languages (in preview)	Bicep DSL	CDK for Terraform, Python and TypeScript Support	-
Azure Integrations	ARM, AAD via Tenant Scope	ARM, AAD, ADO	ARM, AAD, ADO
Clouds	Azure-only	Agnostic + on-prem	Agnostic + on-prem
Preview Changes	az deployment … what-if	terraform plan	pulumi preview
Rollback Changes	Rollback	Revert code & Re-deploy	Revert code & Re-deploy
Infrastructure Clean Up	Delete Resource Group	terraform destroy	pulumi destroy
Deployment History	Deployment History	SCM + Auditing*	SCM + Auditing*
Code Re-Use	Hosted JSON (ARM) + Private Registry** (Bicep)	Modules + Registry*	Code-Native Packages, e.g. npm or pip
State Files	No State File	Plain-text	Encrypted

* premium feature
** preview feature as of 10 Nov 2021

Abbreviations

• ARM = Azure Resource Manager
• AAD = Azure Active Directory
• ADO = Azure DevOps
• DSL = Domain Specific Language
• HCL = HashiCorp Language
• SCM = Source Code Management

Security Considerations for Automating Infrastructure

• Azure Architecture Center: E2E Governance and what access do security principals need?
• Azure Docs: Principle of Least Privilege
• Azure Docs: Lock resources to prevent unexpected changes
• Cloud Adoption Framework: Standard enterprise governance guide

Use Custom Roles

Example custom role from Azure Architecture Center: End-to-end governance in Azure when using CI/CD

{
  "Name": "Headless Owner",    
  "Description": "Can manage infrastructure.",
  "actions": [
    "*"
  ],
  "notActions": [
    "Microsoft.Authorization/*/Delete"
  ],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/providers/Microsoft.Management/managementGroups/{groupId1}"
  ]
}

Pipeline Walkthroughs

Governance on Azure Demo (Terraform)

• Azure Integrations: ARM, AAD, ADO
• DEPLOY.md example of permissions and configurations required for IaC
• Drift Detection in stages/pull-request.yaml and posting results back to Pull Request (example)

AKS Secure Baseline (ARM/Bicep)

Please note both code projects are based on Secure AKS Baseline Reference Architecture and complementary.

• Secure AKS Baseline Reference Implementation (ARM)
  • has very good step by step multi-page markdown instructions
  • Infra as Code in real life is complicated
  • JSON is not friendliest to read, example cluster-stamp.json
• AKS Bicep Accelerator (Bicep)
  • has multiple files, e.g. ./network.bicep with local directory requirement.
  • main.bicep - note parameters/variables

Resources

Additional resources to bookmark

• Bicep Examples on GitHub.com sorted by level (100, 200, etc.) and great for learning by example.
• Azure Policy Samples on GitHub.com built-in and reference examples for you to learn, extend and use.
• Bicep Scope deployments: Resource Group, Subscription, Management Group, Tenant

This is the public slide deck which has some of the diagrams in the webinars
https://speakerdeck.com/jng/apps-vs-infra-where-are-my-pipelines-devops-dot-js-conference