Automate Azure cloud infrastructure setup using Ansible and Azure DevOps pipeline | How to integrate Ansible with Azure DevOps | Integrating Ansible with Azure DevOps Pipelines |

Ansible is an open-source, configuration management tool that automates cloud provisioning, configuration management, and application deployments. Using Ansible you can provision virtual machines, containers, network, and complete cloud infrastructures. 

Automate Azure cloud infrastructure setup using Ansible and Azure pipeline

Integrate Ansible with Azure Cloud

Integrating Ansible with Microsoft Azure allows you to automate and manage your Azure infrastructure using Ansible playbooks and modules. Ansible provides a collection of Azure-specific modules that enable you to provision and configure resources in Azure.

To configure Azure credentials, you need the following information:

• Your Azure subscription ID and tenant ID
• The service principal application ID and secret

Pre-requisites:

• Azure account subscription, click here if you don't have one.
• Service principal to create any resources in Azure cloud using Azure cloud shell or Azure CLI

Create Azure Service Principal

Run the following commands to create an Azure Service Principal:

az ad sp create-for-rbac --name <service-principal-name> \ 

--role Contributor \ 

--scopes /subscriptions/<subscription_id>

Save the above output in a file as you will not be able retrieve later.

Create an Ansible playbook

Create a simple playbook to create resource group in Azure. Make sure you modify the name of the resource group and location below.

---

- hosts: localhost

  connection: local

  tasks:

    - name: Creating resource group

      azure_rm_resourcegroup:

        name: "my-rg12"

        location: "eastus"

Create Azure YAML build pipeline:

Login to Azure Devops --> https://dev.azure.com

Select project dashboard.

Go to Pipelines -> New pipeline --> Click on Azure Repos Git or any SCM where you have playbooks stored. Select repo, click on Starter pipeline.

Add below four pipeline variables with value received from service principal creation.

AZURE_SUBSCRIPTION_ID

AZURE_CLIENT_ID

AZURE_SECRET

AZURE_TENANT

Add below tasks:

• Install Ansible on build agent
• Install Ansible rm module on build agent
• Execute Ansible playbook for creating resource group in Azure cloud.

trigger:

- main

pr: none # Disable PR triggers, can be adjusted as needed

pool:

vmImage: 'ubuntu-latest'

steps:

- script: |

# Install Ansible

pip3 install "ansible==2.9.17"

displayName: 'Install Ansible'

- script: |

# Install Ansible rm module

pip3 install ansible[azure]

displayName: 'Install Ansible rm module'

- script: |

# Run Ansible playbook to create resource group

ansible-playbook create-rg.yml

displayName: 'Run Ansible Playbook'

env:

AZURE_SUBSCRIPTION_ID: $(AZURE_SUBSCRIPTION_ID)

AZURE_CLIENT_ID: $(AZURE_CLIENT_ID)

AZURE_SECRET: $(AZURE_SECRET)

AZURE_TENANT: $(AZURE_TENANT)

Save the pipeline and run it.

Now Login to Azure cloud to see if the resource group have been created.

Watch Steps in YouTube channel:

Install Ansible on Red Hat Linux | How to setup Ansible on Red Hat Linux VM | Ansible install on Azure Linux Virtual Machine | Ansible Azure Integration

How to setup Ansible on Red Hat Linux VM and Integrate with Azure Cloud?

Ansible is #1 configuration management tool. It can also be used for infrastructure provisioning as well. or You can use Ansible in combination of Terraform which can take care of infra automation and Ansible can do configuration management. We will be setting up Ansible on Red Hat VM in Azure cloud And create some resources in Azure Cloud by using Ansible playbooks.

 

Ansible Architecture:

 

The best way to install Ansible in Linux is to use PIP, a package manager for Python.

Pre-requisites:

• Create new Red Hat VM in Azure Cloud for setting up Ansible, just open port 22 in firewall rule.
• Install Azure CLI on Red Hat Linus VM
• Service principal to create any resources in Azure cloud using Azure CLI

How to setup Ansible on Red Hat Linux VM

Watch Steps in YouTube channel:

Change host name to AnsibleMgmtNode
sudo hostnamectl set-hostname AnsibleMgmtNode

Update Repository
sudo yum update -y

Install Python-pip3

sudo yum install python3-pip -y

Upgrade pip3 sudo pip3 install --upgrade pip

# Install Ansible pip3 install "ansible==2.9.17"

check Ansible version

ansible --version

# Install Ansible azure_rm module for interacting with Azure.

pip3 install ansible[azure]

Authenticate with Azure

To configure Azure credentials, you need the following information:

• Your Azure subscription ID and tenant ID
• The service principal application ID and secret

Create an Azure Service Principal

Login to Azure first

az login

Enter Microsoft credentials

Run the following commands to create an Azure Service Principal:

az ad sp create-for-rbac --name <service-principal-name> \ 

--role Contributor \ 

--scopes /subscriptions/<subscription_id>

Save the above output in a file as you will not be able retrieve later.
Configure the Ansible credentials using one of the following techniques:

• Option 1: Create an Ansible credentials file

• Option 2: Define Ansible environment variables

Option 1: Create Ansible credentials file

In this section, you create a local credentials file to provide credentials to Ansible. For security reasons, credential files should only be used in development environments.

mkdir ~/.azure 

vi ~/.azure/credentials

Insert the following lines into the file. Replace the placeholders with the service principal values.

[default] subscription_id=<subscription_id> client_id=<service_principal_app_id> secret=<service_principal_password> tenant=<service_principal_tenant_id>

Option 2: Define Ansible environment variables

On the host virtual machine, export the service principal values to configure your Ansible credentials.

export AZURE_SUBSCRIPTION_ID=<subscription_id> export AZURE_CLIENT_ID=<service_principal_app_id> export AZURE_SECRET=<service_principal_password> export AZURE_TENANT=<service_principal_tenant_id>

Test Ansible installation

You now have a virtual machine with Ansible installed and configured!

This section shows how to create a test resource group within your new Ansible configuration. If you don't need to do that, you can skip this section.

• Option 1: Use an ad-hoc ansible command
• Option 2: Write and run an Ansible playbook

Option 1: Use an ad-hoc ansible command

Run the following ad-hoc Ansible command to create a resource group:

ansible localhost -m azure_rm_resourcegroup -a "name=my-rg123 location=eastus"

Option 2: Write and run an Ansible playbook

Create a simple playbook to create resource group in Azure.

sudo vi create-rg.yml

---

- hosts: localhost

  connection: local

  tasks:

    - name: Creating resource group

      azure_rm_resourcegroup:

        name: "myResourceGroup"

        location: "eastus"

Execute the playbook using ansible-playbook command.

ansible-playbook create-rg.yml

Now Login to Azure cloud to see if the resource group have been created.

Clean up Resources

Save the following code as delete-rg.yml

sudo vi delete-rg.yml

--- - hosts: localhost tasks: - name: Deleting resource group - "{{ name }}" azure_rm_resourcegroup: name: "{{ name }}" state: absent register: rg - debug: var: rg

ansible-playbook delete-rg.yml --extra-vars "name=myResourceGroup"

check in Azure cloud to see if the resource group have been deleted.

How to secure Azure DevOps Pipelines | Azure DevOps Build Pipelines Best Practices

Securing your Azure DevOps pipelines is crucial to protect your code, data, and infrastructure. Here are several best practices to consider for securing your Azure DevOps pipelines:

1. Pipeline Security:

• Use Version Control: Store your pipeline definitions and code in version control repositories. This ensures version history, change tracking, and controlled access.
• Secure Branch Policies: Implement branch policies to control who can make changes to specific branches. This prevents unauthorized or unreviewed changes from being deployed.
• Use Parameterized Builds: Avoid hardcoding sensitive information like credentials directly into pipeline definitions. Use pipeline variables or parameterized builds instead.
• Limit Access: Follow the principle of least privilege. Only grant necessary permissions to users and groups. Use role-based access control (RBAC) to manage access to pipelines and resources.
• Monitor and Audit: Regularly review access logs, audit logs, and pipeline run history to identify suspicious activities.

2. Secrets Management:

• Use Variable Groups: Azure DevOps provides variable groups that allow you to store sensitive information securely. These can be linked to pipelines without exposing the values directly in pipeline definitions.
• Use Secure File Variables: For sensitive files, use secure file variables to securely store and manage encrypted files that your pipelines can use during execution.
• Azure Key Vault Integration: Integrate Azure Key Vault to store and manage secrets, keys, and certificates. You can then reference these secrets in your pipelines securely.

3. Secure Pipeline Code:

• Use Private Repositories: Store sensitive code in private repositories. Avoid exposing secrets in public repositories.
• Encryption: Encrypt sensitive data at rest and during transmission. Use HTTPS for repository connections and secure protocols for data storage.
• Secure Code Review: Implement code review processes to catch and address security issues in pipeline definitions.

4. Secure Pipeline Execution:

• Agent Security: Secure the build and deployment agents by regularly updating them, applying security patches, and using agents in private networks when possible.
• Use Service Principals: If your pipeline needs access to Azure resources, use service principals with the least privilege required. Avoid using personal credentials.
• Secure Pipeline Variables: When using pipeline variables, ensure that they are set to "Secret" to hide their values in logs and run history.

5. Compliance:

• Regulatory Compliance: If your organization needs to adhere to specific regulatory standards, ensure that your pipelines and processes align with those standards.
• Compliance Scanning: Use security and compliance scanning tools to identify vulnerabilities in your pipeline code and configurations.

6. Continuous Improvement:

• Stay Updated: Regularly review Azure DevOps documentation, security best practices, and new features to stay informed about security improvements.
• Incident Response Plan: Develop an incident response plan to handle security breaches or unauthorized access.

By following these best practices, you can significantly enhance the security of your Azure DevOps pipelines and safeguard your development and deployment processes. Remember that security is an ongoing effort, and it's important to regularly assess and update your security measures as needed.