Merge branch 'master' of github.com:microsoft/bedrock-cli into edaena…

…-homebrew

azure-pipelines/templates/infra-deployment-pipeline.yml

@@ -0,0 +1,111 @@
+trigger:
+  branches:
+    include:
+    - master
+
+stages:
+- stage: Deploy_Prod
+  displayName: Deploy cluster
+  jobs:
+  - deployment: Deploy_aks
+    displayName: Deploy aks voting app
+    pool:
+      vmImage: 'ubuntu-latest'
+    environment: 'prod-aks-live'
+    variables:
+      - group: 'bedrock-infra-hld-vg'
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - checkout: self
+            persistCredentials: true
+            clean: true
+
+          - bash: |
+              curl $BEDROCK_BUILD_SCRIPT > build.sh
+              chmod +x ./build.sh
+            displayName: Download Bedrock orchestration script
+            env:
+              BEDROCK_BUILD_SCRIPT: https://raw.githubusercontent.com/Microsoft/bedrock/master/gitops/azure-devops/build.sh
+
+          - script: |
+              dpkg --configure -a
+              curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+              az extension add --name azure-devops
+              az --version
+              wget https://releases.hashicorp.com/terraform/$(tf_version)/terraform_$(tf_version)_linux_amd64.zip -q
+              unzip -q terraform_$(tf_version)_linux_amd64.zip
+              sudo mv terraform /usr/local/bin
+              terraform -version
+            displayName: 'Install az-cli, az devops extension, and Terraform'
+
+          - script: |
+              . build.sh --source-only
+              init
+              cd $PROJECT_DIRECTORY-generated/$CLUSTER
+              terraform init -backend-config=./backend.tfvars
+            displayName: 'Terraform init'
+
+          - script: |
+              . build.sh --source-only
+              init
+              cd $PROJECT_DIRECTORY-generated/$CLUSTER
+              mkdir deploy_output
+              terraform plan -var-file=./bedrock.tfvars -out=deploy_output/prod-tfplan
+              terraform show -json deploy_output/prod-tfplan >> deploy_output/prod-tfplan.json
+            env:
+              ARM_CLIENT_ID: $(ARM_CLIENT_ID)
+              ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
+              ARM_TENANT_ID: $(ARM_TENANT_ID)
+              ARM_SUBSCRIPTION_ID: $(ARM_SUBSCRIPTION_ID)
+              storage_account_name: $(storage_account_name)
+              ssh_public_key: $(ssh_public_key)
+              access_key: $(access_key)
+            displayName: 'Terraform plan and build artifact'
+
+          - task: PublishPipelineArtifact@1
+            inputs:
+              path: /home/vsts/$PROJECT_DIRECTORY-generated/$CLUSTER/deploy_output
+              artifact: Publish Terraform Plan
+            condition: always()
+
+          # Download secure file
+          # Download a secure file to the agent machine
+          - task: DownloadSecureFile@1
+            name: 'access_key' # The name with which to reference the secure file's path on the agent, like $(mySecureFile.secureFilePath)
+            inputs:
+              secureFile: 'id_rsa' # The file name or GUID of the secure file
+
+          - bash: |
+              # Install the extension
+              export AZURE_DEVOPS_EXT_PAT=$(AZDO_PAT)
+              az extension add --name azure-devops
+              # Login to Azure
+              echo "az login --service-principal --username $(ARM_CLIENT_ID) --password $(ARM_CLIENT_SECRET) --tenant $(ARM_TENANT_ID)"
+              az login --service-principal --username "$(ARM_CLIENT_ID)" --password "$(ARM_CLIENT_SECRET)" --tenant "$(ARM_TENANT_ID)"
+            env:
+              ARM_CLIENT_ID: $(ARM_CLIENT_ID)
+              ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
+              ARM_TENANT_ID: $(ARM_TENANT_ID)
+              ARM_SUBSCRIPTION_ID: $(ARM_SUBSCRIPTION_ID)
+            displayName: 'AZ login'
+
+          - script: |
+              . build.sh --source-only
+              init
+              cd $PROJECT_DIRECTORY-generated/$CLUSTER
+              terraform apply "deploy_output/prod-tfplan" 
+            env:
+              ARM_CLIENT_ID: $(ARM_CLIENT_ID)
+              ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
+              ARM_TENANT_ID: $(ARM_TENANT_ID)
+              ARM_SUBSCRIPTION_ID: $(ARM_SUBSCRIPTION_ID)
+            displayName: 'Terraform apply'
+
+          - task: PublishPipelineArtifact@1
+            inputs:
+              path: /home/vsts/$PROJECT_DIRECTORY-generated/$CLUSTER/output
+              artifact: Publish Kube_config
+            condition: always()
+

guides/infra/bedrock-infra-deployment-pipeline.md

@@ -16,7 +16,7 @@ infrastructure when already using `bedrock` to manage infrastructure.
 With the ability to manage and execute `bedrock infra` commands locally, it is
 often more secure to be running `terraform apply` to create or update production
 infrastructure manually. This means that you can still rely on `bedrock infra`
-to scaffold and generate your terrafom projects, but any terraform operations
+to scaffold and generate your terraform projects, but any terraform operations
 will be handled manually.
 
 If you make changes to any `definition.yaml` files in your project hierarchy,
@@ -38,3 +38,48 @@ prerequisite actions to occur beforehand:
    - Triggered from commits made to the master branch of a Generated repo
    - Download and install Terraform
    - Run `terraform apply` on terraform scripts
+
+## Sample Infrastructure Deployment Pipeline
+
+A template for the deployment of terraform managed infrastructure for Azure
+DevOps using the `bedrock CLI` has been provided in the
+[`infra-deployment-pipeline.yml`](../../azure-pipelines/templates/infra-deployment-pipeline.yml).
+This is a modest base approach to get you started with maintaining persisted
+terraform infrastructure using gitops in Azure DevOps. Use the provided template
+to deploy stateful resources to using gitops and promote the terraform changes
+through your pipeline environments.
+
+### Manage Secure Files
+
+Azure Pipelines Secure Files store files such as signing certificates, binaries,
+executables, and SSH keys on the server without having to commit them to your
+source repository. Store important files required for accessing your AKS cluster
+or services deployed. In the `infra-deployment-pipeline.yml`, it accesses the
+private SSH key for node access to an AKS cluster.
+
+![](../images/bedrock-infra-securefiles.png)
+
+### Azure DevOps Environments
+
+Resources are deployed into pipeline environments allowing traceability of
+commits and work items. Run details or deployments and application desired state
+are captured in environments. At this time resource monitoring is only supported
+for AKS and Virtual Machines.
+
+![](../images/bedrock-infra-environments.png)
+
+> From YAML, you can target the environment or a specific resource. When you
+> create an environment from YAML dynamically, since there are no resources you
+> can only refer to environment. If the resources are added to the environment
+> then you can target the the specific resource from YAML deployment job with
+> environment: `<environment name>`,`<resource name>`.
+
+### Publishing Pipeline Artifacts
+
+Pipeline artifacts are published to associate a terraform plan output with a
+commit hash that has modified the deployed environments. Use the artifacts to
+revert back to previous versions of the environment once the state has failed.
+In the deployment template, the pipeline publishes the `KUBECONFIG` and
+terraform plan output.
+
+![](../images/bedrock-infra-artifacts.png)