Deploy linked ARM templates with VSTS
APPLIES TO: Azure Data Factory Azure Synapse Analytics
This article describes how to deploy linked Azure Resource Manager (ARM) templates with Visual Studio Team Services (VSTS).
When dealing with deploying many components in Azure, a single ARM template might be challenging to manage and maintain. ARM linked templates allow you to make your deployment more modular and makes the templates easier to manage. When dealing with large deployments, it is highly recommended to consider breaking down your deployment into a main template and multiple linked templates representing different components of your deployment.
Deploying ARM templates can be performed using several different methods such as using PowerShell, Azure CLI, and Azure portal. A recommended approach however is to adopt one of DevOps practices, namely continuous deployment. VSTS is an application lifecycle management tool hosted in the cloud and offered as a service. One of the capabilities VSTS offers is release management.
This article describes how you can deploy linked ARM templates using the release management feature of VSTS. In order for the linked templates to be deployed properly, they will need to be stored in a location that can be reached by the Azure Resource Manager, such as Azure Storage; so we will show how Azure Storage can be used to stage the ARM template files. We will also show some recommended practices around keeping secrets protected using Azure Key Vault.
The scenario we walk through here is to deploy VNet with a Network Security Group (NSG) structured as linked templates. We will use VSTS to show how continuous deployment can be set up to enable teams to continuously update Azure with new changes each time there is a modification to the template.
Create an Azure Storage account
Log in to the Azure portal and create an Azure Storage account following the steps documented here.
Once deployment is complete, navigate to the storage account and select Shared access signature. Select Service, Container, and Object for the Allowed resource types. Then select Generate SAS and connection string. Copy the SAS token and keep it available since we will use it later.
Select the storage account Containers page and create a new Container.
Select the new Container properties.
Copy the URL field and keep it handy. We will need it later along with the SAS token from above.
Protect secrets with Azure Key Vault
- In the Azure portal, create an Azure Key Vault resource.
- Select the Azure Key Vault you created above and then select Secrets.
- Select Generate/Import to add the SAS Token.
- For the Name property, enter
StorageSASTokenand then provide the Azure Storage shared access signature key you copied in a previous step for the Value.
- Select Create.
Link Azure Key Vault to VSTS
Log in to your Azure DevOps organization and navigate to your project.
Go to Library under Pipelines in the navigation pane.
Under Variable group, create a new group and for Variable group name enter
Toggle Link secrets from an Azure key vault as variables.
Select your Azure subscription and then the Azure Key Vault you created earlier, and then select Authorize.
Once authorization is successful, you can add variables by clicking Add and will be presented with the option to add references to the secrets in the Azure Key Vault. Add a reference to the
StorageSASTokencreated above, and save it.
Setup continuous deployment using VSTS
Follow steps listed in the article Automate continuous integration using Azure Pipelines releases.
A few changes are required from the above steps in order to use a linked ARM template deployment:
Under the release, link the variable group created earlier:
Linked ARM template:
- For Template, point to ArmTemplate_master.json instead of ArmTemplateForFactory.json
- For Template Parameters, point to 'ArmTemplateParameters_master.json' instead of 'ArmTemplateParametersForFactory.json'
Under override Template parameters update two additional parameters
- containerUri – Paste the URL of container created above.
- containerSasToken - If the secret's name is 'StorageSASToken', enter '$(StorageSASToken)' for this value.
Save the release pipeline and trigger a release.