Deploy to Azure Container Apps from Azure Pipelines
Azure Container Apps allows you to use Azure Pipelines to publish revisions to your container app. As commits are pushed to your Azure DevOps repository, a pipeline is triggered which updates the container image in the container registry. Azure Container Apps creates a new revision based on the updated container image.
Commits to a specific branch in your repository trigger the pipeline. When creating the pipeline, you decide which branch is the trigger.
Container Apps Azure Pipelines task
The task supports the following scenarios:
- Build from a Dockerfile and deploy to Container Apps
- Build from source code without a Dockerfile and deploy to Container Apps. Supported languages include .NET, Java, Node.js, PHP, and Python
- Deploy an existing container image to Container Apps
With the production release, this task comes with Azure DevOps and no longer requires explicit installation. For the complete documentation, see AzureContainerApps@1 - Azure Container Apps Deploy v1 task.
Usage examples
Here are some common scenarios for using the task. For more information, see the task's documentation.
Build and deploy to Container Apps
The following snippet shows how to build a container image from source code and deploy it to Container Apps.
steps:
- task: AzureContainerApps@1
  inputs:
    appSourcePath: '$(Build.SourcesDirectory)/src'
    azureSubscription: 'my-subscription-service-connection'
    acrName: 'myregistry'
    containerAppName: 'my-container-app'
    resourceGroup: 'my-container-app-rg'
The task uses the Dockerfile in appSourcePath to build the container image. If no Dockerfile is found, the task attempts to build the container image from source code in appSourcePath.
Deploy an existing container image to Container Apps
The following snippet shows how to deploy an existing container image to Container Apps. The task authenticates with the registry using the service connection. If the service connection's identity isn't assigned the AcrPush role for the registry, supply the registry's admin credentials using the acrUsername and acrPassword input parameters.
steps:
- task: AzureContainerApps@1
  inputs:
    azureSubscription: 'my-subscription-service-connection'
    containerAppName: 'my-container-app'
    resourceGroup: 'my-container-app-rg'
    imageToDeploy: 'myregistry.azurecr.io/my-container-app:$(Build.BuildId)'
Important
If you're building a container image in a separate step, make sure you use a unique tag such as the build ID instead of a stable tag like latest. For more information, see Image tag best practices.
Authenticate with Azure Container Registry
The Azure Container Apps task needs to authenticate with your Azure Container Registry to push the container image. The container app also needs to authenticate with your Azure Container Registry to pull the container image.
To push images, the task automatically authenticates with the container registry specified in acrName using the service connection provided in azureSubscription. If the service connection's identity isn't assigned the AcrPush role for the registry, supply the registry's admin credentials using acrUsername and acrPassword.
To pull images, Azure Container Apps uses either managed identity (recommended) or admin credentials to authenticate with the Azure Container Registry. To use managed identity, the target container app for the task must be configured to use managed identity. To authenticate with the registry's admin credentials, set the task's acrUsername and acrPassword inputs.
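The tagging and authentication guidance above can be checked before a pipeline is merged. The following is an added example, not part of the original documentation or the task itself: a small line-based check of AzureContainerApps@1 inputs that flags a stable image tag, use of registry admin credentials, and a password written inline instead of as a `$(variable)` reference. The finding labels, the sample pipeline, and the inline-password rule are assumptions of this example.

```python
import re

# Constructed sample: a pipeline step using the task inputs named on this page.
SAMPLE_PIPELINE = """\
steps:
- task: AzureContainerApps@1
  inputs:
    azureSubscription: 'my-subscription-service-connection'
    containerAppName: 'my-container-app'
    resourceGroup: 'my-container-app-rg'
    imageToDeploy: 'myregistry.azurecr.io/my-container-app:latest'
    acrUsername: 'myregistry'
    acrPassword: 'constructed-not-a-real-secret'
"""

KEY_VALUE = re.compile(r"^\s*([A-Za-z]+):\s*['\"]?(.*?)['\"]?\s*$")
MACRO = re.compile(r"^\$\([\w.]+\)$")  # Azure Pipelines macro syntax, e.g. $(acrPassword)


def task_inputs(yaml_text):
    """Collect key/value pairs of each AzureContainerApps@1 step (line-based, no YAML library)."""
    tasks, current = [], None
    for line in yaml_text.splitlines():
        if line.lstrip().startswith("- "):  # a new step starts; track it only if it is our task
            current = {} if "task: AzureContainerApps@" in line else None
            if current is not None:
                tasks.append(current)
            continue
        m = KEY_VALUE.match(line)
        if current is not None and m and m.group(2):
            current[m.group(1)] = m.group(2)
    return tasks


def findings(yaml_text):
    """Return hypothetical finding labels for settings the page advises against."""
    out = []
    for inputs in task_inputs(yaml_text):
        image = inputs.get("imageToDeploy")
        if image and "@sha256:" not in image:  # digest-pinned references are already unique
            name = image.rsplit("/", 1)[-1]    # drop the registry host, which may carry a port
            if ":" not in name or name.endswith(":latest"):
                out.append("stable-tag")
        if "acrUsername" in inputs or "acrPassword" in inputs:
            out.append("admin-credentials")    # managed identity / AcrPush role is preferred
        if "acrPassword" in inputs and not MACRO.match(inputs["acrPassword"]):
            out.append("inline-password")      # secret committed in the YAML itself
    return out
```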
Configuration
Take the following steps to configure an Azure DevOps pipeline to deploy to Azure Container Apps.
- Create an Azure DevOps repository for your app
- Create a container app with managed identity enabled
- Assign the AcrPull role for the Azure Container Registry to the container app's managed identity
- Install the Azure Container Apps task from the Azure DevOps Marketplace
- Configure an Azure DevOps service connection for your Azure subscription
- Create an Azure DevOps pipeline
Prerequisites
Requirement | Instructions |
---|---|
Azure account | If you don't have one, create an account for free. You need the Contributor or Owner permission on the Azure subscription to proceed. Refer to Assign Azure roles using the Azure portal for details. |
Azure DevOps project | Go to Azure DevOps and select Start free. Then create a new project. |
Azure CLI | Install the Azure CLI. |
Create an Azure DevOps repository and clone the source code
Before creating a pipeline, the source code for your app must be in a repository.
Sign in to Azure DevOps and navigate to your project.
Open the Repos page.
In the top navigation bar, select the repositories dropdown and select Import repository.
Enter the following information and select Import:
Field | Value |
---|---|
Repository type | Git |
Clone URL | https://github.com/Azure-Samples/containerapps-albumapi-csharp.git |
Name | my-container-app |
Select Clone to view the repository URL and copy it.
Open a terminal and run the following command:
git clone <REPOSITORY_URL> my-container-app
Replace <REPOSITORY_URL> with the URL you copied.
Create a container app and configure managed identity
Create your container app using the az containerapp up command with the following steps. This command creates Azure resources, builds the container image, stores the image in a registry, and deploys to a container app.
After your app is created, you can add a managed identity to your app and assign the identity the AcrPull role to allow the identity to pull images from the registry.
Change into the src folder of the cloned repository.
cd my-container-app
cd src
Create Azure resources and deploy a container app with the az containerapp up command.
az containerapp up \
  --name my-container-app \
  --source . \
  --ingress external
In the command output, note the name of the Azure Container Registry.
Get the full resource ID of the container registry.
az acr show --name <ACR_NAME> --query id --output tsv
Replace <ACR_NAME> with the name of your registry.
Enable managed identity for the container app.
az containerapp identity assign \
  --name my-container-app \
  --resource-group my-container-app-rg \
  --system-assigned
Note the principal ID of the managed identity in the command output.
Assign the AcrPull role for the Azure Container Registry to the container app's managed identity.
az role assignment create \
  --assignee <MANAGED_IDENTITY_PRINCIPAL_ID> \
  --role AcrPull \
  --scope <ACR_RESOURCE_ID>
Replace <MANAGED_IDENTITY_PRINCIPAL_ID> with the principal ID of the managed identity and <ACR_RESOURCE_ID> with the resource ID of the Azure Container Registry.
Configure the container app to use the managed identity to pull images from the Azure Container Registry.
az containerapp registry set \
  --name my-container-app \
  --resource-group my-container-app-rg \
  --server <ACR_NAME>.azurecr.io \
  --identity system
Replace <ACR_NAME> with the name of your Azure Container Registry.
Create an Azure DevOps service connection
To deploy to Azure Container Apps, you need to create an Azure DevOps service connection for your Azure subscription.
In Azure DevOps, select Project settings.
Select Service connections.
Select New service connection.
Select Azure Resource Manager.
Select Service principal (automatic) and select Next.
Enter the following information and select Save:
Field | Value |
---|---|
Subscription | Select your Azure subscription. |
Resource group | Select the resource group (my-container-app-rg) that contains your container app and container registry. |
Service connection name | my-subscription-service-connection |
To learn more about service connections, see Connect to Microsoft Azure.
Create an Azure DevOps YAML pipeline
In your Azure DevOps project, select Pipelines.
Select New pipeline.
Select Azure Repos Git.
Select the repo that contains your source code (my-container-app).
Select Starter pipeline.
In the editor, replace the contents of the file with the following YAML:
trigger:
  branches:
    include:
      - main

pool:
  vmImage: ubuntu-latest

steps:
  - task: AzureContainerApps@1
    inputs:
      appSourcePath: '$(Build.SourcesDirectory)/src'
      azureSubscription: '<AZURE_SUBSCRIPTION_SERVICE_CONNECTION>'
      acrName: '<ACR_NAME>'
      containerAppName: 'my-container-app'
      resourceGroup: 'my-container-app-rg'
Replace <AZURE_SUBSCRIPTION_SERVICE_CONNECTION> with the name of the Azure DevOps service connection (my-subscription-service-connection) you created in the previous step and <ACR_NAME> with the name of your Azure Container Registry.
Select Save and run.
An Azure Pipelines run starts to build and deploy your container app. To check its progress, navigate to Pipelines and select the run. During the first pipeline run, you might be prompted to authorize the pipeline to use your service connection.
To deploy a new revision of your app, push a new commit to the main branch.