Reputation: 1459
As part of automating alert creation in a Log Analytics workspace, we are using Azure DevOps Server and looking for a way to run the az deployment group command in an Azure DevOps pipeline. We have a working pipeline to execute the ADO tasks in Subscription A (AzureCLI and AzureResourceGroupDeployment) using the predefined service connection configured with the service principal (SP-A), which has the required access on Subscription A, and it is working as expected.
Now we have the requirement to execute the same pipeline against Subscription B, where the currently used service principal SP-A does not have subscription-level access. So we are blocked with the further steps, as we are only allowed to get the specific access (like create or modify alert rule in LAW: Microsoft.Insights/ScheduledQueryRules/[Read, Write, Delete]) for SP-A to create the alert rules in the Log Analytics workspace of Subscription B.
So we are looking for guidance on the following things.
Is it possible to configure a service connection to Subscription B using the same SP-A, which only has the Microsoft.Insights/ScheduledQueryRules/[Read, Write, Delete] permission on the LAW and does not have any access to Subscription B or the resource group of LAW-B?
If the above method will not work, is there any way to run az group deploy commands with service principal credentials by adding them to the command as parameters?
The working ADO tasks for Sub A are as follows; we are looking for a solution that lets us use the same for Sub B.
```yaml
- task: AzureCLI@2
  displayName: "verify the deployment changes"
  inputs:
    azureSubscription: ${{ parameters.subscription }}
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: 'az deployment group what-if --resource-group ${{ parameters.resourceGroup }} --template-file $(System.DefaultWorkingDirectory)/template.json --parameters $(System.DefaultWorkingDirectory)/param.json'
- task: AzureResourceGroupDeployment@2
  inputs:
    azureSubscription: ${{ parameters.subscription }}
    action: 'Create Or Update Resource Group'
    resourceGroupName: ${{ parameters.resourceGroup }}
    location: ${{ parameters.region }}
    templateLocation: 'Linked artifact'
    csmFile: '$(System.DefaultWorkingDirectory)/template.json'
    csmParametersFile: '$(System.DefaultWorkingDirectory)/param.json'
    deploymentMode: 'Incremental'
```
Upvotes: 0
Views: 1024
Reputation: 11411
Is it possible to configure a service connection to Subscription B using the same SP-A, which only has the Microsoft.Insights/ScheduledQueryRules/[Read, Write, Delete] permission on the LAW and does not have any access to Subscription B or the resource group of LAW-B?
It will not be possible, as you will be creating a custom role with only Microsoft.Insights/ScheduledQueryRules/*, which is required for managing/creating scheduled query alerts; but for the service account to find the LAW and deploy the alerts using a resource group deployment, it will at least require read permission on the subscription or resource group, and Microsoft.Resources/deployments/* to create deployments.
You can check these built-in roles for Azure Monitor.
Upvotes: 1
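As an added example (not part of the question or the answer above), a small Python check of whether a candidate custom role covers the operations the resource group deployment needs, using Azure's wildcard action matching; the REQUIRED_OPERATIONS list, the role names and the placeholder scope are assumptions, not values from the page.

```python
import json
import re
# Operations an 'az deployment group' run of a scheduled query rule template needs.
# RG read and deployments/* are from the answer above; the workspace read is an
# assumption so the template can reference the existing LAW.
REQUIRED_OPERATIONS = [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/read",
    "Microsoft.Resources/deployments/write",
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.Insights/ScheduledQueryRules/read",
    "Microsoft.Insights/ScheduledQueryRules/write",
]

def _matches(pattern: str, operation: str) -> bool:
    # Azure-style wildcard: '*' spans any characters (including '/'), case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def permitted(role: dict, operation: str) -> bool:
    # Allowed when an Actions entry matches and no NotActions entry does.
    allowed = any(_matches(a, operation) for a in role["Actions"])
    denied = any(_matches(n, operation) for n in role.get("NotActions", []))
    return allowed and not denied

def missing_operations(role: dict, required=REQUIRED_OPERATIONS) -> list:
    return [op for op in required if not permitted(role, op)]

def custom_role(name: str, actions: list, scope: str) -> dict:
    # Shape consumed by: az role definition create --role-definition @role.json
    return {"Name": name, "IsCustom": True, "Description": "Deploy LAW alert rules",
            "Actions": actions, "NotActions": [], "AssignableScopes": [scope]}

# Constructed placeholder scope: the LAW's resource group in Subscription B.
SCOPE_RG_B = "/subscriptions/<subscription-B-id>/resourceGroups/<law-rg-B>"

# What SP-A was offered: rule management only.
SP_A_ROLE = custom_role("LAW Alert Rule Writer", ["Microsoft.Insights/ScheduledQueryRules/*"], SCOPE_RG_B)

# Least-privilege role that still lets the AzureResourceGroupDeployment task run.
LEAST_PRIVILEGE_ROLE = custom_role("LAW Alert Rule Deployer", [
    "Microsoft.Insights/ScheduledQueryRules/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.OperationalInsights/workspaces/read",
], SCOPE_RG_B)
if __name__ == "__main__":
    print("SP-A role lacks:", missing_operations(SP_A_ROLE))
    print(json.dumps(LEAST_PRIVILEGE_ROLE, indent=2))  # write to role.json for the az command
```

The role must still be assigned to SP-A at the resource group scope before a service connection scoped to that resource group will work.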