Vowneee

Reputation: 1459

How to run "az deployment group" command with serviceprincipal

As part of automating alert creation in a Log Analytics workspace, we are using Azure DevOps Server and are looking for a way to run the az deployment group command in an Azure DevOps pipeline. We have a working pipeline to execute the ADO tasks in Subscription-A, like AzureCLI and AzureResourceGroupDeployment, using the predefined service connection configured with the service principal {SP-A}, which has the required access on Subscription A, and it is working as expected.

Now we have the requirement to execute the same pipeline against Subscription B, where the currently used service principal SP-A does not have subscription-level access. So we are blocked on the further steps, as we are only allowed to get the specific access (like create or modify alert rule in LAW: Microsoft.Insights/ScheduledQueryRules/[Read, Write, Delete]) for SP-A to create the alert rules in the Log Analytics workspace of subscription B.

So we are looking for guidance on the following.

The working ADO tasks for Sub A are as follows; we are looking for a solution so that we can use the same for Sub B.

- task: AzureCLI@2
  displayName: "verify the deployment changes"
  inputs:
    azureSubscription: ${{ parameters.subscription }}
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: 'az deployment group what-if --resource-group ${{ parameters.resourceGroup }} --template-file $(System.DefaultWorkingDirectory)/template.json --parameters $(System.DefaultWorkingDirectory)/param.json'
- task: AzureResourceGroupDeployment@2
  inputs:
    azureSubscription: ${{ parameters.subscription }}
    action: 'Create Or Update Resource Group'
    resourceGroupName: ${{ parameters.resourceGroup }}
    location: ${{ parameters.region }}
    templateLocation: 'Linked artifact'
    csmFile: '$(System.DefaultWorkingDirectory)/template.json'
    csmParametersFile: '$(System.DefaultWorkingDirectory)/param.json'
    deploymentMode: 'Incremental'

Upvotes: 0

Views: 1024

Answers (1)

Ansuman Bal

Reputation: 11411

Is it possible to configure a service connection to Subscription B using the same SP-A that only has the Microsoft.Insights/ScheduledQueryRules/[Read, Write, Delete] permission on the LAW, and does not have any access to subscription B or the resource group of LAW-B?

It will not be possible, as you will be creating a custom role with only Microsoft.Insights/ScheduledQueryRules/*, which is required for managing/creating Scheduled Query Alerts; but for the service account to find the LAW and deploy the alerts using the resource group deployment, it will at least require read permission on the subscription or resource group, and Microsoft.Resources/deployments/* to create deployments.

You can check these built-in roles for Azure Monitor.

Upvotes: 1
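The least-privilege shape the answer describes, as an added example that is not part of the question or the answer: a custom role scoped to the single resource group holding LAW-B that grants resource-group read, ARM deployment rights and the scheduled query rule actions, then assigned to SP-A at that scope. The subscription id, resource group name and role name are placeholders; the workspace read action is an assumption added so the deployment can resolve the workspace the alert rules reference.

```shell
#!/usr/bin/env bash
# Added example (not the asker's or answerer's code): a least-privilege custom role
# for SP-A on the resource group that holds LAW-B, covering what the answer says a
# resource-group deployment of scheduled query alert rules needs.
set -eu

SUB_B_ID="${SUB_B_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder: Subscription B id
LAW_B_RG="${LAW_B_RG:-rg-law-b}"                                # placeholder: resource group of LAW-B
ROLE_NAME="LAW Alert Rule Deployer (custom)"                    # placeholder role name

# Emit the role definition JSON. AssignableScopes is the resource group only,
# so the role can never be assigned at subscription scope by mistake.
make_role_definition() {
  sub_id="$1"; rg="$2"
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "IsCustom": true,
  "Description": "Deploy scheduled query alert rules into one resource group via ARM deployments.",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.Insights/scheduledQueryRules/*"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/${sub_id}/resourceGroups/${rg}"
  ]
}
EOF
}

# Create the role and assign it to SP-A at resource-group scope. Run this from a
# session that can manage role definitions and assignments on Subscription B.
apply_role() {
  sp_app_id="$1"   # application (client) id of SP-A
  make_role_definition "$SUB_B_ID" "$LAW_B_RG" > role.json
  az role definition create --role-definition @role.json
  az role assignment create --assignee "$sp_app_id" \
    --role "$ROLE_NAME" \
    --scope "/subscriptions/${SUB_B_ID}/resourceGroups/${LAW_B_RG}"
}

# Usage: apply_role <SP-A application id>
```

After assignment, a service connection for Subscription B backed by SP-A can run both the what-if and the AzureResourceGroupDeployment task against that one resource group without any subscription-wide role.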
