DSC Configuration

This page documents how to create Azure DevOps pipelines and an Azure Automation account to automate deployment of DSC configurations.

Create Azure Automation Account

If you don't already have an Azure Automation account, create one now.

  1. In the Azure portal, type Automation in the search box.

  2. Click Automation Accounts in the list of search results.

     

  3. Click Add.

     

  4. Specify a Name, Subscription, Resource Group, and Location for the Automation account, then click Create.

Create an Azure Service connection

If you don't already have an Azure service connection, create one now. The service connection allows Azure DevOps to deploy resources to Azure.

  1. In Azure DevOps, click Project settings.

     

  2. Under Pipelines, click Service connections.

     

  3. Click the New service connection dropdown list, and click Azure Resource Manager.

     

  4. Click use the automated version of the service connection dialog.

     

  5. Specify a name, Service principal client ID, and Service principal key for the service connection. Obtain a service principal client ID and service principal key from the TC Cloud Team.

     

  6. Click Verify connection. When the connection is successfully verified, click OK.

Source Code

For this example, the source folder has the following contents:

DemoConfig.ps1 is a trivial DSC script that ensures that IIS is installed on the target node. Its contents are listed below.

    configuration DemoConfig {
        Node WebServer {
            # Ensure the IIS role and all of its sub-features are installed
            WindowsFeature IIS {
                Ensure               = 'Present'
                Name                 = 'Web-Server'
                IncludeAllSubFeature = $true
            }
        }
    }

 

DeployToAzureAutomation.ps1 is a PowerShell script that loads, compiles, and registers the DSC configuration with Azure Automation.

    # Resolve the DSC configuration script that sits next to this deployment script
    $DSCScriptPath = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($PSScriptRoot, "DemoConfig.ps1"))
    $RGLocation = "canadacentral"
    $AutomationAccountName = "JBCICDSandbox"
    $AutomationResourceGroupName = "TC-Sandbox-JBeGIS-RG"
    $ResourceGroupName = "TC-Sandbox-JBeGIS-RG"
    $WebFrontEndVM = "JB-CI-CD-SBX"

    Write-Output "Uploading the Web Server Configuration into Azure Automation..."
    Import-AzureRmAutomationDscConfiguration -SourcePath $DSCScriptPath `
        -ResourceGroupName $AutomationResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Published -Force

    Write-Output "Compiling the Web Server Configuration within Azure Automation..."
    $job = Start-AzureRmAutomationDscCompilationJob -ResourceGroupName $AutomationResourceGroupName `
        -AutomationAccountName $AutomationAccountName -ConfigurationName "DemoConfig"

    # Compilation runs asynchronously. Wait for it to finish so that the
    # DemoConfig.WebServer node configuration exists before a node is registered against it.
    while ($job.Status -notin 'Completed', 'Failed', 'Suspended', 'Stopped') {
        Start-Sleep -Seconds 5
        $job = Get-AzureRmAutomationDscCompilationJob -Id $job.Id `
            -ResourceGroupName $AutomationResourceGroupName `
            -AutomationAccountName $AutomationAccountName
    }
    if ($job.Status -ne 'Completed') {
        throw "DSC compilation job ended with status '$($job.Status)'."
    }

    # Register the target VM only if it is not already a DSC node of this account
    $node = Get-AzureRmAutomationDscNode -ResourceGroupName $AutomationResourceGroupName `
        -AutomationAccountName $AutomationAccountName |
        Where-Object { $_.Name -eq $WebFrontEndVM }

    if ($null -eq $node) {
        Write-Output "Registering the Web Server with Azure Automation"
        Register-AzureRmAutomationDscNode -AzureVMResourceGroup $ResourceGroupName `
            -AzureVMName $WebFrontEndVM -AzureVMLocation $RGLocation `
            -NodeConfigurationName "DemoConfig.WebServer" `
            -ActionAfterReboot ContinueConfiguration -RebootNodeIfNeeded $true `
            -AutomationAccountName $AutomationAccountName `
            -ResourceGroupName $AutomationResourceGroupName `
            -ConfigurationMode "ApplyAndAutocorrect"
    }

 

Note the values for the variables specified in the script. These variables are described in the following table:

Variable                        Description
$DSCScriptPath                  The path to the DSC configuration script.
$RGLocation                     The location of the resource group in which the target node is stored.
$AutomationAccountName          The name of the Azure Automation account.
$AutomationResourceGroupName    The name of the resource group that contains the Azure Automation account.
$ResourceGroupName              The name of the resource group that contains the target node.
$WebFrontEndVM                  The name of the target node (virtual machine).
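
A check that can run as a later step in the same release stage, to confirm that the node is bound to the intended node configuration and reports as compliant. This is an added example, not part of the original source folder; it reuses the resource names from DeployToAzureAutomation.ps1, and the timeout and polling interval are assumptions.

```powershell
# Added example. Resource names mirror DeployToAzureAutomation.ps1;
# the timeout and polling interval are assumptions.
$AutomationAccountName       = "JBCICDSandbox"
$AutomationResourceGroupName = "TC-Sandbox-JBeGIS-RG"
$WebFrontEndVM               = "JB-CI-CD-SBX"
$ExpectedNodeConfiguration   = "DemoConfig.WebServer"
$TimeoutMinutes              = 30
$PollSeconds                 = 30

$account = @{
    ResourceGroupName     = $AutomationResourceGroupName
    AutomationAccountName = $AutomationAccountName
}
# Statuses after which further polling will not change the verdict
$settled  = 'Compliant', 'NotCompliant', 'Failed', 'Unresponsive'
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)

do {
    $node = Get-AzureRmAutomationDscNode @account |
        Where-Object { $_.Name -eq $WebFrontEndVM }
    if ($null -eq $node) {
        throw "Node '$WebFrontEndVM' is not registered with $AutomationAccountName."
    }
    # A node bound to a different node configuration is drift, not success
    if ($node.NodeConfigurationName -ne $ExpectedNodeConfiguration) {
        throw "Node is assigned '$($node.NodeConfigurationName)', expected '$ExpectedNodeConfiguration'."
    }
    Write-Output "Node status: $($node.Status), last seen: $($node.LastSeen)"
    if ($node.Status -in $settled) { break }
    Start-Sleep -Seconds $PollSeconds
} while ((Get-Date) -lt $deadline)

# Print the most recent report so the release log records what the node sent
$report = Get-AzureRmAutomationDscNodeReport @account -NodeId $node.Id -Latest
if ($null -ne $report) {
    $report | Format-List Status, ReportType, StartTime, EndTime
}

# A terminating error fails the Azure PowerShell task, and with it the release
if ($node.Status -ne 'Compliant') {
    throw "Node '$WebFrontEndVM' is '$($node.Status)', not Compliant."
}
Write-Output "Node '$WebFrontEndVM' is Compliant with $ExpectedNodeConfiguration."
```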


Create Build Pipeline

Create a build pipeline. This build pipeline won't actually build anything; it's just used to trigger the release pipeline (that we'll create next) whenever the DSC script changes.

  1. In Azure DevOps, click Pipelines, then click Builds.

     

  2. Click New, then click New build pipeline.

     

  3. Click Use the classic editor. Note: This pipeline should be created with YAML when the team has the capability to do so.

     

  4. The correct source should be specified by default. Click Continue.

     

  5. Click Empty job.

     

  6. Click the Pipeline, and in the properties panel, specify a name for the pipeline.

     

  7. Click + next to Agent job 1.

     

  8. In the search box, type publish, then click Add next to the Publish build artifacts task.

     

  9. Click the Publish Artifact: drop task.

     

  10. In the Path to publish text box, specify the path to the folder containing the source files. In this example, the source files are in the root folder.

     

  11. Click on the Triggers tab.

     

  12. Click Enable continuous integration. If your source files are in a subfolder, specify a Path filter to trigger the build pipeline only when the contents of the subfolder are changed.

     

  13. Click Save & queue, then click Save.

     

  14. Click Save.


Create Release Pipeline

The release pipeline is triggered by the build pipeline. It deploys the DSC script to the Azure Automation account.

  1. In Azure DevOps, click Pipelines, then click Releases.

     

  2. Click New, then click New release pipeline.

     

  3. Click Empty job.

     

  4. Click Add an artifact.

     

  5. From the Source dropdown list, choose the name of the build pipeline that you created in the previous section.

     

  6. Click Add.

  7. Click the lightning bolt icon on the artifact.

     

  8. Click the toggle button to enable the Continuous deployment trigger.

     

  9. Click the 1 job, 0 task hyperlink on the Stage 1 box.

     

  10. Click + on the Agent job.

     

  11. In the Search box, type download.

  12. Click Add next to the Download build artifacts task.

     

  13. Click the Download Build Artifacts task.

     

  14. Specify the Artifact name defined in the build pipeline.

     

  15. Click Save.

     

  16. Click OK.

  17. Click + on the Agent job.

  18. In the Search box, type powershell.

  19. Click Add next to the Azure PowerShell task in the search results.

     

  20. Click the Azure PowerShell script: FilePath task.

     

  21. From the Azure Subscription dropdown list, choose the Azure service connection that you created previously.

  22. In the Script Path text box, type the path to the DeployToAzureAutomation.ps1 script.
    The path is in the format $(System.ArtifactsDirectory)/<artifact name>/DeployToAzureAutomation.ps1

    where <artifact name> is the artifact name that you specified in the build pipeline.

  23. Under Azure PowerShell Version, click the Latest installed version option.

     

  24. Click Save.

     

  25. Click OK.

 

TL;DR : YAML

Here's a YAML pipeline definition that accomplishes the same thing as the build and release pipelines defined above.

 

    trigger:
    - master

    pool:
      name: Hosted VS2017

    steps:
    - task: AzurePowerShell@3
      displayName: 'Run Azure PowerShell script'
      inputs:
        azureSubscription: 'jon-sbx'
        ScriptPath: '$(Build.SourcesDirectory)/DeployToAzureAutomation.ps1'
        azurePowerShellVersion: LatestVersion

 

Configure Network Security

The final task is to configure the target node's network security. The target node must allow outgoing calls on port 443 to allow configuration by Azure Automation DSC.

  1. From the Azure portal, browse to the target virtual machine.

  2. Under Settings, click Networking.

     

  3. Click the Outbound port rules tab, and click Add outbound port rule.

     

  4. Click Basic.

     

  5. From the Service dropdown list, choose HTTPS. Specify a Priority value lower than that of any rule that would deny this connection (rules with lower priority numbers are evaluated first), and a Name for the rule.

     

  6. Click Add.
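
The same outbound rule created from PowerShell, as an added example that is not part of the original page. The network security group name is a placeholder, and the rule name and priority are assumptions. The destination is narrowed to the GuestAndHybridManagement service tag rather than any address, which goes beyond the portal steps above.

```powershell
# Added example. $NsgName is a placeholder; the rule name and priority are assumptions.
$ResourceGroupName = "TC-Sandbox-JBeGIS-RG"      # resource group of the target node
$NsgName           = "<nsg-of-target-node>"
$RuleName          = "Allow-DSC-Https-Outbound"
$Priority          = 200
# Service tag that covers Azure Automation; use '*' to match the portal steps exactly
$Destination       = "GuestAndHybridManagement"

$nsg      = Get-AzureRmNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName
$outbound = $nsg.SecurityRules | Where-Object { $_.Direction -eq 'Outbound' }

# List the existing outbound rules in evaluation order (lowest number first)
$outbound | Sort-Object Priority |
    Format-Table Name, Priority, Access, Protocol, DestinationAddressPrefix, DestinationPortRange

# Priorities must be unique per direction within a network security group
if ($outbound | Where-Object { $_.Priority -eq $Priority }) {
    throw "Priority $Priority is already used by another outbound rule."
}

# Deny rules with a lower number are evaluated before the new rule and may still block 443
$earlierDeny = $outbound | Where-Object { $_.Access -eq 'Deny' -and $_.Priority -lt $Priority }
if ($earlierDeny) {
    Write-Warning "Evaluated before priority ${Priority}: $($earlierDeny.Name -join ', '). Check that none of them covers TCP 443."
}

if ($outbound | Where-Object { $_.Name -eq $RuleName }) {
    Write-Output "Rule $RuleName already exists; nothing to do."
} else {
    $nsg | Add-AzureRmNetworkSecurityRuleConfig -Name $RuleName `
            -Description "Outbound HTTPS for Azure Automation DSC" `
            -Direction Outbound -Access Allow -Protocol Tcp -Priority $Priority `
            -SourceAddressPrefix '*' -SourcePortRange '*' `
            -DestinationAddressPrefix $Destination -DestinationPortRange 443 |
        Set-AzureRmNetworkSecurityGroup | Out-Null
    Write-Output "Added outbound rule $RuleName (TCP 443 to $Destination)."
}
```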

 

You've created a CI / CD pipeline that will automatically deploy and run your DSC script when you merge it into the master branch in your Azure DevOps repository.