Managed DevOps Pools in Bicep

Created in August 05, 2024

2024   ·   DevOps   AzureDevOps   Azure   MDP   Pools

Today, I played around with the new preview feature of Azure and Azure DevOps called ‘Managed DevOps Pools.’

Finally, the burden of managing agents is over. As platform engineers, we were already somewhat relieved with the VMMS agent pools where automatic scaling was an option. Still, there was a big hassle of managing images. In most companies I supported, we created our own image based on Microsoft’s Hosted Agents. Yup, every week, failing pipelines because the image creation failed… again and again.

Those days are now over with the Managed DevOps Pools. I could list all the advantages, but Microsoft’s documentation is really good on the Managed DevOps Pools. You can read more on the Managed DevOps Pools learn page. Still, I need to mention VNET integration. FTW!.. w00t! Basically we are shifting towards a PaaS model when it comes to agent management instead of IaaS.

Managed DevOps Pools are at this moment in preview

I already saw allot of blogs on the internet about this subject, but what I am missing is how to deploy the Managed DevOps Pools with Bicep. Microsoft seems not yet documented the API. Based on the documentation and the ARM templates on the learn page I did some engineering. This blogpost explains how you can use Bicep to deploy your Managed DevOps Pool.

Notes

  • SystemAssigned Managed Identities are not supported. You need to create UserAssigned Identities if you want an identity bound to this resource. Example is included in this setup
  • I could not get this working in the ‘West Europe’ region. I get the error message that there are no subscriptions available. This is the reason why I choose ‘East US’ as region. 1ES seems to be working on this.
  • At this moment the scaling pane is broken in the Azure portal. Only way to configure this is by ARM

Preperations

  1. Create a Service Principal in Azure and use this Service Principal with secret to create an ARM Service Connection in Azure DevOps to Azure. You also can use the workflow identity option however I am not sure if you can add this identity to Azure DevOps.
  2. Add the Service Principal that you created to Azure DevOps as an user and give it the correct permissions. Microsoft explains this on this page.

The Pipeline

The Azure DevOps pipeline is pretty straightforward. We need to register the Microsoft.DevOpsInfrastructure provider first and then we can deploy through Bicep.

azure-pipelines.yml:

steps:
  - task: AzurePowerShell@5
    displayName: "Register DevOpsInfrastructure"
    inputs:
      azureSubscription: $(ARMServiceConnection)
      ScriptType: "InlineScript"
      Inline: "Register-AzResourceProvider -ProviderNamespace 'Microsoft.DevOpsInfrastructure'"
      azurePowerShellVersion: "LatestVersion"
      pwsh: true

  - task: AzureResourceManagerTemplateDeployment@3
    displayName: "Deploy Managed DevOps Pools"
    inputs:
      deploymentScope: "Subscription"
      azureResourceManagerConnection: $(ARMServiceConnection)
      subscriptionId: $(SubscriptionId)
      location: "West Europe"
      templateLocation: "Linked artifact"
      csmFile: "main.bicep"
      deploymentMode: "Incremental"

Supporting Resources

devCenter.bicep:

param devCenterName string
param location string = resourceGroup().location

resource devCenter 'Microsoft.DevCenter/devcenters@2024-02-01' = {
  name: 'dc-${devCenterName}'
  location: location
}

resource devCenterProject 'Microsoft.DevCenter/projects@2024-02-01' = {
  name: 'dcp-${devCenterName}'
  location: location
  properties: {
    description: 'Azure DevOps Managed DevOps Pools'
    devCenterId: devCenter.id
  }
}

vnet.bicep:

param virtualNetworkName string
param subnetName string
param location string = resourceGroup().location

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-${virtualNetworkName}'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'sn-${subnetName}'
        properties: {
          addressPrefix: '10.0.1.0/24'
        }
      }
    ]
  }
}

managedIdentity.bicep:

param location string = resourceGroup().location
param userAssignedIdentityName string

resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'mi-${userAssignedIdentityName}'
  location: location
}

The real stuff

main.bicep:

param location string = 'eastus'
param devCenterName string = 'azuredevops'
param resourceGroupName string = 'azuredevops'
param managedDevOpsPoolName string = 'foxholenl'
param userAssignedIdentityName string = 'azuredevops'
param azureDevOpsOrganizationName string = 'foxholenl'
param virtualNetworkName string = 'myvnet'
param subnetName string = 'azuredevops'

targetScope = 'subscription'

resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-03-01' = {
  name: 'rg-${resourceGroupName}'
  location: location
}

module  vnet './vnet.bicep' = {
  name: 'vnet-${virtualNetworkName}'
  scope: resourceGroup
  params: {
    virtualNetworkName: virtualNetworkName
    subnetName: subnetName
  }
}

module userAssignedIdentity 'managedIdentity.bicep' = {
  name: 'mi-${userAssignedIdentityName}'
  scope: resourceGroup
  params: {
    userAssignedIdentityName: userAssignedIdentityName
  }
}

module devCenter './devCenter.bicep' = {
  name: 'dc-${devCenterName}'
  scope: resourceGroup
  params: {
    devCenterName: devCenterName
  }
}

module managedDevOpsPool './managedDevOpsPool.bicep' = {
  name: 'mdp-${managedDevOpsPoolName}'
  scope: resourceGroup
  params: {
    managedDevOpsPoolName: managedDevOpsPoolName
    userAssignedIdentityName: userAssignedIdentity.name
    devCenterName: devCenter.name
    azureDevOpsOrganizationName: azureDevOpsOrganizationName
    subnetName: subnetName
    virtualNetworkName: vnet.name
  }
}

What you really want to know

managedDevOpsPool.bicep:

param location string = resourceGroup().location
param managedDevOpsPoolName string
param devCenterName string
param azureDevOpsOrganizationName string
param userAssignedIdentityName string
param virtualNetworkName string
param subnetName string

resource devCenterProject 'Microsoft.DevCenter/projects@2024-02-01' existing = {
  name: 'dcp-${devCenterName}'
}

resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: 'mi-${userAssignedIdentityName}'
}

resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' existing = {
  name: virtualNetworkName
}

resource subnet 'Microsoft.Network/virtualNetworks/subnets@2024-01-01' existing = {
  name: subnetName
  parent: vnet
}

var userAssignedIdentityId = userAssignedIdentity.id

resource managedDevOpsPool 'Microsoft.DevOpsInfrastructure/pools@2024-04-04-preview' = {
  name: 'mdp-${managedDevOpsPoolName}'
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${userAssignedIdentityId}': {}
    }
  }
  properties: {
    organizationProfile: {
      organizations: [
        {
          url: 'https://dev.azure.com/${azureDevOpsOrganizationName}'
          // If you want to add the pool only to a subset of projects, uncomment below
          //projects: [
          //  'MyProject'
          //]
          parallelism: 1
        }
      ]
      permissionProfile: {
        kind: 'CreatorOnly'
      }
      kind: 'AzureDevOps'
    }
    devCenterProjectResourceId: devCenterProject.id
    maximumConcurrency: 1
    agentProfile: {
      kind: 'Stateless' // Or Stateful
      //maxAgentLifetime: '7.00:00:00'    // Only allowed if kind is Stateful
      //gracePeriodTimeSpan: '00:30:00'  // Only allowed if kind is Stateful
      resourcePredictionsProfile: {
        kind: 'Automatic' // Or 'Manual'
        predictionPreference: 'Balanced'
      }
    }
    fabricProfile: {
      sku: {
        name: 'Standard_D2ads_v5'
      }
      images: [
        {
          aliases: [
            'ubuntu-22.04'
            'ubuntu-22.04/latest'
          ]
          wellKnownImageName: 'ubuntu-22.04'
        }
        {
          aliases: [
            'windows-2022'
            'windows-2022/latest'
          ]
          wellKnownImageName: 'windows-2022'
        }
      ]
      osProfile: {
        logonType: 'Service' // Or Interactive
      }
      storageProfile: {
        osDiskStorageAccountType: 'StandardSSD' // StandardSSD, Standard or Premium
      }

      // Remove if you want to use 'Isolated Virtual Network'
      networkProfile: {
        subnetId: subnet.id
      }
      kind: 'Vmss'
    }
  }
}

As you can see in the managedDevOpsPool.bicep file, there are some options that you can pick.

Next steps

I haven’t experimented yet with the clever scaling options. I am courious how this works. At Delta-N we already experimented with dynamic scalling based on historical data of the VMSS agent pools but it was to much work to continue.

You might want to decouple deploying your DevCenter and Managed DevOps Pools. Deploying DevCenter takes allot of time and seems to be a bit error prone.



Enjoy Reading This Article?

Here are some more articles you might like to read next:

  • Multiple Azure Boards organizations / one GitHub organization integration
  • What We Can Learn from SpaceX Regarding DevOps
  • Serious Gaming – Learn Specification by Example with the mBot
  • 10 years of testing - from covering your ass to accelerating feedbackloops