1

Before I submit a bug report to Microsoft, I just wanted to check here first to see if anyone has come across this problem before.

I have set up an App Service Connection using a Management group, following two tutorials: one here on Stack Overflow and another in a blog post. Links here:

Azure DevOps Service Connections not showing when setting up a new release pipeline

https://4bes.nl/2019/07/11/step-by-step-manually-create-an-azure-devops-service-connection-to-azure/

According to the Microsoft documentation, when you change to a Management Group you just reference that Management Group in your code under Azure Subscription in your App Deployment Task in YAML.

Ref here: https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops

It states: "If you're using YAML, copy the connection name into your code as the azureSubscription value."

Yet when I do this in my YAML code I get: ##[error]Error: 'subscriptionId' cannot be null.

I have a CLI task in my YAML code, and when I upgraded that to Version 2 and referenced the ScriptType of PSCORE, it works and finds the App Service connection. Yet when it gets down to line 119, or under the heading of the task: Azure Web App Deploy: $(webappname), it then fails and gives me the error quoted.

Please, if anyone has come across this before or knows how to fix it, I'd love to hear from you. If not, it's a bug request to Microsoft. Again....

I have included my code below:

#pool:
 # vmImage: windows-latest
resources: 
  repositories: 
  - repository: Student
    name: Classroom In The Cloud/Student
    path:
    - include: /Student/Student 
    type: git 
    ref: master #branch name

variables: 
  System.Debug: true
  azureSubscription: 'CITC-DevPipelines'
  RG: 'ClassroomInTheCloud'
  Location: West Europe 
  containername: 'private'
  appconnectionname: 'CITC-DevPipelines'

jobs:

- job: job1
  displayName: Create And Publish Artifact
  pool:
    vmImage: vs2017-win2016
  steps:
  - checkout: Student
    clean: true

  - task: DotNetCoreCLI@2
    displayName: dotnet restore
    inputs:
      command: restore
      projects: '**/*.csproj'

  - task: DotNetCoreCLI@2
    displayName: dotnet build
    inputs:
      projects: '**/*.csproj'
      workingDirectory: Student

  - task: DotNetCoreCLI@2
    displayName: dotnet publish
    inputs:
      command: publish
      projects: '**/*.csproj'
      arguments: --output "$(Build.ArtifactStagingDirectory)"
      zipAfterPublish: true
      modifyOutputPath: false
      workingDirectory: Student

  - task: PublishPipelineArtifact@1
    displayName: Publish Pipeline Artifact
    inputs:
      targetPath: '$(Build.ArtifactStagingDirectory)'
      artifact: 'Student'
      publishLocation: 'pipeline'

- job: job2
  displayName: 'Get Variable Value for Student Env'
  dependsOn: job1
  steps:
  - task: AzureCLI@2
    displayName: 'Azure CLI '
    inputs:
      azureSubscription: 'CITC-DevPipelines'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      inlineScript: |
        mkdir $(Pipeline.Workspace)\BlobFile
        az storage blob download --container-name $(containername) --file '$(Pipeline.Workspace)/s/student.json' --name 'student.json' --connection-string 'DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=devscriptstorage;AccountKey=<MYVALUE>'
       
  - pwsh: |
      cd '/home/vsts/work/1/s/'
      ls
      $armOutput = Get-Content '/home/vsts/work/1/s/student.json' | convertfrom-json
      $student = $armOutput.studentvalue #use student not studentvalue
      $type = $armOutput.type
      $appservice = $armOutput.appservicevalue
      Write-Host "The value of [$student] is [$appservice]"
      Write-Host "##vso[task.setvariable variable=studentvalue;isOutput=true]$student" #use studentvalue not $studentvalue
      Write-Host "##vso[task.setvariable variable=appservicevalue;isOutput=true]$appservice" #use appservicevalue not $appservice
    name: setvarStep

  - script: echo $(setvarStep.studentvalue)
  - script: echo $(setvarStep.appservicevalue)
    name: echovar
  
- job: job3
  displayName: Create Web App 
  dependsOn: job2
  variables:
    webappname: $[ dependencies.job2.outputs['setvarStep.studentvalue'] ]
    appservicename: $[ dependencies.job2.outputs['setvarStep.appservicevalue'] ]
  steps:


# Create Web App
  #- task: AzureCLI@1
  #  displayName: Create Web App $(webappname)
  #  inputs:
  #   azureSubscription: '$(azureSubscription)'
   #  scriptLocation: 'inlineScript'
   #  inlineScript: 'az webapp create -g $(RG) -p $(azureSubscription) -n $(webappname)'

 # Download Artifact File
  - download: none
  - task: DownloadPipelineArtifact@2
    displayName: 'Download Build Artifacts'
    inputs:
      patterns: '**/*.zip'
      path: '$(Build.ArtifactStagingDirectory)'

  # deploy to Azure Web App 
  - task: AzureWebApp@1
    displayName: 'Azure Web App Deploy: $(webappname)'
    inputs:
      package: $(Build.ArtifactStagingDirectory)/**/*.zip 
      azureSubscription: CITC-DevPipelines
      ConnectedServiceName: $(appconnectionname)
      appName: '$(webappname)'
      ResourceGroupName: $(RG)  

  # Change App Settings
 # - task: AzureCLI@1
  #  displayName: Change WebApp Settings
  #  inputs: 
  #   azureSubscription: '$(azureSubscription)'
  #   scriptLocation: 'inlineScript'
   #  Arguments input: '$(webappname)'
   #  inlineScript: |
   #    'az webapp config appsettings set --name %1 --resource-group $(RG) --settings '/home/vsts/work/1/s/studentsettings.json' --subscription $(azureSubscription)'
Jason

2 Answers

1

It's a limitation of management group service connections. There are already numerous GitHub issues tracking it (e.g. https://github.com/microsoft/azure-pipelines-tasks/issues/14359).

The workaround is to use a service principal connection.

Daniel Mann
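The workaround from this answer, as an added example (not code from the question or from Microsoft): job3 rewritten so that AzureWebApp@1 receives a subscription-scoped service principal connection through a pipeline parameter instead of the management-group connection. The parameter `deployConnection` and its default value `CITC-Dev01-Subscription` are hypothetical; everything else is taken from the pipeline in the question.

```yaml
# Added example. Replaces job3 from the question; job1 and job2 stay as posted.
parameters:
  # Name of a subscription-scoped service principal connection.
  # Hypothetical value: each developer's connection can carry a different name.
  - name: deployConnection
    type: string
    default: 'CITC-Dev01-Subscription'

jobs:
- job: job3
  displayName: Create Web App
  dependsOn: job2
  variables:
    webappname: $[ dependencies.job2.outputs['setvarStep.studentvalue'] ]
  steps:
  - download: none
  - task: DownloadPipelineArtifact@2
    displayName: 'Download Build Artifacts'
    inputs:
      patterns: '**/*.zip'
      path: '$(Build.ArtifactStagingDirectory)'

  # AzureWebApp@1 reads a subscription ID from its service connection, which a
  # management-group-scoped connection does not provide. A subscription-scoped
  # connection does, and it also limits the deploy identity to one subscription
  # (or one resource group, if the connection is scoped that far down).
  - task: AzureWebApp@1
    displayName: 'Azure Web App Deploy: $(webappname)'
    inputs:
      # Template expression: expanded when the run is compiled, so the
      # connection name is fixed before any step executes.
      azureSubscription: ${{ parameters.deployConnection }}
      appName: '$(webappname)'
      package: '$(Build.ArtifactStagingDirectory)/**/*.zip'
```

Each developer queues the run with their own `deployConnection` value, so the YAML stays identical across subscriptions while the connections keep distinct names.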
1

Many customers have requested this feature for other Azure deployment tasks as well. So, we have created a new feature work item for this. The product group will review this feature and consider adding it to the roadmap.

Here is the detailed description of this feature:

Goal

Azure Service Connections support Management groups scope level. Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. The goal is to support service connections with Management group scope within various Azure deployment tasks.

Why

Currently only ARM Template Deployment task supports service connections with management groups. Customers have requested this feature for other Azure deployment tasks as well.

How/Outcome

According to customer requests and task usage, the support should be enabled for the following tasks initially:

  • Azure App service deploy (AzureRmWebAppDeployment)
  • Azure Web App Deploy (AzureWebApp)
  • Azure Function App deploy (AzureFunctionApp)
  • Azure File Copy (AzureFileCopy)
Walter
  • "As a workaround, you can create and use service connection with Subscription scope level instead of Management Group." Sure. But I have 14 Devs and I can't call their Service Connection the same name, so then how do I reference that in the code for the Subscription, as each one would be different.... Also, Management Groups now work with CLI 2.0; it has recently been updated. – Jason Apr 19 '21 at 16:22
  • @Jason I updated the detailed information of this feature work item. If you have any other suggestions or ideas, please [create a request](https://developercommunity.visualstudio.com/report?space=21&entry=suggestion) for this feature in the Developer Community. – Walter Apr 20 '21 at 01:49
  • I've already put the request in via the task on the GitHub repo. The team are looking into it. – Jason Apr 20 '21 at 09:28
  • @Jason If my reply helped or pointed you in the right direction, I'd appreciate you marking it as an answer, which will also help others in the community. – Walter Apr 21 '21 at 02:01