Mid DevOps

Assign proper RBAC roles (e.g., Contributor or Owner). Usage in pipeline: - task: AzureResourceManagerTemplateDeployment@3 inputs: azureResourceManagerConnection: 'MyServiceConnection' resourceGroupName: 'MyRG' location: 'East US' csmFile: 'infra/main.json' Example scenario: Your IaC pipeline uses the “ProdServiceConnection” to deploy Bicep templates to the production resource group, without developers ever seeing credentials. 4⃣ How can you automate environment creation and teardown?

You can automate creating and destroying environments (like dev, test, or staging) using

pipeline logic and IaC tools.

✅ Example (Bicep – Create Environment):

  • task: AzureCLI@2

inputs:

azureSubscription: 'MyServiceConnection'

scriptType: 'bash'

inlineScript: |

az group create --name MyRG --location eastus

az deployment group create --resource-group MyRG

  • -template-file infra/main.bicep

✅ Example (Terraform – Teardown Environment):

  • task: TerraformCLI@1

Follow:

inputs:

command: 'destroy'

workingDirectory: 'infra'

commandOptions: '-auto-approve'

environmentServiceName: 'MyServiceConnection'

Example scenario:

Each pull request automatically spins up a temporary Azure environment (App Service +

Database) for testing.

Once the PR is closed or merged, the pipeline runs a teardown job to delete the resources

— saving cost and keeping Azure clean.

✅ Pro Tip:

For professional IaC pipelines in Azure DevOps:

  • Use Bicep for Azure-native infrastructure.
  • Use Terraform for multi-cloud or complex setups.
  • Always deploy with a service connection using least-privilege roles.
  • Automate environment lifecycle (create → test → destroy).

Security & Compliance Advanced /

Real-world Scenarios

1⃣ How do you secure secrets, keys, and connection strings in Azure

Pipelines?

You should never hardcode secrets (like passwords, connection strings, or API keys) in

pipeline YAML files or scripts.

Instead, you store them securely using Azure DevOps Variable Groups or Azure Key

Vault integration.

Ways to secure secrets:

Follow:

  • Use secret variables in pipelines:

→ In Azure DevOps → Pipelines → Variables → Mark variable as secret.

  • Use Azure Key Vault to fetch secrets securely at runtime.
  • Use pipeline permissions to control who can view or edit variables.

Example (YAML):

variables:

  • group: 'ProdSecrets'

steps:

  • script: echo "Connecting to DB..."

env:

ConnectionString: $(DB_Connection)

Example scenario:

You’re deploying an app that needs a SQL connection string.

You store that in Azure Key Vault and reference it securely in the pipeline — so it never

appears in logs or code.

2⃣ What is Azure Key Vault and how is it used with pipelines?

Azure Key Vault is a secure store for secrets, keys, and certificates.

Azure DevOps can connect to it to retrieve secrets dynamically during builds or

deployments.

Steps to use it:

More from Microsoft Azure Tutorial

All questions for this course