Azure DevOps

Azure Project Level Permissions

The user who performs the actions below to connect to Azure DevOps must have project administrator permissions in Azure.

Integrating with a VCS provider unlocks the ability to use GitOps workflows, import modules, enable Open Policy Agent, and much more.

Azure requirements

To enable the integration, there are a few key requirements before going through the authentication flow:

  1. Ensure the "Third-party application access via OAuth" setting is enabled in the organization policies:
    1. Go to Organization settings.
    2. Click on Policies.
  2. The account used to create the integration must have project administrator permissions for the project you are integrating with.

Setting up the Integration:

Custom Azure Application

  1. Create Azure AD Application Registration
    1. Go to the Azure Portal
    2. Navigate to Azure Active Directory → App registrations
    3. Click "+ New registration"
  2. Configure Basic Settings:
    1. Supported account types: "Accounts in this organizational directory only (Single tenant)"
    2. Redirect URI:
      1. Platform: Web
      2. URI: copy and paste the callback URL from the Scalr “Connect Azure DevOps Services” form
    3. Click "Register"
  3. Create Client Secret
    1. In your app registration, go to "Certificates & secrets"
    2. Click "+ New client secret"
    3. Click "Add"
  4. Copy and paste data from your Azure app to Scalr:
    1. App (client) ID
    2. Tenant ID
    3. Client secret value
  5. Click on “Connect Azure DevOps Services”

Personal Access Token

  1. Go to https://dev.azure.com/{your_organization}
  2. Sign in with your Azure DevOps account
  3. Create Personal Access Token
    1. Click on your profile icon (top right corner)
    2. Click "Personal Access Tokens"
    3. Click "+ New Token"
    4. Fill in the following details:
      1. Organization: Select "All accessible organizations"
      2. Permission scopes:
        1. Code → Read
        2. Code → Status
        3. Pull request (thread) → Read & Write (if using PR comments)
    5. Create token and paste its value into the “Personal access token” field in Scalr
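
The scope list above is the least-privilege set for this integration, so a token can be audited against it before it is pasted into Scalr. The following is an added example, not Scalr or Microsoft code. It assumes the token's scopes are available as a space-separated string of Azure DevOps scope identifiers, that the UI labels map to the identifiers in the comments, and that a "Full access" token is reported as `app_token`. The sample records are constructed.

```python
# Added example: audit PAT scope strings against the scopes this page lists.
# Assumption: UI labels map to these Azure DevOps scope identifiers.
BASE_SCOPES = {"vso.code", "vso.code_status"}  # Code -> Read, Code -> Status
PR_COMMENT_SCOPES = {"vso.threads_full"}       # Pull request (thread) -> Read & Write
FULL_ACCESS = "app_token"                      # assumed marker of a "Full access" PAT


def audit_pat_scopes(scope_string, pr_comments=False):
    """Return (missing, excess) scope sets for one token."""
    granted = set(scope_string.split())
    wanted = BASE_SCOPES | (PR_COMMENT_SCOPES if pr_comments else set())
    if FULL_ACCESS in granted:
        # Full access covers every required scope, but all of it is excess.
        return set(), {FULL_ACCESS}
    return wanted - granted, granted - wanted


def audit_tokens(tokens):
    """tokens: iterable of dicts with 'name', 'scope' and 'pr_comments'."""
    findings = []
    for tok in tokens:
        missing, excess = audit_pat_scopes(tok["scope"], tok.get("pr_comments", False))
        findings += [(tok["name"], "missing", s) for s in sorted(missing)]
        findings += [(tok["name"], "excess", s) for s in sorted(excess)]
    return findings


# Constructed sample records (names and scope strings are illustrative only).
SAMPLE_TOKENS = [
    {"name": "scalr-vcs", "scope": "vso.code vso.code_status vso.threads_full",
     "pr_comments": True},
    {"name": "scalr-old", "scope": "vso.code_write vso.code_status",
     "pr_comments": False},
    {"name": "scalr-admin", "scope": "app_token", "pr_comments": True},
    {"name": "scalr-nocomments", "scope": "vso.code vso.code_status",
     "pr_comments": True},
]

if __name__ == "__main__":
    for name, kind, scope in audit_tokens(SAMPLE_TOKENS):
        print(f"{name}: {kind} scope {scope}")
```

A broader scope such as `vso.code_write` is reported as excess together with the narrow scope it should be replaced by.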

Pull Request Comments

If enabled, Scalr sends results back to Azure DevOps as pull request comments after a dry run triggered by an opened PR has executed, and again after the apply has finished. To enable comments, go to the Azure integration and enable the pull request comments checkbox.

If you have an existing integration with Azure DevOps, you will need to reauthenticate the integration.

Once this is enabled, you will start seeing comments posted to all new pull requests.

Scalr will also update the comments with the apply results after the run has finished. There is a separate checkbox, "Send the apply summary back to PR comments", that must be enabled for this to work.

Execute Runs from Pull Request Comments

To enable the ability to execute runs from pull request comments, you must enable it at the VCS provider integration level:

  • Allow triggering plan-only runs from the PR comments: Any user who can comment on the PR can execute a plan-only run in Scalr.
  • Allow triggering plan & apply runs from the PR comments: Any user who can comment on the PR can execute an apply run in Scalr.

When enabled, all users who have access to the pull request comment can execute a run. The workspace must have "Enabled VCS-driven dry runs" enabled in the settings for this feature to work.