Azure DevOps

Azure Project Level Permissions

The user who performs the actions below to connect to Azure DevOps must have project administrator permissions in Azure.

Integrating with a VCS provider unlocks the ability to use GitOps workflows, import modules, enable Open Policy Agent, and much more.

Azure requirements

To enable the integration, there are a few key requirements before going through the authentication flow:

  1. Ensure the "Third-party application access via OAuth" setting is enabled in the organization policies by going to:
    1. Organization settings
    2. Click on Policies.
  2. The account used to create the integration must have project administrator permissions for the project you are integrating with.

Setting up the Integration:

Custom Azure Application

  1. Create Azure AD Application Registration
    1. Go to the Azure Portal
    2. Navigate to Azure Active Directory → App registrations
    3. Click "+ New registration"
  2. Configure Basic Settings:
    1. Supported account types: "Accounts in this organizational directory only (Single tenant)"
    2. Redirect URI:
      1. Platform: Web
      2. URI: copy and paste the callback URL from the Scalr “Connect Azure DevOps Services” form
    3. Click "Register"
  3. Create Client Secret
    1. In your app registration, go to "Certificates & secrets"
    2. Click "+ New client secret"
    3. Click "Add"
  4. Copy and paste data from your Azure app to Scalr:
    1. App (client) ID
    2. Tenant ID
    3. Client secret value
  5. Click on “Connect Azure DevOps Services”

Personal Access Token

  1. Go to https://dev.azure.com/{your_organization}
  2. Sign in with your Azure DevOps account
  3. Create Personal Access Token
    1. Click on your profile icon (top right corner)
    2. Click "Personal Access Tokens"
    3. Click "+ New Token"
    4. Fill in the following details:
      1. Organization: Select "All accessible organizations"
      2. Permission scopes:
        1. Code → Read
        2. Code → Status
        3. Pull request (thread) → Read & Write (if using PR comments)
    5. Create token and paste its value into the “Personal access token” field in Scalr

Commit Strategy

Admins can choose between the following two commit strategies when adding a VCS provider connection. All workspaces that use this VCS connection will inherit this setting:

Head Commit of the Base Branch: The default strategy, which compares the latest head commit with the base branch commit.

Previous Commit of the PR Branch: This strategy compares the latest head commit with the previous head commit.

The head commit strategy compares ALL commits in the PR every time a commit is pushed, while the previous commit strategy only compares the new commit to the previous commit that was made.
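
To see where the two strategies diverge, the following added example (a model written for this page, not Scalr's code) replays three pushes to a PR branch and lists which workspaces each strategy would see as changed. The workspace directories, the file contents, and the assumptions that the base branch does not move and that the first push is compared with the base branch are all constructed for illustration.

```python
# Added illustration: a model of the two commit strategies, not Scalr's code.
# A commit is modelled as a snapshot {path: content}; all data is constructed.

def changed_paths(old, new):
    """Paths whose content differs between two snapshots (adds, edits, deletes)."""
    return {p for p in old.keys() | new.keys() if old.get(p) != new.get(p)}

def compare(strategy, base, pushes, i):
    """Files seen as changed when push number i (0-based) arrives on the PR branch."""
    head = pushes[i]
    if strategy == "base":        # Head Commit of the Base Branch
        return changed_paths(base, head)
    if strategy == "previous":    # Previous Commit of the PR Branch
        # Assumption: the first push has no previous PR commit, so use the base.
        previous = pushes[i - 1] if i > 0 else base
        return changed_paths(previous, head)
    raise ValueError(f"unknown strategy: {strategy}")

def affected(paths, workdirs):
    """Hypothetical workspace working directories that contain a changed path."""
    return sorted(w for w in workdirs if any(p.startswith(w + "/") for p in paths))

WORKDIRS = ["network", "iam"]     # hypothetical workspace directories
BASE = {"network/main.tf": "v1", "iam/roles.tf": "v1", "README.md": "v1"}
PUSHES = [
    {**BASE, "iam/roles.tf": "v2"},                      # push 0: edits an IAM role
    {**BASE, "iam/roles.tf": "v2", "README.md": "v2"},   # push 1: docs only
    {**BASE, "README.md": "v2"},                         # push 2: reverts the IAM edit
]

def report():
    """One row per push: (push index, workspaces by base strategy, by previous strategy)."""
    rows = []
    for i in range(len(PUSHES)):
        by_base = affected(compare("base", BASE, PUSHES, i), WORKDIRS)
        by_prev = affected(compare("previous", BASE, PUSHES, i), WORKDIRS)
        rows.append((i, by_base, by_prev))
    return rows

if __name__ == "__main__":
    for i, by_base, by_prev in report():
        print(f"push {i}: base-branch -> {by_base}; previous-commit -> {by_prev}")
```

Push 1 (docs only) still reports `iam` under the base-branch strategy but nothing under the previous-commit strategy, while push 2 (the revert) shows the opposite.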

Pull Request Comments

Scalr provides the option to display run results in the Azure DevOps pull request. The result will be an overall summary of the pull request as well as a per-workspace report showing what resources have been created, updated, or deleted. The cost and OPA results will also be displayed.

Enabling Comments

To see the run summary in an Azure DevOps comment before merging the PR, you must enable this in the Azure DevOps integration.

If you have an existing integration with Azure DevOps, you will need to reauthenticate the integration.

Execute Runs from Pull Request Comments

To enable the ability to execute runs from pull request comments, you must enable it at the VCS provider integration level:

  • Allow triggering plan-only runs from the PR comments: Any user who can comment on the PR can execute a plan-only run in Scalr.
  • Allow triggering plan & apply runs from the PR comments: Any user who can comment on the PR can execute an apply run in Scalr.

When enabled, all users who can comment on the pull request can execute a run. The workspace must have the "Enabled VCS-driven dry runs" setting turned on for this feature to work.

Draft PRs

Draft pull requests are commonly used early in the development cycle to signal that a pull request is not yet ready. Because the work is at such an early stage, you may not want a Scalr plan to execute when these pull requests are opened. Scalr gives you the option to ignore draft pull requests by unchecking "Trigger runs for draft pull requests". Currently, this setting applies to every workspace that is linked to the VCS provider.

Automatic Base Branch Merge Before Run Execution

VCS-driven workspaces can automatically merge the base branch into the head branch before triggering a run. This ensures that runs are always executed against the latest code in the base branch, providing more accurate and reliable results. This addresses a common pain point where runs could be executed against outdated head branches, potentially leading to false-positive results or failed applies after merging.

To implement this feature, enable the auto-merge option when configuring the VCS provider.