CI CD in Azure Synapse Analytics Part 5 - Deploying Azure Synapse Workspace from ARM
Published Nov 30 2021 04:15 AM 31.9K Views
Microsoft

Here's a quick review of the road so far:

 

CI CD in Azure Synapse Analytics Part 1

  • Creating an Azure DevOps project
  • Linking our Azure Synapse Analytics environment to that Project via Git
  • Validating that our Azure DevOps Repo was populated with our Azure Synapse Analytics environment

CI CD in Azure Synapse Analytics Part 2:

  • Create a new branch on our Repo
  • Edit our Azure Synapse Analytics environment
    • Specifically my SQL scripts have demos all over the place and Buck Woody said I have to clean up my very messy room .... Azure Synapse Analytics environment
  • Create a Pull Request in Azure Synapse Analytics to merge our new branch with the main
  • Approve the Pull Request in Azure DevOps
  • Validate our main branch is updated in our Azure Synapse Analytics Environment

CI CD in Azure Synapse Analytics Part 3

  • Create an Artifact pipeline
    • This is to create an Artifact we can use to deploy to another environment

CI CD In Azure Synapse Analytics Part 4

  • Give our Azure DevOps Service Principal access to our Azure Synapse Workspace
  • Validate or Give our Azure DevOps Service Principal Storage Contributor & User Access Administrator (*This is only if your storage account was provisioned before you created your Synapse Workspace or if you connect your Dev, QA, and Prod to the same ADLS G2 storage account.  If you create your Synapse Workspace and Storage account from an ARM template deployed from DevOps, then your DevOps Service Principal will have Owner on the Storage Account and that gives the Service Principal User Access Administrator capabilities.)
  • Create the release pipeline
  • Validate the deployment
  • *If you have SQL Provisioned Pools as part of your deployment pause them, because they will be created on deployment

This time we will:

  • Ensure we have granted permissions to the DevOps Managed Identity for our Azure Subscription
  • Create an ARM template using the Azure Portal
  • Upload the template.json & parameters.json to our DevOps Repo
  • Create our Build Package Pipeline
  • Create our Release pipeline to deploy the Azure Synapse Analytics Workspace using an deploy Arm Template Task
  • Validate our Azure Synapse Analytics Workspace

 

Our Azure DevOps project comes with a Managed Identity.  By default using the agent with the DevOps project utilizes that Managed Identity, MI.  We need to make sure that the MI has the proper level of permissions on our subscription.

 

First let's navigate to the Azure Portal and click on subscriptions.

 

CI CD part 5_01.png

 

Select the subscription we are granting the access to the MI.

 

CI CD part 5_02.png

 

Click on Access control (IAM), click + Add, then click Add role assignment.

 

CI CD part 5_03.png

 

Select the Contributor Role and click Members.

CI CD part 5_04.png

Click +Select members, type in the name of the project workspace, select that MI, click select, then click Next.

CI CD part 5_05.png

 

Validate that everything looks correct and click Review + assign.

 

CI CD part 5_06.png

 

Now that our permissions are in place we will create our template, in the search bar type "Azure Synapse Analytics" and click the Azure Synapse Analytics icon and then click Create.

 

CI CD part 5_07.png

CI CD part 5_08.png

 

In this example we will create a new resource group named "AzureSynapseDeployFromTemplate".... because I like names that say what we are doing.  In all reality you would be using this to create your QA environment after we built our Dev, or you could be using this to build your initial Dev environment.  Whatever you are using this for add your Resource Group, RG, name new or existing.

 

Next we set our Managed resource group.  What is a Managed resource group Dear Reader?  It is the resource group that creates managed components created with the PaaS server that is our Azure Synapse Analytics Workspace.  This used to be auto created now you can create it yourself, I'm naming this with the same RG as above with the extension MRG for Managed Resource Group e.g. "AzureSynapseDeployFromTemplateMRG".

 

Now we name the workspace and we will use the simple name "deployfromtemplate".

 

Next we select our region, then we add the Data Lake Storage account.  We will give the account name and filesystem the same name, "adsldft".  Now click next.

 

*Note some of these names must be unique so please substitute your own naming conventions.  But keep track of these things we will need them later!

 

CI CD part 5_09.png

I'm going to leave the SQL Server admin login as the default, CHANGE THIS!!!  Do not leave this as the default value.  Make it unique per your organization.

 

Then click Next: Networking.

 

CI CD part 5_10.png

Click Enable by Managed virtual network.  This is my preferred setting as it requires a private endpoint for all services interacting with Azure Synapse Analytics.

 

Yes for create managed private endpoint to primary storage, you used to have to do this manually it is nice to add this as a part of deployment.

 

Allow outbound data traffic only to approved targets, I'm selecting no for the demo but when you deploy this for your Dev, QA, Test, Prod, or any other environment should select yes and specify the subscriptions that have access to this system.

 

Public network access.  Again this is a case of do what I say not what I do.  I'm enabling this, but you will disable this.  This adds a public firewall rule that leaves your workspace open to anyone in your AAD tenant.  They still have to be in your AAD tenant, and you can remove this rule after deployment. 

 

When you do your forever deployments, click disable and add the firewalls needed, or leave this disabled and use Azure Synapse Analytics Private Link Hubs and private endpoints to secure your environment.  That should be another blog.... more on that later. 

 

Finally click Next: Tags.

 

 

CI CD part 5_11.png

 

There are all kinds of useful tags, they can allow you to group items via PowerShell and assist with charge back.  Add your tags here are some examples.

 

Click Next: Review + create.

 

 

 

CI CD part 5_12.png

NOW this is where we get our template!  Instead of clicking Create we will click Download a template for automation.

 

CI CD part 5_13.png

Click the download link up at the top of the screen.

 

CI CD part 5_14.png

 

As you can see from my screen shot, I've done this a few times.   This zip file we have downloaded contains our template and parameter JSON files.  Extract these files in a folder we will be uploading them to our Azure DevOps Repo shortly. 

CI CD part 5_15.png

 

Now browse to your DevOps Repo.  Click on the three dots next to the Repo name and select New Folder.  We will name this folder ARMTemplate and create a file call readme.txt.  We don't need this file, but you cannot create a new folder.  We will delete the readme.txt shortly, but keep it for now.

 

CI CD part 5_16.png

 

Click Commit to save the readme.txt

 

CI CD part 5_17.png

 

Click the three dots next to the ARMTempalte folder and click Upload file(s).

 

CI CD part 5_18.png

 

Click Browse... in order to browse to our file we extracted our template and parameters JSON files.  Click both files and open them.  Click Commit. 

 

CI CD part 5_19.png

 

Now we can delete the readme.txt.  Click the three dots next to the readme.txt and click Delete.

 

CI CD part 5_20.png

 

Now we can create our Build Pipeline.  Navigate to Pipelines and click New pipeline.

 

CI CD part 5_21.png

 

Click Use the classic editor.

 

CI CD part 5_22.png

 

Ensure our Repo is selected and click Continue.

 

CI CD part 5_23.png

Click Empty job.

 

CI CD part 5_24.png

 

We should name our Pipeline something that states exactly what it does, for example "Build Pipeline ARM Deployment Synapse Environment". 

 

Click the + next to Agent job 1, type copy files, click Add.

 

CI CD part 5_25.png

 

Set the Display name to "Copy Files to: $(Build.ArtifactStagingDirectory)/ARM".

 

Click the ... next to the Source Folder text box ,navigate to the ARMTemplate folder, and click OK.

 

Under Contents type "*.json". 

 

Our Target Folder is using the variable to store our files on the build agent, "$(Build.ArtifactStagingDirectory)/ARM"

 

CI CD part 5_26.png

 

Click the + next to Agent job 1 and type Publish Pipeline Artifacts.  Click add. 

 

CI CD part 5_27.png

 

Type "$(Build.ArtifactStagingDirectory)" for the File or directory path. 

 

We will name our Artifact name ASW_Drop for Azure Synapse Workspace Drop.

 

CI CD part 5_28.png

 

Click Save & queue.

 

CI CD part 5_29.png

 

Type something under the Save comment and click Save and run.

 

CI CD part 5_30.png

 

Validate that the build goes smoothly.

 

CI CD part 5_31.png

 

Now we create our release pipeline.  Navigate to Releases and click + New  and + New release pipeline.

 

CI CD part 5_32.png

 

Select Empty job.

 

CI CD part 5_33.png

 

Select our Build Pipeline, and be glad we named it something obvious!

 

CI CD part 5_34.png

 

Validate that everything is populated as expected and click Add.

 

CI CD part 5_35.png

 

Click 1 job, 0 tasks.  

 

*Note my images says 1 job, 1 task.  Ignore that yours will say 1 job, 1 task.

 

CI CD part 5_36.png

 

Click the + next to Agent job and type ARM template deployment and click Add. 

 

CI CD part 5_37.png

 

We will add our Azure Resource Manager connection.  (If you haven't set this up you will need this.  This links your DevOps Repo to your Azure Subscription, so make sure this is in place).

 

After selecting the Resource Manager connection, select the subscription to which we will be deploying resources.

 

Type in the name of the Resource Group, aka RG, from our template.  For example, AzureSynapseDeployFromTemplate.

 

Select our Azure Region, for example East US 2.

 

CI CD part 5_38.png

Click the ... next to the Template text box and navigate to our template.json file in our build package.

 

CI CD part 5_39.png

 

Click the ... next to the Template parameters text box and navigate to our parameters.json file in our build package.

 

CI CD part 5_40b.png

 

Now we need to set our password for our SQL Administrative account for the Azure Synapse Workspace.  This value in the parameters.json is a secure string.  By nature a secure string cannot be plain text and must be encrypted.  To do that we will click on the Variables pane.  

 

Click + Add.  We will name this the exact same attribute that is in the JSON file, in this case "sqlAdministratorLoginPassword".  Type in the password value and then click the lock Icon.  That will make this a secure string.

 

Also add the value system.debug with a value of TRUE.  If we get any errors this should help us with detailed output. 

 

CI CD part 5_41.png

 

Now in the Override template parameters type "-sqlAdministratorLoginPassword $(sqlAdministratorLoginPassword)". 

 

We are substituting the sqlAdministratorLoginPassword value in the JSON with the -sqlAdministratorLoginPassword command.  The value we are replacing this with is our varialble $(sqlAdministratorLoginPassword). 

 

CI CD part 5_42.png

 

Next we need to keep in mind the MI of the DevOps project is deploying this which means it will by default have admin access to the Azure Synapse Workspace, but nothing else will.  To that end we will add an Azure PowerShell script that adds an AAD group to the Admin group of the Workspace. 

 

CI CD part 5_43.png

 

Select our Azure Subscription, Inline path, and copy the script below.

 

*Note the version of Az.Synapse PowerShell module will change over time, as of the publishing of this blog 0.7.0 currently works.

 

# You can write your azure powershell scripts inline here.
# You can also pass predefined and custom variables to this script using arguments
##Required for azure devops initial deployment
Install-Module Az.Synapse -RequiredVersion 0.7.0 -Scope CurrentUser -Force -AllowClobber


##ObjectID is for bballasw_WSAdmins
New-AzSynapseRoleAssignment -WorkspaceName <insert your workspace name here> -RoleDefinitionName "Workspace Admin" -ObjectID <insert your AAD Group here>

 

Add the Preferred Azure PowerShell Version as 3.1.0.

 

CI CD part 5_44.png

 

Click Save and OK.

 

CI CD part 5_45.png

 

Click Create release.

 

CI CD part 5_46.png

 

Click Create.

 

 

CI CD part 5_47.png

 

Allow this to run and validate that the resources have been deployed to our Resource Group.  

 

CI CD part 5_48.png

 

Click on the link to the Azure Synapse Workspace and validate that you can access it.

CI CD part 5_49.png

 

 

My appologies on the delay and the technical issues.  Thank you again Dear Reader for stopping by!

 

Thanks,

 

Brad

 

 

 

12 Comments
Co-Authors
Version history
Last update:
‎Dec 01 2021 09:36 AM
Updated by: