How to configure DevOps with Lighthouse (1/6)

Lighthouse

Peering virtual networks between two tenants using IaC/ARM? Or any other task requiring you to login into multiple tenants during deployment, but want to automate it without having credentials in the script or any other local solution for encrypting credentials?

Want to deploy everything with templates from DevOps, but each task in a pipeline only connects to one subscription?

The solution is configuring Azure Lighthouse with a service principal (app registration), and configure Service Connections in DevOps with the service principal. This makes sure the service principal receives a token for each subscription added to Azure Lighthouse, when connecting to one of them, which was necessary in order to achieve VNET Peering across tenants.

Here is the start of a guide to how you setup Azure Lighthouse, register App Registration and create the Service Connection in Azure DevOps.

Pre-req: Decide which tenant and subscription shall be the hub with access to all other subscriptions. Important as you might add users with Portal Access to all subscriptions, and not only a DevOps Pipeline.

Agenda:

1. Create and configure an Application Registration to gain access using a secret.
2. Create a template- and parameter-file for connecting other subscriptions to Lighthouse in the hub subscription.
3. Register the AppReg in all other tenants.
4. Create a custom role for the AppReg (or use builtin roles).
5. Deploy the Lighthouse Template- and Parameter-file.
6. Create the Service Connections in Azure DevOps.
7. Test DevOps with Lighthouse

 

Step 1 Create and configure an Application Registration to gain access using a secret.

  1. Create a new AppReg from Azure Active Directory.
    1. Requires minimum Application Administrator Role.
    2. Choose multitenant configuration, because we need to register this AppReg in all tenants we wanne deploy our network peering to.

AppReg1

2. Create a Secret and copy the secret to notepad, as you will only see it once after creation.

ApPReg2

3. Achieve the Service Principal Name ID, and copy the Id to notepad for use later.

AppReg3

Next up is; Create a template- and parameter-file for connecting other subscriptions to Lighthouse in the hub subscription.

Leave a Comment