r1153upgradeadopipelineresources.md
markdown_main
rendered_wus3/r1153upgradeadopipelineresources.md
Rendered Markdown
653 lines
|**Metadata**|**Description** |
|--|--|
|Doc Title| MVM v3: Update pipeline related Azure DevOps resources|
|Navigation|[WIKI Home Page](https://dev.azure.com/mvmprodeus2/MVM/_wiki/wikis/documentation/1/documents-home#)|
|Tracking| Document Number: VPE-5512-003|
|Author| Graeme Thomson (gt163y) |
| Agreement Number | 24252.S.005 |
***
**Notices**
Copyright © 2025 Metaswitch Networks. All rights reserved.
This manual is Confidential Information of Metaswitch Networks subject to the confidentiality terms
of the Agreement 01019223 as amended between AT&T and Metaswitch Networks.
It is issued on the understanding that no part of the product code or documentation (including this manual)
will be copied or distributed without prior agreement in writing from Metaswitch Networks and Microsoft.
Metaswitch Networks and Microsoft reserve the right to, without notice, modify or revise all or part of
this document and/or change product features or specifications and shall not be responsible for any
loss, cost, or damage, including consequential damage, caused by reliance on these materials.
Metaswitch and the Metaswitch logo are trademarks of Metaswitch Networks. Other brands and
products referenced herein are the trademarks or registered trademarks of their respective holders.
Product(s) and features documented in this manual handle various forms of data relating to your
users. You must comply with all laws and regulations applicable to your deployment, management,
and use of said product(s), and you should take all appropriate technical and organizational
measures to ensure you are handling this data appropriately according to any local legal and
regulatory obligations.
You are responsible for determining whether said product(s) or feature(s) is/are appropriate for
storage and processing of information subject to any specific law or regulation and for using said
product(s) or feature(s) in a manner consistent with your own legal and regulatory obligations. You
are also responsible for responding to any request from a third party regarding your use of said
product(s), such as a request to take down content under the U.S. Digital Millennium Copyright Act
or other applicable laws.
Metaswitch Networks
399 Main Street
Los Altos
CA 94022
<http://www.metaswitch.com>
***
***Table of Contents***
[[_TOC_]]
# 1. Document History
| **Issue** | **Issue Date** | **Author(s)** | **Identification** **of** **Changes** |
|-|-|-|-|
| 1| 06/10/2024| Gthomson| initial draft |
| 2| 09/30/2024| Gthomson| updates based on Ops feedback |
| 3| 11/26/2024| Gthomson| Format cloud shell location in monospace format in section 5.2 |
| 4| 11/26/2024| Gthomson| Update default_vars.yml using sed |
# 2. Versions
| **Version #** | **Editor** | **Comments** |
|-|-|-|
| 1| Gthomson| initial draft |
| 2| Gthomson| updates based on Ops feedback |
| 3| Gthomson| Format cloud shell location in monospace format in section 5.2 |
| 4| Gthomson| Update default_vars.yml using sed |
# 3. Integrated Solution Approach v1 (ISA v1)
| **Version #** | **Editor** | **Comments** |
|-|-|-|
| 1| Gthomson| initial draft |
| 2| Gthomson| updates based on Ops feedback |
| 3| Gthomson| Format cloud shell location in monospace format in section 5.2 |
| 4| Gthomson| Update default_vars.yml using sed |
# 4. MOP Impact Scope / General Information
## 4.1 Description
Pipelines are used to automate management of various MVM resources
This MOP describes the process to update the pipeline resources when they are delivered with a new release
## 4.2 Site Specific Description
| **Originator** | **Date** | **Time** |
|-|-|-|
| **Deployment Location(s)** | |
| **Description** | This MOP applies to the MVM V3 on Azure deployment, Release R11.5.3 | |
## 4.3 Service Impact
Service impact is not expected during this procedure.
## 4.4 Coordination
This MOP has no interactions outside of the MVM subscription.
# 5. Prerequisite/Dependencies/Entrance Criteria of MOP
This MOP is one of several that need to be run to execute the process to upgrade an existing deployment to an 11.5.3 release/patch.
Please refer to the corresponding *R11.5.3 Release Upgrade Overview* document for guidance on the order in which to run these MOPs
## 5.1 Required parameters
The following parameter values are required to run this MOP
| **Identifier** | **Description** |
|-|-|
| **AZURE_REGION** | This Azure region, e.g. `eastus2`. |
| **CLOUD_SHELL_LOCATION** | The location of the files that were copied to the Cloud Shell account. |
| **DOWNLEVEL_PIPELINE_CONFIGURATION_NAME** | Name of the downlevel pipeline configuration file for the region without the .yml suffix (e.g. `vars_eus2_11400`). |
| **GIT_AUTOMATION_URL** | URL of the automation git repository.|
| **GIT_AUTOMATION_BRANCH** | Name of the default branch of the MVM Azure automation repository. This is usually `main`. |
| **GIT_AUTOMATION_REPOSITORY** | Name of the automation Azure DevOps repository. |
| **GIT_PASSWORD** | Password used to access the Azure DevOps repositories if you are using https to manage the local copy of the access the repository. |
| **ORGANIZATION_NAME** | Name of the Azure DevOps organization. |
| **PROJECT** | Name of the Azure DevOps project. |
| **SUBSCRIPTION_ID** | Azure subscription identifier. |
| **UPLEVEL_MVM_FILESHARE** | Name of the fileshare containing the MVM release (**This is specified in the release note**) |
| **UPLEVEL_MVM_VERSION** | The version number of this release. |
| **UPLEVEL_PIPELINE_CONFIGURATION_NAME** | Name of the uplevel pipeline configuration file for the region without the .yml suffix (e.g. `vars_eus2_11500`). |
## 5.2 Required files
The following directory from the release point `Name of the fileshare containing the MVM release (This is specified in the release note)` must be uploaded to `The location of the files that were copied to the Cloud Shell account.` before starting this MOP:
- `ado_pipelines/repo_template`
# 6. Assumptions
The target audience for this procedure is the AT&T Engineer who will be performing the task. They will need to be familiar with Azure and have a working knowledge of the Azure CLI and Linux.
# 7. Material Requirements
## 7.1 Required Documents
## 7.2 Tools
| **Tool** | **Description** | **Quantity** |
|-|-|-|
| Laptop or Desktop PC | PC With at least 1G Memory and a network communications software application such as Procomm, Reflections or PuTTY | 1 |
| Azure connectivity PC | CloudShell Connectivity is required to the azure subscription. This can be accessed via [My Dashboard - Microsoft Azure](https://portal.azure.com/#cloudshell/) | |
# 8. Pre Maintenance Check, Precautions and Preparations
## 8.1 Precautions and Preparation
## 8.2 Precautions
> This procedure may cause a partial outage during implementation. Use executable script files to minimize down time and typing errors. Familiarize yourself with back-out procedures prior to starting the procedure.
| **Ask Yourself Principle** | **Yes** | **No** | **N/A** |
|-|-|-|-|
| 1. Do I have the proper ID and appropriate building access permissions for the environment I am about to enter? | | |
| 2. Do I know why I'm doing this work? | | |
| 3. Have I identified and notified everybody - customers and internal groups - who will be directly affected by this work? | | |
| 4. Can I prevent or control service interruption? | | |
| 5. Is this the right time to do this work? | | |
| 6. Am I trained and qualified to do this work? | | |
| 7. Are the work orders, MOPs, and supporting documentation current and error-free? | | |
| 8. Do I have everything I need to quickly and safely restore service if something goes wrong? | | |
| 9. Have I walked through the procedure? | | |
| 10. Have I made sure the procedure includes proper closure including obtaining clearance and release for the appropriate work center? | | |
| **E911 Ask Yourself** | **Yes** | **No** | **N/A** |
|-|-|-|-|
| 1. Does this work impact E911? | | |
| 2. Do I know how this work could impact 911/e911? | | |
| 3. Do I know what 911/e911 phase is required? | | |
| 4. Have I identified potential risks to 911/e911 and taken all measures to minimize? | | |
| 5. Does this work affect 15+ sites? | | |
| 6. Can I prevent or control service Interruptions to 911/e911? | | |
| 7. Is this the right time to do the work? | | |
| 8. Is the individual performing the work trained and qualified to do this work? | | |
| 9. Are MOPs and supporting documents current and error free? | | |
| 10. Does the MOP include a 911/e911 test plan? | | |
## 8.3 Pre-Maintenance Check Tools/System
Tier 2 needs to identify which tools they will use. This doesn't necessarily need to be included in the MOP but OPS needs to know which tools they will run.
(NEED TO USE STANDARD TOOLS) TIER 2
## 8.4 Pre-Maintenance Check Manual (Non-Automated Requirements)
These will be identify by the tier 3 MOP developer were required.
(MANDATORY CHECK REQUIRE FOR THE MOP) TIER 3
## 8.5 MOP Certification Environment
Examples: PSL certified. OR This MOP was paper certified by ATS engineers.
## 8.6 ATS Bulletin
**ATS Bulletin Check**
| **Step** | **Action** | **Results/Description** | **Timeline** |
|-|-|-|-|
| 1. | No Applicable bulletins | | |
## 8.7 Emergency Contacts
The following emergency contact numbers are to be used in the event provisioning support is required.
In the event a service interruption is encountered the AT&T Implementation Engineer will:
- Cease all work immediately.
- Notify the AT&T Voicemail TRC.
- Escalate to the next level of support.
| **Organization** | **Contact Name** | **Contact Number** |
|-|-|-|
| Voicemail TRC | SANRC | 877-662-7674, opt 3 |
# 9. Implementation
## 9.1 Preliminary Implementation
Pre-check tasks are completed the night of the cutover at least one hour prior to cutover activities.
1. Connect to the DevOps Portal
1. Start a browser session to <https://dev.azure.com/>. This will be required to manage the pipelines
1. Select the project associated with MVM v3
1. Connect to the Azure Portal
1. Start a browser session to <https://portal.azure.com/>. This will be required to manage Azure resources
and access the log analytics workspace (LAW)
1. If prompted, complete the log in process
1. Connect to Azure Cloud Shell
1. Start a CloudShell session by connecting a browser to <https://shell.azure.com/>
1. If the menu at the top left indicates PowerShell select Bash from the menu and confirm at the prompt
1. Upload any files and directories outlined in section 5.2 to your Cloud Shell account as they will be needed later
## 9.2 Implementation
### 9.2.1 Set the default subscription to the MVM subscription
1. Set the default subscription by running the command:
```
az account set --subscription "Azure subscription identifier for the MVM subscription."
```
### 9.2.2 Prepare the automation Git repository
This is the Git repository that holds the pipelines, Terraform scripts etc.
These commands are run from the CloudShell session created above
1. Set the following environment variables:
```
CLOUD_SHELL_LOCATION=The location of the files that were copied to the Cloud Shell account.
UPLEVEL_MVM_VERSION=The version number of the uplevel release, e.g. 11.5.0+1
BRANCH=Change ID, used as the prefix for any git branch created in the MOPs_The version number of the uplevel release, e.g. 11.5.0+1_update_pipelines
```
Export the correct form of the URL to access the git repository
- If using https to interact with the git repository
```
GIT_AUTOMATION_URL=https://Name of the Azure DevOps organization.@dev.azure.com/Name of the Azure DevOps organization./Name of the Azure DevOps project./_git/Name of the automation Azure DevOps repository.
```
- If using ssh to interact with the git repository
```
GIT_AUTOMATION_URL=git@ssh.dev.azure.com:v3/Name of the Azure DevOps organization./Name of the Azure DevOps project./Name of the automation Azure DevOps repository.
```
1. Change to an appropriate working directory in Cloud shell. Your Git repository will live in a subdirectory off of this path.
```
cd ~
mkdir automation_repo
cd automation_repo
```
1. Clone the existing Azure DevOps Git repository with **<GIT_AUTOMATION_URL>**. The repository can be cloned using either ssh or https. In both cases you will run the following command:
```
git clone ${GIT_AUTOMATION_URL} .
```
(note the trailing whitespace and period after the URL)
- If using HTTPS:
- When prompted, input the password, **<GIT_PASSWORD>**, that you specified when the repository was first created
- If using SSH:
- You will not be prompted for a password.
This will create a local copy of the repository in the current working directory.
1. Create a new working branch by running the command
```
git checkout -b ${BRANCH}
```
The branch currently only exists on your local server - it will be pushed to the DevOps repository in a later step
1. Rename the example pipeline variable file by running the following commands:
```
cd ${CLOUD_SHELL_LOCATION}/repo_template/pipelines/configuration
mv vars_example.yml vars_example_${UPLEVEL_MVM_VERSION}.yml
```
1. Update the contents of the automation repository by running the following commands:
```
cd ~/automation_repo
cp -r ${CLOUD_SHELL_LOCATION}/repo_template/* .
```
1. Update the file `pipelines/mvmselfhost.yml`
Comment out the task that adds the self-hosted agent subnet to the list of allowed
networks that can access the delivery storage account by running the following command:
```
sed -i '/manage_artifact_account_rules.yml/ {
N
N
s/ /# /g
}' pipelines/mvmselfhost.yml
````
This is not required as we already have a Private Endpoint configured that allows us access to the account.
1. Update the file `pipelines/mvmtoolvm.yml`
Comment out the task that adds the tooling vm subnet to the list of allowed
networks that can access the delivery storage account by running the following
command:
```
sed -i '/manage_artifact_account_rules.yml/ {
N
N
s/ /# /g
}' pipelines/mvmtoolvm.yml
````
This is not required as we already have a Private Endpoint configured that allows us access to the account.
1. Add the new files to the repository by running the command
```
git add -A
```
1. Verify that you have a combination of modified and new files by running the command
```
git status
```
This should produce an output that contains a list of new and modified files. If it does not, then stop here and contact Support
1. Commit the change to the local branch by running the command
```
git commit -a -m "Update pipeline files"
```
### 9.2.3 Update the pipeline configuration file
<---------------- PRE-RENDER START --------------->
https://dev.azure.com/mvmprodeus2/MVM/_git/documentation?path=/Labs-ANTS-DevOps/SMOPs/Keystone-Mops/overridesimplaksvmsize.md&_a=preview
<---------------- PRE-RENDER END --------------->
1. Copy the existing pipeline configuration file to a new configuration file by running the command:
```
cp pipelines/configuration/Name of the downlevel pipeline configuration file for the region without the .yml suffix (e.g. vars_eus2_11400)..yml \
pipelines/configuration/Name of the uplevel pipeline configuration file for the region without the .yml suffix (e.g. vars_eus2_11500)..yml
```
1. Edit the variables identified in the release documentation
<---------------- PRE-RENDER START --------------->
https://dev.azure.com/mvmprodeus2/MVM/_git/documentation?path=/Labs-ANTS-DevOps/SMOPs/Keystone-Mops/overridesimplaksvmsize.md&_a=preview
<---------------- PRE-RENDER END --------------->
> This is an optional step that is only required if the release note and/or upgrade overview document indicates that the pipeline configuration file needs to be changed as part of the upgrade process.
1. Add the new file to the repository by running the command:
```
git add -A
```
1. Commit the change to the local branch by running the command:
```
git commit -a -m "Create new pipeline configuration file"
```
### 9.2.4 Update the default vars file
> The default vars file contains the name of the current pipeline configuration file. It is used by the secret monitoring file when it runs in a scheduled mode.
>
> This is an optional step that is only required if a new pipeline variables configuration file was created
1. Update the secrets monitoring configuration file by running the command:
```
sed -i '/^ default_vars/c\ default_vars_file: Name of the uplevel pipeline configuration file for the region without the .yml suffix (e.g. vars_eus2_11500)..yml' pipelines/configuration/default_vars.yml
```
1. Commit the change to the local branch by running the command:
```
git commit -a -m "Update default pipeline configuration file"
```
1. Push the change to the DevOps repository by running the command:
```
git push --set-upstream origin ${BRANCH}
```
1. Merge the change into the main branch via the 'pull request' mechanism
1. Tidy up by running the command:
```
cd ~
rm -rf automation_repo
```
(We have finished with the local copy of the repository)
### 9.2.5 Update the deployment wide sensitive variable group
> This is an optional step that is only required if the release note and/or upgrade overview document indicates that it is required.
>
> This step is run in the session created to the DevOps portal
1. Return to your Azure DevOps project
- Select **Pipelines** on the left sidebar
- Select **Library**
1. Select the variable group `mvm-vault`
1. In the resultant window, select **+ Add** located at the bottom of the existing variables
1. Add the variables indicated in the release note and select **Ok**
1. Select **Save** to commit the changes
### 9.2.6 Update the regional sensitive variable group
> This is an optional step that is only required if the release note and/or upgrade overview document indicates that it is required.
>
> This step is run in the session created to the DevOps portal
1. Return to your Azure DevOps project
- Select **Pipelines** on the left sidebar
- Select **Library**
1. Select the variable group `mvm-The short (4-characters maximum) DNS label for the region-vault`
1. In the resultant window, select **+ Add** located at the bottom of the existing variables
1. Add the variables indicated in the release note and select **Ok**
1. Select **Save** to commit the changes
### 9.2.7 Add the pipelines
Each Azure Pipeline in the release is defined by a .yml file contained in the pipelines/ folder. All pipelines must be added to the project.
You can add new pipelines using the `pipeline_upload.sh` script and a Personal Access Token (PAT)
1. Create a Personal Access Token (PAT)
A PAT is required as part of the upload process. It is not used for day-to-day operation of the pipelines
1. Sign in with the user account you plan to use in your Azure DevOps organization
1. From the home page, open your user settings, and then select Personal access tokens.
1. Create a token.
1. Check Custom defined and Select the Show all scopes link
1. Check Agent Pools: Read
1. Check Build: Read & execute
1. Check Code: Read
1. make sure all the other boxes are unchecked.
1. Select Create
Success, or failure, is reported on screen.
Remember to copy the created token as this will be the only time it is visible.
> Note that the rest of this section is run from a CloudShell session
1. Install the DevOps CLI extension by running the following command:
```
az extension add --name azure-devops
```
Success or failure is reported to screen. An error indicating that the extension is already installed is benign and can be ignored.
1. Set the following environment variables:
```
GIT_AUTOMATION_BRANCH=Name of the default branch of the MVM Azure automation repository. This is usually `main`.
ORGANIZATION_NAME=Name of the Azure DevOps organization.
PROJECT=Name of the Azure DevOps project.
GIT_AUTOMATION_REPOSITORY=Name of the automation Azure DevOps repository.
ORGANIZATION_URL=https://dev.azure.com/${ORGANIZATION_NAME}
```
Export the correct form of the URL to access the git repository
- If using https to interact with the git repository
```
GIT_AUTOMATION_URL=https://Name of the Azure DevOps organization.@dev.azure.com/Name of the Azure DevOps organization./Name of the Azure DevOps project./_git/Name of the automation Azure DevOps repository.
```
- If using ssh to interact with the git repository
```
GIT_AUTOMATION_URL=git@ssh.dev.azure.com:v3/Name of the Azure DevOps organization./Name of the Azure DevOps project./Name of the automation Azure DevOps repository.
```
1. Change to an appropriate working directory. Your Git repository will live in a subdirectory off of this path.
```
cd ~
mkdir automation_repo
cd automation_repo
```
1. Clone the existing Azure DevOps Git repository with **<GIT_AUTOMATION_URL>**. The repository can be cloned using either ssh or https. In both cases you will run the following command:
```
git clone ${GIT_AUTOMATION_URL} .
```
(note the trailing whitespace and period after the URL)
- If using HTTPS:
- When prompted, input the password, **<GIT_PASSWORD>**, that you specified when the repository was first created
- If using SSH:
- You will not be prompted for a password.
This will create a local copy of the repository in the current working directory.
1. Log into ADO by running the following command:
```
az devops login --org ${ORGANIZATION_URL}
```
When prompted, enter the PAT created earlier in this section
The following error is benign and can be ignored
```
Failed to store PAT using keyring; falling back to file storage.
You can clear the stored credential by running az devops logout.
```
Refer to <https://aka.ms/azure-devops-cli-auth> to know more on sign in with PAT.
1. Run the following commands to upload the pipelines:
```
cd pipelines
chmod +x pipeline_upload.sh
./pipeline_upload.sh --org "${ORGANIZATION_NAME}" \
--project "${PROJECT}" \
--repository "${GIT_AUTOMATION_REPOSITORY}" \
--branch "${GIT_AUTOMATION_BRANCH}"
```
Success, or failure, is reported to screen
> Errors of the form Pipeline with name `<pipeline>` already exists can be ignored, as the existing pipelines will pick up the new source code when it was checked in earlier.
### 9.2.8 Remove the local copy of the git repository as we have finished with it
1. Tidy up by running the command:
```
cd ~
rm -rf automation_repo
```
## 9.3 Test Plan
There is no specific test plan associated with this procedure. If all commands complete successfully then the operator can proceed to the next step.
## 9.4 Backout Procedure
Backing out the change involves rolling back the changes in the git repository.
This is described in <docs.microsoft.com/en-us/Azure/devops/repos/git/undo?view=Azure-devops&tabs=command-line>
### 9.4.1 Revert the changes
These commands are run from the DevOps Portal created in section 9.1
1. Access your Git repo in ADO using a web browser.
1. Navigate to Repos > Commits
1. Find the second-to-last commit (the one from before this MOP was ever run).
Note the 8-digit hex string referring to that commit; the location of the string is highlighted in the screenshot below.
1. From your Cloud Shell, within the cloned Git repo, run the following, replacing `<commit>` with the string from step 3 above:
```
git revert <commit>
git commit
git push
```
# 10. Post checks
[System healthchecks]
# 11. Risk Assessment Score
1 - TBD
# 12. Execute MOP clean up if required
# 13. End of Document MOP
# 14. Service Assurance/Monitoring
# A. Appendix and Tables
# B. Approvers
# C. Peer Reviewers
# D. References for Other Documents
# E. Additional Appendices (If required)