Azure Deploy to non-global regions

s.roesch's Avatar

s.roesch

02 Dec, 2016 02:26 AM

Hi,

is it possible to deploy to the non-global Azure regions like Azure Germany (China, US Gov...) from within Octopus? They use different ActiveDirectory URLs as far as I know, so logging in with the normal account does not work. In PowerShell, for example, I needed to add the specific AD URL to be able to log in.

If not, any plans of adding this?

Thanks

  1. Support Staff 1 Posted by Michael Richard... on 05 Dec, 2016 01:34 AM

    Michael Richardson's Avatar

    Hi Sebastian,

    Octopus does not currently have first-class support for non-global Azure Regions.

    We do have plans to implement this, and in fact a member of the community has already contributed partial support for this (partial in that it is not exposed via the Octopus Portal UI).

    Please understand, this is not a feature currently exercised by our internal tests.

    You should be able to set the following variables in your project:

    Octopus.Action.Azure.Environment
    Octopus.Action.Azure.ActiveDirectoryEndPoint
    Octopus.Action.Azure.ServiceManagementEndPoint
    Octopus.Action.Azure.StorageEndpointSuffix //only required for Cloud Service deployments
    

    You can get the values for these variables by executing PowerShell such as this (this example is specific to Germany).

    i.e.

    Octopus.Action.Azure.Environment = AzureGermanCloud
    Octopus.Action.Azure.ActiveDirectoryEndPoint = https://management.core.cloudapi.de/
    AdTenant
    Octopus.Action.Azure.ServiceManagementEndPoint = https://management.core.cloudapi.de/
    Octopus.Action.Azure.StorageEndpointSuffix = core.cloudapi.de
    

    I hope this helps. Please consider updating this thread with your progress?

    Regards,
    Michael

  2. 2 Posted by Sebastian on 08 Dec, 2016 07:07 AM

    Sebastian's Avatar

    Hi Michael,

    thanks a lot for the info.

    I created a new Project in Octopus, added the variables you mentioned and added my Azure Service principal account. The test of the Azure Account fails, which I guess is expected. But when I add the deploy step to my Project and select my account, I get this error so that I cannot select my web app:

    System.Runtime.Serialization.SerializationException: There was an error deserializing the object of type Microsoft.IdentityModel.Clients.ActiveDirectory.TokenResponse. Encountered unexpected character '<'. ---> System.Xml.XmlException: Encountered unexpected character '<'.

       at System.Xml.XmlExceptionHelper.ThrowXmlException(XmlDictionaryReader reader, XmlException exception)

       at System.Runtime.Serialization.Json.XmlJsonReader.Read()

       at System.Xml.XmlBaseReader.IsStartElement()

       at System.Xml.XmlBaseReader.IsStartElement(XmlDictionaryString localName, XmlDictionaryString namespaceUri)

       at System.Runtime.Serialization.Json.DataContractJsonSerializer.InternalIsStartObject(XmlReaderDelegator reader)

       at System.Runtime.Serialization.Json.DataContractJsonSerializer.InternalReadObject(XmlReaderDelegator xmlReader, Boolean verifyObjectName)

       at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName, DataContractResolver dataContractResolver)

       --- End of inner exception stack trace ---

       at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task)

       at Octopus.Worker.Azure.AzureAccountExtensions.GetAuthorizationToken(AzureServicePrincipalAccount account) in Z:\buildAgent\workDir\eec88466c176b607\source\Octopus.Worker\Azure\AzureAccountExtensions.cs:line 25

       at Octopus.Server.Web.Api.Actions.AzureWebSitesListAction.GetSites(AzureServicePrincipalAccount servicePrincipalAccount) in Z:\buildAgent\workDir\eec88466c176b607\source\Octopus.Server\Web\Api\Actions\AzureWebSitesListAction.cs:line 87

       at Octopus.Server.Web.Api.Actions.AzureWebSitesListAction.Execute() in Z:\buildAgent\workDir\eec88466c176b607\source\Octopus.Server\Web\Api\Actions\AzureWebSitesListAction.cs:line 50

       at Octopus.Server.Web.Infrastructure.Api.Responder`1.Respond(TDescriptor options, NancyContext context) in Z:\buildAgent\workDir\eec88466c176b607\source\Octopus.Server\Web\Infrastructure\Api\Responder.cs:line 145

       at System.Dynamic.UpdateDelegates.UpdateAndExecute3[T0,T1,T2,TRet](CallSite site, T0 arg0, T1 arg1, T2 arg2)

       at Octopus.Server.Web.Api.OctopusRestApiModule.<>c__DisplayClass0_0.<.ctor>b__0(Object o) in Z:\buildAgent\workDir\eec88466c176b607\source\Octopus.Server\Web\Api\OctopusRestApiModule.cs:line 46

       at Nancy.Routing.Route.<>c__DisplayClass4.<Wrap>b__3(Object parameters, CancellationToken context)

    Did I understand your instruction correctly or did I do something wrong?

    Thanks,
    Sebastian

  3. Support Staff 3 Posted by Michael Richard... on 09 Dec, 2016 02:04 AM

    Michael Richardson's Avatar

    I apologize, I should have mentioned that you will not be able to use the drop-down to select your Web App. You will have to bind the value to a Variable. You can do this by checking the "Custom bindings" box next to the drop-down. If this is unavailable due to the error, you may have to bind the Account to a variable (similar to the process described here), which will force you to use a variable for the Web App also.

    The support for alternate Azure regions was added to Calamari (our deployment agent executable), but (as you have seen) there is no support in the Octopus Portal UI as yet.

    I did warn you it was not first-class :)

  4. 4 Posted by Sebastian on 09 Dec, 2016 03:12 AM

    Sebastian's Avatar

    Hi Michael,

    No problem, thanks, I will try again.

  5. 5 Posted by Sebastian on 16 Dec, 2016 10:10 PM

    Sebastian's Avatar

    Hi Michael,

    I finally found the time to try it again.
    I added the following config to my project variables and an Azure Web App deploy step:
    [cid:[email blocked]]

    I had to change the AD URL because the one mentioned by you failed.
    I tried using the OAuth2 flow with those URLs and that works fine for me (with login.microsoftonline.de as the OAuth Token Provider and management.microsoftazure.de as the service management endpoint). I also tried the service management endpoint https://management.core.cloudapi.de/ mentioned by you but the result is the same, so I guess it fails before that.

    Now I get the error that it does not know the subscription. Does Octopus maybe still use the global AD? Is there a way that I can find more details about the actual request?

    15:15:53 Info | Deploying to Azure WebApp 'hq-dashboard' in Resource Group hq-production, using subscription-id '8f855cd4-XXXXXXXXXX‘

    15:15:53 Verbose | Authentication Context: https://login.microsoftonline.de/9960fe4d-XXXXXXXXXX

    15:15:53 Error | Hyak.Common.CloudException: SubscriptionNotFound: The subscription '8f855cd4-XXXXXXXXXX' could not be found.

    15:15:53 Error | at Microsoft.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

    15:15:53 Error | at Microsoft.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccess(Task task)

    15:15:53 Error | at Microsoft.Azure.Management.Resources.ResourceGroupOperationsExtensions.List(IResourceGroupOperations operations, ResourceGroupListParameters parameters)

    15:15:53 Error | at Calamari.Azure.Integration.Websites.Publishing.ResourceManagerPublishProfileProvider.GetPublishProperties(String subscriptionId, String resourceGroupName, String siteName, String tenantId, String applicationId, String password, String serviceManagementEndPoint, String activeDirectoryEndPoint) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari.Azure\Integration\Websites\Publishing\ResourceManagerPublishProfileProvider.cs:line 28

    15:15:53 Error | at Calamari.Azure.Deployment.Conventions.AzureWebAppConvention.GetPublishProfile(VariableDictionary variables) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari.Azure\Deployment\Conventions\AzureWebAppConvention.cs:line 96

    15:15:53 Error | at Calamari.Azure.Deployment.Conventions.AzureWebAppConvention.Install(RunningDeployment deployment) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari.Azure\Deployment\Conventions\AzureWebAppConvention.cs:line 29

    15:15:53 Error | at Calamari.Deployment.ConventionProcessor.RunInstallConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 60

    15:15:53 Error | at Calamari.Deployment.ConventionProcessor.RunConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 28

    15:15:53 Error | Running rollback conventions...

    15:15:53 Error | Hyak.Common.CloudException: SubscriptionNotFound: The subscription '8f855cd4-XXXXXXXXXXX‘ could not be found.

    15:15:53 Error | at Microsoft.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

    15:15:53 Error | at Microsoft.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccess(Task task)

    15:15:53 Error | at Microsoft.Azure.Management.Resources.ResourceGroupOperationsExtensions.List(IResourceGroupOperations operations, ResourceGroupListParameters parameters)

    15:15:53 Error | at Calamari.Azure.Integration.Websites.Publishing.ResourceManagerPublishProfileProvider.GetPublishProperties(String subscriptionId, String resourceGroupName, String siteName, String tenantId, String applicationId, String password, String serviceManagementEndPoint, String activeDirectoryEndPoint) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari.Azure\Integration\Websites\Publishing\ResourceManagerPublishProfileProvider.cs:line 28

    15:15:53 Error | at Calamari.Azure.Deployment.Conventions.AzureWebAppConvention.GetPublishProfile(VariableDictionary variables) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari.Azure\Deployment\Conventions\AzureWebAppConvention.cs:line 96

    15:15:53 Error | at Calamari.Azure.Deployment.Conventions.AzureWebAppConvention.Install(RunningDeployment deployment) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari.Azure\Deployment\Conventions\AzureWebAppConvention.cs:line 29

    15:15:53 Error | at Calamari.Deployment.ConventionProcessor.RunInstallConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 60

    15:15:53 Error | at Calamari.Deployment.ConventionProcessor.RunConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 50

    15:15:53 Error | at Calamari.Azure.Commands.DeployAzureWebCommand.Execute(String[] commandLineArguments) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari.Azure\Commands\DeployAzureWebCommand.cs:line 86

    15:15:53 Error | at Calamari.Program.Execute(String[] args) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Program.cs:line 45

    15:15:54 Fatal | The remote script failed with exit code 100

    15:15:54 Verbose | at Octopus.Worker.Scripting.ScriptResult.EnsureSuccessful() in Z:\buildAgent\workDir\eec88466c176b607\source\Octopus.Worker\Scripting\ScriptResult.cs:line 69

                        | at Octopus.Server.Orchestration.Deploy.DeploymentTaskController.<>c__DisplayClass24_0.<ExecuteActionAndInitLoggingContext>b__0() in Z:\buildAgent\workDir\eec88466c176b607\source\Octopus.Server\Orchestration\Deploy\DeploymentTaskController.cs:line 280

                        | at Octopus.Server.Orchestration.Deploy.DeploymentTaskController.ExecuteWithTransientErrorDetection(Action action, Machine machine) in Z:\buildAgent\workDir\eec88466c176b607\source\Octopus.Server\Orchestration\Deploy\DeploymentTaskController.cs:line 384

                        | at Octopus.Server.Orchestration.Deploy.DeploymentTaskController.ExecuteActionAndInitLoggingContext(PlannedStep step, Machine machine, PlannedAction action) in Z:\buildAgent\workDir\eec88466c176b607\source\Octopus.Server\Orchestration\Deploy\DeploymentTaskController.cs:line 278

    Thanks a lot!
    Sebastian

    From: Sebastian Rösch<mailto:[email blocked]>
    Sent: Freitag, 9. Dezember 2016 04:12
    To: Michael Richardson<mailto:[email blocked]>
    Subject: Re: Azure Deploy to non-global regions [Questions #10032]

    Hi Michael,

    No problem, thanks, I will try again.

  6. Support Staff 6 Posted by Michael Richard... on 21 Dec, 2016 11:29 PM

    Michael Richardson's Avatar

    Sebastian,

    Looking at the bottom of this class from the Azure PowerShell repository, it would seem your value of https://login.microsoftonline.de is correct for the Authentication Endpoint.
    Perhaps try https://management.microsoftazure.de/ for the Octopus.Action.Azure.ServiceManagementEndPoint value?

    If that doesn't help, Calamari (our executable that performs deployments) is open-source. The class that is throwing the exception can be seen here, and also of interest is where the authorization token is built here.
    You could try extracting this code out so you can play and debug it.

    You are quite possibly the first person attempting this, as I believe the contributor of that functionality was using Azure China.

    Regards,
    Michael

  7. 7 Posted by Sebastian on 03 Jan, 2017 11:39 PM

    Sebastian's Avatar

    Hi Michael,

    Thank you for the help. I managed to identify the issue and fix it. I created a pull request and would love to hear your feedback.
    https://github.com/OctopusDeploy/Calamari/pull/145

    Thank you,
    Sebastian

  8. 8 Posted by Sebastian on 06 Jan, 2017 06:58 PM

    Sebastian's Avatar

    Hi Michael,

    I wrote a short post about how Azure Web App deploy works for me in Azure Germany with Octopus. Maybe interesting for you?

    http://www.hellohq.io/octopus-deploy-with-azure-germany/

    Best regards,

    Sebastian

  9. Support Staff 9 Posted by Robert Wagner on 09 Jan, 2017 12:44 AM

    Robert Wagner's Avatar

    Hi Sebastian,

    That looks awesome! I'm planning on finishing that PR merge today. We don't have access to any non-public Azure regions, which hampers us a bit.

    Regards,

    Robert W

  10. Support Staff 10 Posted by Robert Wagner on 10 Jan, 2017 05:02 AM

    Robert Wagner's Avatar

    Hi Sebastian,

    I've added the latest version of Calamari into the main Octopus release, and it will be included in 3.7.14.

    I had to modify your change to add a separate variable, as each region has two different management API endpoints. See this Octopus issue for details.

    Thanks again for your contribution.

    Robert W

  11. 11 Posted by Sebastian on 10 Jan, 2017 08:39 AM

    Sebastian's Avatar

    Hi Robert,

    Any time, thanks a lot for the help. Looking forward to the release.

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:

»

Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac

Recent Discussions

20 Jan, 2017 05:23 AM
20 Jan, 2017 04:24 AM
20 Jan, 2017 03:16 AM
20 Jan, 2017 02:36 AM
20 Jan, 2017 02:32 AM