0

In order to run my acceptance tests, I need to define a known good state on the database running on SQL Azure. I have the tests running fine locally and have set up the connection string to update my instance of SQL on Azure PaaS. The tests will run after the database is deployed using VSTS. In order for the deploying process to run my acceptance tests, I need the process running the Visual Studio Team System tests to have access to the database. VSTS apparently runs in the East US Azure zone. Given there are potentially hundreds of IP addresses I would need to whitelist, is there a more secure way of doing this: grabbing the IP address of the deploying process and then allowing this IP address access to the database as part of the deployment?

johnstaveley

1 Answer

3

You can add and remove firewall rules by calling the New-AzureRmSqlServerFirewallRule and Remove-AzureRmSqlServerFirewallRule PowerShell commands.

Refer to the thread below to do it during the build/release: Deploy Dacpac packages via power shell script to Azure SQL Server

First, you need to add firewall rule in order to connect to Azure SQL Server.

  1. Edit your build definition
  2. Select Option tab and check Allow Scripts to Access OAuth Token
  3. Add Azure PowerShell step (arguments: -RestAddress https://[account].vsdtl.visualstudio.com/DefaultCollection/_apis/vslabs/ipaddress -Token $(System.AccessToken) -RG [resource group] -Server [server name] -ruleName $(Build.BuildNumber))

Code:

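param (
    [string]$RestAddress,
    [string]$Token,
    [string]$RG,
    [string]$Server
    )
# Build a Basic authorization header from the OAuth token (the user name is ignored)
$basicAuth = ("{0}:{1}" -f 'test',$Token)
$basicAuth = [System.Text.Encoding]::UTF8.GetBytes($basicAuth)
$basicAuth = [System.Convert]::ToBase64String($basicAuth)
$headers = @{Authorization=("Basic {0}" -f $basicAuth)}
# Ask the service for the IP address of the agent running this step
$result = Invoke-RestMethod -Uri $RestAddress -Headers $headers -Method Get
Write-Host $result.value
# Allow only that single address. The rule name is fixed here; the -ruleName
# argument from step 3 is not declared in param and is not used.
New-AzureRmSqlServerFirewallRule -ResourceGroupName $RG -ServerName $Server -FirewallRuleName "UnitTestRule" -StartIpAddress "$($result.value)" -EndIpAddress "$($result.value)"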

Update:

Allow Scripts to Access OAuth Token for release:

  1. Edit release definition
  2. Click Run On Agent
  3. Check Allow Scripts to Access OAuth Token option

starian chen-MSFT
  • Hi, I need to run this as part of my deployment. I have done what you said but it fails with 'The term 'System.AccessToken' is not recognized as the name of a cmdlet, function, script file, or operable program'. I presume because I have checked 'Allow Scripts to Access OAuth Token' on build instead of release. Is there any way to do this on release? I presume I need the SQL server to exist before I can grant firewall access to it? – johnstaveley Apr 13 '17 at 14:57
  • @johnstaveley 1. Edit release definition 2. Click Run On Agent 3. Check Allow Scripts to Access OAuth Token option. I updated my answer. – starian chen-MSFT Apr 14 '17 at 01:39
  • I've got a problem, but Azure gives you such a pathetic limit on the length of the PowerShell script you can run that it is causing problems debugging – johnstaveley Apr 18 '17 at 13:43
  • I think you need to modify your script to include a unique name set for the firewall rule. This way the deployment becomes idempotent. If you redeploy a rule 'UnitTestName' it fails – johnstaveley Apr 18 '17 at 17:01
  • @johnstaveley Yes, it should be a unique name. It's just a sample; you can use the build number, and you can also delete the rule at the end of the build. On the other hand, what is the detailed error message for the pathetic limit on the length of the PowerShell script? – starian chen-MSFT Apr 19 '17 at 00:42
  • No error message, just stops me typing. I put in your script above and it got truncated so now I have to put it in as part of the build – johnstaveley Apr 19 '17 at 05:01
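
The points raised in the answer and its comments (a unique rule name, safe re-runs, deleting the rule at the end of the build) can be combined in one script. This is an added example, not the answerer's script: the -Action parameter is a hypothetical addition, and it assumes the AzureRM.Sql module (which also provides Get- and Set-AzureRmSqlServerFirewallRule) in an authenticated Azure PowerShell step.

```powershell
# Added example: open the SQL firewall for the agent's single IP before the tests
# and close it afterwards. -Action is a hypothetical parameter for this sketch.
param (
    [Parameter(Mandatory = $true)][ValidateSet('Add', 'Remove')][string]$Action,
    [Parameter(Mandatory = $true)][string]$RG,
    [Parameter(Mandatory = $true)][string]$Server,
    [Parameter(Mandatory = $true)][string]$RuleName,   # e.g. $(Build.BuildNumber)
    [string]$RestAddress,
    [string]$Token
)
$ErrorActionPreference = 'Stop'
$target = @{ ResourceGroupName = $RG; ServerName = $Server; FirewallRuleName = $RuleName }

# Look the rule up by listing and filtering, so a missing rule is not an error.
$existing = Get-AzureRmSqlServerFirewallRule -ResourceGroupName $RG -ServerName $Server |
    Where-Object { $_.FirewallRuleName -eq $RuleName }

if ($Action -eq 'Remove') {
    # Run this step after the tests, even when they fail, so no rule is left behind.
    if ($existing) { Remove-AzureRmSqlServerFirewallRule @target -Force | Out-Null }
    return
}

# Same agent-IP lookup as the answer's script.
$basicAuth = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("test:$Token"))
$result = Invoke-RestMethod -Uri $RestAddress -Headers @{ Authorization = "Basic $basicAuth" } -Method Get

# Refuse to change the firewall unless the response is exactly one IPv4 address.
$ip = $null
$candidate = [string]$result.value
if (-not ([System.Net.IPAddress]::TryParse($candidate, [ref]$ip)) -or
    $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
    throw "Unexpected agent address '$candidate'; no firewall rule was created."
}

# Re-running with the same rule name updates the rule instead of failing.
if ($existing) {
    Set-AzureRmSqlServerFirewallRule @target -StartIpAddress "$ip" -EndIpAddress "$ip" | Out-Null
} else {
    New-AzureRmSqlServerFirewallRule @target -StartIpAddress "$ip" -EndIpAddress "$ip" | Out-Null
}
Write-Host "Firewall rule '$RuleName' allows $ip"
```

Add it as two Azure PowerShell steps around the test step: one with -Action Add plus the -RestAddress and -Token arguments from step 3, and one with -Action Remove that is set to run even if the tests fail.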