My customers love to use VSTS to enable their DevOps capabilities, but in some cases they are not able to use the Hosted Agents due to security restrictions. In that case, the alternative is to use Private Agents. For detailed description on differences between the two configurations checkout this article.
In this blog we’ll discuss how to automagically deploy a VSTS Private Agent with Azure Resource Manager (ARM) and some PowerShell.
The example does the following:
- Creates an azure VM based using a gallery image
- Uses a custom script extension via PowerShell to download the latest VSTS extension to the VM
- Installs and configures the VSTS extension
- Registers the Private Agent with an existing VSTS Agent Pool
The scripts referenced below are based on A Visual Studio based Visual Studio Team Services (VSTS) Build Agent Vm, but I’ve made improvements and simplifications to make them more enterprise ready.
Some of the improvements/modification are:
- Removed public IP from VM template
- Used the latest Azure gallery image for Windows Server 2016 with VS 2017 community edition
- Updated ARM APIs to use the latest versions
- Updated the template to use an existing vNet and subnet (private address space)
- Updated the VM to use managed disks (no storage account required)
- An Azure Subscription and an account with permissions to create Azure VMs
- An existing vNet and subnet in your Azure Subscription (private address space)
- A VSTS Account
- A Personal Access Token to register the Private Agent with VSTS
- An existing VSTS Agent Pool to register your Private Agent
Step 1 – Configure the Parameters for the ARM Template
Step 2 – Execute the PowerShell Script to run the ARM Template
Open your favorite editor and run the
deploy.ps1 script. The script does a few basic things:
- Sets the required variables
- Logs in to Azure
- Selects the right Azure Subscription
- Creates the Resource Group for your VM
- Tests the ARM Template
- Executes the ARM Template
The ARM Template
azuredeploy.json file does the following:
- Creates the Azure VM and deploys it into the existing vNet and subnet you provided
- Executes the custom script extension which calls the
installvstsagent.ps1file that does all the heavy lifting. It downloads the latest agent, installs the agent, configures the agent and registers it with the existing VSTS Pool you have specified in the ARM Template parameters file.
Note: the script currently downloads the
installvstsagent.ps1 from a public GitHub URL. To make it more secure you could get the file from an Azure Storage Account. Also, all the parameters/secrets could be tokenized into the configuration file and/or retrieved from Azure Key Vault.
Assuming everything funtions properly, in 5 to 10 minutes you should be able to see the registered Private Agent in your VSTS Agent Pool.