This page details how to use [Azure DevOps](https://azure.microsoft.com/en-us/services/devops/) to manage deploying
stacks based on commits to specific Git branches, and based on the build reason. You may also choose to introduce a
[Manual Intervention](https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/utility/manual-intervention?view=vsts) task to control the preview vs. update step for any Pulumi stack.
Pulumi doesn't require any particular arrangement of stacks or workflow to work in a
continuous integration / continuous deployment system. So the steps described here can be
altered to fit into any existing type of deployment setup.
- Learn more about how to [create a git repo in your DevOps project](https://docs.microsoft.com/en-us/azure/devops/organizations/projects/create-project?view=vsts&tabs=new-nav).
- Optional, but recommended: the [Pulumi Azure DevOps task extension](https://marketplace.visualstudio.com/items?itemName=pulumi.build-and-release-task).
- Optional for VSCode users: configure IntelliSense for the task extension as per [Task Extension Intellisense](https://github.com/microsoft/azure-pipelines-vscode#specific-schema).
Pulumi provides a task extension that lets you easily use Pulumi in your CI/CD pipelines. It can be used with the Azure Pipelines wizard UI or the YAML config.
The task handles installing the Pulumi CLI and running any commands without the need for any scripts.
> Pulumi Task Extension for Azure Pipelines can be used with [any cloud provider](#other-clouds) that Pulumi supports. You are not limited to using it only with Azure.
| Parameter Name | Required? | Parameter Description |
|----|---|----|
| stack | Yes | Name of stack being managed. Can be of the form `ORG/STACK` or `ORG/PROJECT/STACK`. |
| azureSubscription | No | Optionally reference a service connection. If not used, environment variables can be configured with the credentials needed for the applicable Pulumi providers. |
| command | No | The applicable `pulumi` CLI command (e.g. `preview`, `up`, `destroy`). |
| args | No | Option flags (e.g. `--yes`) that can be passed to the given `pulumi` command. Use space to separate multiple args. |
| cwd | No | The working directory to run the Pulumi commands. Use this if your Pulumi app is in a different directory. |
| versionSpec | No | The Pulumi version that should be used. Defaults to the latest version. To require a specific version, use the format `1.5.0`; to use the latest version, use `latest`. |
| createStack | No | Set to `true` if the stack should be created if it does not already exist. Defaults to `false`. |
| createPrComment | No | Set to `true` to add a comment to your Pull Request (PR). Can only be used in pipelines driven by PRs. Defaults to `false`. See [Log Pulumi Output as PR Comments](#log-pulumi-output-as-pr-comments). |
| useThreadedPrComments | No | Defaults to `true` to always add a comment to the previously-created comments thread. Set to `false` to have each comment added separately. |
### Using the Pulumi Task Extension
Install the Pulumi task from the [Visual Studio Marketplace](https://marketplace.visualstudio.com/items?itemName=pulumi.build-and-release-task) to your Azure DevOps organization.
The task requires the use of a service connection, which allows the pipeline to connect to your Azure Subscription. The task also looks for the build variable `pulumi.access.token` and automatically maps it to the environment variable `PULUMI_ACCESS_TOKEN`, which the CLI uses for non-interactive logins. You may still use the `env` directive to map any other environment variables you wish to make available to your Pulumi app.
### Log Pulumi Output as PR Comments {#log-pulumi-output-as-pr-comments}
> This feature is only supported for builds triggered by pull requests created in git repositories hosted by Azure DevOps. Repositories hosted by external VCS such as Bitbucket, GitHub, GitLab are not supported at this time.
The Pulumi task supports adding PR comments containing the log output from the Pulumi command that was executed in your build pipeline.
Your project's build service user will need additional permissions to perform that action. Follow these steps to grant the build service user the `Contribute to pull requests` permission:
- Navigate to the **Project Settings** page and select **Repositories** under the **Repos** heading.
- Select the repository where you will be using this feature and then select the **Security** tab.
- Now under the **Users** section find the build service user. If you are using the default build service user, the naming convention is `<Project name> Build Service` where `<Project name>` is your project's name.
- Change the value of `Contribute to pull requests` to `Allow`.
### Using The Pulumi Task Extension With Other Clouds {#other-clouds}
To use the Pulumi Task Extension for Azure Pipelines with other clouds, you can specify the necessary environment variables
as build variables or link variable groups to your build and release pipelines.
For example, if you are using the [AWS provider](/registry/packages/aws/), you can set the [environment variables](/registry/packages/aws/installation-configuration/)
Build variables are an important aspect of any CI/CD pipeline. We will use some pre-defined [system build variables](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=vsts&tabs=yaml%2Cbatch#system-defined-variables) provided
by the Azure DevOps pipeline to decide whether or not we should run an update on our infrastructure.
> Build variable formats differ based on the agent in which your job is running. See [this](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=vsts&tabs=yaml%2Cbatch#set-in-script) to learn more about how you can access a build variable correctly depending on your agent OS.
You can set [job-scoped output variables](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=vsts&tabs=yaml%2Cbatch#set-a-job-scoped-variable-from-a-script) or [multi-job variables](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=vsts&tabs=yaml%2Cbatch#set-an-output-multi-job-variable). In this article, we demonstrate the use of multi-job variables with job dependencies, using the `dependsOn` job constraint.
> If you are using the [Pulumi task extension](https://marketplace.visualstudio.com/items?itemName=pulumi.build-and-release-task) for Azure Pipelines, you don't need to manually configure the environment variables in your pipeline builds. You can use [Service Connections](https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops) to centralize access to your Azure subscription(s).
Ubuntu agent, and some on a Windows agent. If not using the task extension, `pulumi` can be installed on these agents by following the directions from [this](/docs/install/) page.
For the YAML-driven DevOps pipeline, the repository must contain the `azure-pipelines.yml` in the root of the repo for Azure DevOps to use it automatically.
The following are samples only. You may choose to structure your configuration any way you like.
### Sample `azure-pipelines.yml`
```yaml
# Node.js with Angular
# Build a Node.js project that uses Angular.
# Add steps that analyze code, save build artifacts, deploy, and more:
```

This `PowerShell` script builds the UI app, and uploads the `dist/` folder to an Azure Storage blob container. You don't have to use a script like this. You can always use the built-in Azure DevOps task to accomplish the steps in this script. This script is just an example of how `pulumi` can be easily integrated into your existing app.

```powershell
    Write-Host "All files in $localFolder uploaded to $containerName!"
} else {
    Write-Warning "'$storageAccountName' storage account not found."
}
```
## Using Scripts (Manual Approach)
If you prefer to control the installation of the Pulumi CLI and how it runs your Pulumi app, you can use scripts in your pipeline builds. Below are some sample scripts to help you get started in order to install the CLI and run your Pulumi app.
The `run-pulumi.sh` script runs `pulumi preview` for PR builds. For master branches, it runs `pulumi up --yes`, where `--yes` gives explicit consent to the update.
The following environment variables are set in the build pipeline using the Azure DevOps portal.
The above variables are _mapped-in_ to the job using the `env:` directive as described in [Set secret variables](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=vsts&tabs=yaml%2Cbatch#secret-variables).
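
The build-reason and branch decision described above for `run-pulumi.sh`, as an added example (not Pulumi's own script). It uses the Azure DevOps predefined variables `BUILD_REASON`, `BUILD_SOURCEBRANCH` and `TF_BUILD`, assumes a hypothetical `STACK_NAME` pipeline variable, and fails closed when the ref is not master or when `PULUMI_ACCESS_TOKEN` has not been mapped in with `env:`.

```bash
#!/usr/bin/env bash
# Added example, not Pulumi's own run-pulumi.sh.
# STACK_NAME is a hypothetical pipeline variable holding ORG/PROJECT/STACK.
set -eu

# Map a build to the only Pulumi action it may take.
# $1 = BUILD_REASON, $2 = BUILD_SOURCEBRANCH (Azure DevOps predefined variables)
pulumi_action() {
  if [ "${1:-}" = "PullRequest" ]; then
    echo "preview"   # PR builds never change infrastructure
  elif [ "${2:-}" = "refs/heads/master" ]; then
    echo "up"        # only builds of master may update the stack
  else
    echo "skip"      # any other branch or ref: do nothing
  fi
}

run_pulumi() {
  action="$(pulumi_action "${BUILD_REASON:-}" "${BUILD_SOURCEBRANCH:-}")"
  if [ "$action" = "skip" ]; then
    echo "No Pulumi action for ref '${BUILD_SOURCEBRANCH:-unknown}'."
    return 0
  fi
  # Secret variables reach a script only when mapped in with env:, so an
  # empty token means the mapping is missing. Stop before calling the CLI,
  # and never echo the token itself.
  if [ -z "${PULUMI_ACCESS_TOKEN:-}" ]; then
    echo "PULUMI_ACCESS_TOKEN is not set; map it in with env:." >&2
    return 1
  fi
  pulumi stack select "${STACK_NAME:?STACK_NAME must be set}"
  if [ "$action" = "up" ]; then
    pulumi up --yes
  else
    pulumi preview
  fi
}

# Azure Pipelines agents set TF_BUILD=True. Outside a pipeline the script
# only defines its functions, so it cannot update a stack by accident.
if [ "${TF_BUILD:-}" = "True" ]; then
  run_pulumi
fi
```

Checking the build reason before the branch means a PR build can never reach `pulumi up`, whatever ref it reports.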