Impact of Evergreen Platforms on Development and how not to handle it

  • Authentication libraries: ADAL has been deprecated.
  • Platform libraries: Azure AD Graph has been deprecated, and PnP JS Core has moved from V2 to V3.
  • Platform as a Service updates, such as Azure Functions V4 and language versions, e.g. Node 10 is no longer available.
  • Azure best practice: the use of Microsoft’s Cloud Adoption Framework with its Landing Zones, or using Managed Identities instead of Azure AD App Registrations.
  • DevOps functionality, such as multi-stage Azure DevOps Pipelines and the deprecation of hosted deployment clients such as Windows 2012.
  • Credential timeouts: for example, Azure DevOps PAT and certificate validity are now recommended to be three months or less.

What happened?

What we should have done

  1. Ensure your baseline: we ran a deployment ‘as is’ into the UAT environment and fixed up any issues with certificates and tokens.
  2. We upgraded MSAL to ADAL using existing versions of libraries.
  3. We deployed to production.
  4. We moved onto the next project.

Lessons learned, or how to future proof evergreen

Be Agile — Be Deployable

Refactor — don’t rewrite

Refresh credentials — frequently

  • Use resources that manage their own credentials. Azure Managed Identities are a good example: they roll their own certificates automatically, so all you need to do is specify which identity to use.
  • We have had some good experiences with generating credentials on the fly, for example changing the password on a SQL Server’s admin account in a pipeline, attaching, performing the work and then setting the password to a random value which we don’t store.
  • If you have to store credentials, put them in a key vault, but implement something that will automatically refresh them (we recommend every six weeks or less), then retrieve them as needed. Recently a development team asked us for ‘get’ only permission on a key vault; they didn’t even want ‘list’, as they know exactly which secret they need and don’t need to be able to scan the vault for all secrets.
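As an added example (not code from the original post), the "refresh every six weeks or less" rule turned into a check a pipeline can run over a Key Vault secret listing: it flags secrets that are past the rotation window, have no expiry, or are about to expire, generates a replacement value that is never persisted outside the vault, and builds the `az keyvault secret set` calls. The listing below is constructed to resemble `az keyvault secret list` output (field names assumed), and the vault name is a placeholder.

```python
import json
import secrets
from datetime import datetime, timedelta

# Constructed sample in the shape of `az keyvault secret list` output (field names assumed).
SAMPLE_LISTING = json.dumps([
    {"name": "sql-admin-password", "attributes": {"enabled": True,
     "updated": "2024-01-02T09:00:00+00:00", "expires": "2024-12-31T00:00:00+00:00"}},
    {"name": "devops-pat", "attributes": {"enabled": True,
     "updated": "2024-02-20T09:00:00+00:00", "expires": None}},
    {"name": "app-client-secret", "attributes": {"enabled": True,
     "updated": "2024-03-01T09:00:00+00:00", "expires": "2024-03-25T00:00:00+00:00"}},
    {"name": "retired-key", "attributes": {"enabled": False,
     "updated": "2023-01-01T09:00:00+00:00", "expires": None}},
])

MAX_AGE = timedelta(weeks=6)      # the post's "six weeks or less" rotation window
EXPIRY_GRACE = timedelta(days=7)  # rotate before a secret expires and breaks a deployment


def _parse(ts):
    return datetime.fromisoformat(ts) if ts else None


def secrets_due_for_rotation(listing_json, now_iso, max_age=MAX_AGE, grace=EXPIRY_GRACE):
    """Return {name: reason} for every enabled secret that needs refreshing: last set
    more than max_age ago, no expiry at all, or expiring inside the grace window."""
    now, due = _parse(now_iso), {}
    for item in json.loads(listing_json):
        attrs = item["attributes"]
        if not attrs.get("enabled", True):
            continue  # disabled secrets are out of scope for rotation
        updated, expires = _parse(attrs.get("updated")), _parse(attrs.get("expires"))
        if updated is None or now - updated > max_age:
            due[item["name"]] = "older than rotation window"
        elif expires is None:
            due[item["name"]] = "no expiry set"
        elif expires - now < grace:
            due[item["name"]] = "expires within grace window"
    return due


def new_secret_value(nbytes=32):
    """Random replacement generated at rotation time; it goes into the vault and nowhere else."""
    return secrets.token_urlsafe(nbytes)


def rotation_plan(listing_json, now_iso, vault="VAULT-NAME"):
    """Assumed shape of the az CLI calls a pipeline step would run (vault name is a placeholder)."""
    expires = (_parse(now_iso) + MAX_AGE).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [["az", "keyvault", "secret", "set", "--vault-name", vault, "--name", n,
             "--value", new_secret_value(), "--expires", expires]
            for n in secrets_due_for_rotation(listing_json, now_iso)]
```

Each argv list is meant for `subprocess.run` rather than a shell string, so the generated value is never exposed to shell quoting or a command-line log that echoes the script.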

Be supported — yes, it’s a hidden cost
