Deploy to Azure Container Apps from Azure Pipelines

Azure Container Apps allows you to use Azure Pipelines to publish revisions to your container app. As commits are pushed to your Azure DevOps repository, a pipeline is triggered which updates the container image in the container registry. Azure Container Apps creates a new revision based on the updated container image.

Commits to a specific branch in your repository trigger the pipeline. When creating the pipeline, you decide which branch is the trigger.

Container Apps Azure Pipelines task

The task supports the following scenarios:

  • Build from a Dockerfile and deploy to Container Apps
  • Build from source code without a Dockerfile and deploy to Container Apps. Supported languages include .NET, Java, Node.js, PHP, and Python
  • Deploy an existing container image to Container Apps

With the production release, this task comes with Azure DevOps and no longer requires explicit installation. For the complete documentation, see AzureContainerApps@1 - Azure Container Apps Deploy v1 task.

Usage examples

Here are some common scenarios for using the task. For more information, see the task's documentation.

Build and deploy to Container Apps

The following snippet shows how to build a container image from source code and deploy it to Container Apps.

steps:
- task: AzureContainerApps@1
  inputs:
    appSourcePath: '$(Build.SourcesDirectory)/src'
    azureSubscription: 'my-subscription-service-connection'
    acrName: 'myregistry'
    containerAppName: 'my-container-app'
    resourceGroup: 'my-container-app-rg'

The task uses the Dockerfile in appSourcePath to build the container image. If no Dockerfile is found, the task attempts to build the container image from source code in appSourcePath.

Deploy an existing container image to Container Apps

The following snippet shows how to deploy an existing container image to Container Apps. The task authenticates with the registry using the service connection. If the service connection's identity isn't assigned the AcrPush role for the registry, supply the registry's admin credentials using the acrUsername and acrPassword input parameters.

steps:
  - task: AzureContainerApps@1
    inputs:
      azureSubscription: 'my-subscription-service-connection'
      containerAppName: 'my-container-app'
      resourceGroup: 'my-container-app-rg'
      imageToDeploy: 'myregistry.azurecr.cn/my-container-app:$(Build.BuildId)'

Important

If you're building a container image in a separate step, make sure you use a unique tag such as the build ID instead of a stable tag like latest. For more information, see Image tag best practices.

Authenticate with Azure Container Registry

The Azure Container Apps task needs to authenticate with your Azure Container Registry to push the container image. The container app also needs to authenticate with your Azure Container Registry to pull the container image.

To push images, the task automatically authenticates with the container registry specified in acrName using the service connection provided in azureSubscription. If the service connection's identity isn't assigned the AcrPush role for the registry, supply the registry's admin credentials using acrUsername and acrPassword.

To pull images, Azure Container Apps uses either managed identity (recommended) or admin credentials to authenticate with the Azure Container Registry. To use managed identity, the target container app for the task must be configured to use managed identity. To authenticate with the registry's admin credentials, set the task's acrUsername and acrPassword inputs.

Configuration

Take the following steps to configure an Azure DevOps pipeline to deploy to Azure Container Apps.

  • Create an Azure DevOps repository for your app
  • Create a container app with managed identity enabled
  • Assign the AcrPull role for the Azure Container Registry to the container app's managed identity
  • Install the Azure Container Apps task from the Azure DevOps Marketplace
  • Configure an Azure DevOps service connection for your Azure subscription
  • Create an Azure DevOps pipeline

Prerequisites

Requirement Instructions
Azure account If you don't have one, create a trial subscription. You need the Contributor or Owner permission on the Azure subscription to proceed. Refer to Assign Azure roles using the Azure portal for details.
Azure DevOps project Go to Azure DevOps and select Start free. Then create a new project.
Azure CLI Install the Azure CLI.

Create an Azure DevOps repository and clone the source code

Before creating a pipeline, the source code for your app must be in a repository.

  1. Sign in to Azure DevOps and navigate to your project.

  2. Open the Repos page.

  3. In the top navigation bar, select the repositories dropdown and select Import repository.

  4. Enter the following information and select Import:

    Field Value
    Repository type Git
    Clone URL https://github.com/Azure-Samples/containerapps-albumapi-csharp.git
    Name my-container-app
  5. Select Clone to view the repository URL and copy it.

  6. Open a terminal and run the following command to clone the repository:

    git clone <REPOSITORY_URL> my-container-app
    

    Replace <REPOSITORY_URL> with the URL you copied.

Create a container app and configure managed identity

Create your container app using the az containerapp up command with the following steps. This command creates Azure resources, builds the container image, stores the image in a registry, and deploys to a container app.

After your app is created, you can add a managed identity to your app and assign the identity the AcrPull role to allow the identity to pull images from the registry.

  1. Change into the src folder of the cloned repository.

    cd my-container-app
    cd src
    
  2. Create Azure resources and deploy a container app with the az containerapp up command.

    az containerapp up \
      --name my-container-app \
      --source . \
      --ingress external 
    
  3. In the command output, note the name of the Azure Container Registry.

  4. Get the full resource ID of the container registry.

    az acr show --name <ACR_NAME> --query id --output tsv
    

    Replace <ACR_NAME> with the name of your registry.

  5. Enable managed identity for the container app.

    az containerapp identity assign \
      --name my-container-app \
      --resource-group my-container-app-rg \
      --system-assigned \
      --output tsv
    

    Note the principal ID of the managed identity in the command output.

  6. Assign the AcrPull role for the Azure Container Registry to the container app's managed identity.

    az role assignment create \
      --assignee <MANAGED_IDENTITY_PRINCIPAL_ID> \
      --role AcrPull \
      --scope <ACR_RESOURCE_ID>
    

    Replace <MANAGED_IDENTITY_PRINCIPAL_ID> with the principal ID of the managed identity and <ACR_RESOURCE_ID> with the resource ID of the Azure Container Registry.

  7. Configure the container app to use the managed identity to pull images from the Azure Container Registry.

    az containerapp registry set \
      --name my-container-app \
      --resource-group my-container-app-rg \
      --server <ACR_NAME>.azurecr.io \
      --identity system
    

    Replace <ACR_NAME> with the name of your Azure Container Registry.

Create an Azure DevOps service connection

To deploy to Azure Container Apps, you need to create an Azure DevOps service connection for your Azure subscription.

  1. In Azure DevOps, select Project settings.

  2. Select Service connections.

  3. Select New service connection.

  4. Select Azure Resource Manager.

  5. Select Service principal (automatic) and select Next.

  6. Enter the following information and select Save:

    Field Value
    Subscription Select your Azure subscription.
    Resource group Select the resource group (my-container-app-rg) that contains your container app and container registry.
    Service connection name my-subscription-service-connection

To learn more about service connections, see Connect to Azure.

Create an Azure DevOps YAML pipeline

  1. In your Azure DevOps project, select Pipelines.

  2. Select New pipeline.

  3. Select Azure Repos Git.

  4. Select the repo that contains your source code (my-container-app).

  5. Select Starter pipeline.

  6. In the editor, replace the contents of the file with the following YAML:

    trigger:
      branches:
        include:
          - main
    
    pool:
      vmImage: ubuntu-latest
    
    steps:
      - task: AzureContainerApps@1
        inputs:
          appSourcePath: '$(Build.SourcesDirectory)/src'
          azureSubscription: '<AZURE_SUBSCRIPTION_SERVICE_CONNECTION>'
          acrName: '<ACR_NAME>'
          containerAppName: 'my-container-app'
          resourceGroup: 'my-container-app-rg'
    

    Replace <AZURE_SUBSCRIPTION_SERVICE_CONNECTION> with the name of the Azure DevOps service connection (my-subscription-service-connection) you created in the previous step and <ACR_NAME> with the name of your Azure Container Registry.

  7. Select Save and run.

An Azure Pipelines run starts to build and deploy your container app. To check its progress, navigate to Pipelines and select the run. During the first pipeline run, you might be prompted to authorize the pipeline to use your service connection.

To deploy a new revision of your app, push a new commit to the main branch.