Scripts Catalog

The Devops/azure/scripts/ directory contains PowerShell and Bash scripts that support infrastructure provisioning, service management, secret management, and maintenance tasks. This page catalogs the actual script directories and their key scripts.


Directory Structure

Devops/azure/scripts/
├── changelog/          # Changelog generation and release note scripts
├── detect/             # Change detection scripts (services and frontend apps)
│   ├── Detect-ContainerServicesDeployment.ps1
│   └── Detect-FrontendApps.ps1
├── infra/              # Infrastructure provisioning and management
│   ├── Build-BicepParams.ps1
│   ├── Build-BulkSecrets.ps1
│   ├── Get-EnvironmentConfig.ps1
│   ├── Validate-ServicesConfig.ps1
│   ├── Resolve-ServiceConfig.ps1
│   └── Deprovision-Environment.ps1
├── lib/                # Shared PowerShell modules
│   └── PipelineHelpers.psm1
├── notify/             # Notification helper scripts (Teams webhooks, etc.)
├── pipeline/           # Pipeline utility scripts
├── scrum/              # Scrum automation and ADO work item scripts
├── secrets/            # Secret rotation and management
├── sql/                # SQL Server management scripts
└── workitems/          # Azure DevOps work item integration

Actual Directories Only

The scripts directory contains only the directories listed above: changelog, detect, infra, lib, notify, pipeline, scrum, secrets, sql, and workitems. There are no services/, database/, keycloak/, monitoring/, or frontend/ subdirectories.


Script Reference

infra/Build-BicepParams.ps1

Converts services-config.json into a Bicep parameter file for infrastructure deployment.

powershell
# Usage
./Build-BicepParams.ps1 -Environment dev
./Build-BicepParams.ps1 -Environment stage -OutputPath custom.bicepparam

When to run: Automatically called by provision-infra.stage.yml. Run manually when debugging Bicep parameter generation.


infra/Build-BulkSecrets.ps1

Generates the bulk secrets JSON used to seed Key Vault. Combines pipeline variable values with URL template expansion from services-config.json's secretRegistry.

powershell
./Build-BulkSecrets.ps1 -Environment dev -OutputPath ./bulk-secrets.json

When to run: Called automatically by the Initialize stage during provisioning.


infra/Validate-ServicesConfig.ps1

Validates services-config.json against the JSON schema and applies business logic checks:

  • All service repository keys exist in the repositories block
  • No duplicate imageName values
  • networkProfile is public or private
  • imageName matches Azure naming rules (lowercase, alphanumeric, hyphens)
powershell
./Validate-ServicesConfig.ps1 -ConfigPath ./config/container-backend/services-config.json

When to run: Before committing any change to services-config.json; automatically run at the start of the Initialize stage.
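The four business-logic checks listed above can be sketched as follows. This is an added example, not the project's Validate-ServicesConfig.ps1; the JSON layout, the field names other than imageName and networkProfile, and the function name Test-ServicesConfigRules are assumptions made for illustration.

```powershell
# Added illustration. The JSON layout (repositories map, services array, and the
# name/repository fields) is an assumed shape; the sample data is constructed.
$sampleJson = @'
{
  "repositories": { "backend": {}, "gateway": {} },
  "services": [
    { "name": "AppsPortal.Apis", "repository": "backend", "imageName": "appsportal-apis", "networkProfile": "private" },
    { "name": "Gateway.Api",     "repository": "gatewy",  "imageName": "Gateway_Api",     "networkProfile": "internal" },
    { "name": "Reports.Api",     "repository": "backend", "imageName": "appsportal-apis", "networkProfile": "public" }
  ]
}
'@

function Test-ServicesConfigRules {
    param([Parameter(Mandatory)][string]$Json)

    $config   = $Json | ConvertFrom-Json
    $repoKeys = @($config.repositories.PSObject.Properties.Name)
    $errors   = [System.Collections.Generic.List[string]]::new()

    foreach ($svc in $config.services) {
        # Check 1: the service must reference a key that exists in the repositories block.
        if ($svc.repository -notin $repoKeys) {
            $errors.Add("$($svc.name): repository '$($svc.repository)' is not defined in repositories")
        }
        # Check 3: networkProfile is an allow-list, compared case-sensitively.
        if ($svc.networkProfile -cnotin @('public', 'private')) {
            $errors.Add("$($svc.name): networkProfile '$($svc.networkProfile)' must be public or private")
        }
        # Check 4: lowercase letters, digits and hyphens only (-cnotmatch is case-sensitive).
        if ($svc.imageName -cnotmatch '^[a-z0-9-]+$') {
            $errors.Add("$($svc.name): imageName '$($svc.imageName)' has characters outside a-z, 0-9, -")
        }
    }

    # Check 2: no two services may share an imageName (Group-Object compares case-insensitively).
    $config.services | Group-Object -Property imageName | Where-Object Count -gt 1 | ForEach-Object {
        $errors.Add("duplicate imageName '$($_.Name)' used by: $($_.Group.name -join ', ')")
    }
    return $errors
}

# Collect every violation in one pass so the author sees all problems at once.
$problems = @(Test-ServicesConfigRules -Json $sampleJson)
$problems | ForEach-Object { Write-Warning $_ }
"{0} rule violation(s) found" -f $problems.Count
```

Treating networkProfile as a strict allow-list means a typo such as "internal" fails validation instead of falling through to whatever default the deployment templates apply.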


infra/Get-EnvironmentConfig.ps1

Loads and merges the environment-specific section of services-config.json, resolving any per-environment overrides.

powershell
$envConfig = ./Get-EnvironmentConfig.ps1 -Environment stage

infra/Resolve-ServiceConfig.ps1

Resolves service profile inheritance chains to produce a flat, fully-resolved configuration object for a service. Merges defaultsprofile → service-level overrides.

powershell
$resolved = ./Resolve-ServiceConfig.ps1 -ServiceName "AppsPortal.Apis" -Environment dev

infra/Deprovision-Environment.ps1

Tears down all resource groups for a specified environment in safe order: removes resource locks first, then deletes resource groups.

powershell
./Deprovision-Environment.ps1 -Environment sandbox

Destructive

This script permanently deletes Azure resources. Run only with explicit authorization and after verifying data is backed up.


detect/Detect-ContainerServicesDeployment.ps1

Determines which services need to be built and deployed in a pipeline run, based on:

  1. Git diff of changed files vs each service's projectPath
  2. Manual serviceToggles passed as pipeline parameters
  3. deployMode (manual, branch, force-all)
powershell
# PowerShell continues a line with a trailing backtick, not a backslash
./Detect-ContainerServicesDeployment.ps1 `
  -Environment dev `
  -DeployMode branch `
  -ServiceTogglesJson '{"svc_gatewayApi": false, "svc_appsportalApi": true}'

When to run: Automatically called by detect-container-services.job.yml at the start of every pipeline run.


detect/Detect-FrontendApps.ps1

Same detection logic for Angular frontend apps. Compares changed files against each app's source directory defined in apps-config.json.

powershell
./Detect-FrontendApps.ps1 -Environment dev -DeployMode branch

lib/PipelineHelpers.psm1

Shared PowerShell module imported by all other scripts. Provides:

  • Write-Banner — Formatted section headers in pipeline logs
  • Set-PipelineVariable — Sets an ADO pipeline variable with ##vso[task.setvariable]
  • Invoke-AzCli — Wrapper around az CLI with error handling
  • Environment and resource name resolution helpers
powershell
Import-Module ./lib/PipelineHelpers.psm1
Write-Banner "Deploying to Stage"
Set-PipelineVariable -Name "ENVIRONMENT" -Value "stage"

secrets/ Directory

Contains scripts for secret rotation and management. Key operations:

  • Rotating the XApiKey / AppApiKey (internal service-to-service key)
  • Rotating SQL service account passwords
  • Auditing Key Vault secrets (creation date, last accessed, age)

Secret Naming Convention

Key Vault secret names use double-dash (--) for hierarchy separators. Example: ConnectionStrings__Default becomes connectionstrings--default in Key Vault.


sql/ Directory

Contains SQL Server management scripts for:

  • Tenant database creation and connection string registration
  • SQL authentication mode configuration (password vs. Entra ID)
  • SQL Server Entra AD external login setup

scrum/ and workitems/ Directories

ADO work item integration scripts used by the scrum automation pipeline:

  • Updating work items on pipeline completion
  • Sprint board hygiene checks
  • Release readiness reporting

Running Scripts Locally

Prerequisites for running any script locally:

bash
# 1. Install Azure CLI
brew install azure-cli  # macOS

# 2. Log in
az login

# 3. Set the correct subscription
az account set --subscription "Microtec ERP Dev"

# 4. Install PowerShell (for .ps1 scripts)
brew install powershell
pwsh

Import the shared module before running any script:

powershell
cd Devops/azure/scripts
Import-Module ./lib/PipelineHelpers.psm1

Internal Documentation — Microtec Platform Team