DevOps Engineer Onboarding — Day 1
A practical guide to getting productive on the Microtec ERP platform as a DevOps engineer.
Prerequisites: Corporate Azure AD account provisioned, Azure DevOps invitation accepted
Stack: Azure, Bicep, Azure DevOps, Docker, Azure Container Apps, Azure SQL
Day 1 Checklist
- [ ] Azure subscription access verified
- [ ] Azure DevOps access verified
- [ ] Local tools installed (see Step 1)
- [ ] Repository access (all DevOps repos cloned)
- [ ] Pipeline variables walkthrough completed
- [ ] First `az` command run successfully against the `dev` environment
Step 1 — Install Required Tools
Install all tools before attempting anything else. Every tool listed is required.
Azure CLI
```bash
# macOS
brew install azure-cli
# Verify
az --version # Minimum: 2.55.0
```
Bicep CLI
```bash
# Install via Azure CLI (recommended — keeps Bicep in sync with az cli)
az bicep install
az bicep upgrade
# Verify
az bicep version # Minimum: 0.26.0
```
Docker
```bash
# macOS — install Docker Desktop from https://www.docker.com/products/docker-desktop
# Verify
docker --version # Minimum: 24.0
```
.NET SDK (for local NuGet restore testing)
```bash
# macOS
brew install dotnet-sdk
# Verify
dotnet --version # Must be 8.x
```
kubectl and kubelogin (if working with AKS, not required for ACA-only work)
```bash
az aks install-cli
```
Azure DevOps CLI extension
```bash
az extension add --name azure-devops
# Authenticate ADO CLI
az devops configure --defaults organization=https://dev.azure.com/microtec project=Microtec
az devops login # Paste a PAT when prompted
```
Step 2 — Azure Access
Login
```bash
az login
az account list -o table
# Set the ERP subscription as default
az account set --subscription "<ERP Subscription ID>"
# Verify you can list resource groups
az group list --query "[?starts_with(name, 'mic-erp')].[name]" -o tsv | head -20
```
Expected output: a list of resource groups matching `mic-erp-be-*` and `mic-erp-fr-*`.
Access Levels
| Resource | Expected Access Level |
|---|---|
| ERP subscription | Contributor |
| `mic-backend-shared-sql-rg` | Contributor |
| Azure DevOps | Project Administrator (Microtec project) |
| Key Vault (dev, stage) | Key Vault Secrets Officer |
| Key Vault (production) | Key Vault Reader (read-only — changes via pipeline) |
| ACR | AcrPush |
If any access is missing, contact your manager to raise an Azure AD PIM request.
Step 3 — Clone the Repositories
All DevOps configuration lives in the Devops repository:
```bash
# Main DevOps config repository
git clone https://dev.azure.com/microtec/Microtec/_git/Devops
# Explore the structure (stay in the parent directory; later steps use Devops/... paths)
ls Devops/azure/
# config/          ← services-config.json and pipeline variables
# infrastructure/  ← Bicep templates
# pipelines/       ← per-service pipeline YAML
# templates/       ← shared pipeline templates (including 16-stage DevSecOps)
# scripts/         ← utility PowerShell/bash scripts
```
You will also need the platform repository for local NuGet testing:
```bash
git clone https://dev.azure.com/microtec/Microtec/_git/Platforms
```
Step 4 — Understand the Key Configuration File
The most important file in the platform is services-config.json. Every pipeline deployment reads from it.
```bash
cat Devops/azure/config/container-backend/services-config.json | jq '.services | length'
# Expected: 14 (number of registered services)
cat Devops/azure/config/container-backend/services-config.json | jq '.services[].name'
# Lists all service names
```
Key fields per service entry:
| Field | Purpose |
|---|---|
| `name` | Container app name suffix; must match pipeline `serviceName` parameter |
| `image` | ACR image name (without tag or registry prefix) |
| `networkProfile` | `public` = Public CAE, `private` = Private CAE |
| `cpu` / `memory` | Must be a valid ACA pair (see table in deploy-new-service.md) |
| `environments.{env}` | Per-environment override for replicas, secrets, env vars |
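
The field rules above can be checked before a pipeline ever reads the file. The linter below is an added example, not part of the Devops repository. It assumes `cpu` is a number, `memory` is a string such as `"1Gi"`, the valid pairs are the Consumption-plan ones (memory in Gi equal to twice the vCPU count), and the environment shortnames match the variable group suffixes; the sample entries are constructed.

```python
import re

# Assumption: Consumption-plan pairs, 0.25 to 2 vCPU; deploy-new-service.md is authoritative.
VALID_PAIRS = {(n / 4, n / 2) for n in range(1, 9)}
# Assumption: environment shortnames follow the variable group suffixes.
KNOWN_ENVS = {"dev", "stage", "preprod", "uat", "production"}

def lint_services(config):
    """Return (service, problem) tuples for entries that break the field rules."""
    findings = []
    for i, svc in enumerate(config.get("services", [])):
        name = svc.get("name") or f"services[{i}]"
        image = svc.get("image") or ""
        if not image or ":" in image or ".azurecr.io" in image:
            findings.append((name, "image must have no tag or registry prefix"))
        if svc.get("networkProfile") not in ("public", "private"):
            findings.append((name, "networkProfile must be public or private"))
        # Assumed shapes: cpu is a number, memory a string such as "1Gi".
        mem = re.fullmatch(r"(\d+(?:\.\d+)?)Gi", str(svc.get("memory")))
        try:
            pair = (float(svc.get("cpu")), float(mem.group(1))) if mem else None
        except (TypeError, ValueError):
            pair = None
        if pair not in VALID_PAIRS:
            findings.append((name, "cpu/memory is not a valid ACA pair"))
        for env in svc.get("environments", {}):
            if env not in KNOWN_ENVS:
                findings.append((name, f"unknown environment {env!r}"))
    return findings

def public_services(config):
    """Names of services placed on the Public CAE, for exposure review."""
    return [s.get("name") for s in config.get("services", [])
            if s.get("networkProfile") == "public"]

# Constructed sample, not the real services-config.json.
SAMPLE = {"services": [
    {"name": "gateway", "image": "gateway", "networkProfile": "public",
     "cpu": 0.5, "memory": "1Gi", "environments": {"dev": {}, "production": {}}},
    {"name": "ledger", "image": "ledger", "networkProfile": "private",
     "cpu": 0.5, "memory": "2Gi", "environments": {"prod": {}}},
    {"name": "reports", "image": "micerpbedevacr.azurecr.io/reports:latest",
     "networkProfile": "Public", "cpu": 1, "memory": "2Gi"},
]}

if __name__ == "__main__":
    print(lint_services(SAMPLE))
    print("public:", public_services(SAMPLE))
```

Any service returned by `public_services` lands on the Public CAE, so a new name in that list is worth a second look in review.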
Step 5 — Azure DevOps Pipeline Variables Walkthrough
Navigate to Azure DevOps → Pipelines → Library → Variable Groups.
You will see one variable group per environment:
| Variable Group | Scope |
|---|---|
| `microtec-erp-dev` | Dev environment |
| `microtec-erp-stage` | Stage environment |
| `microtec-erp-preprod` | Preprod environment |
| `microtec-erp-uat` | UAT environment |
| `microtec-erp-production` | Production environment |
Key variables (same pattern across all groups)
| Variable | Description |
|---|---|
| `acr_name` | ACR name (e.g., `micerpbedevacr`) |
| `resource_group_containers` | Container apps resource group |
| `keyvault_name` | Key Vault name for this environment |
| `azure_subscription_connection` | Service connection name in Azure DevOps |
| `nuget_pat` | (Secret) NuGet feed PAT — expires every 90 days |
| `environment` | Environment shortname (`dev`, `stage`, etc.) |
nuget_pat expiry
The nuget_pat variable in every variable group expires every 90 days. A calendar alert should fire 2 weeks before expiry. When it does, regenerate the PAT and update all variable groups (or use a shared PAT with a single update point).
Step 6 — Bicep Infrastructure Overview
Infrastructure is defined in Devops/azure/infrastructure/main.bicep. This file is subscription-scoped and creates all 8 resource groups and their contents for a given environment.
```bash
# See what a deployment would create (dry run against dev)
az deployment sub what-if \
  --location uksouth \
  --template-file Devops/azure/infrastructure/main.bicep \
  --parameters Devops/azure/infrastructure/parameters/dev.bicepparam
# View the parameter file to understand environment-specific values
cat Devops/azure/infrastructure/parameters/dev.bicepparam
```
Key Bicep modules:
| Module | Path | Creates |
|---|---|---|
| Network | modules/network.bicep | VNet, subnets, NSG, NAT Gateway |
| Container Apps | modules/containerApps.bicep | Public CAE, Private CAE, container apps |
| ACR | modules/acr.bicep | Container registry, managed identity |
| Key Vault | modules/keyVault.bicep | Key Vault, RBAC assignments |
| SQL | modules/sql.bicep | Databases on shared SQL server |
| Monitoring | modules/monitoring.bicep | Log Analytics, App Insights |
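
A review gate for the dry run above, as an added example (not part of the Devops repository): it reads the JSON that `az deployment sub what-if` emits when run with `--no-pretty-print -o json` and lists deletions plus any change that touches role assignments, NSGs or Key Vaults. The sample result, its subscription ID and its resource names are constructed placeholders.

```python
import json
import sys
from collections import Counter

# Resource types from the module table whose changes affect access or exposure.
SENSITIVE = ("Microsoft.Authorization/roleAssignments",
             "Microsoft.Network/networkSecurityGroups",
             "Microsoft.KeyVault/vaults")

def review_what_if(result):
    """Return (counts per changeType, [(changeType, resourceId)] needing review)."""
    counts, review = Counter(), []
    for change in result.get("changes", []):
        kind, rid = change["changeType"], change["resourceId"]
        counts[kind] += 1
        if kind in ("NoChange", "Ignore"):
            continue  # nothing will be written for these resources
        sensitive = any(t.lower() in rid.lower() for t in SENSITIVE)
        if kind == "Delete" or sensitive:
            review.append((kind, rid))
    return dict(counts), review

# Constructed what-if result; the subscription ID and names are placeholders.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
SAMPLE = {"status": "Succeeded", "changes": [
    {"changeType": "Create", "resourceId":
     RG + "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111"},
    {"changeType": "Modify", "resourceId":
     RG + "/providers/Microsoft.App/containerApps/example-app"},
    {"changeType": "Delete", "resourceId":
     RG + "/providers/Microsoft.Sql/servers/example-sql/databases/example-db"},
    {"changeType": "NoChange", "resourceId":
     RG + "/providers/Microsoft.KeyVault/vaults/example-kv"},
]}

if __name__ == "__main__":
    # Pass a saved what-if JSON file as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            SAMPLE = json.load(fh)
    counts, review = review_what_if(SAMPLE)
    print(counts)
    for kind, rid in review:
        print(f"REVIEW {kind}: {rid}")
```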
Step 7 — Run Your First Pipeline
Trigger the gateway service pipeline against the dev environment:
```bash
az pipelines run \
  --name "deploy-gateway" \
  --parameters "environment=dev" \
  --branch main
```
Monitor via the ADO pipeline UI or:
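```bash
# runs list filters by pipeline ID, not name, so resolve the ID first
pipeline_id=$(az pipelines show --name "deploy-gateway" --query id -o tsv)
az pipelines runs list \
  --pipeline-ids "$pipeline_id" \
  --query "[0].{status:status, result:result, queued:queueTime}" \
  -o table
```
A successful first run confirms your service connection, ACR access, and ACA deployment permissions are all working.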
Step 8 — Key Contacts and Resources
| Topic | Contact / Resource |
|---|---|
| Azure subscription access | DevOps team lead |
| Bicep architecture questions | See Devops/azure/infrastructure/README.md |
| Pipeline template questions | See DevSecOps pipeline stages |
| Networking layout | See Networking |
| Naming conventions | See Naming Conventions |
| Environment details | See Environments |
| On-call runbooks | See Runbooks |
Common Day-1 Gotchas
| Symptom | Cause | Fix |
|---|---|---|
| `az login` redirects but no subscriptions | Wrong tenant | Run `az login --tenant microtec.sa` |
| `az group list` returns empty | Wrong subscription selected | Run `az account set --subscription ...` |
| Pipeline run: No hosted parallelism | ADO parallel job limit | Request parallel jobs from DevOps admin |
| `docker push` denied | Not logged into ACR | Run `az acr login --name micerpbedevacr` |
| Bicep deployment fails with `AuthorizationFailed` | Insufficient Azure role | Check Contributor is assigned at RG level |
| `nuget_pat` variable not found | Variable group not linked to pipeline | Link the variable group in pipeline settings |