// Creates Azure DevOps variable groups and environments for dev, test, and production. This skill configures environment-specific variables and approval gates required for CI/CD pipelines.
Creates Azure DevOps CI/CD pipelines from the template YAML files. This skill creates pipelines for agent creation, testing, and deployment automation using the ready-to-use pipeline definitions.
Orchestrates complete Azure AI Foundry deployment to Azure DevOps. Coordinates repository-setup, service-connection-setup, environment-setup, pipeline-setup, and deployment-validation skills. Use when deploying the complete Azure AI Foundry starter template end-to-end.
Cleans up Azure DevOps resources (repositories, service connections, variable groups, pipelines) and resets configuration files. Use when you need to remove Azure DevOps artifacts after testing or to prepare for a fresh deployment of the Azure AI Foundry Starter template.
Safely deletes all Azure resources created by the Azure AI Foundry starter template including resource groups, AI Services, AI Foundry Projects, Service Principal, federated credentials, and RBAC assignments. Use when tearing down environments or starting fresh.
Validates the complete Azure AI Foundry deployment by checking repositories, service connections, variable groups, environments, pipelines, and optionally running the first agent deployment. This skill provides comprehensive verification of the deployment setup.
Manages federated credentials for Azure DevOps service connections using Workload Identity Federation. Retrieves actual issuer/subject from service connections and creates/updates federated credentials on Service Principals.
| name | environment-setup |
| description | Creates Azure DevOps variable groups and environments for dev, test, and production. This skill configures environment-specific variables and approval gates required for CI/CD pipelines. |
This skill handles creating variable groups and environments in Azure DevOps for development, test, and production stages.
Use this skill when you need to:
Before using this skill, ensure:
configuration-management skill first)resource-creation skill)service-connection-setup skill)Variable Groups:
{projectName}-{env}-vars (where projectName is from config.naming.projectName)Environments:
# Load configuration
. ./.github/skills/configuration-management/config-functions.ps1
$config = Get-StarterConfig
# Extract values
$org = $config.azureDevOps.organizationUrl
$project = $config.azureDevOps.projectName
$subscriptionId = $config.azure.subscriptionId
# Derive resource group name from project name
$resourceGroup = "rg-$($config.naming.projectName)"
Write-Host "ā Configuration loaded"
IMPORTANT: Variable group names must match exactly what's referenced in pipeline YAML files!
# Define environment-specific configurations with derived resource groups
$environments = @{
"dev" = @{
projectEndpoint = $config.azure.aiFoundry.dev.projectEndpoint
projectName = $config.azure.aiFoundry.dev.projectName
modelDeployment = "gpt-4o" # or from config if specified
resourceGroup = "$resourceGroup-dev" # rg-{projectName}-dev
}
"test" = @{
projectEndpoint = $config.azure.aiFoundry.test.projectEndpoint
projectName = $config.azure.aiFoundry.test.projectName
modelDeployment = "gpt-4o"
resourceGroup = "$resourceGroup-test" # rg-{projectName}-test
}
"prod" = @{
projectEndpoint = $config.azure.aiFoundry.prod.projectEndpoint
projectName = $config.azure.aiFoundry.prod.projectName
modelDeployment = "gpt-4o"
resourceGroup = "$resourceGroup-prod" # rg-{projectName}-prod
}
}
Write-Host "`nCreating variable groups..."
foreach ($env in $environments.Keys) {
$vgName = "$projectName-$env-vars" # Uses projectName from config
$envConfig = $environments[$env]
# Check if variable group already exists
$existingVg = az pipelines variable-group list --query "[?name=='$vgName'].id" --output tsv
if (-not $existingVg) {
Write-Host "Creating variable group: $vgName"
# Create variable group with environment-specific values
$vgId = az pipelines variable-group create `
--name $vgName `
--variables `
AZURE_AI_PROJECT_ENDPOINT="$($envConfig.projectEndpoint)" `
AZURE_AI_PROJECT_NAME="$($envConfig.projectName)" `
AZURE_AI_MODEL_DEPLOYMENT_NAME="$($envConfig.modelDeployment)" `
AZURE_RESOURCE_GROUP="$($envConfig.resourceGroup)" `
AZURE_SUBSCRIPTION_ID="$subscriptionId" `
--authorize true `
--output json | ConvertFrom-Json | Select-Object -ExpandProperty id
Write-Host "ā Variable group created: $vgName (ID: $vgId)"
# Display created variables
Write-Host " Variables:"
Write-Host " - AZURE_AI_PROJECT_ENDPOINT: $($envConfig.projectEndpoint)"
Write-Host " - AZURE_AI_PROJECT_NAME: $($envConfig.projectName)"
Write-Host " - AZURE_AI_MODEL_DEPLOYMENT_NAME: $($envConfig.modelDeployment)"
Write-Host " - AZURE_RESOURCE_GROUP: $($envConfig.resourceGroup)"
Write-Host " - AZURE_SUBSCRIPTION_ID: $subscriptionId"
} else {
Write-Host "ā Variable group already exists: $vgName (ID: $existingVg)"
}
}
Note: Environments enable deployment tracking, approvals, and checks in pipelines.
Write-Host "`nCreating environments..."
# Create dev, test, production environments using REST API
$envNames = @("dev", "test", "production")
$uri = "$org/$project/_apis/distributedtask/environments?api-version=7.1-preview.1"
foreach ($envName in $envNames) {
# Check if environment exists
$existingEnvs = Invoke-RestMethod -Uri $uri -Headers @{
"Authorization" = "Bearer $env:ADO_TOKEN"
}
$exists = $existingEnvs.value | Where-Object { $_.name -eq $envName }
if (-not $exists) {
Write-Host "Creating environment: $envName"
$body = @{
name = $envName
description = "$envName environment for Azure AI Foundry deployments"
} | ConvertTo-Json
$response = Invoke-RestMethod -Uri $uri -Method Post -Headers @{
"Authorization" = "Bearer $env:ADO_TOKEN"
"Content-Type" = "application/json"
} -Body $body
Write-Host "ā Environment created: $envName (ID: $($response.id))"
} else {
Write-Host "ā Environment already exists: $envName (ID: $($exists.id))"
}
}
Write-Host "`nā
Environment setup complete!"
For production environments, you may want to add approval gates:
Write-Host "`n=== Optional: Configure Approval Gates ==="
Write-Host "To add approvals for production deployments:"
Write-Host "1. Go to: $org/$project/_settings/environments"
Write-Host "2. Select 'production' environment"
Write-Host "3. Click '+ Add resource' > 'Approvals and checks'"
Write-Host "4. Add approvers (users or groups)"
Write-Host "5. Configure approval timeout and policy"
Critical: Pipeline YAML files reference these exact names!
{projectName}-dev-vars - Development environment (where {projectName} is from config.naming.projectName){projectName}-test-vars - Test environment{projectName}-prod-vars - Production environmentNaming rules:
{projectName}-dev-vars (from config.naming.projectName)foundry_dev_varsfoundry dev varsEach variable group contains:
| Variable | Description | Example |
|---|---|---|
AZURE_AI_PROJECT_ENDPOINT | AI Foundry project endpoint URL | https://aif-foundry-dev.cognitiveservices.azure.com |
AZURE_AI_PROJECT_NAME | AI Foundry project name | aif-foundry-dev |
AZURE_AI_MODEL_DEPLOYMENT_NAME | Deployed model name | gpt-4o |
AZURE_RESOURCE_GROUP | Azure resource group (environment-specific) | rg-{projectName}-dev |
AZURE_SUBSCRIPTION_ID | Azure subscription ID | 12345678-1234-1234-1234-123456789012 |
Error: Variable group name contains invalid characters
Solution: Use alphanumeric characters and hyphens only:
# ā
CORRECT
$vgName = "$projectName-dev-vars" # Uses projectName from config
# ā WRONG
$vgName = "foundry_dev_vars" # No underscores
$vgName = "foundry dev vars" # No spaces
$vgName = "foundry-dev-vars" # Don't hardcode - use config.naming.projectName
Error: The pipeline is not valid. Could not find variable group
Solution: Ensure --authorize true flag is used when creating:
az pipelines variable-group create --name $vgName --authorize true ...
Or authorize manually:
$vgId = az pipelines variable-group list --query "[?name=='$vgName'].id" -o tsv
az pipelines variable-group update --id $vgId --authorize true
Error: TF400734: The environment xyz already exists
Solution: The script handles this automatically. If you need to recreate, delete manually:
Error: 401 Unauthorized when creating environment
Solution: Refresh your bearer token:
$env:ADO_TOKEN = az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" -o tsv
$env:AZURE_DEVOPS_EXT_PAT = $env:ADO_TOKEN
Error: Empty values in variable group
Solution: Verify configuration is loaded correctly:
. ./.github/skills/configuration-management/config-functions.ps1
$config = Get-StarterConfig
$config.azure.aiFoundry.dev.projectEndpoint # Should not be empty
--authorize true flag{projectName}-{env}-vars from config.naming.projectNameThis skill works together with: