CI/CD framework in IdentityIQ

Which IIQ version are you inquiring about?

IdentityIQ 8.2

Hello,

I am trying to create a CI/CD framework for our IdentityIQ 8.2 and searching through the internet, there is no simple way to do it.
We are controlling the config files through SSB and updating them in a Git repository. However, the file upload is done manually or through IIQAccelerator, and this is rather slow and dangerous when uploading/updating numerous files at the same time.

I have found some articles explaining how to accelerate the process like this one from Sailpoint Technologies:

These articles involve building a war file and deploying it; however, I have seen others saying it’s simple using the iiq console command and importing the xml directly.

Our environment is composed of DEV, QUA and PRD, and has several application servers per environment. Each environment has one database.

Has anyone ever created a CI/CD framework for IIQ? If so, can you help?

check this out

hope it helps

Hi Rodrigo,

Our CI/CD process looks like this:

Jenkins

  • select what to deploy
  • checkout build environment from git
  • build with maven and package customizations as zip file
  • upload zip file to Nexus
  • run Ansible job to deploy on the application servers

Ansible

  • stop tomcat on each application server
  • download base war from Nexus and unpack
  • download custom zip from Nexus and unpack
  • deploy plugins
  • save delta aggregation state
  • import xml configuration artifacts
  • restore delta aggregation state
  • start tomcat on each application server

We use this for our development, pre-production and production environments. Sandbox deploys are less automated.

It was a bit of work to set up, but absolutely worthwhile. Let me know if you want more info.

You can check out our upcoming webinar: Instrumental Identity Government IT Events | Carahsoft

Could we get a recorded link of the webinar afterward? I’m interested in watching it, but it takes place at midnight in my time zone.

First of all, thank you for your help. I have a little question: in Ansible you download the base war and the custom zip from Nexus. Why both and not only the base war?

Another question is about the delta aggregation states. Are these related to Delta Aggregation, and why do you need to save these states before importing the xml files?

The base war doesn’t have any of our customizations, those are in the zip file. The base war is only downloaded and unpacked if that option was selected in Jenkins. In practice, we only need to install the base war when upgrading IIQ or applying an efix. That is one of the differences between DevSecOps toolkit and SSB (where the customizations are packaged into the war file).

The delta aggregation state is saved in the application object. When a deploy imports the application object, the delta aggregation state is “lost”. Depending on the application, delta aggregation won’t work again until a full aggregation is done. The save/restore is a work-around for that.

We’ve done similar things using IIQ to restore the application object data for deltas just using a service definition and keeping track of the deltas in a custom object so they can be referenced after a deploy and restored.

I hadn’t thought of using a service, that’s an interesting approach.

We are also saving/restoring oauth tokens, subscribedSkus, and appRoles.

Attached are rules for saving and restoring the delta state. They’ll need to be customized for your applications.
Rule-UVic_Save_Delta.xml (4.9 KB)
Rule-UVic_Restore_Delta.xml (7.5 KB)
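
The save/restore workaround discussed in this thread can also be done as a pre-import merge step outside IIQ. The sketch below is an added example, not the attached UVic rules and not code from any poster. It assumes the state sits in top-level `<entry>` elements of the application's `<Attributes><Map>`; `exampleDeltaState` is a placeholder key, and the sample XML is constructed.

```python
import copy
import xml.etree.ElementTree as ET

# Assumption: state lives in top-level <entry> elements of <Attributes><Map>.
# "exampleDeltaState" is a placeholder key; the other two are named in the thread.
STATE_KEYS = frozenset({"exampleDeltaState", "subscribedSkus", "appRoles"})

# Constructed samples (real exports also carry an XML declaration and DOCTYPE).
LIVE = """<Application name="Example Directory">
  <Attributes><Map>
    <entry key="exampleDeltaState" value="cookie-123"/>
    <entry key="subscribedSkus"><value><List><String>sku-a</String></List></value></entry>
    <entry key="host" value="old.example.test"/>
  </Map></Attributes>
</Application>"""
ARTIFACT = """<Application name="Example Directory">
  <Attributes><Map>
    <entry key="host" value="new.example.test"/>
    <entry key="exampleDeltaState" value=""/>
  </Map></Attributes>
</Application>"""

def attr_map(app):
    """Return the <Map> under <Attributes>, creating both if absent."""
    attrs = app.find("Attributes")
    if attrs is None:
        attrs = ET.SubElement(app, "Attributes")
    amap = attrs.find("Map")
    return amap if amap is not None else ET.SubElement(attrs, "Map")

def carry_state(live_xml, artifact_xml, keys=STATE_KEYS):
    """Copy state entries from the live export into the artifact; return (xml, keys)."""
    live, new = ET.fromstring(live_xml), ET.fromstring(artifact_xml)
    if live.tag != "Application" or new.tag != "Application":
        raise ValueError("expected a single <Application> root")
    if live.get("name") != new.get("name"):
        raise ValueError("application name mismatch")
    saved = {e.get("key"): e for e in attr_map(live).findall("entry")
             if e.get("key") in keys}
    new_map = attr_map(new)
    for entry in new_map.findall("entry"):
        if entry.get("key") in saved:
            new_map.remove(entry)  # the live value wins over the repository copy
    for key in sorted(saved):
        new_map.append(copy.deepcopy(saved[key]))
    return ET.tostring(new, encoding="unicode"), sorted(saved)
```

Because the carried entries can include OAuth tokens, treat the live export and the merged file as secrets and keep them out of Git and build logs.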