AI-Driven Quality Engineering Architect · Available for new engagements · Australia

SNK
SNK Digital
Back to Work
Reference PatternAPI Automation

API Automation CI/CD in Azure DevOps

RestAssuredAzure DevOps PipelinesAzure Key VaultYAML pipelinesself-hosted agents

Reference architecture. This page demonstrates the design I apply to engagements in this problem class. It is illustrative — not a claim of a specific client engagement. See Case Studies for real anonymised work.

Problem class — when this pattern applies

Enterprise API test programmes running inside Azure DevOps share a recognisable shape: the test suite started small, probably as a Postman collection or a handful of RestAssured tests, and has grown to cover hundreds of endpoints across multiple environments.

Two cards comparing fits and skip conditions. Fits when: already on Azure DevOps, suite has grown past a flat mvn test call, secret management is a compliance requirement in financial services or government or healthcare, complex OAuth2 auth flows or multi-step request chaining are present, and the API contract is the primary interface. Skip when: not on Azure DevOps (GitHub Actions follows the same shape with different primitives), suite is still small, organisation uses Postman collections as the living contract and Newman as the gate, team is mixed-skill and prefers Karate's readable DSL, or UI is the primary interface.

The tightest fit is a regulated enterprise team already invested in Azure DevOps with a non-trivial API surface. The investment in Key Vault scoping and per-environment service connections only pays off when compliance or multi-environment isolation is a real requirement.

At some point the pipeline stops being a flat mvn test call and starts needing real architecture decisions: how to run in parallel without resource contention, how to manage environment credentials without hardcoding them, how to scope service connections to the right environments, and how to make the gate meaningful without it blocking every PR for ten minutes.

The problem class has four components. First, parallelising a large API suite across pipeline agents in a way that distributes load evenly and produces a merged test report. Second, scoping service connections in Azure DevOps so the pipeline can authenticate to test environments without leaking production credentials. Third, pulling secrets at pipeline runtime from Azure Key Vault rather than storing them in variable groups or pipeline YAML. Fourth, keeping the gate time budget within a ceiling that development teams will actually respect — because an API gate that exceeds that ceiling trains engineers to route around it.

I reach for this pattern on enterprise teams that are already invested in Azure DevOps and have a non-trivial REST API surface requiring systematic regression coverage. Regulated environments where audit-traceability on secret access matters are the tightest fit.

Architecture / design decisions

Four architecture decision cards. Decision 1 RestAssured for Java-ecosystem teams: Maven and Gradle native, JUnit XML output requires no adapter, full programmatic control for OAuth2 flows and request chaining; Karate is a defensible alternative for mixed-skill teams and Newman for Postman-first organisations. Decision 2 matrix strategy with parallel tag-group execution: tag groups smoke, contract, functional, regression with smoke and contract on every PR and full regression on merge to release; self-hosted agents for VNet-bound APIs and Microsoft-hosted otherwise. Decision 3 per-environment service connections: one connection per environment dev UAT production, scope enforced at connection level not YAML convention, UAT and production require one-time human approval for audit trail. Decision 4 Key Vault secrets not variable groups: AzureKeyVault task retrieves at runtime, secrets auto-masked in pipeline logs, nothing credential-adjacent in the repository; variable groups rejected as not auditable.

These four decisions determine whether the gate is trusted or routed around. The service connection scoping and Key Vault discipline are what separate a compliant pipeline from one that passes security review on paper and fails it in practice.

Architecture at a glance — RestAssured on Azure DevOps

Tool selection

  • RestAssured for Java-ecosystem teams (Maven/Gradle native, JUnit XML output)
  • Karate or Postman+Newman considered for mixed-skill or contract-first teams

Pipeline shape

  • Matrix strategy across tag groups: @smoke, @contract, @functional, @regression
  • Smoke + contract on every PR; full regression on merge to release
  • Self-hosted agents for VNet-bound APIs; Microsoft-hosted otherwise

Service connections

  • One Azure DevOps service connection per environment (dev, UAT, prod)
  • UAT + production connections gated with one-time human approval

Secrets

  • Azure Key Vault as single source of truth, retrieved via AzureKeyVault@2 task
  • Mapped to pipeline variables (auto-masked in logs); nothing credential-adjacent in the repo

Reporting

  • Per-leg JUnit XML published as artefacts
  • Downstream merge job aggregates into a unified test result

Tool selection: RestAssured

For Java-ecosystem teams on Azure DevOps, RestAssured is the natural choice. It integrates cleanly into Maven or Gradle build lifecycles, which aligns with the existing pipeline toolchain. It gives full programmatic control over request construction, response assertion, and test data setup — important when the API surface has complex authentication flows (OAuth2, service principal tokens) or requires non-trivial request chaining between test steps. It also produces JUnit XML output natively, which Azure DevOps's PublishTestResults task consumes directly without any adapter.

Karate is a defensible alternative when the team is mixed-skill and readable DSL matters more than programmatic flexibility — its built-in JSON path validation and BDD structure lower the authoring bar for non-developer testers. Postman with Newman is the right call when the organisation already manages a Postman collection as a living API contract document and wants that artefact to be the test gate rather than maintaining a separate code layer. For a Java-development team on a complex service surface, RestAssured is the default.

YAML pipeline design: parallel matrix execution

The pipeline uses a matrix strategy to distribute the test suite across agents. Each agent receives a tag filter — I define tag groups at the test suite level (smoke, contract, functional, regression) — and runs the scoped subset. A downstream merge step collects the JUnit XML artefacts and publishes a unified test result. This keeps per-PR feedback fast: smoke and contract tags run on every PR; the full regression matrix runs on merge to the release branch.

Four-stage pipeline execution flow. Stage 1 Key Vault secret retrieval: AzureKeyVault task runs as a pre-job, retrieving API-BASE-URL, CLIENT-ID, and CLIENT-SECRET from the environment-scoped Key Vault via the service connection; secrets are auto-masked in logs. Stage 2 parallel matrix: three agents run concurrently with smoke tag filter, contract tag filter, and functional tag filter; Maven receives secrets as system properties. Stage 3 JUnit XML artefacts: each leg publishes surefire reports as distinct named artefacts for per-tag investigation. Stage 4 unified test result: downstream merge job downloads all artefacts and publishes to the Tests tab producing a single quality gate signal where all legs must pass.

The pool name is the only thing that changes between a Microsoft-hosted and a self-hosted agent configuration. The YAML is otherwise identical — which means the same pipeline YAML works in open environments and in VNet-bound regulated environments.

The agent strategy decision is between Microsoft-hosted and self-hosted agents. Microsoft-hosted agents are simpler to operate but cannot reach internal API surfaces behind a corporate network boundary. For regulated environments where the API under test lives inside a VNet, self-hosted agents registered to an Azure DevOps agent pool are the only viable path. The pipeline YAML is identical in both cases; the pool name is parameterised.

Pipeline run — secret retrieval, parallel agents, unified gate
Loading diagram…

The pipeline never holds secrets in YAML or variable groups. Key Vault is the single runtime source of truth. The merge job is the only signal the PR author sees — all-legs-pass or not.

Service connection scoping

Azure DevOps service connections are the mechanism for authenticating the pipeline to Azure resources — specifically the Key Vault where test secrets live and, where applicable, the Azure environment where the API under test is deployed. The architectural decision is service connection scope: one connection per environment (dev, UAT, production) rather than a single broad connection. Per-environment scoping means a PR pipeline running against dev cannot incidentally access production Key Vault secrets. The scope boundary is enforced at the service connection level, not just by convention in the YAML.

I always request service connection approval gates on the UAT and production connections — a human approval step before the pipeline can use a connection targeting those environments. This is a one-time gate (the connection is approved at pipeline setup, not per-run), but the approval audit trail satisfies compliance requirements without adding per-run latency.

Secret management via Azure Key Vault

Test environment credentials — API base URLs, client IDs, client secrets, bearer token endpoints — are stored as secrets in environment-scoped Azure Key Vaults, not in Azure DevOps variable groups or pipeline YAML. The pipeline retrieves them at runtime using the AzureKeyVault task, maps them to pipeline variables, and passes them to the test runner as environment variables. Secrets are masked in pipeline logs automatically once mapped to pipeline variables.

Three-row comparison of secret storage approaches. Row 1 hardcoded in repo or YAML: credentials in source control, no audit trail, no scope control, no log masking — verdict never acceptable. Row 2 Azure DevOps variable groups: stored in the DevOps platform, partial audit trail, scope controlled by convention only, logs masked — verdict acceptable for non-secret config like base URLs and feature flags but not for secrets. Row 3 Azure Key Vault with per-environment service connections: secrets stored only in Key Vault, per-access audit log, scope enforced at service connection level not by convention, auto-masked in pipeline logs — verdict the correct approach.

The distinction between variable groups and Key Vault is not aesthetic. Variable groups do not produce a per-access audit record and their scope cannot be enforced at the platform level. In a regulated environment, that distinction is the difference between passing and failing an audit.

The discipline I hold here is: nothing credential-adjacent touches the repository. Variable groups in Azure DevOps are acceptable for non-secret config (base URLs, feature flags) but not for secrets. Key Vault is the single source of truth for secrets, and access to it is controlled by the service principal tied to the service connection — auditable, revocable, scoped.

Parallel matrix execution and report merging

The JUnit XML artefacts from each matrix leg are published as pipeline artefacts with distinct names. A downstream job depends on all matrix legs, downloads the artefacts, and publishes a unified test result to the pipeline's Tests tab. This gives a single quality gate signal — all legs must pass — while the per-leg granularity remains available in the artefacts if a specific tag group needs investigation.

Code snippets

1. Azure DevOps YAML — parallel matrix execution with Key Vault

# azure-pipelines.yml
trigger:
  branches:
    include: [main, develop]

variables:
  MAVEN_OPTS: '-Xmx1024m'
  KEY_VAULT_NAME: 'kv-api-test-$(environment)'

stages:
  - stage: API_Tests
    jobs:
      - job: RunApiTests
        strategy:
          matrix:
            smoke:
              TAG_FILTER: '@smoke'
            contract:
              TAG_FILTER: '@contract'
            functional:
              TAG_FILTER: '@functional'
          maxParallel: 3
        pool:
          name: 'api-test-agents'   # self-hosted pool; swap for 'ubuntu-latest' if Microsoft-hosted

        steps:
          - task: AzureKeyVault@2
            inputs:
              azureSubscription: 'sc-api-test-$(environment)'
              KeyVaultName: $(KEY_VAULT_NAME)
              SecretsFilter: 'API-BASE-URL,CLIENT-ID,CLIENT-SECRET'
              RunAsPreJob: true

          - task: Maven@3
            displayName: 'Run API tests — $(TAG_FILTER)'
            inputs:
              goals: 'test'
              options: '-Dgroups="$(TAG_FILTER)" -Dbase.url=$(API-BASE-URL) -Dclient.id=$(CLIENT-ID) -Dclient.secret=$(CLIENT-SECRET)'
              publishJUnitResults: true
              testResultsFiles: '**/surefire-reports/TEST-*.xml'
              testRunTitle: 'API Tests — $(TAG_FILTER)'

2. RestAssured — authenticated API test class (Java)

// src/test/java/com/example/api/OrderApiTest.java
@Tag("functional")
class OrderApiTest extends ApiTestBase {

    @Test
    void createOrder_withValidPayload_returns201AndLocationHeader() {
        var payload = OrderPayload.builder()
            .customerId(TestData.validCustomerId())
            .items(List.of(new LineItem("SKU-001", 2)))
            .build();

        given()
            .spec(authSpec())          // injects Bearer token from env; resolved in ApiTestBase
            .contentType(ContentType.JSON)
            .body(payload)
        .when()
            .post("/orders")
        .then()
            .statusCode(201)
            .header("Location", matchesPattern(".*/orders/[a-f0-9-]{36}"))
            .body("status", equalTo("PENDING"));
    }
}

3. Azure Key Vault — variable mapping in pipeline (reference)

# In the AzureKeyVault@2 task output, secrets are mapped as pipeline variables.
# Reference them in subsequent steps using the secret name as the variable name:
#   $(API-BASE-URL)   ← mapped from Key Vault secret 'API-BASE-URL'
#   $(CLIENT-ID)      ← mapped from Key Vault secret 'CLIENT-ID'
#   $(CLIENT-SECRET)  ← mapped from Key Vault secret 'CLIENT-SECRET'
#
# Pass to Maven via -D system properties, or as environment variables:
env:
  BASE_URL: $(API-BASE-URL)
  CLIENT_SECRET: $(CLIENT-SECRET)
# These are masked automatically in pipeline logs once set as pipeline variables.

When I'd brief this

This pattern fits three contexts. First, enterprise teams already running on Azure DevOps who need to move their API test suite from a developer's machine or a shared CI job into a proper gated pipeline with environment parity. The investment is proportionate because the CI platform is already there; this pattern adds the quality layer on top without introducing a new tool ecosystem.

Three cards for the three briefing contexts. Context 1 pipeline maturity: enterprise teams on Azure DevOps whose suite has grown past a flat mvn test call on a developer's machine or shared CI job, needing a proper gated pipeline with environment parity without introducing a new tool ecosystem. Context 2 regulated environments: financial services, government, and healthcare where secret management and access audit trails are compliance requirements, not nice-to-haves — Key Vault with service connection scoping provides the audit record that variable groups cannot. Context 3 API-first surfaces: products where the API contract is the primary interface, UI automation is secondary or absent, and the API test gate is the release confidence mechanism — smoke plus contract on every PR and full regression on merge earns and maintains that trust.

These three contexts share a common property: the API gate is load-bearing, not cosmetic. The architecture is overkill for a small suite on a single environment — but proportionate when the gate is what the team actually relies on for release confidence.

Second, regulated environments — financial services, government, healthcare — where secret management and access audit trails are compliance requirements, not nice-to-haves. Azure Key Vault with service connection scoping gives the audit record that a variable group or a CI environment secret does not. The regulatory compliance pressures and multi-environment isolation requirements that make this architecture proportionate are documented across the government and enterprise programmes in the Enterprise QA Leadership — 6-Year Multi-Programme Tenure, where API testing was one of the disciplines run under this level of pipeline rigour.

Third, API-first product surfaces where the API contract is the primary interface and UI automation is secondary or non-existent. In those contexts the API test gate is the release confidence mechanism, and it needs to be robust, fast, and trusted. A matrix that runs smoke and contract tags on every PR and full regression on merge is the architecture that earns that trust.

The same problem class on GitHub Actions follows the same shape with platform-native primitives — workflow matrix execution, reusable workflows via workflow_call, and OIDC federation into cloud KMS instead of service-connection-backed Key Vault. I treat the architecture as portable; the CI orchestrator is implementation detail.

Matching your brief? Get in touch.

Back to all work