Architecture Document: DevOps for RPA & Power Platform
Project: Automated Lifecycle Management (ALM) for UiPath & Power Platform
Date: December 2025
Based on: Proposta Técnica Ball DevOps - 2025.1440.01
1. Executive Summary
The objective of this architecture is to transition from manual deployment processes to a governed, automated CI/CD pipeline using Azure DevOps. The solution covers UiPath (RPA) and Power Platform (Low-Code), ensuring traceability, security, and operational efficiency.
Key goals:
Standardized YAML pipelines for consistent delivery.
Idempotency in connection references using custom automation scripts.
2. High-Level Architecture & Branching Strategy
The solution adopts a simplified GitFlow strategy. The environment promotion is strictly one-way, ensuring that Production environments only contain Managed (immutable) artifacts.
2.1 GitFlow & Environment Mapping
Dev (develop): Development environment. Unmanaged solutions allowed.
UAT (release/*): User Acceptance Testing. Managed solutions only.
Prod (main): Production. Managed solutions only.
2.2 Architectural Diagram
3. Power Platform ALM Strategy
This section details the lifecycle for Low-Code solutions. The core principle is "Build Once, Deploy Many". The artifact is generated in the Build stage and promoted to subsequent environments.
3.1 CI/CD Pipeline Flow
Build/CI: Exports the Unmanaged solution from Dev, runs pac solution checker (Quality Gate), and packages it as Managed.
Deploy/CD: Imports the Managed solution using environment-specific configuration files (deployment-settings.json).
3.2 Pipeline Diagram
A critical component of this architecture is the handling of Connection References. To prevent the creation of duplicate connections or breaking changes during deployment, a custom Python script is used to map references to existing connection IDs in the target environment.
4.1 Logic Flow
This logic runs before the pac solution import command. It parses the solution's configuration and queries the Dataverse API (or uses PAC CLI) to find matching connections.
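A minimal version of that mapping step, as an added example and not the project's own script. It assumes the deployment-settings.json layout that `pac solution create-settings` produces, and that the target environment's connections have already been fetched into a list of records with name, apiId and status fields (an assumed shape; all sample data below is constructed).

```python
"""Map a deployment-settings.json's ConnectionReferences onto connections that already
exist in the target environment, creating none.  Added example, not the project's script:
the settings layout is the one `pac solution create-settings` emits; the connection records
(name, apiId, status) are a constructed sample, their field names an assumption."""
import json
from typing import Dict, List, Tuple
SP = "/providers/Microsoft.PowerApps/apis/shared_sharepointonline"
DV = "/providers/Microsoft.PowerApps/apis/shared_commondataserviceforapps"
SQL = "/providers/Microsoft.PowerApps/apis/shared_sql"

# Constructed sample: the parsed settings file checked in for the UAT stage.
SETTINGS = {"EnvironmentVariables": [], "ConnectionReferences": [
    {"LogicalName": "ball_sharepoint", "ConnectionId": "", "ConnectorId": SP},
    {"LogicalName": "ball_dataverse", "ConnectionId": "conn-dv-0001", "ConnectorId": DV},
    {"LogicalName": "ball_sql", "ConnectionId": "", "ConnectorId": SQL},
]}
# Constructed sample: connections the target-environment query returned.
EXISTING_CONNECTIONS = [
    {"name": "conn-sp-0007", "apiId": SP, "status": "Connected"},
    {"name": "conn-sp-0003", "apiId": SP, "status": "Error"},  # broken: never reuse
    {"name": "conn-dv-0001", "apiId": DV, "status": "Connected"},
]

def healthy_by_connector(connections: List[dict]) -> Dict[str, List[str]]:
    """Group the IDs of usable (status Connected) connections by connector."""
    grouped: Dict[str, List[str]] = {}
    for c in connections:
        if c.get("status") == "Connected":
            grouped.setdefault(c["apiId"], []).append(c["name"])
    return grouped

def resolve_connection_references(settings: dict, connections: List[dict]) -> Tuple[dict, List[str]]:
    """Fill ConnectionId on each reference in place; return (settings, unresolved names).
    A reference already pointing at a live connection is kept (re-runs are no-ops); a
    stale ID, e.g. one copied from Dev, is remapped.  With no usable connection the ID is
    blanked and the name reported, and the stage must fail: letting `pac solution import`
    create the connection is exactly what allowCreateConnection=false forbids in Hom/Prod."""
    grouped = healthy_by_connector(connections)
    live_ids = {cid for ids in grouped.values() for cid in ids}
    unresolved: List[str] = []
    for ref in settings.get("ConnectionReferences", []):
        if ref.get("ConnectionId") in live_ids:
            continue
        candidates = grouped.get(ref["ConnectorId"], [])
        ref["ConnectionId"] = candidates[0] if candidates else ""
        if not candidates:
            unresolved.append(ref["LogicalName"])
    return settings, unresolved

if __name__ == "__main__":
    resolved, missing = resolve_connection_references(SETTINGS, EXISTING_CONNECTIONS)
    print(json.dumps(resolved, indent=2))  # write this back before pac solution import
    if missing:
        raise SystemExit(f"Unresolved connection references: {missing}")
```

In the pipeline the non-zero exit from the unresolved case is what stops the Deploy stage before `pac solution import` runs, so a missing connection surfaces as a failed gate rather than as a connection silently created in Hom/Prod.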
5. UiPath (RPA) Delivery Pipeline
The RPA pipeline focuses on package integrity and Orchestrator asset management.
5.1 Workflow Steps
Pack (CI): Compiles the UiPath project into a .nupkg file.
Lint: Validates naming conventions and code standards.
Deploy (CD): Uploads the package to Orchestrator and updates the Process version.
Smoke Test: Triggers a quick job to verify the robot is responsive.
5.2 UiPath Pipeline Diagram
6. Infrastructure & Security
6.1 Secret Management
Azure Key Vault: Stores all sensitive data (client secrets, connection strings, API keys).
Variable Groups: Azure DevOps Variable Groups link to Key Vaults (vg-dev, vg-hom, vg-prod).
6.2 Access Control
Service Connections: Least-privilege connections created for each environment (sc-powerplatform-prod, sc-uipath-prod).
Policies: allowCreateConnection=false is enforced in Hom/Prod to prevent unauthorized connections from being created via the pipelines.
6.3 Infrastructure Communication Flow
This diagram illustrates how Azure DevOps orchestrates the deployment pipeline by securely accessing secrets from Azure Key Vault and authenticating to target platforms (Power Platform and UiPath Orchestrator).
Key Communication Patterns:
Secret Management: Variable Groups in Azure DevOps link directly to Azure Key Vault, pulling secrets at runtime without exposing them in pipeline logs.
Authentication: Service Connections use Service Principal credentials (stored in Key Vault) to authenticate to Power Platform and UiPath Orchestrator.
Deployment Flow: The pipeline retrieves code from Azure Repos, uses secrets from Key Vault via Variable Groups, and deploys through Service Connections to target environments.
Environment Isolation: Each environment (Dev, Hom, Prod) has dedicated Variable Groups and Key Vault instances, ensuring complete separation of credentials.
6.4 Network Architecture & Security Boundaries
This section details the actual infrastructure components, communication protocols, and security controls as defined in the project scope. Two deployment options are available for build agents.
6.4.1 Option A: Microsoft-Hosted Agents (Recommended)
This is the recommended architecture, with zero infrastructure overhead, automatic updates, and ephemeral build environments.
Characteristics:
- ✅ Zero infrastructure management required
- ✅ Always up-to-date with latest tools and security patches
- ✅ Ephemeral environments (clean slate for every build)
- ✅ Auto-scaling based on pipeline demand
- ✅ PAC CLI and UiPath CLI installed via pipeline tasks
- ✅ No firewall configuration needed (outbound only)
- ✅ Suitable for 95% of scenarios
6.4.2 Option B: Self-Hosted Agents (Optional)
This option is only required for specific scenarios such as on-premise UiPath Orchestrator without internet access or special network requirements.
Characteristics:
- ⚠️ Customer must provision and maintain Windows VM
- ⚠️ Manual installation required: Azure DevOps Agent, PAC CLI, UiPath CLI, .NET SDK
- ⚠️ Customer responsible for patching and updates
- ⚠️ Firewall rules must allow outbound HTTPS to all services
- ✅ Can access on-premise UiPath Orchestrator
- ✅ Can work with special network requirements
- ⚠️ Only use when Microsoft-Hosted Agents cannot meet requirements
Infrastructure Components & Network Details:

| Component | Protocol/Port | Authentication | Location | Security Controls |
|---|---|---|---|---|
| Azure DevOps | HTTPS/443 | Azure AD + PAT | SaaS | Conditional Access, IP Restrictions (optional) |
| Azure Key Vault (per env) | HTTPS/443 | Service Principal | Azure Cloud | RBAC, Firewall (optional), Audit Logs |
| Power Platform (DEV/HOM/PROD) | HTTPS/443 | OAuth 2.0 (App Registration) | SaaS | Service Principal, DLP Policies, Environment Security Roles |
Identity & Access Management
- Azure AD authentication for all user access with MFA enforcement
- Service Principals with least-privilege RBAC for automated deployments
- App Registrations for Power Platform with environment-specific permissions
- API Keys and Client IDs for UiPath Orchestrator access
Secret Management
- Azure Key Vault per environment (DEV, HOM, PROD) with complete separation
- Variable Groups in Azure DevOps linked to respective Key Vaults
- Automatic secret injection at pipeline runtime (no hardcoded credentials)
- Periodic credential rotation (recommended: quarterly)
Encryption in Transit
- TLS 1.2+ enforced for all HTTPS communications
- OAuth 2.0 for Power Platform authentication
- Secure API authentication for UiPath Orchestrator
Network Security
- Build agents use outbound-only connections (no inbound ports required)
- Optional: Key Vault firewall with IP whitelisting for additional protection
- Optional: Azure DevOps IP restrictions for organization access
Audit & Monitoring
- Azure DevOps audit logs for pipeline executions and approvals
- Key Vault diagnostic logs for secret access tracking
- Service Connection usage monitoring
- Pipeline execution history and artifact traceability
Build Agent Security
- Microsoft-Hosted Agents (recommended): Zero maintenance, always patched, ephemeral
- Self-Hosted Agents (if used): Customer-managed, requires patching, persistent
- Agent pools with specific permissions per environment
Build Agent Options:
Option A: Microsoft-Hosted Agents (Recommended)
- Zero infrastructure overhead
- Automatically updated with latest tools
- Ephemeral environments (clean slate per build)
- PAC CLI and UiPath CLI installed via pipeline tasks
- Suitable for most scenarios
Option B: Self-Hosted Agents (Optional)
- Required only for specific scenarios (e.g., on-premise UiPath Orchestrator without internet access)
- Customer must provision Windows Server/Windows 10/11 VM
- Requires manual installation: Azure DevOps Agent, PAC CLI, UiPath CLI, .NET SDK, Git
- Customer responsible for patching and maintenance
- Firewall rules must allow outbound HTTPS to all required services
7. Rollback Strategy
A mass rollback plan is defined for disaster recovery.
Snapshot: Before deployment, a snapshot of current versions is recorded in the release logs.
Power Platform: Re-import the previous Managed solution version ($v_{x-1}$) using the stored settings.
UiPath: Use the Orchestrator API to set the Process Version back to the previous package.