Azure App Service JSON Transform using KeyVault
Problem description
I am looking at deploying a .Net Core WebApi service to an Azure App Service and as part of the deployment I am keen to update the connection string in the appsettings.json with the CosmosDb connection string. I have an Azure KeyVault which has the connection string stored in there as a secret.
Using the YAML build pipeline for CI/CD I have the following (snippet) from my pipeline
- task: AzureKeyVault@1
  inputs:
    azureSubscription: '<service-principal>'
    KeyVaultName: '<keyvault-name>'
    SecretsFilter: '*'
    RunAsPreJob: true
- task: AzureRmWebAppDeployment@4
  inputs:
    ConnectionType: 'AzureRM'
    azureSubscription: '<service-principal>'
    appType: 'webApp'
    WebAppName: '<ci-resource-group>'
    VirtualApplication: '/'
    packageForLinux: '$(System.DefaultWorkingDirectory)/**/*.zip'
    JSONFiles: '**/appsettings.json'
These two tasks are in a stage which starts with downloading the published artifact from a previous stage.
So the Azure App Service Deploy task can do JSON transformation but I need to define a variable in the format ConnectionStrings:CosmosDb with the value from the secret stored in the keyvault and that I am not certain of how to do!
- Firstly, is this the correct way? I have seen articles about using a reference to the secret in the keyvault, is that the correct way?
- The keyvault secrets are available to the pipeline using $(secret), how can I create a variable for the AzureRmWebAppDeployment@4 task as above?
Everything I have found so far points to the Classic release pipelines, and using variable groups but this needs to be part of the YAML pipeline.
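One way to wire the Key Vault secret into the deploy task's JSON substitution from YAML, as an added example that is not part of the original question. It assumes the secret is named CosmosDbConnectionString (a placeholder) and relies on two documented behaviours: JSON variable substitution matches nested keys by dot-separated variable name, and $(...) macros are expanded at runtime, after the Key Vault task has run.

```yaml
# Added example, not from the original post.
# 'CosmosDbConnectionString' is a placeholder for the secret's name in the vault.
variables:
  # Dot-separated name targets ConnectionStrings -> CosmosDb in appsettings.json.
  # The value is a macro, so it resolves at runtime to the secret that
  # AzureKeyVault@1 publishes as a pipeline variable of the same name.
  - name: ConnectionStrings.CosmosDb
    value: $(CosmosDbConnectionString)

steps:
  - task: AzureKeyVault@1
    inputs:
      azureSubscription: '<service-principal>'
      KeyVaultName: '<keyvault-name>'
      # Fetch only the secret this stage needs instead of '*', so an
      # unrelated secret never becomes available to later tasks.
      SecretsFilter: 'CosmosDbConnectionString'
      RunAsPreJob: true

  - task: AzureRmWebAppDeployment@4
    inputs:
      ConnectionType: 'AzureRM'
      azureSubscription: '<service-principal>'
      appType: 'webApp'
      WebAppName: '<ci-resource-group>'
      VirtualApplication: '/'
      packageForLinux: '$(System.DefaultWorkingDirectory)/**/*.zip'
      # Any key in these files whose dotted path matches a pipeline
      # variable name is overwritten with that variable's value.
      JSONFiles: '**/appsettings.json'
```

With this approach the connection string is written in plain text into the deployed appsettings.json, so anyone who can read the site's files can read the secret. The service principal in '<service-principal>' also needs get and list permission on the vault's secrets for the Key Vault task to succeed.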