Azure DevOps file transform with vault secrets


Problem description

I need to deploy a Linux Azure app service via Azure DevOps. My configuration is stored in an appsettings file and I need to substitute the configuration values with the values stored in Azure vault.

So I created a variable group in artifacts, linked it to variables in the pipeline and used FileTransform@2 to substitute the appsettings values.

But it substitutes null values. If I explicitly define the variable value in the pipeline by assigning some string value, it works fine.

Also, I cannot use AzureRmWebAppDeployment@4 with JSONFiles; it does not work for Linux deployment.

What is the way of solving this?

Here is the pipeline code:

trigger:
  branches:
    include:
    - master
    - develop
    - release/*
  paths:
    include:
    - src/ConsumerBackEnd/*
    - src/ConsumerShared/*

variables:
  - name: poolName
    value: 'Private-Windows10'
  - name: azureRegisteredApp
    value: 'portal-devops'
  - name: workingDirectory
    value: '$(System.DefaultWorkingDirectory)/src/ConsumerBackEnd'
  - name: solutionDirectory
    value: '$(System.DefaultWorkingDirectory)/src'

stages:
- stage: Build
  displayName: Build stage

  jobs:
  - job: Build
    displayName: Build
    pool:
      name: $(poolName)
    
    variables:
    - group: ConsumerDevVariableGroup
    - name: 'Graph.GraphAppTenantId'
      value: '**************' #works fine
    - name: 'Graph.GraphAppClientId'
      value: '$[variables.GraphAppClientId]' #should take value from vault but injects null

    steps:
    - task: FileTransform@2
      inputs:
        folderPath: '$(workingDirectory)'
        xmlTransformationRules: 
        jsonTargetFiles: '**/appsettings.json'

    - task: DotNetCoreCLI@2
      displayName: Nuget Restore
      inputs:
        command: 'restore'
        projects: '$(workingDirectory)/*.csproj'
        feedsToUse: 'config'
        nugetConfigPath: '$(solutionDirectory)/NuGet.config'
    
    - task: DotNetCoreCLI@2
      displayName: Build
      inputs:
        command: 'build'
        projects: |
          $(workingDirectory)/ConsumerBackEnd.csproj
        arguments: --output $(System.DefaultWorkingDirectory)/output

    - task: DotNetCoreCLI@2
      displayName: Publish
      inputs:
        command: 'publish'
        publishWebProjects: false
        projects: '$(workingDirectory)/ConsumerBackEnd.csproj'
        arguments: '-c Release -r linux-x64 --self-contained true --output $(System.DefaultWorkingDirectory)/publish_output'
        

#requires approval on pipeline
- stage: DeployDev
  displayName: DeployDev
  dependsOn: Build
  condition: succeeded()
  
  jobs:
    - deployment: DeployConsumerBackendAPIDev
      displayName: DeployConsumerBackendAPIDev
      environment: ConsumerBackendAPIDev
      pool:
        name: $(poolName)

      strategy:
        runOnce:
          deploy:
            steps:
            - task: AzureRmWebAppDeployment@4
              inputs:
                ConnectionType: 'AzureRM'
                azureSubscription: '$(azureRegisteredApp)'
                appType: 'webAppLinux'
                WebAppName: 'my-backend-dev'
                packageForLinux: '$(System.DefaultWorkingDirectory)/publish_output/**/*.zip'
                RuntimeStack: 'DOTNETCORE|LTS --configuration Release'

Recommended answer

It appears that referencing a group variable using a runtime expression does not work with the file transform task, but macro syntax works fine.

The Microsoft documentation does not describe this well.

So here is how it should be defined:

variables:
  #secrets
  - group: ConsumerDevVariableGroup
  - name: Graph.GraphAppTenantId
    value: $(GraphAppTenantId) #works fine
  - name: 'Graph.GraphAppClientId'
    value: '$[variables.GraphAppClientId]' #does not work
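
The following is an added example, not code from the original question or answer: both settings mapped with macro syntax, followed by a check that fails the build if a value arrived empty or as an unexpanded macro, without logging the value itself. The variable, group and task names come from the question; the location of appsettings.json directly under $(workingDirectory) and the verification step are assumptions.

```yaml
# Added example. Names are taken from the question; $(workingDirectory) is the
# pipeline-level variable defined there. The appsettings.json path is assumed.
variables:
  - group: ConsumerDevVariableGroup      # variable group linked to the vault
  # Variable names mirror the JSON path in appsettings.json (Graph -> GraphAppClientId).
  # Macro syntax $(...) is what the answer reports as working with FileTransform.
  - name: Graph.GraphAppTenantId
    value: $(GraphAppTenantId)
  - name: Graph.GraphAppClientId
    value: $(GraphAppClientId)

steps:
  - task: FileTransform@2
    displayName: Substitute appsettings values
    inputs:
      folderPath: '$(workingDirectory)'
      xmlTransformationRules: ''
      jsonTargetFiles: '**/appsettings.json'

  # Fail early if a value is empty or still an unexpanded macro.
  # Only the key name is written to the log, never the value.
  - powershell: |
      $settings = Get-Content -Raw 'appsettings.json' | ConvertFrom-Json
      # Built from two pieces so the pipeline does not treat it as a macro.
      $macroPrefix = '$' + '('
      foreach ($key in 'GraphAppTenantId', 'GraphAppClientId') {
        $value = [string]$settings.Graph.$key
        if ([string]::IsNullOrWhiteSpace($value) -or $value.StartsWith($macroPrefix)) {
          Write-Host "##vso[task.logissue type=error]Graph.$key was not substituted"
          exit 1
        }
      }
    displayName: Verify substituted settings
    workingDirectory: '$(workingDirectory)'
```

After substitution the vault values sit in plain text inside appsettings.json and therefore inside the published package, so access to the build output needs the same restrictions as access to the vault.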
