Azure DevOps CI/CD 和从源代码管理中分离连接字符串 [英] Azure DevOps CI/CD and Separating Connection Strings from Source Control
问题描述
所以我一直在通过许多博客/SO 帖子关注许多不同的想法/策略,但我一直无法找到我的想法解决方案.
So I've been following many different idea/strategies through many blogs/SO posts but I haven't been able to find my idea solution.
- Visual Studio 2017 v15.9.6
- Git(源代码控制)
- Azure DevOps CI/CD
- Azure 应用服务(用于托管 Web API)
目标是使用 Azure DevOps 工具提交我的项目更改,将更改(通过 Git)推送到 Azure DevOps 存储库,让 CI/CD 构建项目遵循管道规则部署到开发/生产/等.在此期间,请将连接字符串置于源代码控制之外.
The goal is to use the Azure DevOps tools to commit my project changes, push (via Git) the changes to Azure DevOps repo, have the CI/CD build the projected follow the pipeline rules to deploying to dev/production/etc. All this while, keep connection strings out of source control.
目前,我有一个网站(旧版 Web 应用程序),它在外部连接字符串文件上有本地连接字符串定义(基于这篇文章 连接字符串和配置文件).它作为应用服务托管在 Azure 上.在我的 .gitignore 文件中,我让 Git 忽略了特定的连接字符串文件,因此它不在源代码管理中.使用 Azure 的 GitHub 部署功能,该站点使用 GitHub 中的源进行更新.但是,我不得不手动上传带有错误/错误数据的连接字符串文件.我使用 Azure 的应用程序设置来定义连接字符串本身.这个过程工作得很好.
Currently, I got a website (legacy Web Application) that has local connection string definitions on an external connection string file (based on this article Connection Strings and Configuration Files). It's hosted as an App Service on Azure. Within my .gitignore file I made Git ignore the specific connection strings file so that it's not in source control. Using Azure's deployment from GitHub feature, the site gets updated with the source in GitHub. However, I had to manually upload the connection string file with false/bad data. I use Azure's application settings to define the connection strings themselves. This process works perfectly fine.
我在 .Net Framework 4.7.2 上启动了一个新的 .Net Web API 项目.我也跟着文章把连接字符串分成单独的文件,这样我也可以在源代码管理中忽略该文件.当 Azure DevOps 构建项目时,它失败说:
I have a new .Net Web API project started at .Net Framework 4.7.2. I also followed the article to separate the connection strings into a separate files so that I can also ignore the file in source control. When the Azure DevOps builds the project it fails saying:
C:Program Files (x86)Microsoft VisualStudio2017EnterpriseMSBuildMicrosoftVisualStudiov15.0WebMicrosoft.Web.Publishing.targets(2603,5):错误:将文件 ConnectionStrings.config 复制到objReleasePackagePackageTmpConnectionStrings.config 失败.可以找不到文件ConnectionStrings.config".
C:Program Files (x86)Microsoft Visual Studio2017EnterpriseMSBuildMicrosoftVisualStudiov15.0WebMicrosoft.Web.Publishing.targets(2603,5): Error : Copying file ConnectionStrings.config to objReleasePackagePackageTmpConnectionStrings.config failed. Could not find file 'ConnectionStrings.config'.
显然,因为我没有将此文件添加到源代码管理中.主要是因为即使在开发过程中我也需要输入实际的连接字符串用户名/密码.
Obviously, because I'm not adding this file to source control. Mainly because even during development I need to put actual connection string usernames/password.
还有哪些其他解决方案/功能可以帮助实现这种情况?
What other solutions/features exist that can help accomplish this scenario?
推荐答案
简短回答:不要将机密放在配置文件中.
Short answer: Don't put secrets in configuration files.
如果您的所有资源都驻留在 Azure 中,请使用托管服务标识,这样您就无需为连接字符串烦恼.
If all your resources reside in Azure, use Managed Service Identities so that you don't need to bother with connection strings.
如果没有,请使用 ARM 模板和与密钥库相关的参数来管理您的 Azure 基础结构.Azure Web Apps 允许你在 Web 应用程序中使用应用程序设置/连接字符串覆盖配置文件.因此,只需使用密钥保管库来管理这些内容,然后告诉网络应用从密钥保管库中提取值.
If not, use ARM templates and key vault-linked parameters to manage your Azure infrastructure. Azure Web Apps allow you to override configuration files with app settings/connection strings within the web app. So simply use key vault to manage that stuff, and tell the web app to pull the values from key vault.
这篇关于Azure DevOps CI/CD 和从源代码管理中分离连接字符串的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
