I am testing the deployment of ARM template tasks with securestring outputs and securestring inputs.

The first task outputs a securestring of a Cosmos DB.

  - task: AzureResourceManagerTemplateDeployment@3
    displayName: "Create CosmosDB"
    inputs:
      deploymentScope: 'Resource Group'
      azureResourceManagerConnection: ${{ parameters['ServiceConnection']}}
      subscriptionId: $(SubscriptionID)
      action: 'Create Or Update Resource Group'
      resourceGroupName: '$(ResourceGroup)'
      location: 'West Europe'
      templateLocation: 'Linked artifact'
      csmFile: '$(Pipeline.Workspace)/drop/armtemplates/cosmosdb_deployment.json'
      csmParametersFile: '$(Pipeline.Workspace)/drop/armtemplates/cosmosdb_parameters.json'
      deploymentMode: 'Incremental'
      deploymentOutputs: 'ArmOutputsCMDB'
      overrideParameters: '-SubscriptionName $(subname) -VersionToDeploy $(VersionToDeploy) -CosmosResourceName $(CosmosResourceName) -DatabaseID $(DatabaseID) -ContainerID $(ContainerID) -PartitionKey $(PartitionKey) -CosmosDBmaxThroughput $(CosmosDBmaxThroughput)'
    continueOnError: false

In the second task I want to use the output from the first task, also as a securestring type. Unfortunately the string gives an empty value back.

The parameter I want to override in the second task is: -CosmosDbConnectionString $(ArmOutputsCMDBPrimaryConnectionStringCosmos)

I tried to use a PowerShell script to output the secure string and make it a variable with the option issecret=true, but this also does not give me the correct input in the second task; it is still an empty value.

PowerShell

- task: PowerShell@2
  displayName: "Create variables from Cosmos output"
  inputs:
    targetType: 'inline'
    script: |
      # Parse the JSON outputs of the ARM deployment
      $outputs = ConvertFrom-Json $($env:ArmOutputsCMDB)
      foreach ($output in $outputs.PSObject.Properties) {
        # Register each output as a secret pipeline variable (logging command must be on one line)
        Write-Host "##vso[task.setvariable variable=$($output.Name);issecret=true]$($output.Value.value)"
      }
  continueOnError: false

When I make use of the Azure DevOps library for secrets, the secret is passed to the ARM template and it is used as a secure string.

I was not able to find the reason for this.

The variable is not empty when I make the parameter in the second task as string type. When I change it to securestring the value is empty.

Asked 2 days ago by Sergio (edited 2 days ago)

1 Answer

I found an article from Microsoft.

Don't use secure strings or objects as output values. If you include a secure value as an output value, the value isn't displayed in the deployment history and can't be retrieved from another template. Instead, save the secure value in a key vault, and pass as a parameter from the key vault.

In this case I am changing the way of deployment and doing it this way.

  1. Get the secret from the key vault (if exists).
  2. Disable the current version if step 1 is true.
  3. Deploy the arm template.
  4. Set the secret in the key vault from the arm template in step 3.
  5. Download the secret in the next task from the key vault with the key vault task and use the variable in the second arm template.

For step 5, the property RunAsPreJob must be set to false on the AzureKeyVault@2 task, so that you can download the secret after it has been defined in step 3/4.

For me this workaround/option/solution works now.
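The five steps from the answer above, written out as a pipeline fragment. This is an added example, not the answerer's pipeline: the `KeyVaultName` variable, the secret name `CosmosDbConnectionString`, the `second_deployment.json` path, and the assumption that `cosmosdb_deployment.json` itself writes the secret through a `Microsoft.KeyVault/vaults/secrets` resource are all hypothetical.

```yaml
# Added example. KeyVaultName, the secret name and second_deployment.json are placeholders.
steps:
  # Steps 1-2: disable the current secret version if it exists (bash-capable agent assumed).
  - task: AzureCLI@2
    displayName: "Disable current secret version"
    inputs:
      azureSubscription: ${{ parameters['ServiceConnection'] }}
      scriptType: 'bash'
      scriptLocation: 'inlineScript'
      inlineScript: |
        vault="$(KeyVaultName)"
        id=$(az keyvault secret show --vault-name "$vault" --name CosmosDbConnectionString --query id -o tsv 2>/dev/null || true)
        if [ -n "$id" ]; then
          az keyvault secret set-attributes --id "$id" --enabled false --output none
        fi
  # Steps 3-4: assumes the template stores the connection string itself through a
  # Microsoft.KeyVault/vaults/secrets resource, so no deploymentOutputs are needed.
  - task: AzureResourceManagerTemplateDeployment@3
    displayName: "Create CosmosDB"
    inputs:
      deploymentScope: 'Resource Group'
      azureResourceManagerConnection: ${{ parameters['ServiceConnection'] }}
      subscriptionId: $(SubscriptionID)
      action: 'Create Or Update Resource Group'
      resourceGroupName: '$(ResourceGroup)'
      location: 'West Europe'
      templateLocation: 'Linked artifact'
      csmFile: '$(Pipeline.Workspace)/drop/armtemplates/cosmosdb_deployment.json'
      csmParametersFile: '$(Pipeline.Workspace)/drop/armtemplates/cosmosdb_parameters.json'
      deploymentMode: 'Incremental'
      # overrideParameters: as in the question
  # Step 5: RunAsPreJob false, so the download runs after the secret has been written.
  - task: AzureKeyVault@2
    displayName: "Download Cosmos connection string"
    inputs:
      azureSubscription: ${{ parameters['ServiceConnection'] }}
      KeyVaultName: '$(KeyVaultName)'
      SecretsFilter: 'CosmosDbConnectionString'
      RunAsPreJob: false
  # The secret is now available as the masked variable $(CosmosDbConnectionString).
  - task: AzureResourceManagerTemplateDeployment@3
    displayName: "Deploy second template"
    inputs:
      azureResourceManagerConnection: ${{ parameters['ServiceConnection'] }}
      subscriptionId: $(SubscriptionID)
      resourceGroupName: '$(ResourceGroup)'
      location: 'West Europe'
      csmFile: '$(Pipeline.Workspace)/drop/armtemplates/second_deployment.json'
      overrideParameters: '-CosmosDbConnectionString "$(CosmosDbConnectionString)"'
```

The identity behind the service connection needs Get, List and Set permissions on the vault's secrets for the CLI step and the AzureKeyVault@2 task to succeed.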
