
DbUpMigration - Secret (environment) variables not accessible

Open SebastiaanPolfliet opened this issue 5 years ago • 2 comments

Hi

First of all, thank you for the Azure DevOps task!

I encounter the following issue:

DbUp does not pick up variables that are marked as secret.

Looking at the source code, it seems that the values are read directly from environment variables in PowerShell, but (by design) secrets aren't mapped to environment variables (see documentation).

In the following issue they suggest using input fields.

Is this something that can be considered?

SebastiaanPolfliet, Sep 03 '19 19:09

Thank you!

Yes. I am aware of the issue.

I think that the hardest problem to solve is how to make the GUI. The only thing I can think of is to have a multi-line textbox where each line needs to be in the format myname=myvalue. But is that good enough? Do you have any other suggestion?

Meanwhile, I think a workaround would be to use a PowerShell task before the DbUp task where you use a logging command such as:

Write-Host "##vso[task.setvariable variable=MYNAME;]($mysecret)"

johanclasson, Sep 03 '19 20:09

Thank you for the suggested workaround.

I would base my UI on one of the following tasks:

  • Azure Resource Group Deployment Task

The task has an input field called overrideParameters, which has the same problem. Microsoft uses the following task.json input field configuration:
{
    "name": "overrideParameters",
    "type": "multiLine",
    "label": "Override template parameters",
    "defaultValue": "",
    "required": false,
    "groupName": "Template",
    "helpMarkDown": ".. ",
    "properties": {
        "editorExtension": "ms.vss-services-azure.azurerg-parameters-grid"
    }
}

However, I don't know if you can use the editorExtension yourself (something to test).

See https://github.com/microsoft/azure-pipelines-tasks/blob/master/Tasks/AzureResourceGroupDeploymentV2/task.json

  • PowerShell task

Microsoft uses the following setting for this in its task.json.

"showEnvironmentVariables": true

See https://github.com/microsoft/azure-pipelines-tasks/blob/master/Tasks/PowerShellV2/task.json

I think I prefer the second UI; I also suspect it allows you to use the same code as you have now. If you add an entry like DBUP_SECRET with value $(SECRET), I'd expect it to be available in your PowerShell script.

If I come up with other tasks that try to solve the same issue I'll let you know.

SebastiaanPolfliet, Sep 04 '19 19:09
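
Added example, not from the thread or from the DbUp task's own code: a sketch of how a task script could collect secrets that were explicitly mapped in as prefixed environment variables, as the last comment proposes with DBUP_SECRET, and fail when a mapping still holds an unresolved `$(NAME)` macro. The function name `Get-PrefixedSecret`, the `DBUP_` prefix handling and the sample values are assumptions made for illustration.

```powershell
# Added example; Get-PrefixedSecret is a hypothetical helper, not part of the DbUp task.
function Get-PrefixedSecret {
    [CmdletBinding()]
    param(
        [string]$Prefix = 'DBUP_',
        # Environment snapshot; injectable so the function can be exercised offline.
        [System.Collections.IDictionary]$Environment = [Environment]::GetEnvironmentVariables()
    )

    $result = @{}
    foreach ($key in @($Environment.Keys)) {
        $name = [string]$key
        if (-not $name.StartsWith($Prefix, [StringComparison]::OrdinalIgnoreCase)) { continue }

        $value = [string]$Environment[$key]
        # An undefined pipeline variable leaves the macro text in place, e.g. "$(SECRET)".
        # Fail early instead of passing that literal on, and keep the value out of the message.
        if ($value -match '^\$\([^)]+\)$') {
            throw "Variable '$name' is an unresolved macro; check the mapped variable name."
        }
        # Strip the prefix so DBUP_SECRET becomes SECRET.
        $result[$name.Substring($Prefix.Length)] = $value
    }
    return $result
}

# Constructed sample input (not real pipeline output).
$sample = @{
    'DBUP_SECRET' = 'constructed-value'
    'PATH'        = '/usr/bin'
}
$vars = Get-PrefixedSecret -Environment $sample

# Print names only; the values are never written to the log.
$vars.Keys | ForEach-Object { Write-Host "DbUp variable available: $_" }
```

Only variables mapped explicitly with the prefix reach the script, so a secret is exposed to this one task rather than republished as a plain pipeline variable for every later task in the job.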