0

I'm setting up my production environment and would like to secure my environment-related variables. For the moment, every environment has its own application parameters file, which works well, but I don't want every dev in my team knowing the production connection strings and other sensitive stuffs that could appear in there.

So I'm looking for every possibility available. I've seen that in Azure DevOps, which I'm using at the moment for my CI/CD, there is some possible variable substitution (xml transformation). Is it usable in a SF project? I've seen in another project something similar through Octopus. Are there any other tools that would help me manage my variables by environment safely (and easily)? Can I do that with my KeyVault eventually? Any recommendations? Thanks

EDIT: an example of how I'd like to manage those values; this is a screenshot from octopus : enter image description here

so something similar to this that separates and injects the values is what I'm looking for.

Xav Sc
  • 489
  • 1
  • 5
  • 23

1 Answers1

2

You can do XML transformation to the ApplicationParameter file to update the values in there before you deploy it.

The other option is use Powershell to update the application and pass the parameters as argument to the script.

The Start-ServiceFabricApplicationUpgrade command accept as parameter a hashtable with the parameters, technically, the builtin task in VSTS\DevOps transform the application parameters in a hashtable, the script would be something like this:

#Get the existing parameters
$app = Get-ServiceFabricApplication -ApplicationName "fabric:/AzureFilesVolumePlugin"

#Create a temp hashtable and populate with existing values
$parameters = @{ } 
$app.ApplicationParameters | ForEach-Object { $parameters.Add($_.Name, $_.Value) }

#Replace the desired parameters
$parameters["test"] = "123test" #Here you would replace with your variable, like  $env:username 

#Upgrade the application
Start-ServiceFabricApplicationUpgrade -ApplicationName "fabric:/AzureFilesVolumePlugin" -ApplicationParameter $parameters -ApplicationTypeVersion "6.4.617.9590" -UnmonitoredAuto

Keep in mind that the existing VSTS Task also has other operations, like copy the package to SF and register the application version in the image store, you will need to replicate it. You can copy the full script from Deploy-FabricApplication.ps1 file in the service fabric project and replace it with your changes. The other approach is get the source for the VSTS Task here and add your changes.

If you are planning to use KeyVault, I would recommend the application access the values direct on KeyVault instead of passing it to SF, this way, you can change the values in KeyVault without redeploying the application. In the deployment, you would only pass the KeyVault credentials\configuration.

Diego Mendes
  • 10,631
  • 2
  • 32
  • 36
  • Thank you, how would you do xml transformation? I've seen in vsts/devops an extension "token replace" is this it? but how would you organize it? Same question for the keyvault, can I in my Cloud.xml applicationparams file access those values directly from keyvault in some way or does it have to be in my .cs files? I've added a screenshot of an example of how I'd like to manage it. – Xav Sc Jan 31 '19 at 09:36
  • There are many solutions, I generally use Powershell, you can also use the `Replace Token` task in VSTS, depends how you are managing it. For Key vault you add the keyvault details in the config and the application load at runtime direct from keyvault. – Diego Mendes Jan 31 '19 at 10:03
  • ok, thank you for your insights, will have to think about it a bit – Xav Sc Jan 31 '19 at 11:31