4

So I've been following many different ideas/strategies through many blogs/SO posts, but I haven't been able to find my ideal solution.

What I'm Using

  • Visual Studio 2017 v15.9.6
  • Git (source control)
  • Azure DevOps CI/CD
  • Azure App Service (to host the Web API)

Goal

The goal is to use the Azure DevOps tools to commit my project changes, push (via Git) the changes to the Azure DevOps repo, and have the CI/CD build the project and follow the pipeline rules to deploy to dev/production/etc. All this while keeping connection strings out of source control.

Currently, I have a website (legacy Web Application) that has local connection string definitions in an external connection string file (based on this article: Connection Strings and Configuration Files). It's hosted as an App Service on Azure. Within my .gitignore file I made Git ignore the specific connection strings file so that it's not in source control. Using Azure's deployment from GitHub feature, the site gets updated with the source in GitHub. However, I had to manually upload the connection string file with false/bad data. I use Azure's application settings to define the connection strings themselves. This process works perfectly fine.

The Problem

I have a new .Net Web API project started on .Net Framework 4.7.2. I also followed the article to separate the connection strings into a separate file so that I can also ignore the file in source control. When Azure DevOps builds the project it fails saying:

C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\Microsoft\VisualStudio\v15.0\Web\Microsoft.Web.Publishing.targets(2603,5): Error : Copying file ConnectionStrings.config to obj\Release\Package\PackageTmp\ConnectionStrings.config failed. Could not find file 'ConnectionStrings.config'.

Obviously, because I'm not adding this file to source control, mainly because even during development I need to put in actual connection string usernames/passwords.

Question

What other solutions/features exist that can help accomplish this scenario?

RoLYroLLs

3 Answers

6

Short answer: Don't put secrets in configuration files.

If all your resources reside in Azure, use Managed Service Identities so that you don't need to bother with connection strings.

If not, use ARM templates and key vault-linked parameters to manage your Azure infrastructure. Azure Web Apps allow you to override configuration files with app settings/connection strings within the web app. So simply use key vault to manage that stuff, and tell the web app to pull the values from key vault.

Daniel Mann
  • This "key vault" sounds interesting and something I was about to look into but wasn't sure yet. I'll be looking into it now. – RoLYroLLs Feb 18 '19 at 21:22
  • After much review and trying to set this up, I'm stuck at about 75% implementing the key vault references. Mainly stuck on how to properly get the `connectionStrings` section on my `Web.config` file or figure out how to properly send the connection through to the `DbContext`. Though my question does not ask these details, this answer is the best answer as of now. Thank you. – RoLYroLLs Feb 19 '19 at 18:25
2

The VSRM task to publish Web Apps supports overriding values in Web.config. You can keep your secrets in VSRM and replace them at deployment time. See File transforms and variable substitution reference # XML variable substitution.

abatishchev
  • Hi! Thanks. I was actually already using this, but I think you missed the part where I said *I need to put actual connection string usernames/password* on my local/debug files too and I don't want to commit these... or am I misunderstanding something? – RoLYroLLs Feb 18 '19 at 21:20
  • @RoLYroLLs: don't do that, or put only *test* (or local) connection string usernames/passwords, not the real ones. – abatishchev Feb 19 '19 at 22:03
  • I don't want to, but even for development of this particular task I have to, which is why I don't want to commit the file and figure out a way to transform or reference something for it. Like how I think Key Vault works, but still trying to figure out how to get it to work. =) – RoLYroLLs Feb 19 '19 at 22:23
2

If you do need to put your actual connection string file in your project for debug, and therefore add the path of your connectionString file to .gitignore, you could let the Pipeline create a dummy connection string file before the VSBuild task. This can be done with the File Creator, which is available in the Visual Studio Marketplace. After that, you simply insert the actual connection string into the Configuration for the App Service in Azure.

JayPi
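As an added example (not from the question or any of the answers), here is what JayPi's approach looks like as an azure-pipelines.yml, using an inline PowerShell step instead of the File Creator marketplace task to write the git-ignored placeholder before VSBuild runs. The project folder MyWebApi, the connection string name DefaultConnection and the agent image are assumptions.

```yaml
# azure-pipelines.yml (constructed example; project folder, connection string
# name and agent image are assumptions, not values from the question)
trigger:
- master

pool:
  vmImage: 'windows-latest'

steps:
# ConnectionStrings.config is git-ignored, so the MSBuild package step cannot
# find it and fails. Generate a placeholder with the same section shape here;
# the values are dummies and never contain real credentials.
- powershell: |
    $path = Join-Path '$(Build.SourcesDirectory)' 'MyWebApi\ConnectionStrings.config'
    @'
    <?xml version="1.0" encoding="utf-8"?>
    <connectionStrings>
      <add name="DefaultConnection"
           connectionString="PLACEHOLDER-overridden-by-App-Service-connection-strings"
           providerName="System.Data.SqlClient" />
    </connectionStrings>
    '@ | Set-Content -Path $path -Encoding UTF8
  displayName: 'Create placeholder ConnectionStrings.config'

# The build now finds the file and packages it; only the placeholder ships.
- task: VSBuild@1
  inputs:
    solution: '**/*.sln'
    msbuildArgs: '/p:DeployOnBuild=true /p:WebPublishMethod=Package /p:PackageAsSingleFile=true /p:PackageLocation="$(Build.ArtifactStagingDirectory)"'
    platform: 'Any CPU'
    configuration: 'Release'
```

Web.config keeps `<connectionStrings configSource="ConnectionStrings.config" />`, and the connection string entered in the App Service configuration under the same name (DefaultConnection) replaces the placeholder at runtime, so no real credential reaches the repository or the build artifact.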