Azure DevOps CI/CD and Separating Connection Strin

2020-04-10 23:28发布

So I've been following many different idea/strategies through many blogs/SO posts but I haven't been able to find my idea solution.

What I'm Using

  • Visual Studio 2017 v15.9.6
  • Git (source control)
  • Azure DevOps CI/CD
  • Azure App Service (to host the Web API)

Goal

The goal is to use the Azure DevOps tools to commit my project changes, push (via Git) the changes to Azure DevOps repo, have the CI/CD build the projected follow the pipeline rules to deploying to dev/production/etc. All this while, keep connection strings out of source control.

Currently, I got a website (legacy Web Application) that has local connection string definitions on an external connection string file (based on this article Connection Strings and Configuration Files). It's hosted as an App Service on Azure. Within my .gitignore file I made Git ignore the specific connection strings file so that it's not in source control. Using Azure's deployment from GitHub feature, the site gets updated with the source in GitHub. However, I had to manually upload the connection string file with false/bad data. I use Azure's application settings to define the connection strings themselves. This process works perfectly fine.

The Problem

I have a new .Net Web API project started at .Net Framework 4.7.2. I also followed the article to separate the connection strings into a separate files so that I can also ignore the file in source control. When the Azure DevOps builds the project it fails saying:

C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\Microsoft\VisualStudio\v15.0\Web\Microsoft.Web.Publishing.targets(2603,5): Error : Copying file ConnectionStrings.config to obj\Release\Package\PackageTmp\ConnectionStrings.config failed. Could not find file 'ConnectionStrings.config'.

Obviously, because I'm not adding this file to source control. Mainly because even during development I need to put actual connection string usernames/password.

Question

What other solutions/features exist that can help accomplish this scenario?

2条回答
Anthone
2楼-- · 2020-04-10 23:31

VSRM task to publish Web Apps supports overriding values in Web.config. You can keep your secrets in VSRM and replace them in the deployment time. See File transforms and variable substitution reference # XML variable substitution

查看更多
太酷不给撩
3楼-- · 2020-04-10 23:43

Short answer: Don't put secrets in configuration files.

If all your resources reside in Azure, use Managed Service Identities so that you don't need to bother with connection strings.

If not, use ARM templates and key vault-linked parameters to manage your Azure infrastructure. Azure Web Apps allow you to override configuration files with app settings/connection strings within the web app. So simply use key vault to manage that stuff, and tell the web app to pull the values from key vault.

查看更多
登录 后发表回答