我一直在尝试制作一个 YAML 模板,该模板首先使用 AzureKeyVault@1 任务来获取一些 Azure KeyVault 机密的值,然后将这些机密用于 asqlAzureDacpacDeployment@1 任务中的 sqlUsername 和 sqlPassword。
我想将 KeyVault 机密的名称作为参数,以便此模板可用于许多不同的情况。
我之前已经成功地使用过这种技术,先使用 AzureKeyVault@1 任务,然后再使用 AzurePowerShell@4 任务,其中秘密作为 PowerShell 脚本的环境变量被注入。
这是工作模板的简化版本:
parameters:
- name: subscription
type: string
- name: keyVaultSecretName
type: string
- name: keyVault
type: string
jobs:
- job: Run_PowerShell_With_Secret
pool:
name: Azure Pipelines
vmImage: windows-latest
steps:
- task: AzureKeyVault@1
inputs:
azureSubscription: ${{ parameters.subscription }}
keyVaultName: ${{ parameters.keyVault }}
secretsFilter: ${{ parameters.keyVaultSecretName }}
- task: AzurePowerShell@4
inputs:
azureSubscription: ${{ parameters.subscription }}
ScriptPath: 'some_script.ps1'
azurePowerShellVersion: LatestVersion
env:
SECRETVALUE: $(${{ parameters.keyVaultSecretName }})
这是我无法使用相同技术的模板:
parameters:
- name: subscription
type: string
- name: keyVault
type: string
- name: sqlServerName
type: string
- name: sqlDatabaseName
type: string
- name: sqlServerAdminSecretName
type: string
- name: sqlServerPasswordSecretName
type: string
- name: dacpacName
type: string
- name: artifactName
type: string
jobs:
- job: Deploy_SQL_Database
pool:
name: Azure Pipelines
vmImage: windows-latest
steps:
- task: DownloadPipelineArtifact@2
inputs:
artifact: ${{ parameters.artifactName }}_artifacts
- task: AzureKeyVault@1
inputs:
azureSubscription: ${{ parameters.subscription }}
keyVaultName: ${{ parameters.keyVault }}
secretsFilter: '${{ parameters.sqlServerAdminSecretName }}, ${{ parameters.sqlServerPasswordSecretName }}'
- task: sqlAzureDacpacDeployment@1
inputs:
azureSubscription: ${{ parameters.subscription }}
ServerName: ${{ parameters.sqlServerName }}.database.windows.net
DatabaseName: ${{ parameters.sqlDatabaseName }}
sqlUsername: $(${{ parameters.sqlServerAdminSecretName }})
sqlPassword: $(${{ parameters.sqlServerPasswordSecretName }})
DacpacFile: $(Pipeline.Workspace)\${{ parameters.dacpacName }}.dacpac
如果我硬编码秘密名称,我可以让模板工作:
parameters:
- name: subscriptionName
type: string
- name: keyVault
type: string
- name: sqlServerName
type: string
- name: sqlDatabaseName
type: string
- name: dacpacName
type: string
- name: artifactName
type: string
jobs:
- job: Deploy_${{ parameters.sqlDatabaseName }}_Database
pool:
name: Azure Pipelines
vmImage: windows-latest
steps:
- checkout: none
- task: AzureKeyVault@1
inputs:
azureSubscription: ${{ parameters.subscriptionName }}
keyVaultName: ${{ parameters.keyVault }}
secretsFilter: 'SQLServerAdmin, SQLServerPassword'
- task: DownloadPipelineArtifact@2
inputs:
artifact: ${{ parameters.artifactName }}_artifacts
- task: sqlAzureDacpacDeployment@1
inputs:
azureSubscription: ${{ parameters.subscriptionName }}
ServerName: ${{ parameters.sqlServerName }}.database.windows.net
DatabaseName: ${{ parameters.sqlDatabaseName }}
sqlUsername: $(sqlServerAdmin)
sqlPassword: $(sqlServerPassword)
DacpacFile: $(Pipeline.Workspace)\${{ parameters.dacpacName }}.dacpac
虽然这对我们现在有用,但我发现这不是最理想的。有什么方法可以使这些参数化变量名起作用吗?