1

我一直在尝试制作一个 YAML 模板,该模板首先使用 AzureKeyVault@1 任务来获取一些 Azure KeyVault 机密的值,然后将这些机密用于 asqlAzureDacpacDeployment@1 任务中的 sqlUsername 和 sqlPassword。

我想将 KeyVault 机密的名称作为参数,以便此模板可用于许多不同的情况。

我之前已经成功地使用过这种技术,先使用 AzureKeyVault@1 任务,然后再使用 AzurePowerShell@4 任务,其中秘密作为 PowerShell 脚本的环境变量被注入。

这是工作模板的简化版本:

parameters:
- name: subscription
  type: string
- name: keyVaultSecretName
  type: string
- name: keyVault
  type: string
jobs:
- job: Run_PowerShell_With_Secret
  pool:
    name: Azure Pipelines
    vmImage: windows-latest
  steps:
  - task: AzureKeyVault@1
    inputs:
      azureSubscription: ${{ parameters.subscription }}
      keyVaultName:  ${{ parameters.keyVault }}
      secretsFilter: ${{ parameters.keyVaultSecretName }}
  - task: AzurePowerShell@4
    inputs:
      azureSubscription: ${{ parameters.subscription }}
      ScriptPath: 'some_script.ps1'
      azurePowerShellVersion: LatestVersion
    env: 
      SECRETVALUE: $(${{ parameters.keyVaultSecretName }})

这是我无法使用相同技术的模板:

parameters:
- name: subscription
  type: string
- name: keyVault
  type: string
- name: sqlServerName
  type: string
- name: sqlDatabaseName
  type: string
- name: sqlServerAdminSecretName
  type: string
- name: sqlServerPasswordSecretName
  type: string
- name: dacpacName
  type: string
- name: artifactName
  type: string
jobs:
- job: Deploy_SQL_Database
  pool:
    name: Azure Pipelines
    vmImage: windows-latest
  steps:
  - task: DownloadPipelineArtifact@2
    inputs:
      artifact: ${{ parameters.artifactName }}_artifacts
  - task: AzureKeyVault@1
    inputs:
      azureSubscription: ${{ parameters.subscription }}
      keyVaultName:  ${{ parameters.keyVault }}
      secretsFilter: '${{ parameters.sqlServerAdminSecretName }}, ${{ parameters.sqlServerPasswordSecretName }}'
  - task: sqlAzureDacpacDeployment@1
    inputs:
      azureSubscription: ${{ parameters.subscription }}
      ServerName: ${{ parameters.sqlServerName }}.database.windows.net
      DatabaseName: ${{ parameters.sqlDatabaseName }}
      sqlUsername: $(${{ parameters.sqlServerAdminSecretName }})
      sqlPassword: $(${{ parameters.sqlServerPasswordSecretName }})
      DacpacFile:  $(Pipeline.Workspace)\${{ parameters.dacpacName }}.dacpac

如果我硬编码秘密名称,我可以让模板工作:

parameters:
- name: subscriptionName
  type: string
- name: keyVault
  type: string
- name: sqlServerName
  type: string
- name: sqlDatabaseName
  type: string
- name: dacpacName
  type: string
- name: artifactName
  type: string
jobs:
- job: Deploy_${{ parameters.sqlDatabaseName }}_Database
  pool:
    name: Azure Pipelines
    vmImage: windows-latest
  steps:
  - checkout: none
  - task: AzureKeyVault@1
    inputs:
      azureSubscription: ${{ parameters.subscriptionName }}
      keyVaultName:  ${{ parameters.keyVault }}
      secretsFilter: 'SQLServerAdmin, SQLServerPassword'
  - task: DownloadPipelineArtifact@2
    inputs:
      artifact: ${{ parameters.artifactName }}_artifacts
  - task: sqlAzureDacpacDeployment@1
    inputs:
      azureSubscription: ${{ parameters.subscriptionName }}
      ServerName: ${{ parameters.sqlServerName }}.database.windows.net
      DatabaseName: ${{ parameters.sqlDatabaseName }}
      sqlUsername: $(sqlServerAdmin)
      sqlPassword: $(sqlServerPassword)
      DacpacFile:  $(Pipeline.Workspace)\${{ parameters.dacpacName }}.dacpac

虽然这对我们现在有用,但我发现这不是最理想的。有什么方法可以使这些参数化变量名起作用吗?

4

0 回答 0