I have projects in Octopus which deploy various infrastructure, including Azure ARM templates. Some of the templates require passwords from Azure Key Vault. Is there a way to automate this?

itye1970

1 Answer

Sure, just use PowerShell; something like this will work (assuming you are authenticated to Azure with enough permissions):

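```powershell
# Read the certificate password and the base64-encoded certificate from Key Vault
$certPassword = (Get-AzureKeyVaultSecret -VaultName vaultname -Name passwordsecretName).SecretValueText
$certBase64 = (Get-AzureKeyVaultSecret -VaultName vaultname -Name base64secretName).SecretValueText

# Request body for the Octopus certificates endpoint; $certName must be set beforehand
$body = @{
    Name            = $certName
    CertificateData = @{
        HasValue = "True"
        NewValue = $certBase64
    }
    Password        = @{
        NewValue = $certPassword
    }
}
```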

And then you would just call the Octopus API with a REST call:

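```powershell
# $octopus_uri and $your_api_key must be set beforehand; $body comes from the previous snippet
$datota = @{
    Uri         = $octopus_uri + "/api/certificates/" + '?skip=0&take=2147483647'
    Headers     = @{ "X-Octopus-ApiKey" = $your_api_key }
    ErrorAction = "Stop"
    Body        = $body | ConvertTo-Json -Depth 4 -Compress
    Method      = "Post"
}

# Splat the parameters into the REST call
Invoke-RestMethod @datota
```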

You'd have to be a bit more clever if you store certificates as certificates, not as base64-encoded strings, but the idea is the same.

P.S. If you want to place them into variable sets, you just need to use a slightly different REST call. P.P.S. Another option: just use a PowerShell script to deploy the ARM template and have the PowerShell script retrieve the KV value and pass it to the template as a parameter.

4c74356b41
  • I would need just passwords etc. from the key vault, not really certificates. I'm not sure what the certificate data is for in the code? – itye1970 Jan 10 '19 at 15:44
  • Doesn't matter, you would just need to pull those as in my code and upload to Octopus as variables, not as certificates – 4c74356b41 Jan 10 '19 at 15:50
  • How would I get a username and password rather than a certificate as in the code above? – itye1970 Jan 14 '19 at 09:16
  • Well, from the key vault? Just reference the secrets you need to reference – 4c74356b41 Jan 14 '19 at 09:24
  • OK, managed to extract from the vault; however, how can you place them into variable sets in Octopus? – itye1970 Jan 14 '19 at 10:05
  • A variable set is basically a JSON array; you would need to pull that array down, add another array element to it and push the result back to Octopus. There is a bunch of stuff ready-made for you to consume: https://github.com/OctopusDeploy/OctopusDeploy-Api/tree/master/REST/PowerShell. They also have some DLL you can use with PowerShell. I use my own scripts because I needed them to work on Linux – 4c74356b41 Jan 14 '19 at 10:09
  • If you just want to use the secret in another step in the same process, you can call `Set-OctopusVariable`. You can then read the variable value back using `$OctopusParameters["Octopus.Action[StepName].Output.VarName"]` in PowerShell or `#{Octopus.Action[StepName].Output.VarName}` in binding syntax. You can also use the binding syntax in your ARM template directly, and the value will be injected before the ARM template is executed. [Documentation](https://octopus.com/docs/deployment-process/variables/output-variables) – benPearce Jan 16 '19 at 05:20
  • Basically I just need to read the values from the Azure Key Vault. If I have, say, an example project in Octopus and need a value from the Key Vault, where would I put this code? In the variable? In a script? I'm not sure where I would need to start. – itye1970 Jan 17 '19 at 09:57
  • Well, if you need it to happen during the build - create a PowerShell step during the build. If you need it to happen outside the build - just create a script and run it – 4c74356b41 Jan 17 '19 at 09:57
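
The pull, modify and push flow for a variable set described in the comments, as an added example that is not part of the original answer or of Octopus's own scripts. It assumes the server exposes `/api/libraryvariablesets` and `/api/variables` without a space prefix; the server URL, the `OCTOPUS_API_KEY` environment variable, the set id and the variable name are placeholders.

```powershell
# Added example: copy one Key Vault secret into an Octopus library variable set
# as a sensitive variable. Placeholder values are marked as such.
$ErrorActionPreference = "Stop"

$OctopusUri = "https://octopus.example.com"                  # placeholder server URL
$Headers    = @{ "X-Octopus-ApiKey" = $env:OCTOPUS_API_KEY } # key kept out of the script
$SetId      = "LibraryVariableSets-1"                        # placeholder set id
$VarName    = "SqlAdminPassword"                             # hypothetical variable name

# 1. Read the secret from Key Vault (same cmdlet and names as in the answer).
$secret = (Get-AzureKeyVaultSecret -VaultName vaultname -Name passwordsecretName).SecretValueText

# 2. Pull down the variable collection that backs the library variable set.
$librarySet  = Invoke-RestMethod -Uri "$OctopusUri/api/libraryvariablesets/$SetId" -Headers $Headers
$variableSet = Invoke-RestMethod -Uri "$OctopusUri/api/variables/$($librarySet.VariableSetId)" -Headers $Headers

# 3. Update the first variable with that name, or append a new element.
#    Variables with the same name in other scopes are left untouched.
$existing = $variableSet.Variables | Where-Object { $_.Name -eq $VarName } | Select-Object -First 1
if ($existing) {
    $existing.Value = $secret
    # Add-Member -Force covers responses that lack these properties.
    $existing | Add-Member -NotePropertyName IsSensitive -NotePropertyValue $true -Force
    $existing | Add-Member -NotePropertyName Type -NotePropertyValue "Sensitive" -Force
} else {
    $variableSet.Variables += [pscustomobject]@{
        Name        = $VarName
        Value       = $secret
        Type        = "Sensitive"   # stored encrypted and masked in Octopus logs
        IsSensitive = $true
        Scope       = @{}           # unscoped: applies everywhere the set is included
    }
}

# 4. Push the whole collection back; -Depth keeps nested Scope data intact.
$json = $variableSet | ConvertTo-Json -Depth 10
Invoke-RestMethod -Uri "$OctopusUri/api/variables/$($variableSet.Id)" -Headers $Headers `
    -Method Put -Body $json -ContentType "application/json" | Out-Null

# Log only the variable name, never the secret value.
Write-Host "Updated '$VarName' in $SetId"
```

Run it with an API key whose permissions are limited to editing that variable set, and from an identity that can read only the secrets it needs in the vault.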