Best way to inject Azure KeyVault into a ASP.NET Web Site?

Question

I inherited an old pre-project style ASP.NET Web Site (where you just open a folder, no solution file). I was able to convert that to the slightly newer ASP.NET Web Site template so now I have solution file. (I did attempt to convert to a Web Application after that but it went horrifically bad - seems like it would need a re-write unless I messed up which is always possible).

We are migrating this app to be deployed via Azure DevOps Pipelines, and I'm a bit stuck on how to handle secrets (specifically connection strings). We already have Key Vaults set up for other apps and it all works well, but Web Site template has no nice integration like the Web Application template does.

Now, I could just put placeholders in the web config and use the pipeline to replace the values with Key Vault which would work just fine, but then local development wouldn't be very easy (they'd have to copy/paste a local web config I suppose each time).

Anyone done this successfully with Web Site, or am I just trying to make something work with an old tech that was never ment for it?

Thanks!

Answer 1

Though Replace token method is very convenient and easy to use in Azure devops pipeline, as what you mentioned, it leads many trouble to other developer work (especially for the local develop).

Why not consider to use File transformation task to do this transformate work? This task has one feature variable substitution can let you avoid to any format changes on config file. Just need define corresponding variables which will replace into the config file.

---

Let me take one example to explain this, below is a simple web.config file sample:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="apiConfig" type="System.Configuration.NameValueSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>
  <apiConfig>
    <add key="ClientBasetUrl" value="http://localhost:4200" />
  </apiConfig>
  <system.web>
    <compilation debug="true" targetFramework="4.6.2">
      <assemblies>
        <add assembly="System.Net.Http.WebRequest, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </assemblies>
    </compilation>
    <httpRuntime targetFramework="4.6.1" maxRequestLength="20480" />
  </system.web>
</configuration>

Now I need replace the ClientBasetUrl value: http://localhost:4200 to http://localhost:8080.

1) Since what you concerned is combine Azure Key Vault with Asp.net web application, just go and create one secret ClientBasetUrl into Azure key Vault, and its value is http://localhost:8080.

2) Connect Azure key vault into azure devops pipeline.

3) Here is the key step: Do configure the File Transform task.

steps:

- task: FileTransform@2

  displayName: 'File Transform with Variable: '

  inputs:

    folderPath: '$(System.DefaultWorkingDirectory)'

    xmlTargetFiles: MonoApp.config //Here put your config file name that relative to the root folder

Then you will see the replace are finished successfully after this task ended.

You can see I don't need do any syntax change to my config file, just need store corresponding variables in Azure key vault and ensure they can be downloaded during the pipeline running.

Also, it can make me go very smoothly on my local develop work.