
I asked previously how to do variable substitution with Azure KeyVault here, and was able to get it mostly working save one last issue. For some unknown reason, the substitution occurs perfectly but it adds one extra single quote at the end. Since these are connection strings in the web.config, that extra single quote breaks it. I have no idea what is adding that extra single quote. I did quadruple check KeyVault to ensure it's not there as a typo. I have tried doing XML variable substitution with the FileTransform@2 task, as recommended by the answer on my previous question, as well as with the IISWebAppDeploymentOnMachineGroup@0 task with XmlVariableSubstitution set to true. Both added the extra single quote.

Example of web.config before pipeline runs (this is what is checked into Git):

```xml
<connectionStrings>
  <add name="DbConnection" connectionString="Placeholder"/>
  ...
</connectionStrings>
```

And after the pipeline finishes with XML variable substitution:

```xml
<connectionStrings>
  <add name="DbConnection" connectionString="DataSource=TheDatabase;CheckConnectionOnOpen=true;UserId=MyUser;Password=ThePassword;'"/>
  ...
</connectionStrings>
```

As you can see, it's properly connecting to Azure KeyVault, getting the value and doing the substitution. It's that extra single quote at the end after "ThePassword;" that's making the connection string un-parseable by the application.

Here are snippets of my pipeline:

```yaml
- task: AzureKeyVault@1
  displayName: 'Get secrets from KeyVault'
  inputs:
    azureSubscription: '${{parameters.keyVault.keyVaultServiceConnection}}'
    KeyVaultName: '${{parameters.keyVault.keyVaultName}}'
    SecretsFilter: '*'
# KeyVault has an app name prefix for each connection string as well as an environment name postfix, so this loop removes that prefix so the transformation can match the names/keys properly
- ${{ each secret in parameters.keyVault.secrets }}:
    - task: CmdLine@2
      displayName: 'Set KeyVault secret to match config name'
      inputs:
        script: echo ##vso[task.setvariable variable=${{secret.configSecretName}}]$(${{secret.secretName}}-${{parameters.environment}})
- task: IISWebAppManagementOnMachineGroup@0
  displayName: 'Set up app pool and web site'
  inputs:
    IISDeploymentType: 'IISWebsite'
    ActionIISWebsite: 'CreateOrUpdateWebsite'
    WebsiteName: '${{parameters.webSiteName}}'
    WebsitePhysicalPath: '${{parameters.webSitePhysicalPathRoot}}'
    WebsitePhysicalPathAuth: 'WebsiteUserPassThrough'
    CreateOrUpdateAppPoolForWebsite: true
    AppPoolNameForWebsite: '${{parameters.webAppPool}}'
    DotNetVersionForWebsite: '${{parameters.webAppPoolDotNetVersion}}'
    PipeLineModeForWebsite: '${{parameters.pipeLineModeForWebsite}}'
    AppPoolIdentityForWebsite: '${{parameters.appPoolIdentityForWebsite}}'
- task: IISWebAppDeploymentOnMachineGroup@0
  displayName: 'Deploy web site'
  inputs:
    WebSiteName: '${{parameters.webSiteName}}'
    VirtualApplication: '${{parameters.webAppName}}'
    Package: '$(System.ArtifactsDirectory)\*.zip'
    RemoveAdditionalFilesFlag: ${{parameters.removeAdditionalFiles}} # Set to true
    XmlTransformation: ${{parameters.xmlTransformation}} # Set to false
    XmlVariableSubstitution: ${{parameters.xmlVariableSubstitution}} # Set to true
    TakeAppOfflineFlag: true
```

I have also tried setting XmlVariableSubstitution to false and using the FileTransform@2 as mentioned above:

```yaml
- task: FileTransform@2
  inputs:
    folderPath: '${{parameters.webSitePhysicalPathRoot}}'
    xmlTargetFiles: 'web.config'
```

Hershizer33
  • Tested using Keyvault variables to replace the web.config parameter, and it works fine (without the single quote). You could check whether the Keyvault value contains special characters. If special characters exist, you can try deleting them and check whether it works as expected. Please share an example of the specific Keyvault content. – Kevin Lu-MSFT May 14 '20 at 05:26
  • It's a connection string, so I obviously have to change it to post here, but this is an example of what's in keyvault: `DataSource=TheDbName;CheckConnectionOnOpen=true;UserId=USER001;Password=SE7VEN07;` – Hershizer33 May 14 '20 at 15:45
  • I tested the value you shared, but it still works fine. In my testing, I noticed that if there are **double quotes** in KeyVault, they will be converted to single quotes after replacing. Please check whether you have double quotes in the keyvault value. You can directly try to replace the existing keyvault value with the value you shared above for testing (create a new keyvault version). You can also try to use **only** the "Azure keyvault" task and the "File Transform" task to run the pipeline and check the result. – Kevin Lu-MSFT May 15 '20 at 09:19
  • @KevinLu-MSFT As a follow-up, there were no double quotes. I tried many combinations of all the tasks and still have the single quote issue. I actually had to write a silly PowerShell script that removed the single quote if the connection string ended in one just to get it running. Any other thoughts? – Hershizer33 Jun 05 '20 at 17:57
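
A post-deployment check for the failure described in this thread, as an added example that is not part of the original question or its comments: it parses the transformed web.config and flags any connection string left with an unterminated quote or a malformed segment, reporting only the entry name so the secret value never reaches the pipeline log. `Find-BadConnectionString` and the second sample entry are assumptions made for illustration.

```powershell
# Added example (not from the original post). Find-BadConnectionString is a
# hypothetical helper; the XML below is constructed sample data.
function Find-BadConnectionString {
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($node in $Config.SelectNodes('//connectionStrings/add')) {
        $value = $node.GetAttribute('connectionString')
        $quote = $null; $segment = ''; $segments = @()
        # Split on ';' only outside quotes, remembering any quote left open.
        foreach ($ch in $value.ToCharArray()) {
            if ($null -ne $quote) {
                if ($ch -eq $quote) { $quote = $null }
                $segment += $ch
            } elseif ($ch -eq "'" -or $ch -eq '"') {
                $quote = $ch; $segment += $ch
            } elseif ($ch -eq ';') {
                $segments += $segment; $segment = ''
            } else { $segment += $ch }
        }
        $segments += $segment
        $problem = $null
        if ($null -ne $quote) {
            $problem = "unterminated $quote quote"
        } else {
            foreach ($s in $segments) {
                if ($s.Trim() -ne '' -and $s -notmatch '^\s*[^=\s][^=]*=') {
                    $problem = 'segment without key=value form'
                }
            }
        }
        # Report the entry name and the defect only, never the secret value.
        if ($problem) {
            [pscustomobject]@{ Name = $node.GetAttribute('name'); Problem = $problem }
        }
    }
}

[xml]$sample = @'
<configuration>
  <connectionStrings>
    <add name="DbConnection" connectionString="DataSource=TheDatabase;CheckConnectionOnOpen=true;UserId=MyUser;Password=ThePassword;'"/>
    <add name="Other" connectionString="DataSource=TheDatabase;UserId=MyUser;"/>
  </connectionStrings>
</configuration>
'@
# As a pipeline step: log one error per bad entry and fail the job.
$bad = @(Find-BadConnectionString -Config $sample)
foreach ($b in $bad) { Write-Host "##vso[task.logissue type=error]$($b.Name): $($b.Problem)" }
if ($bad.Count -gt 0) { exit 1 }
```

Run against the sample, only `DbConnection` is reported, with the problem `unterminated ' quote`; in a real pipeline the `[xml]` input would come from `Get-Content` on the deployed web.config.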

0 Answers