0

In my release pipeline I have two variables adminLogin and adminPassword that are marked as secret. I have a task of type Azure CLI@2 in the same release pipeline. It is an inline Powershell Core script running on a Ubuntu agent (I tried the windows agent before with the same problem). The purpose is to deploy a bicep template sending the secret variables adminLogin and adminPassword as parameters.

The issue is that I am not able to access the secret variables in the task. I tried accessing it directly like this

Write-Host "##[warning]Using an input-macro works: $(adminLogin)"

But that did not work. I also tried to map an environmental variable

#Your build pipeline references a secret variable named ‘adminLogin’. Create or edit the build pipeline for this YAML file, define the variable on the Variables tab, and then select the option to make it secret. See https://go.microsoft.com/fwlink/?linkid=865972
variables:
  resourceGroupName: '...'
  environment: 'Test'
  webSku: 'B1'
  maxVCores: '1'
  databaseName: '...'
  applicationLogsRetentionInMB: '50'
  databaseAutoTurnOffDelay: '60'
  databaseMaxSizeInGiB: '10'

steps:
- task: AzureCLI@2
  displayName: 'Deploy bicep template'
  inputs:
    azureSubscription: '....'
    scriptType: pscore
    scriptLocation: inlineScript
    inlineScript: |
     Write-Host "##[warning]Using an input-macro works: $(adminLogin)"
     Write-Host "##[warning]Using the mapped env var for this task works and is recommended: $env:LOGIN"
     az deployment group create  `
     --template-file $(System.DefaultWorkingDirectory)/..../deployment.bicep `
     --resource-group $(resourceGroupName) `
     --parameters '{  \"environment\":{ \"value\": \"$(environment)\"},  \"adminLogin\":{ \"value\": \"$env:LOGIN\"},  \"adminPassword\":{ \"value\": \"$env:PASSWORD\"}, \"webSku\":{ \"value\": \"$(webSku)\"}, \"maxVCores\":{ \"value\": $(maxVCores)}, \"databaseName\":{ \"value\": \"$(databaseName)\"}, \"applicationLogsRetentionInMB\":{ \"value\": $(applicationLogsRetentionInMB)}, \"databaseAutoTurnOffDelay\":{ \"value\": $(databaseAutoTurnOffDelay)}, \"databaseMaxSizeInGiB\":{ \"value\": $(databaseMaxSizeInGiB)}}'
  env:
    LOGIN: $(adminLogin)
    PASSWORD: $(adminPassword)

The adminLogin and adminPassword is not sent when deploying the bicep template and I get this error message

{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "InvalidParameterValue",
      "message": "Invalid value given for parameter Login. Specify a valid parameter value."
    }
  ]
}

So I have two questions

  1. How can I change my Azure CLI task so that it can access the secret variables?
  2. Is there a different way to deploy a bicep template from a release pipeline that supports secret variables?
Nils Hedström
  • 126
  • 5

2 Answers2

0

Can you try this:

steps:
- task: AzureCLI@2
  displayName: 'Deploy bicep template'
  inputs:
    azureSubscription: '....'
    scriptType: pscore
    scriptLocation: inlineScript
    inlineScript: |
     Write-Host "##[warning]Using an input-macro works: $(adminLogin)"
     Write-Host "##[warning]Using the mapped env var for this task works and is recommended: $env:LOGIN"
     az deployment group create  `
     --template-file $(System.DefaultWorkingDirectory)/..../deployment.bicep `
     --resource-group $(resourceGroupName) `
     --parameters '{  \"environment\":{ \"value\": \"$(environment)\"},  \"adminLogin\":{ \"value\": \"$(adminLogin)\"},  \"adminPassword\":{ \"value\": \"$(adminPassword)\"}, \"webSku\":{ \"value\": \"$(webSku)\"}, \"maxVCores\":{ \"value\": $(maxVCores)}, \"databaseName\":{ \"value\": \"$(databaseName)\"}, \"applicationLogsRetentionInMB\":{ \"value\": $(applicationLogsRetentionInMB)}, \"databaseAutoTurnOffDelay\":{ \"value\": $(databaseAutoTurnOffDelay)}, \"databaseMaxSizeInGiB\":{ \"value\": $(databaseMaxSizeInGiB)}}'

I used Azure DevOops variables instead of environment variables.

Krzysztof Madej
  • 32,704
  • 10
  • 78
  • 107
  • That produced the same result and error message as before. This [documentation](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch) contains this: > In YAML pipelines, you can set variables at the root, stage, and job level. You can also specify variables outside of a YAML pipeline in the UI. When you set a variable in the UI, that variable can be encrypted and set as secret. Secret variables are not automatically decrypted in YAML pipelines and need to be passed to your YAML file with env: or a variable at the root level. – Nils Hedström Jun 04 '21 at 09:17
0

Azure CLI accepts parameters in form of parameterName=value and perhaps you should try this to pass secrets instead inline json. You have it in apostrophes, so shell variables inside will not be resolved and this probably causes your error.

Additionally, you can put Non-secret parameters into a json file and in —-parameters pass just the name of that file. CLI will detect and read the file to get parameters out. Secrets pass as key=value entries.

Other option to pass secrets to deployment is to use key vault references in the json file: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault (if the secret is in some key vault). If you need to consume secret in the entry file (in your case deployment.bicep) then use the reference but if secret is consumed by a module you can use getSecret function in bicep (from 0.4): https://github.com/Azure/bicep/blob/main/docs/spec/modules.md#using-existing-key-vaults-secret-as-input-for-secure-string-module-parameter and as parameter pass name and RG and subscription of the key vault and name of the secret.

Miq
  • 3,931
  • 2
  • 18
  • 32