Azure DevOps + Azure Static Web App - Read deployment token from variables

Question

I am facing an issue in using deployment tokens stored in Key Vault for deploying the azure static web app. Since I am using different agents for fetching secrets from Key Vault and deploying the azure static web app, I need to pass the token from one job to another.

Job 1 - Get the Deployment token from Key Vault and use a bash command to verify

- job: GetDeploymentToken
      pool:
        name: 'Agent1'
      timeoutInMinutes: 0
      steps:
        - task: AzureCLI@2
          name: FetchSecret
          inputs:
            azureSubscription: 'service-connection'
            scriptType: pscore
            scriptLocation: inlineScript
            inlineScript: |
                $deploymenttoken = az keyvault secret show --name "deploymenttoken" --vault-name "dev1-keyvault" --query "value"
                echo "##vso[task.setvariable variable=deploymenttoken ;isOutput=true]$deploymenttoken "
        - task: PowerShell@2
          inputs:
            targetType: 'inline'
            script: |
              # Write your PowerShell commands here.
              echo $(FetchSecret.deploymenttoken )

Job 2 - Use the variable deploymenttoken

- job: Deploy_Static_web_app
      dependsOn: GetDeploymentToken
      variables: 
        - name: deploymenttoken
          value: $[ dependencies.GetDeploymentToken.outputs['FetchSecret.deploymenttoken'] ]
      pool:
        vmImage: ubuntu-latest
      timeoutInMinutes: 0
      steps:
        - task: Bash@3
          inputs:
            targetType: 'inline'
            arguments: 
            script: |
              echo "1- $(deploymenttoken)"


        - task: AzureStaticWebApp@0
          inputs:
            app_location: "frontend"
            api_location: "api"
            output_location: "build"
            
          env:
            azure_static_web_apps_api_token: '$(deploymenttoken)'

I am getting the below error:

Instead of fetching value from a different job, If I get the value from a library group, the deployment works fine

I tried using a dummy value in the library group and updating its value in job 1 using $env:deploymenttoken but even that didn't work

$deploymenttoken = az keyvault secret show --name "deploymenttoken ", the name has a trailing space. — MZM, Nov 29 '22 at 04:11
Due to the nature of the design of this task, the expression is not expanded. A possible solution to achieve your goal is to deploy the static web app using command/script, this way the expression will be expanded and passed to the command/script as a runtime variable. — Bowman Zhu-MSFT, Nov 30 '22 at 09:52

Swarna Anipindi · Answer 1 · 2022-11-29T06:20:09.793

0

All parameters are evaluated in compile time. We can create a new variable as an output and make your template job dependent from the job which generates a new variable afterwards, sample code as below

   jobs:
- job: BuildDeploy
  steps:
  - script: echo "##vso[task.setvariable variable=applicationId;isOutput=true]629ae9cb-95e0-46b7-8a88-a4034b68323e"
    name: mytask

- job: Test
  variables:
    newValue: $[dependencies.BuildDeploy.outputs['mytask.applicationId']]
  dependsOn: BuildDeploy
  steps:
  - powershell: |
      Write-Host "This value is: ${variables.newValue}"
    displayName: 'Output the value'

Updated source code in job 1 as output

script: |
          echo $deploymenttoken
          $deploymenttoken = az keyvault secret show --name "deploymenttoken " --vault-name "dev1-keyvault" --query "value"
          echo "##vso[task.setvariable variable=deploymenttoken ;isOutput=true]$deploymenttoken "

place below code in job 2

 - script: echo "deploymenttoken=$(deploymenttoken)"
   value: $[ dependencies.GetDeploymentToken.outputs['FetchSecret.deploymenttoken'] ]

Hope this helps!

edited Nov 29 '22 at 06:20

answered Nov 29 '22 at 05:18

Swarna Anipindi

792
2
9

Hi Swarna, When I try to implement your sample with the help of demo_var, I don't see the value changing in the second job. Can you please review and see if u r missing anything – Tarun Bhatt Nov 29 '22 at 05:53
Simplify the sample code base foe easy understanding! Thank You – Swarna Anipindi Nov 29 '22 at 06:33
This part is working for me as well. I am having trouble in using this value in task: AzureStaticWebApp@0 (see code above). I didn't had any trouble in reading the value in second job and the value is available in powershell or bash but not in task: AzureStaticWebApp@0 – Tarun Bhatt Nov 29 '22 at 06:38
Access value like this '$(variables.deploymenttoken)' on task: AzureStaticWebApp@0 – Swarna Anipindi Nov 29 '22 at 06:48
I have already tried '$(variables.deploymenttoken)' & '${{variables.deploymenttoken}}' and both does not work. It seems like AzureStaticWebApp supports only env variables which is why its under the env field. Because variables from the library are treated like env variables, its working with library group. – Tarun Bhatt Nov 29 '22 at 06:59
my view env is not mandatory. [Refer](https://stackoverflow.com/questions/73460248/azurestaticwebapp0-not-recognizing-deployment-token-from-variable) – Swarna Anipindi Nov 29 '22 at 07:15
Yes its not if the field is already set which will happen if the field is present in library group. In our case though, we are fetching the value in the code. Hence, I tried moving the token field out of the env tag but it didn't work. The only other possible solution is that I define an empty field in library group and then set the value in job1 – Tarun Bhatt Nov 29 '22 at 07:20
yes, this will work "The only other possible solution is that I define an empty field in library group and then set the value in job1" Good learning today! Thank You – Swarna Anipindi Nov 29 '22 at 07:28
even this solution is not working – Tarun Bhatt Nov 29 '22 at 10:26

Azure DevOps + Azure Static Web App - Read deployment token from variables

1 Answers1

Linked