[Question] Where does the Azure DevOps Token Replacement Task get the sensitive values that will be replaced? #544

Closed
erikhjensen opened this issue May 7, 2024 · 2 comments


@erikhjensen

Release version

latest

Question Details

When comparing the Azure DevOps pipeline reference examples to those of the GitHub Actions, we see some differences in how the secrets/env are passed to the token replacement task. The nature of the 3rd party task is no doubt part of that. I'm hoping you can clarify how the Azure DevOps scenario operates.

In the Azure DevOps Pipeline Sample we see that a variable is explicitly seeded. I'd imagine this can be done via VariableGroup or, perhaps, a secret backend.
```yaml
variables:
  # setting the testSecretValue to the prod resource group name as an example
  testSecretValue: $(RESOURCE_GROUP_NAME_Prod)
```

Then later, in the reusable pipeline, we see the token replacement task; however, unlike the GitHub Actions example, the task itself doesn't seem to take an input argument to map any environment vars/secrets into the task. So my assumption is that the task looks to do this implicitly rather than explicitly.

When we look at the sample configuration.prod there are tokens to be replaced on lines 16, 20 and 24. Only line 16 seems to be referenced in the variables for the job.

Based on how the Token Replacement task is employed, as of V3 which you use (since superseded by 6.. but I see that upgrading is not yet planned by the ApiOps team), is the idea that you seed the Job w/ named Variables whose key matches that of the replacement token in the configuration file?

thanks!

Expected behavior

Just clarifying the Token Replacement Scenario

Actual behavior

N/A

Reproduction Steps

Seed Environment Variables to be used w/ Token Replacement


github-actions bot commented May 7, 2024

Thank you for opening this issue! Please be patient while we will look into it and get back to you as this is an open source project. In the meantime make sure you take a look at the [closed issues](https://github.com/Azure/apiops/issues?q=is%3Aissue+is%3Aclosed) in case your question has already been answered. Don't forget to provide any additional information if needed (e.g. scrubbed logs, detailed feature requests, etc.).
Whenever it's feasible, please don't hesitate to send a Pull Request (PR) our way. We'd greatly appreciate it, and we'll gladly assess and incorporate your changes.

@waelkdouh
Contributor

Here is a sample configuration.prod.yaml file which is expecting a namedvalue called testsecret (of type secret) to be overridden.
image

As you can see the testsecretvalue is passed in the run-publisher pipeline as a variable
image

image
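The name-matching model asked about in this thread, as an added sketch that is not part of the original issue or the ApiOps code: each token in the configuration file is resolved by looking up a variable with the same name, and any token without a matching variable is reported instead of silently shipping as a literal placeholder. The `{#` / `#}` delimiters, the sample file and the `backendKeyValue` token are assumptions made for the example.

```python
import re

# Assumed delimiters for this sketch; use whatever tokenPrefix/tokenSuffix
# the replace-tokens task in your pipeline is configured with.
PREFIX, SUFFIX = "{#", "#}"

# Constructed sample, not the repository's configuration.prod.yaml.
SAMPLE_CONFIG = """\
namedValues:
  - name: testSecret
    properties:
      displayName: testSecret
      value: "{#testSecretValue#}"
  - name: backendKey
    properties:
      value: "{#backendKeyValue#}"
"""


def _pattern(prefix, suffix):
    # Token name is whatever sits between the delimiters on one line.
    return re.escape(prefix) + r"\s*(.+?)\s*" + re.escape(suffix)


def find_tokens(text, prefix=PREFIX, suffix=SUFFIX):
    """Return the distinct token names in text, in order of first use."""
    seen = []
    for name in re.findall(_pattern(prefix, suffix), text):
        if name not in seen:
            seen.append(name)
    return seen


def replace_tokens(text, variables, prefix=PREFIX, suffix=SUFFIX):
    """Substitute tokens by name; return (new_text, missing_names).

    Lookup ignores case (an assumption of this sketch; Azure DevOps
    variable names are not case-sensitive). Tokens with no matching
    variable are left in place and reported.
    """
    lookup = {k.lower(): v for k, v in variables.items()}
    missing = []

    def sub(match):
        name = match.group(1)
        if name.lower() in lookup:
            return lookup[name.lower()]
        if name not in missing:
            missing.append(name)
        return match.group(0)

    return re.sub(_pattern(prefix, suffix), sub, text), missing
```

Run as a pre-publish check, a non-empty `missing` list is the signal to fail the job before a named value is published with an unreplaced token as its secret.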
