Using secret variable in Azure CLI task in release pipeline

0
votes

In my release pipeline I have two variables adminLogin and adminPassword that are marked as secret. I have a task of type Azure CLI@2 in the same release pipeline. It is an inline Powershell Core script running on a Ubuntu agent (I tried the windows agent before with the same problem). The purpose is to deploy a bicep template sending the secret variables adminLogin and adminPassword as parameters.

The issue is that I am not able to access the secret variables in the task. I tried accessing it directly like this

Write-Host "##[warning]Using an input-macro works: $(adminLogin)"

But that did not work. I also tried to map an environmental variable

#Your build pipeline references a secret variable named ‘adminLogin’. Create or edit the build pipeline for this YAML file, define the variable on the Variables tab, and then select the option to make it secret. See https://go.microsoft.com/fwlink/?linkid=865972
variables:
  resourceGroupName: '...'
  environment: 'Test'
  webSku: 'B1'
  maxVCores: '1'
  databaseName: '...'
  applicationLogsRetentionInMB: '50'
  databaseAutoTurnOffDelay: '60'
  databaseMaxSizeInGiB: '10'

steps:
- task: AzureCLI@2
  displayName: 'Deploy bicep template'
  inputs:
    azureSubscription: '....'
    scriptType: pscore
    scriptLocation: inlineScript
    inlineScript: |
     Write-Host "##[warning]Using an input-macro works: $(adminLogin)"
     Write-Host "##[warning]Using the mapped env var for this task works and is recommended: $env:LOGIN"
     az deployment group create  `
     --template-file $(System.DefaultWorkingDirectory)/..../deployment.bicep `
     --resource-group $(resourceGroupName) `
     --parameters '{  \"environment\":{ \"value\": \"$(environment)\"},  \"adminLogin\":{ \"value\": \"$env:LOGIN\"},  \"adminPassword\":{ \"value\": \"$env:PASSWORD\"}, \"webSku\":{ \"value\": \"$(webSku)\"}, \"maxVCores\":{ \"value\": $(maxVCores)}, \"databaseName\":{ \"value\": \"$(databaseName)\"}, \"applicationLogsRetentionInMB\":{ \"value\": $(applicationLogsRetentionInMB)}, \"databaseAutoTurnOffDelay\":{ \"value\": $(databaseAutoTurnOffDelay)}, \"databaseMaxSizeInGiB\":{ \"value\": $(databaseMaxSizeInGiB)}}'
  env:
    LOGIN: $(adminLogin)
    PASSWORD: $(adminPassword)

The adminLogin and adminPassword is not sent when deploying the bicep template and I get this error message

{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "InvalidParameterValue",
      "message": "Invalid value given for parameter Login. Specify a valid parameter value."
    }
  ]
}

So I have two questions

  1. How can I change my Azure CLI task so that it can access the secret variables?
  2. Is there a different way to deploy a bicep template from a release pipeline that supports secret variables?
2
azureazure-devopsazure-bicep

2 Answers

0
votes

Can you try this:

steps:
- task: AzureCLI@2
  displayName: 'Deploy bicep template'
  inputs:
    azureSubscription: '....'
    scriptType: pscore
    scriptLocation: inlineScript
    inlineScript: |
     Write-Host "##[warning]Using an input-macro works: $(adminLogin)"
     Write-Host "##[warning]Using the mapped env var for this task works and is recommended: $env:LOGIN"
     az deployment group create  `
     --template-file $(System.DefaultWorkingDirectory)/..../deployment.bicep `
     --resource-group $(resourceGroupName) `
     --parameters '{  \"environment\":{ \"value\": \"$(environment)\"},  \"adminLogin\":{ \"value\": \"$(adminLogin)\"},  \"adminPassword\":{ \"value\": \"$(adminPassword)\"}, \"webSku\":{ \"value\": \"$(webSku)\"}, \"maxVCores\":{ \"value\": $(maxVCores)}, \"databaseName\":{ \"value\": \"$(databaseName)\"}, \"applicationLogsRetentionInMB\":{ \"value\": $(applicationLogsRetentionInMB)}, \"databaseAutoTurnOffDelay\":{ \"value\": $(databaseAutoTurnOffDelay)}, \"databaseMaxSizeInGiB\":{ \"value\": $(databaseMaxSizeInGiB)}}'

I used Azure DevOops variables instead of environment variables.

0
votes

Azure CLI accepts parameters in form of parameterName=value and perhaps you should try this to pass secrets instead inline json. You have it in apostrophes, so shell variables inside will not be resolved and this probably causes your error.

Additionally, you can put Non-secret parameters into a json file and in —-parameters pass just the name of that file. CLI will detect and read the file to get parameters out. Secrets pass as key=value entries.

Other option to pass secrets to deployment is to use key vault references in the json file: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault (if the secret is in some key vault). If you need to consume secret in the entry file (in your case deployment.bicep) then use the reference but if secret is consumed by a module you can use getSecret function in bicep (from 0.4): https://github.com/Azure/bicep/blob/main/docs/spec/modules.md#using-existing-key-vaults-secret-as-input-for-secure-string-module-parameter and as parameter pass name and RG and subscription of the key vault and name of the secret.