In my release pipeline I have two variables adminLogin and adminPassword that are marked as secret. I have a task of type Azure CLI@2 in the same release pipeline. It is an inline Powershell Core script running on a Ubuntu agent (I tried the windows agent before with the same problem). The purpose is to deploy a bicep template sending the secret variables adminLogin and adminPassword as parameters.
The issue is that I am not able to access the secret variables in the task. I tried accessing it directly like this
Write-Host "##[warning]Using an input-macro works: $(adminLogin)"
But that did not work. I also tried to map an environmental variable
#Your build pipeline references a secret variable named ‘adminLogin’. Create or edit the build pipeline for this YAML file, define the variable on the Variables tab, and then select the option to make it secret. See https://go.microsoft.com/fwlink/?linkid=865972
variables:
resourceGroupName: '...'
environment: 'Test'
webSku: 'B1'
maxVCores: '1'
databaseName: '...'
applicationLogsRetentionInMB: '50'
databaseAutoTurnOffDelay: '60'
databaseMaxSizeInGiB: '10'
steps:
- task: AzureCLI@2
displayName: 'Deploy bicep template'
inputs:
azureSubscription: '....'
scriptType: pscore
scriptLocation: inlineScript
inlineScript: |
Write-Host "##[warning]Using an input-macro works: $(adminLogin)"
Write-Host "##[warning]Using the mapped env var for this task works and is recommended: $env:LOGIN"
az deployment group create `
--template-file $(System.DefaultWorkingDirectory)/..../deployment.bicep `
--resource-group $(resourceGroupName) `
--parameters '{ \"environment\":{ \"value\": \"$(environment)\"}, \"adminLogin\":{ \"value\": \"$env:LOGIN\"}, \"adminPassword\":{ \"value\": \"$env:PASSWORD\"}, \"webSku\":{ \"value\": \"$(webSku)\"}, \"maxVCores\":{ \"value\": $(maxVCores)}, \"databaseName\":{ \"value\": \"$(databaseName)\"}, \"applicationLogsRetentionInMB\":{ \"value\": $(applicationLogsRetentionInMB)}, \"databaseAutoTurnOffDelay\":{ \"value\": $(databaseAutoTurnOffDelay)}, \"databaseMaxSizeInGiB\":{ \"value\": $(databaseMaxSizeInGiB)}}'
env:
LOGIN: $(adminLogin)
PASSWORD: $(adminPassword)
The adminLogin and adminPassword is not sent when deploying the bicep template and I get this error message
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "InvalidParameterValue",
"message": "Invalid value given for parameter Login. Specify a valid parameter value."
}
]
}
So I have two questions
- How can I change my Azure CLI task so that it can access the secret variables?
- Is there a different way to deploy a bicep template from a release pipeline that supports secret variables?