johanclasson / vso-agent-tasks

Build and Release Tasks for Visual Studio Online and Team Foundation Server
MIT License

DbUpMigration - Secret (environment) variables not accessible #61

Open SebastiaanPolfliet opened 4 years ago

SebastiaanPolfliet commented 4 years ago

Hi

First of all, thank you for the Azure DevOps task!

I encounter the following issue:

DbUp does not pick up variables that are marked as secret.

Looking at the source code, it seems that the values are read directly from environment variables in PowerShell, but (by design) secrets aren't mapped to environment variables (see documentation).

In the following issue they suggest using input fields.

Is this something that can be considered?

johanclasson commented 4 years ago

Thank you!

Yes. I am aware of the issue.

I think that the hardest problem to solve is how to make the GUI. The only thing I can think of is to have a multi-line textbox where each line needs to be in the format myname=myvalue. But is that good enough? Do you have any other suggestion?

Meanwhile, I think a workaround would be to use a PowerShell task before the DbUp task where you use a logging command such as:

# Inline script: the agent replaces the $(mysecret) macro before PowerShell runs.
Write-Host "##vso[task.setvariable variable=MYNAME;]$(mysecret)"

SebastiaanPolfliet commented 4 years ago

Thank you for the suggested workaround.

I would base my UI on one of the following tasks:

{
    "name": "overrideParameters",
    "type": "multiLine",
    "label": "Override template parameters",
    "defaultValue": "",
    "required": false,
    "groupName": "Template",
    "helpMarkDown": ".. ",
    "properties": {
        "editorExtension": "ms.vss-services-azure.azurerg-parameters-grid"
    }
}

However I don't know if you can use the editorExtension yourself (something to test).

See https://github.com/microsoft/azure-pipelines-tasks/blob/master/Tasks/AzureResourceGroupDeploymentV2/task.json

Microsoft uses the following setting for this in its task.json.

"showEnvironmentVariables": true

See https://github.com/microsoft/azure-pipelines-tasks/blob/master/Tasks/PowerShellV2/task.json

I think I prefer the second UI. Also, I suspect it allows you to use the same code as you have now. If you add an entry like DBUP_SECRET with value $(SECRET), I'd expect it to be available in your PowerShell script.

If I come up with other tasks that try to solve the same issue I'll let you know.
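
One way to parse the multi-line myname=myvalue input discussed in this thread, as an added example that is not part of the original comments or of the task's own code. The function name ConvertFrom-VariableLines and the sample values are hypothetical; it assumes the agent has already expanded $(...) macros in the input and rejects any that were left unexpanded because the variable was undefined.

```powershell
# Added example; ConvertFrom-VariableLines is a hypothetical helper,
# not part of the DbUpMigration task.
function ConvertFrom-VariableLines {
    param([string]$Text)

    $result = @{}
    $lineNo = 0
    foreach ($line in ($Text -split '\r?\n')) {
        $lineNo++
        if ([string]::IsNullOrWhiteSpace($line)) { continue }

        # Split on the first '=' only, so values such as connection
        # strings may themselves contain '='.
        $idx  = $line.IndexOf('=')
        $name = if ($idx -gt 0) { $line.Substring(0, $idx).Trim() } else { '' }
        if (-not $name) { throw "Line ${lineNo}: expected name=value" }
        $value = $line.Substring($idx + 1)

        # The agent leaves $(name) as literal text when the variable is not
        # defined; fail here instead of passing that text on as the value.
        if ($value -match '\$\([^)]+\)') {
            throw "Line ${lineNo}: '$name' contains an unexpanded pipeline macro"
        }
        if ($result.ContainsKey($name)) {
            throw "Line ${lineNo}: duplicate name '$name'"
        }
        $result[$name] = $value
    }
    return $result
}

# Constructed sample: what the task input could look like after macro expansion.
$sample = @"
DbUser=deploy
DbPassword=p@ss=word;1
"@

$vars = ConvertFrom-VariableLines -Text $sample

# Log the names only; the values may be secrets and must not reach the build log.
Write-Host ("Loaded variables: " + (($vars.Keys | Sort-Object) -join ', '))
```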