Reputation: 547
How to pass azure-pipelines.yml variables to ARM templates with AzureResourceManagerTemplateDeployment
I'm starting to work with Azure and tried these steps:
- I added a secret to an Azure Vault.
- I linked a service principal to my Azure DevOps pipelines.
- I created a variable group linked to my vault.
- I created a variable group with some variables.
- I created a azure-pipelines.yaml with a variables: group: group1 group: group2 part
- I have
- task: AzureResourceManagerTemplateDeployment@3with a template with parameters. How do I satisfy the paramters from the variable groups?
Upvotes: 7
Views: 7817
Answers (2)
Reputation: 59035
There are some limited scenarios where using variable groups in conjunction with YAML pipelines make sense, namely if you have a secret that isn't in keyvault that you need to store securely.
However, there are much better ways to manage this scenario. Remember, pipeline variables (including variable groups) should be for pipeline values, not application configuration. Tightly coupling your continuous delivery platform to your application's configuration just makes it harder to replicate your deployment process locally or migrate to a different continuous delivery provider in the future.
That said, here are a few recommended alternatives:
Add a
AzureKeyVaultstep to your pipeline in order to retrieve secrets from the keyvault.Link your ARM template directly to the keyvault; ARM templates have native support for keyvault parameters:
"adminPassword": { "reference": { "keyVault": { "id": "/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" }, "secretName": "ExamplePassword" } }
Write your application to retrieve secrets directly from the keyvault at runtime.
Upvotes: -4
Reputation: 30343
You can have a try using overrideParameters parameter for the task to override your ARM template's parameters with the variables defined in your variable groups. Check here for more parameters about this task.
- task: AzureResourceManagerTemplateDeployment@3
inputs:
azureResourceManagerConnection: <connection>
overrideParameters: -storageAcctName azurerg -Username $(vmusername) -azureKeyVaultName $(fabrikamFibre)
For accessing AzureKeyVault, you can also use Azure Key Vault task to get your secrets in your build pipeline, or integrate KeyVault to your ARM template as @Daniel Mann pointed out. Check here for Microsoft official tutorial.
Upvotes: 15
Related Questions
- Azure pipeline iteration for ARM template Parameters
- The template parameter is not valid. The parameter value must be null
- Azurepipeline runtime paramter for the ARM template Json file
- Inheritance for the parameters defined in azure pipelines
- How to pass variables to the template parameter in azure yaml?
- custom pipeline resource variables
- How to pass Azure ARM template object value from YAML file?
- Azure ARM template : Setting parameter value using a variable
- How to pass an Azure pipeline variable to an ARM template used by AzureResourceManagerTemplateDeployment@3 task?
- Using ARM Templates from external repository