How to use a variable within another variable in Azure DevOps

Question

Within Azure DevOps YAML is it possible to use a variable within a get for another variable.

my specific issue is around using the Azure Key Vaults task. using this task as below:

  - task: AzureKeyVault@1
    displayName: 'Get Secrets $(KeyVault_Key) from ${{parameters.KeyVaultName}}'
    inputs:
     azureSubscription: ${{parameters.azureSubscription}}
     KeyVaultName: ${{parameters.KeyVaultName}}
     SecretsFilter: '$(KeyVault_Key)'
     RunAsPreJob: true

I have a variable in the Library called KeyVault_Key and pass this into the filter. The Key Vault task will create a new variable using the value of this variable.

e.g. if KeyVault_Key = "mySecretKey" then it create a variable you can access as $(mySecretKey)

However, when trying to access all of this using the variable commands it does not work.

e.g. $($(KeyVault_Key))

I have also tried variables as well like

e.g. $(${{variables.KeyVault_Key}})

** Update **

This is an example using the variable solution as recommended.

  - stage: 'Deploy'
displayName: 'Deploy Application'
variables:
  - name: "sqlConnectionNameKey"
    value: '$(TF_VAR_MYSQL_SERVER_USERNAME_KEY)'
  - name: "sqlConnectionPwdKey"
    value: '$(TF_VAR_MYSQL_SERVER_PASSWORD_KEY)'
jobs:
  - deployment: DeployApiDatabase
    pool:
      name: Default
    environment:
      name: Azure
    strategy:
      runOnce:
        deploy:
          steps:
            - task: AzureKeyVault@1
              displayName: 'Get Secrets'
              inputs:
                azureSubscription: ${{parameters.azureSubscription}}
                KeyVaultName: '$(TF_VAR_RESOURCE_PREFIX)-kv'
                SecretsFilter: '${{variables.sqlConnectionNameKey}}, ${{variables.sqlConnectionPwdKey}}'
                RunAsPreJob: true
            - task: AzureMysqlDeployment@1
              displayName: 'Deploy ApplicationConfigurationDbContext DB'
              inputs:
                azureSubscription: ${{parameters.azureSubscription}}
                ServerName: '$(sqlServerName).mysql.database.azure.com'
                DatabaseName: 'DatabaseName'
                SqlUsername: '$(sqlConnectionNameKey)@$(sqlServerName)' 
                SqlPassword: '$(sqlConnectionPwdKey)' 
                TaskNameSelector: 'SqlTaskFile'
                SqlFile: '${{variables.mySqlLocation}}DbContext.sql'
                IpDetectionMethod: 'AutoDetect'

Answer 1

This won't work:

  variables: 
  - name: SecretKeyFromKeyVault
    value: $(KeyVault_Key)

$(VariableName) is runtime expression, when define variable like this, the value should be defined in compile time. So, compile-time expression should be used:

  variables: 
  - name: SecretKeyFromKeyVault
    value: ${{ variables.KeyVault_Key }} 

Answer 2

Nested variables are not yet supported in azure pipeline. The user voice has been submitted to Microsoft Development team. You can vote it up here or submit a new one.

As a workaround, you can define a new variable and map its value to variable $(KeyVault_Key). See below example:

  variables: 
  - name: SecretKeyFromKeyVault
    value: $(KeyVault_Key)

Then you can refer to the variable mySecretKey created by Key Vault task by using $(SecretKeyFromKeyVault)

Answer 3

No this is not possible. You can't nest them. So if you want to use immediately value of your secret you can try to use Azure Cli task

  - task: AzureCLI@2
    inputs:
      azureSubscription: '${{parameters.azureSubscription}}'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      inlineScript: |
        $secretValue =  az keyvault secret show --vault-name ${{parameters.KeyVaultName}} --name $(KeyVault_Key) --query value  -o tsv
        echo $secretValue

However, if this doesn't solve your issue I'm afraid you are forced to redesign your idea.