An Azure DevOps pipeline unavoidably uses confidential information including such as usernames and passwords which need to be protected from unauthorised access and alteration. The way to achieve this in Azure DevOps is for enables this by allowing your Pipeline to reference variables which are stored in a Variable Group which itself can be configure in one of two ways:, each approach described in detail the sections below.
Define your variables in a Variable Group and protect selected (sensitive) variables by marking each of them as Secret, or
Protect all variables by storing them in as Secrets in an Azure Key Vault and defining a Variable Group linked to that Key Vault.
See Variable groups for Azure Pipelines - Azure Pipelines | Microsoft Docs
Creating Secret Values in a Variable Group
...
We recommend creating a Variable Group per DataStage Engine.
For DevOps scenarios this usually involves customers creating one Variable Group for each non-production environment (e.g. DEV and QA), and one for their production environment (assuming they use Azure DevOps to deploy to production)
For DataStage upgrade scenarios most customers create…
one Variable Group for each non-production legacy environment,
one Variable Group for each non-production target environment, where upgrade acceptance testing will take place,
one Variable Groups for each production legacy environment, if they want to use Azure DevOps to deploy to their legacy production environment while they plan their cutover
Create a Variable Group including secret variables
| Anchor | ||||
|---|---|---|---|---|
|
In your project in Azure DevOps select Pipeline → Library → + Variable Group.
...
Give your variable group a name, description, and add the values you need in your pipeline. Do not select the Link secrets from an Azure key vault as variables toggle.
The variables you need to add to support the example Azure Pipelines shipped with MettleCI are described below (using the Azure CLI to describe them):
| Code Block | ||
|---|---|---|
| ||
# Describe all the Variable Groups used for Data Migrators demos
$> az pipelines variable-group list --query-order Asc --output table
ID Name Type Description Number of Variables
---- --------------- ------ ----------------------------------- ---------------------
1 demo117_NONPROD Vsts DataStage Demo v11.7 Non-Production 10
2 demo115_NONPROD Vsts DataStage Demo v11.5 Non-production 10
3 demo117_PROD Vsts DataStage Demo v11.7 Production 10
4 demo115_PROD Vsts DataStage Demo v11.5 Production 10
# Get the variables in the Variable Group we're interested in (Group 1, demo117_NONPROD)
$> az pipelines variable-group variable list --group-id 1 --output table
Name Is Secret Value
-------------- ----------- -----------------------------------------------------
ComplianceRepo False ADO-Compliance
DomainName False demo117-svcs.your-org.com:59445
EngineName False demo117-engn.your-org.com
IISPassword True
IISUsername False isadmin
MCIPassword True
MCIUsername False mciworkb
MettleHome False /opt/dm/mci
ProjectName False wwi_azure_ds117
IISVersion False 11.7 |
Create a Variable Group based on an Azure Key Vault
Microsoft have good documentation on creating an Azure Key Vault which we recommend you consult.
Create an Azure Key Vault
...