Tags: asp.net, web-config, azure-devops, azure-web-app-service, config-transformation

How to transform mailSettings in web.config, without having credentials in source control


I have a web app that I deploy to an Azure App Service, using VSTS. So far, I have managed to successfully use config transforms and variable substitutions to be able to not have any sensitive information in source control, but I can't get my head around how to do it for the smtp credentials in system.net/mailSettings/smtp/network.

Anyone have any ideas?


Solution

  • OK, after digging a bit and asking around, it seems that using WebDeploy and parameters.xml works.

    This is what I did:

    1. I added the addon Replace Tokens to my VSTS account.
    2. I added a parameters.xml to my web site project, and it looks like this:

      <?xml version="1.0" encoding="utf-8"?>
      <parameters>
        <parameter name="Mail.Username" description="The username used for smtp authentication" defaultValue="#{Mail.UserName}#" tags="">
          <parameterEntry kind="XmlFile" scope="obj\\Release\\Package\\PackageTmp\\Web\.config$" match="/configuration/system.net/mailSettings/smtp/network/@userName" />
        </parameter>
        <parameter name="Mail.Password" description="The password used for smtp authentication" defaultValue="#{Mail.Password}#" tags="">
          <parameterEntry kind="XmlFile" scope="obj\\Release\\Package\\PackageTmp\\Web\.config$" match="/configuration/system.net/mailSettings/smtp/network/@password" />
        </parameter>
      </parameters>
      
    3. My build step was already set to output a package, but these are the MSBuild parameters needed for the build step:

      /p:DeployOnBuild=true /p:WebPublishMethod=Package /p:PackageAsSingleFile=true /p:SkipInvalidConfigurations=true /p:PackageLocation="$(build.artifactstagingdirectory)\\"

      If you, like me, are doing config transforms of connection strings, you might want to add /p:AutoParameterizationWebConfigConnectionStrings=false to that list of parameters as well.

    4. In the Release Configuration, before the Deploy to Azure App Service step, add a step using the aforementioned Replace Tokens addon. I stuck with the default syntax for replacement values, but those could be changed. Since I'm using all default values, I run the task in Root directory $(System.DefaultWorkingDirectory)/$(Build.DefinitionName)/drop and Target files *.SetParameters.xml.

    5. Then in the Deploy to Azure App Service step I selected the option Publish using Web Deploy and for the SetParameters file I used $(System.DefaultWorkingDirectory)/$(Build.DefinitionName)/drop/<Name of Web Project>.SetParameters.xml

    6. Under Post Deployment Action, set Deployment script type to Inline script, and add the following script.

      @echo off
      del parameters.xml
      

      This is because .config files aren't served by default, but .xml files are, and otherwise your parameters.xml would sit in your web root unprotected, with your smtp username and password in plain text.

    7. Next add Release Variables named Mail.Username and Mail.Password, and fill in their values. I made Mail.Password a secret.

    8. Check in everything, and trigger a build and release!
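
The answer's setup has two places where credentials can still slip through: a literal value committed in web.config, and a `#{...}#` token that Replace Tokens never filled in (for example, a missing release variable). The following Python check for both is an added example, not part of the original answer; it assumes the standard `<setParameter name="..." value="..."/>` layout of a Web Deploy SetParameters.xml, and all sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Default Replace Tokens syntax used in the answer: #{Name}#
TOKEN = re.compile(r"#\{[^}]+\}#")
# Same element the parameters.xml XPath targets, relative to <configuration>
NETWORK_PATH = "system.net/mailSettings/smtp/network"

def committed_smtp_secrets(web_config_text):
    """Credential attributes on smtp/network that hold a literal value."""
    root = ET.fromstring(web_config_text)
    hits = []
    for network in root.findall(NETWORK_PATH):
        for attr in ("userName", "password"):
            value = network.get(attr, "")
            # Empty values and untouched tokens are safe to commit
            if value and not TOKEN.fullmatch(value):
                hits.append(attr)
    return hits

def unreplaced_tokens(set_parameters_text):
    """Names of setParameter entries whose value still contains a token."""
    root = ET.fromstring(set_parameters_text)
    return [p.get("name") for p in root.iter("setParameter")
            if TOKEN.search(p.get("value", ""))]

# Constructed samples (not from the original post)
WEB_CONFIG_LEAKY = """<configuration><system.net><mailSettings>
  <smtp><network host="smtp.example.invalid" userName="mailer" password="constructed-value" /></smtp>
</mailSettings></system.net></configuration>"""

WEB_CONFIG_CLEAN = """<configuration><system.net><mailSettings>
  <smtp><network host="smtp.example.invalid" userName="" password="" /></smtp>
</mailSettings></system.net></configuration>"""

SET_PARAMETERS_AFTER_REPLACE = """<parameters>
  <setParameter name="Mail.Username" value="mailer" />
  <setParameter name="Mail.Password" value="#{Mail.Password}#" />
</parameters>"""

if __name__ == "__main__":
    print(committed_smtp_secrets(WEB_CONFIG_LEAKY))
    print(committed_smtp_secrets(WEB_CONFIG_CLEAN))
    print(unreplaced_tokens(SET_PARAMETERS_AFTER_REPLACE))
```

Run the first check against the repository copy of web.config at build time, and the second against the SetParameters file after the Replace Tokens step; fail the stage if either returns a non-empty list.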