
Substitute Service Fabric application parameters during deployment


I'm setting up my production environment and would like to secure my environment-related variables. For the moment, every environment has its own application parameters file, which works well, but I don't want every dev in my team knowing the production connection strings and other sensitive stuff that could appear in there.

So I'm looking for every possibility available. I've seen that in Azure DevOps, which I'm using at the moment for my CI/CD, there is some possible variable substitution (xml transformation). Is it usable in a SF project? I've seen in another project something similar through Octopus. Are there any other tools that would help me manage my variables by environment safely (and easily)? Can I do that with my KeyVault eventually? Any recommendations? Thanks

EDIT: an example of how I'd like to manage those values; this is a screenshot from Octopus: [image]

So something similar to this that separates and injects the values is what I'm looking for.


Solution

  • You can do an XML transformation on the ApplicationParameter file to update the values in there before you deploy it.

    The other option is to use PowerShell to update the application and pass the parameters as arguments to the script.

    The Start-ServiceFabricApplicationUpgrade command accepts a hashtable with the parameters as a parameter. Technically, the built-in task in VSTS\DevOps transforms the application parameters into a hashtable. The script would be something like this:

    #Get the existing parameters
    $app = Get-ServiceFabricApplication -ApplicationName "fabric:/AzureFilesVolumePlugin"
    
    #Create a temp hashtable and populate with existing values
    $parameters = @{ } 
    $app.ApplicationParameters | ForEach-Object { $parameters.Add($_.Name, $_.Value) }
    
    #Replace the desired parameters
    $parameters["test"] = "123test" #Here you would replace with your variable, like  $env:username 
    
    #Upgrade the application
    Start-ServiceFabricApplicationUpgrade -ApplicationName "fabric:/AzureFilesVolumePlugin" -ApplicationParameter $parameters -ApplicationTypeVersion "6.4.617.9590" -UnmonitoredAuto
    

    Keep in mind that the existing VSTS Task also has other operations, like copying the package to SF and registering the application version in the image store; you will need to replicate them. You can copy the full script from the Deploy-FabricApplication.ps1 file in the Service Fabric project and replace it with your changes. The other approach is to get the source for the VSTS Task here and add your changes.

    If you are planning to use KeyVault, I would recommend that the application access the values directly in KeyVault instead of passing them to SF; this way, you can change the values in KeyVault without redeploying the application. In the deployment, you would only pass the KeyVault credentials\configuration.
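
One way to build the parameter hashtable from a committed parameters file plus pipeline-supplied values, as an added example that is not part of the original answer. The function name, the `SFPARAM_` environment-variable prefix, the `__Name__` placeholder format and the sample XML are assumptions made for illustration.

```powershell
# Added example. Get-MergedApplicationParameters, the SFPARAM_ prefix and the
# __Name__ placeholder convention are hypothetical, not part of the SF SDK.
function Get-MergedApplicationParameters {
    param(
        [Parameter(Mandatory)] [xml] $ParameterXml,
        [string] $Prefix = 'SFPARAM_',
        [string] $PlaceholderPattern = '^__.+__$'
    )
    $merged = @{}
    foreach ($p in $ParameterXml.DocumentElement.GetElementsByTagName('Parameter')) {
        $name  = $p.GetAttribute('Name')
        $value = $p.GetAttribute('Value')

        # A value injected by the pipeline wins over the committed one.
        $override = [Environment]::GetEnvironmentVariable("$Prefix$name")
        if (-not [string]::IsNullOrEmpty($override)) { $value = $override }

        # Fail the deployment rather than ship an unresolved placeholder.
        if ($value -match $PlaceholderPattern) {
            throw "Parameter '$name' has no value for this environment."
        }
        $merged[$name] = $value
    }
    return $merged
}

# Constructed sample: the committed file holds only a placeholder for the secret.
$sample = [xml] @'
<Application Name="fabric:/SampleApp" xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Parameters>
    <Parameter Name="Web_InstanceCount" Value="-1" />
    <Parameter Name="Db_ConnectionString" Value="__Db_ConnectionString__" />
  </Parameters>
</Application>
'@

# Constructed value standing in for a secret the release pipeline would supply.
$env:SFPARAM_Db_ConnectionString = 'constructed-value-not-a-real-secret'

$parameters = Get-MergedApplicationParameters -ParameterXml $sample

# Log parameter names and value lengths only, never the values themselves.
$parameters.Keys | Sort-Object | ForEach-Object { "$_ = <$($parameters[$_].Length) chars>" }

# Against a connected cluster, pass the hashtable as in the answer above:
# Start-ServiceFabricApplicationUpgrade -ApplicationName '<application name>' `
#     -ApplicationParameter $parameters -ApplicationTypeVersion '<version>' -UnmonitoredAuto
```

Removing the environment variable and re-running makes the function throw on `Db_ConnectionString`, which stops a deployment that would otherwise push the placeholder text to the cluster.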