Tags: azure, powershell, azure-devops, azure-pipelines-yaml

Is there a dynamic way to get variables from a Variable Group, even secret ones, and insert them into Azure Key Vault?


Basically I want to secure and seed my Key Vault. I was reading that storing those keys and other stuff in a Variable Group was one way, but I was seeing that the only way to get them printed or exported to a text file was by using the specific name, so this is not dynamic because I would need to modify my pipeline every time I need to add a variable to my Key Vault.

So is there a way to make this dynamic, so that PowerShell loops over the variable group and prints them / inserts them into my Key Vault?

Important: I cannot use the Link Key Vault option in the Variable Group.

Thanks a lot.

Someone else was trying to accomplish this, but: https://developercommunity.visualstudio.com/t/Loop-azure-devops-group-variable-and-pri/10687735?ftype=problem&stateGroup=active&sort=newest&viewtype=all

If the variable is secret, we are not able to get the value of the variable via Rest API or Azure DevOps CLI.


trigger:
- main

pool: ....

variables:
- group: 'myVariableGroup'

jobs:
- job: PrintVariables
  steps:
  - powershell: |
      Write-Host "Printing variables from myVariableGroup"
      Write-Host "secretvar: $(secretvar)"
      Write-Host "secretvar2: $(secretvar2)"

I've tried some PowerShell but I get nothing.


Solution

  • If the variable is secret, we are not able to get the value of the variable via Rest API or Azure DevOps CLI.

    As a workaround, we can use two pipelines to achieve it. One is used to read all the names in the variable group and trigger the other pipeline; the other pipeline uses an object-type parameter to loop over all the variables in the variable group, even if they are secret.

    Here is an example:

    Pipeline 1: loop over the variable names in the variable group, then send a request to the second pipeline and pass the variable-name list

    # Personal access token (PAT); it needs read access to the variable group and
    # permission to queue the second pipeline. Prefer a secret pipeline variable
    # over a literal here.
    $token = "ccc"

    $url = "https://dev.azure.com/{org}/{project}/_apis/distributedtask/variablegroups/{vargroupID}?api-version=6.0-preview.2"

    $token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($token)"))

    $response = Invoke-RestMethod -Uri $url -Headers @{Authorization = "Basic $token"} -Method Get -ContentType application/json

    # $response.variables is a single object whose property names are the variable
    # names. Secret variables are listed too, but the API never returns their values.
    $allVariableName = "["
    ForEach ($variable in $response.variables)
    {
        $variablenames = $variable | Get-Member | Where-Object { $_.MemberType -like 'NoteProperty' } | Select-Object -Property Name

        ForEach ($name in $variablenames.Name)
        {
            $allVariableName = $allVariableName + $name + ","
        }
    }
    $allVariableName = $allVariableName -replace ".{1}$"   # drop the trailing comma
    $allVariableName = $allVariableName + "]"             # e.g. "[secretvar,secretvar2]"

    $url = "https://dev.azure.com/{org}/{project}/_apis/pipelines/{pipelineID}/runs?api-version=5.1-preview"

    # The name list is passed as a string; pipeline 2 receives it as an object parameter.
    $JSON = "
    {
      `"resources`": {
        `"repositories`": {
          `"self`": {
            `"ref`": `"refs/heads/master`"
          }
        }
      },
      `"templateParameters`": {
        `"InputProperties`": `"$($allVariableName)`"
      }
    }"

    $response = Invoke-RestMethod -Uri $url -Headers @{Authorization = "Basic $token"} -Method Post -Body $JSON -ContentType application/json
    

    Pipeline 2: get the name list provided by pipeline 1; ${{ parameter }} is the variable name and $(${{ parameter }}) is the secret value

    parameters:
      - name: InputProperties   # receives the "[name1,name2,...]" list sent by pipeline 1
        type: object

    variables:
      - group: {variablegroupName}

    pool:
      vmImage: windows-latest

    steps:
    # ${{ each }} is expanded at compile time, so one step is generated per variable name
    - ${{ each parameter in parameters.InputProperties }}:
      - task: PowerShell@2
        inputs:
          targetType: 'inline'
          script: |
            echo ${{ parameter }}
            echo $(${{ parameter }})    # secret values are masked as *** in the job log
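The functions below are an added example of the two halves of that workaround, not code from the question or the answer. They assume: a constructed sample of the variable-group JSON (labelled in the code) in place of a live REST call; placeholder values for the vault name, the PAT and the pipeline ids; and, for the seeding step, that the Az.KeyVault module is installed and already signed in. The example goes one step past the answer: it builds the request body with ConvertTo-Json instead of a hand-written string, normalises variable names to what Key Vault accepts, and reads each secret from an environment variable rather than interpolating it into the script text.

```powershell
# Added example, not from the original page. Placeholders: $env:AZDO_PAT,
# 'kv-example', the org/project/pipeline ids in the comments below.

# --- Pipeline 1 side: list the names in a variable group.
# Secret variables come back with "isSecret": true and no usable "value",
# which is the limitation the answer describes; only their names are usable.
function Get-VariableGroupVariableNames {
    param([Parameter(Mandatory)] $VariableGroup)   # object from Invoke-RestMethod / ConvertFrom-Json
    $VariableGroup.variables.PSObject.Properties | ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Name
            IsSecret = [bool]$_.Value.isSecret
            HasValue = -not [string]::IsNullOrEmpty($_.Value.value)
        }
    }
}

# Body for POST https://dev.azure.com/{org}/{project}/_apis/pipelines/{id}/runs.
# The name list is sent as a "[a,b,c]" string, which the object-type parameter
# in pipeline 2 receives as a list; ConvertTo-Json takes care of quoting.
function New-PipelineRunBody {
    param(
        [Parameter(Mandatory)] [string[]] $VariableNames,
        [string] $Ref = 'refs/heads/main'
    )
    $body = @{
        resources          = @{ repositories = @{ self = @{ ref = $Ref } } }
        templateParameters = @{ InputProperties = '[' + ($VariableNames -join ',') + ']' }
    }
    $body | ConvertTo-Json -Depth 5 -Compress
}

# Key Vault secret names may only contain 0-9, a-z, A-Z and '-' (max 127 chars);
# variable-group names are not restricted that way, so normalise them first.
function ConvertTo-KeyVaultSecretName {
    param([Parameter(Mandatory)] [string] $Name)
    $clean = ($Name -replace '[^0-9A-Za-z-]', '-').Trim('-')
    if ($clean.Length -gt 127) { $clean = $clean.Substring(0, 127) }
    if (-not $clean) { throw "Variable name '$Name' has no characters usable in a Key Vault secret name" }
    $clean
}

# --- Pipeline 2 side: read one secret from the environment and store it.
# Mapping the secret through env: keeps its value out of the script text. The
# matching step (comment only, not executed here) would look like:
#   - ${{ each name in parameters.InputProperties }}:
#     - task: AzurePowerShell@5                 # provides the Azure sign-in
#       inputs:
#         azureSubscription: 'my-service-connection'   # placeholder
#         ScriptType: FilePath
#         ScriptPath: scripts/Seed-KeyVault.ps1        # a script built from these functions
#         ScriptArguments: -VaultName $(vaultName) -VariableName '${{ name }}'
#         azurePowerShellVersion: LatestVersion
#       env:
#         ${{ name }}: $(${{ name }})
function Set-KeyVaultSecretFromEnv {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $VariableName,
        [switch] $WhatIf
    )
    $value = [Environment]::GetEnvironmentVariable($VariableName)
    if ([string]::IsNullOrEmpty($value)) {
        throw "Environment variable '$VariableName' is empty; check the env: mapping in the pipeline step"
    }
    $secretName = ConvertTo-KeyVaultSecretName -Name $VariableName
    if ($WhatIf) { return "Would write secret '$secretName' to vault '$VaultName'" }
    $secure = ConvertTo-SecureString -String $value -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $VaultName -Name $secretName -SecretValue $secure | Out-Null
    "Wrote secret '$secretName' to vault '$VaultName'"
}

# Constructed sample of the variablegroups GET response: one plain variable
# with a value, two secrets whose values the API withholds.
$sampleJson = @'
{ "id": 7, "name": "myVariableGroup",
  "variables": {
    "dbHost":      { "value": "db.internal", "isSecret": false },
    "secretvar":   { "isSecret": true },
    "secret_var2": { "isSecret": true }
  } }
'@
$group = $sampleJson | ConvertFrom-Json
$vars  = Get-VariableGroupVariableNames -VariableGroup $group
$vars | Format-Table Name, IsSecret, HasValue          # secrets show HasValue = False
New-PipelineRunBody -VariableNames $vars.Name           # JSON body for the runs API

$env:secret_var2 = 'constructed-value'                  # stands in for the env: mapping
Set-KeyVaultSecretFromEnv -VaultName 'kv-example' -VariableName 'secret_var2' -WhatIf
```

Run as-is it only parses the constructed sample and prints the request body and a dry-run message; drop -WhatIf inside an AzurePowerShell task to actually write the secret. Because the names reach pipeline 2 as a compile-time parameter, the ${{ each }} loop still has to be expanded once per run, so every change to the variable group is picked up without editing either pipeline.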