azure-devops yaml azure-pipelines

Pipeline YAML template defines variables at the job level, but they are not being resolved into their values


My YAML code below seems to follow the MS documentation, and LLMs have not identified any syntactical issues. However, when running the pipeline, I'm getting this error:

The pipeline is not valid. [...] references service connection $(azureSubscription) which could not be found.

So it seems the variables I've defined are not being recognised; they are being treated as literals, i.e. it is trying to find a subscription literally called "$(azureSubscription)".

(If I replace the variable with the literal subscription name, it does work.)

My pipeline code is this:

trigger:
  - main

extends:
  template: deploy-template.yml
  parameters:
    buildConfiguration: 'Release'

And the deploy-template.yml code is this (simplified for clarity):

parameters:
- name: buildConfiguration
  type: string
  default: ''

stages:
- stage: buildstage

  pool:
    vmImage: ubuntu-latest

  jobs:
  - job: buildjob

    variables:
      azureSubscription: 'name of our subscription'
      buildConfiguration: '${{ parameters.buildConfiguration }}'

    steps:

    (couple of tasks here)

    - task: AzureRmWebAppDeployment@4
      displayName: 'Deploy to slot'
      condition: succeeded()
      inputs:
        ConnectionType: 'AzureRM'
        azureSubscription: '$(azureSubscription)'
        appType: 'webApp'
        (etc)

All the documentation says this should work, i.e. '$(azureSubscription)' should resolve to 'name of our subscription', but it is not and is apparently being treated as a literal. This is also happening with other variables defined there (not shown for simplicity) so the entire "variables:" section at the job level doesn't seem to work? I've tried it in various ways, with and without the quotes, etc. and run out of things to try.

Does anyone have any insight into why this is happening? Would really appreciate some help, this has really stumped me, although I'm quite new to YAML.


Solution

  • The value of $(azureSubscription) is being evaluated at runtime; however, certain elements, like service connections, must be defined at compile time in order to validate permissions, pipeline authorizations and any 'approvals + checks' associated with the service connection.

    To ensure that the service connection is resolved correctly, switch to a ${{ }} compile-time expression.

        - task: AzureRmWebAppDeployment@4
          displayName: 'Deploy to slot'
          condition: succeeded()
          inputs:
            ConnectionType: 'AzureRM'
            azureSubscription: ${{ variables.azureSubscription }}
            appType: 'webApp'
            (etc)
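
A pre-merge check for the mistake discussed above, as an added example that is not part of the original question or answer: it scans pipeline YAML text for service-connection inputs written with the runtime $(var) macro and proposes the compile-time form. The function name, the result fields and the set of input names (only azureSubscription, taken from this page) are assumptions; the variables-block tracking is an indentation heuristic, not a full YAML parse.

```python
import re

# Assumption: only azureSubscription (the input on this page) is treated as a
# service-connection reference; extend the set for other tasks' inputs.
SERVICE_CONNECTION_INPUTS = {"azureSubscription"}
KEY_VALUE = re.compile(r"^(\s*)(?:-\s+)?([A-Za-z_][\w.]*)\s*:\s*(.*)$")
MACRO = re.compile(r"\$\((\w[\w.]*)\)")  # runtime macro syntax: $(name)


def find_runtime_service_connections(yaml_text, inputs=SERVICE_CONNECTION_INPUTS):
    """Flag service-connection inputs set with $(var) instead of ${{ }}."""
    static_vars = set()  # names assigned under a mapping-style `variables:` block
    vars_indent = None   # indent of `variables:` while the scan is inside it
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = KEY_VALUE.match(line)
        if not m:
            continue  # blank lines, comments, plain list items
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if vars_indent is not None and indent <= vars_indent:
            vars_indent = None  # dedent: left the variables block
        if key == "variables" and not value:
            vars_indent = indent
        elif vars_indent is not None and value:
            static_vars.add(key)
        elif key in inputs:
            for name in MACRO.findall(value):
                findings.append({
                    "line": lineno,
                    "input": key,
                    "variable": name,
                    # True when the YAML itself assigns the variable a value
                    "defined_in_file": name in static_vars,
                    "suggestion": f"{key}: ${{{{ variables.{name} }}}}",
                })
    return findings

# Constructed sample modelled on the template in the question.
SAMPLE = """\
jobs:
- job: buildjob
  variables:
    azureSubscription: 'name of our subscription'
  steps:
  - task: AzureRmWebAppDeployment@4
    inputs:
      azureSubscription: '$(azureSubscription)'
"""

print(find_runtime_service_connections(SAMPLE))
```

A finding with defined_in_file set to False means the variable is not assigned in the scanned text, so the suggested ${{ variables.name }} form would have nothing to resolve there and the connection name needs to come from a parameter or a literal instead.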