Azure DevOps- Hide Release Task Logs - azure-devops

Looking for suggestions on a problem I'm facing in pipeline deployments for Azure Functions. I'm using the new Azure App Config service to pull app configuration variables to the pipeline.
These are then being used by an Azure App Service Deploy Task in the App settings section to populate the app configuration of an Azure Function. I'm in need of a way to hide the release logs for this from our developer group in the production stage of our deployment. Otherwise it will display the app settings in the log file from the release. We still want devs to be able to see other stages of the release pipeline.
I believe I could write a PowerShell script to mark the variables as secrets, but that seems less manageable based on the number of release pipelines and variables that would need to be scripted. I would rather just be able to hide the logs from everyone besides a select group of users or turn them off for that release task in general by stage.
I'm also trying to avoid using Key-Vault for this scenario.
So long story short-
Is there a way to turn off logs for a specific release task in AzDo? If possible by stage?
Is there a way to hide logs by stage? Can that be done on a user level?
Suggestions are appreciated.

No, this is not possible and leads to security by obscurity.
Just use Key Vault or use a script to register the secret values. You don't have to hard-code them in a PowerShell step or anything; you can register secrets by parsing whatever settings file you have and calling:
write-host "##vso[task.setvariable variable=$name;issecret=true]$valueToRegister"
See:
https://github.com/Microsoft/azure-pipelines-tasks/blob/master/docs/authoring/commands.md
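
The approach in the answer above, as an added example that is not part of the original answer: a PowerShell step that reads a settings file and registers each value as a secret with the task.setvariable logging command. The flat JSON layout, the sample file and the function name Register-PipelineSecrets are assumptions made for illustration.

```powershell
# Added example: register every value in a settings file as a secret pipeline variable.
# Assumptions (not from the original post): a flat JSON file of name/value pairs and
# the hypothetical function name Register-PipelineSecrets.
function Register-PipelineSecrets {
    param(
        [Parameter(Mandatory)] [string] $SettingsPath
    )

    $settings = Get-Content -LiteralPath $SettingsPath -Raw | ConvertFrom-Json
    $registered = @()

    foreach ($prop in $settings.PSObject.Properties) {
        $name  = $prop.Name
        $value = [string] $prop.Value

        # A logging command is one line of the form ##vso[area.action props]value,
        # so refuse names that could alter the property list and values that span lines.
        if ($name -notmatch '^[A-Za-z0-9_.]+$') {
            Write-Warning "Skipping '$name': unsupported characters in variable name"
            continue
        }
        if ($value -match '[\r\n]') {
            Write-Warning "Skipping '$name': multi-line values are not handled here"
            continue
        }
        # An empty value has nothing to mask.
        if ([string]::IsNullOrEmpty($value)) { continue }

        # The agent consumes this line, stores the variable as a secret and
        # masks the value in later log output.
        Write-Host "##vso[task.setvariable variable=$name;issecret=true]$value"
        $registered += $name
    }

    return $registered
}

# Constructed sample input so the block runs on its own.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'appsettings.sample.json'
@{ 'Storage.ConnectionString' = 'constructed-value-1'; 'ApiKey' = 'constructed-value-2' } |
    ConvertTo-Json | Set-Content -LiteralPath $sample

$names = Register-PipelineSecrets -SettingsPath $sample
Write-Host "Registered as secret: $($names -join ', ')"
```

Secret variables are not mapped into the environment of later script steps automatically, so pass them explicitly to the steps that need them.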

Related

How to configure Azure DevOps with SQL DB

We have automated scripts that we would like to build and test on Azure DevOps, but our pipeline cannot run our test scripts on Azure.
We have a Database Service Account that we want to configure on Azure but we don't know how to go about it. Please assist.
Here is a well-explained video (by Hassan Habib from Microsoft) on exactly how to run a console app (you create) in an Azure Pipeline that securely gets credentials to immediately do stuff in Azure (https://youtu.be/ht0xhQyF1x4?t=1688).
He basically, in a handful of minutes, shows exactly how to:
Link Pipeline Variables to Key Vault secrets, so when accessed, the variables do a get() from Key Vault and return that value.
Securely link Pipeline Variables to Azure Environment Variables.
As a step in the release pipeline, the console app reads the Azure Environment Variables to get credentials to do stuff in Azure.
In his case he created an Azure Resource Group in Azure.
In your case, if I'm understanding correctly, you could possibly make a simple console app that runs in the pipeline, that gets creds/connection strings for your database to do whatever in the DB and could possibly test your scripts.

Azure Devops Service Now - how to get CHANGE_REQUEST_NUMBER/CHANGE_CORRELATION_ID for YAML pipeline

Following the MS documentation here: https://learn.microsoft.com/en-us/azure/devops/pipelines/release/approvals/servicenow?view=azure-devops
I've set up an Azure DevOps environment with the Service Now Pre-deployment check and can successfully create a new standard change request in Service Now and update it using the UpdateServiceNowChangeRequest#2 task.
However, I'm struggling to find a way to access the CHANGE_REQUEST_NUMBER and CHANGE_CORRELATION_ID that are available to the UpdateServiceNowChangeRequest#2 tasks.
The documentation describes how to get to these using the release pipeline by having a name for the gate and using $(PREDEPLOYGATE.mygatename.CHANGE_REQUEST_NUMBER), but there is no option in the YAML setup to name a gate and I can't seem to find another way to get to these variables.
I've tried just enumerating all the environment variables in the pwsh task (i.e. gci env:\ ) but nothing relating to these variables shows up.

UpdatePipeline (SelfMutate) stage gone missing from my AWS CDK pipeline

I've been trying to fix an issue with our CDK pipeline. The pipeline was failing at the UpdatePipeline stage, while trying to perform the SelfMutate action. It turned out that we had recently made a change in the pipeline code to use a secret corresponding to the personal access token from a different github account. This new account did not have access to the repo containing the pipeline code. Once the account was given access, the pipeline was able to run successfully.
However, while trying to diagnose the problem, I temporarily pushed a change to add selfMutating: false to the CDK pipeline. At first, the pipeline continued trying to run the SelfMutate action (maybe because the github access issue meant it couldn't see this change). Once I resolved the access problem, the pipeline ran successfully and removed the UpdatePipeline stage altogether.
I then reverted my change, thinking that UpdatePipeline and SelfMutate would be reinstated. However this has not happened, and the pipeline is now running with this stage being missed out altogether.
Why has this happened and what can I do to reinstate self-mutation?
If you turned off self mutation then subsequent deploys will not affect the pipeline.
To fix this you need to enable self mutation and deploy the pipeline stack manually from your machine to update.

Share variables between different projects in Azure DevOps

I hope you are all well!
I need to ask a question about Azure DevOps. I already read the documentation, but I did not find a way to resolve these doubts.
I have the X, Y and Z projects, and in the X project I created, in Pipeline >> Library, a group of variables called general that I would like to be shared with the Y and Z pipelines. When configuring this group I enabled the option "Allow Access to all pipelines".
In the YAML of the Y and Z pipelines I made the following configuration:
variables:
- group: general
When running the pipeline, it returns an authorization request, even after clicking authorize, as shown in the screenshot below:
Print Authorization error
There was a resource authorization issue:
"An error occurred while loading the YAML build pipeline.
Variable group was not found or is not authorized for use.
For authorization details, refer to https://aka.ms/yamlauthz."
My question is, is there any way to share variables between pipelines of different purposes, if there is, can you please send me some documentation that can help me to configure this?
I tested on my side and can reproduce this issue. Setting the Allow access to all pipelines option makes the variable group accessible to any pipeline in the current project, not across projects. It should be a known limitation and this is the feedback ticket. You can vote and follow this ticket. You can also create a new suggestion ticket here. The product group reviews these tickets regularly and will consider taking it onto the roadmap.
In addition, as a workaround, you could try to add these shared variables to Azure Key Vault, and then use Azure Key Vault task to fetch the latest values of all or a subset of secrets from the vault, and set them as variables that can be used in subsequent tasks of a pipeline. See: Use Azure Key Vault secrets in Azure Pipelines for details.
This link gives a good overview of using variables in Azure DevOps pipelines:
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables
In the most common case, you set the variables and use them within the YAML file.
In the YAML file, you can set a variable at various scopes:
At the root level, to make it available to all jobs in the pipeline.
At the stage level, to make it available only to a specific stage.
At the job level, to make it available only to a specific job.
Q: It sounds like you would like to share variables between YAML pipeline roots, correct? You're currently trying to use variable groups to accomplish this, correct?
Another solution would be to have your pipeline read from a "shared file". For example:
Is there a way to read file from Azure DevOps YAML?
... you can use any scripting language you like to parse the file and "spit out" whatever you need as a build variable and consume it later on. Here's what I've been doing:
- script: echo "##vso[task.setvariable variable=dp]$(cat $(Build.Repository.LocalPath)/deployment/dp)"
- script: az group delete -n $(dp)-k8s -y --no-wait
In other words:
Create a file with the variables you wish to "export". It can be any script format: PowerShell, bash, etc.
Modify your pipeline(s) to read the file and "import" the variable definitions at runtime.
There are many ways to do this. The SO link above is just an example.

Include pipeline variables in release notifications

I am using Azure Devops (formerly VSTS) releases to deploy a project.
In my release pipeline I have a PowerShell task that may not succeed in ways that do not indicate a deployment failure. I would like to alert users when these conditions arise.
I have suppressed the errors in the PowerShell script and am using them to control flow to subsequent pipeline tasks.
Is there a way to include pipeline variables in the notifications Azure DevOps sends when a deployment is complete?
No, the notification template is not customizable, and this feature was requested: Customise VSTS email templates
But you may log your pipeline variables with a PowerShell script: Write-Host "My var: $(my_variable)"
User-defined variables