[Issue] azd deploy fails in azdo build pipeline when connection string value is expected from remote environment. #3850
Comments
I've struggled with providing connection strings myself, providing these 'secure parameters' in a pipeline from an environment variable seems to be challenging. There may be something in my thread that helps you: #3597

@mip1983 thanks it looks like I might be able to work around my problem with the Variable Groups mentioned in your thread.
Hi @Bpflugrad, I can explain what is happening. When you run

```bicep
@secure()
param BlobStorageConnection string
```

If you

What you are doing is interesting, because you are hoping to set the env var in remote-state and have the pipeline pick the env var from the remote state. Ideally, you should not add plain text to remote-state, as that's not a secured store. But, making the secure thing apart, azd is been able to pull the value from the remote-state to run

Azd uses the

So, here's what you should be able to do, to make your sample work:
```json
{
  "infra": {
    "parameters": {
      "BlobStorageConnection": "YOUR_CONNECTION_STRING"
    }
  }
}
```
{}
Now azd will be able to fetch the value from the remote-state (from the config.json) for provision and for deploy. Now, let me just say it again. remote-state is not meant for secured values. We are still working/designing a secured store (like KeyVault) but, remote-state should not be considered secured.
```yaml
- task: AzureCLI@2
  displayName: Provision Infrastructure
  inputs:
    azureSubscription: azconnection
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      azd provision --no-prompt --environment $(AZURE_ENV_NAME)
  env:
    AZURE_SUBSCRIPTION_ID: $(AZURE_SUBSCRIPTION_ID)
    AZURE_ENV_NAME: $(AZURE_ENV_NAME)
    AZURE_LOCATION: $(AZURE_LOCATION)
    AZD_INITIAL_ENVIRONMENT_CONFIG: $(AZD_INITIAL_ENVIRONMENT_CONFIG)
```
```json
{
  "infra": {
    "parameters": {
      "BlobStorageConnection": "vault://1b14641c-bb16-4ee9-87f9-d5e19ef09b17/6675dd26-3372-47a7-a35e-b2026e84c2e9"
    }
  },
  "vault": "1b14641c-bb16-4ee9-87f9-d5e19ef09b17"
}
```

When azd sets AZD_INITIAL_ENVIRONMENT_CONFIG, it will resolve the vault reference and write the value as a secret in azdo.
Thanks for the help @vhvb1989 this has been a lot of trial and error. I decided to go with your second suggestion, and updated my build pipe and re-ran When I run the pipe now I get a lot of security errors either saying the wrong client secret was provided: This wasn't happening prior to my changes so my assumption is that attempting to resolve the vault reference is the issue. I'm not familiar with
Hi @vhvb1989, Sorry for the confusion Friday. I figured out why I was getting the panic message. Basically, when you have used However, after successfully doing this, and verifying that the following appears in my remote
However,
I am not using If I do use
Also after each failed deployment the remote
You only mentioned adding Anyway, perhaps I missed a step but I can't get your second suggestion to work. Any help is appreciated!
@Bpflugrad , #3891 was not the only issue affecting azd on CI/CD.
```json
{
  "infra": {
    "parameters": {
      "BlobStorageConnection": "vault://9f52a64c-260e-4515-9d32-4b5463939db7/27440911-0f41-45f5-83f8-682a15aacdd4"
    }
  },
  "vault": "9f52a64c-260e-4515-9d32-4b5463939db7"
}
```

to what it should be in CI:

```json
{
  "infra": {
    "parameters": {
      "BlobStorageConnection": "The actual connection string HERE"
    }
  }
}
```

The issue on 1.9.0 is that azd is setting the config.json like:

```json
{
  "infra": {
    "parameters": {
      "BlobStorageConnection": "The actual connection string HERE"
    }
  },
  "vault": "9f52a64c-260e-4515-9d32-4b5463939db7"
}
```

You can see that the secrets are resolved, but the
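
The three config.json shapes shown in the comment above can be told apart mechanically before a config is written to remote state or handed to a pipeline. This is an added example, not azd's own code: `classify_config`, `safe_for_remote_state`, the state names and the caller-supplied list of secure parameter names are hypothetical, and the `vault://<vault id>/<secret id>` layout is assumed from the samples in this thread.

```python
import json

VAULT_PREFIX = "vault://"

def classify_config(text, secure_params):
    """Return (state, findings) for an azd environment config.json document."""
    cfg = json.loads(text)
    params = cfg.get("infra", {}).get("parameters", {})
    vault_id = cfg.get("vault")
    findings, plaintext = [], False
    for name in secure_params:
        value = params.get(name)
        if not isinstance(value, str):
            findings.append(f"{name}: missing or not a string")
        elif value.startswith(VAULT_PREFIX):
            # Assumed layout, taken from the thread's samples: vault://<vault id>/<secret id>
            if value[len(VAULT_PREFIX):].split("/", 1)[0] != vault_id:
                findings.append(f"{name}: reference does not match the 'vault' key")
        else:
            plaintext = True
            findings.append(f"{name}: plaintext value")
    if plaintext:
        # Resolved values next to a leftover 'vault' key is the 1.9.0 shape.
        state = "inconsistent" if vault_id is not None else "resolved"
    else:
        state = "invalid" if findings else "vault-ref"
    return state, findings

def safe_for_remote_state(text, secure_params):
    """True only when no secure parameter is plaintext (remote state is not a secure store)."""
    return classify_config(text, secure_params)[0] == "vault-ref"

# Constructed samples mirroring the three shapes in the thread (placeholder ids and values).
SECURE = ["BlobStorageConnection"]

def _cfg(value, vault=None):
    doc = {"infra": {"parameters": {"BlobStorageConnection": value}}}
    if vault is not None:
        doc["vault"] = vault
    return json.dumps(doc)

LOCAL = _cfg("vault://VAULT-ID/SECRET-ID", "VAULT-ID")
CI_RESOLVED = _cfg("PLACEHOLDER_CONNECTION_STRING")
LEFTOVER_VAULT = _cfg("PLACEHOLDER_CONNECTION_STRING", "VAULT-ID")

if __name__ == "__main__":
    for label, doc in [("local", LOCAL), ("ci", CI_RESOLVED), ("1.9.0", LEFTOVER_VAULT)]:
        print(label, classify_config(doc, SECURE), safe_for_remote_state(doc, SECURE))
```
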
Thanks @vhvb1989. I updated to the daily build. The workaround (your second suggestion) where the raw value is included in However, using
After updating the Thanks again for your help, I can at least proceed with the insecure workaround until the vaults can be figured out.

Hi @vhvb1989, I tried a few permutations of my build script. If I have
I've never worked with Go before but looking at this stack trace,

Hi @Bpflugrad
Hi @vhvb1989, Thanks for the reply. I updated my local machine to I took the following steps:
Unfortunately,

Hi @Bpflugrad, since you haven’t asked that we “
Output from azd version
Run azd version and copy and paste the output here:
azd version 1.8.2 (commit 14600c7a54edac4f54397413f8638431f5c16327)
Describe the bug
Deploying in an azdo pipeline:
Using Aspire preview 6 8.0.0-preview.6.24214.1.
Using AddConnectionString(string) to add a reference to an existing Azure resource by connection string.
When deploying in an azdo pipeline, if a deployment has never been completed before (such as with azd up on a development machine), azd deploy fails with error message:
This causes the pipeline to fail and deployment cannot be completed.
To Reproduce
Visual Studio 17.10.0 Preview 5.0 create a new project from template .Net Aspire Starter Project.
azd init in the Solution folder.
azure.yaml adding to the root:
.azdo\pipelines
azure-dev.yml
azd pipeline config, following all instructions related to PAT, remotes, etc.
azconnection service principal with Storage Blob Contributor for Storage Account STORAGE_ACCOUNT.
AppHost.Program with the following line: var blobStorageConnectionString = builder.AddConnectionString("BlobStorageConnection");
AddProject line, adding .WithReference(blobStorageConnectionString).
ApiService.Program adding: builder.AddAzureBlobClient("BlobStorageConnection");
azure-dev.yml to add build commands:
azd env set AZURE_BLOB_STORAGE_CONNECTION CONNECTION_STRING
azd infra synth
main.parameters.json added by this command that the following line exists:
The build will be triggered, and at the Deploy Application step will fail with error:
Expected behavior
Deployment should succeed since the required parameter is present in the environment.
Environment
Information on your environment:
- dotnet --version 8.0.300-preview.24203.14
- Visual Studio 17.10.0 Preview 5.0
- Aspire preview 6 8.0.0-preview.6.24214.1
- azd version 1.8.2 (commit 14600c7a54edac4f54397413f8638431f5c16327)
Additional context
When not using azd infra synth the error is slightly different:
Also tried updating the builder.AddConnectionString("BlobStorageConnection", "AZURE_BLOB_STORAGE_CONNECTION"); and still get the panic.