I'm working on improving security in a legacy ASP.NET application. One issue identified was the use of hard-coded database connection strings in web.config.
To resolve this, I've moved the connection details to secret variables in Azure DevOps variable groups.
The variable substitution is done in the IISWebAppDeploymentOnMachineGroup@0 task, by setting XmlVariableSubstitution.
This works fine. However, I'm a bit concerned about how broadly this applies. This task will perform substitutions across all config files in the application, matching any element in appSettings, connectionStrings, configSections, based on key or name, against all pipeline variables.
If at some stage someone added a variable to the variable groups, which happens to match a key for any appSettings across the whole application, the value will be unintentionally and silently substituted.
I'd like to somehow limit the scope of the substitution task, to ensure it only applies where we need it to.
Is anyone aware of any way to do this?
CodePudding user response:
When you use the option XML variable substitution in the IISWebAppDeploymentOnMachineGroup task, it will loop through all config files by default.
I am afraid that there is no method that can limit the scope of the XML variable substitution action in the IISWebAppDeploymentOnMachineGroup task.
As a workaround, you can add the File Transform task to update the variable in the config file. It supports defining the target file in the task.
For example:
- task: FileTransform@1
  displayName: 'File Transform: '
  inputs:
    fileType: xml
    targetFiles: web.config
On the other hand, you can also use the RegEx Match & Replace task from RegEx Match & Replace. It supports defining the target variable and target file in the task. Refer to my previous ticket: RegExMatchReplace task
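A pre-deployment check for the collision risk raised in the question, as an added example that is not part of the original answer or of the task's own code: it lists every `key`/`name` in the sections named above that a pipeline variable name would match, and reports any match outside an explicit allow-list. The function names, sample files, variable names and allow-list are hypothetical, and the case-insensitive comparison is a deliberately conservative assumption about the task's matching.

```python
import sys
import xml.etree.ElementTree as ET

# Sections named in the question; an approximation of the task's matching rule.
SECTIONS = {"appSettings", "connectionStrings", "configSections"}

def local(tag):
    """Strip an XML namespace prefix such as '{uri}appSettings'."""
    return tag.rsplit("}", 1)[-1]

def substitution_targets(config_xml, variable_names):
    """Return sorted (section, key-or-name) pairs a variable name would match."""
    # Compared case-insensitively on purpose: the audit should over-report.
    wanted = {name.lower() for name in variable_names}
    hits = set()
    for section in ET.fromstring(config_xml).iter():
        if local(section.tag) not in SECTIONS:
            continue
        for element in section.iter():
            for attr in ("key", "name"):
                value = element.get(attr)
                if value and value.lower() in wanted:
                    hits.add((local(section.tag), value))
    return sorted(hits)

def unexpected_targets(configs, variable_names, allowed):
    """configs maps path -> XML text; allowed holds expected (path, section, key)."""
    return sorted(
        (path, section, key)
        for path, xml_text in configs.items()
        for section, key in substitution_targets(xml_text, variable_names)
        if (path, section, key) not in allowed
    )

# Constructed sample input: two config files and the variable group's names.
CONFIGS = {
    "web.config": """<configuration>
      <connectionStrings><add name="MainDb" connectionString="placeholder" /></connectionStrings>
      <appSettings><add key="Environment" value="dev" /></appSettings>
    </configuration>""",
    "Areas/Admin/web.config": """<configuration>
      <appSettings><add key="Environment" value="dev" /></appSettings>
    </configuration>""",
}
VARIABLES = ["MainDb", "environment"]
ALLOWED = {("web.config", "connectionStrings", "MainDb")}

if __name__ == "__main__":
    surprises = unexpected_targets(CONFIGS, VARIABLES, ALLOWED)
    for path, section, key in surprises:
        print(f"unexpected substitution target: {path} {section}/{key}")
    sys.exit(1 if surprises else 0)
```

Run as a pipeline step before deployment, a non-zero exit stops the release when a newly added variable starts matching a setting nobody intended to replace.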