
Managing passwords in continuous deployment

We are well into our deployment of a continuous integration environment using TeamCity. As we work through the CI process and move toward continuous deployment, we have run into a problem with how we manage production passwords. For other changes in the config, we use the Web.Config transform. However, I don't really want to bake the production password in a build profile.

Before CI/CD, we would take the Web.config, use aspnet_regiis to decrypt the connection strings, change the password, then re-encrypt. Obviously, this is error-prone and not at all in the spirit of CI/CD.

I've had several other thoughts that were basically all about using something in the deploy script to re-write and then encrypt the connection strings section of the file, but it seems like this must be a common problem and that there must be some generally accepted solution. But so far, I can't find it. Is there a "right way"?

Thanks!

Jacob asked Feb 27 '12 19:02


2 Answers

One possible solution, available since TeamCity 7.0, is to use typed parameters. You can define a parameter in TeamCity of type password, and pass it somehow to your build script (either as an environment variable or as your build script property).

TeamCity stores values of such parameters in its own configuration files and in the database in scrambled form. If the password appears in the build log or on the build parameters page, it will be replaced with ***.

Pavel Sher answered Oct 01 '22 01:10


Use config transformations. You can even build your own transformation that can handle encryption/decryption. The easiest way is to encrypt the production strings in the release.web.config and use a transformation to handle replacing the connection strings.

http://msdn.microsoft.com/en-us/library/dd465318.aspx

http://sedodream.com/2010/09/09/ExtendingXMLWebconfigConfigTransformation.aspx

If this doesn't work for you, use a postbuild event to call aspnet_regiis. If you choose to extend the config transformation, you can do ANYTHING with it. The encryption keys could be on the moon as long as you can get to them.

Darthg8r answered Oct 01 '22 02:10
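The two answers can be combined in one deploy step, shown here as an added example that is not part of either answer: the secret arrives from a TeamCity password parameter as an environment variable, is written into the deployed Web.config, and the section is then encrypted in place with aspnet_regiis. The parameter name `env.PROD_CONNECTION_STRING`, the connection name `Default`, the site path and the .NET Framework directory are assumptions.

```powershell
# Added example: runs on the target web server after the files are copied.
# Assumed (not from the page): TeamCity password parameter env.PROD_CONNECTION_STRING
# holds the full production connection string; connection name and paths below.
param(
    [string]$SitePath       = 'C:\inetpub\MySite',
    [string]$ConnectionName = 'Default'
)
$ErrorActionPreference = 'Stop'

# TeamCity exposes env.* parameters to the build process as environment variables.
$secret = $env:PROD_CONNECTION_STRING
if ([string]::IsNullOrEmpty($secret)) { throw 'PROD_CONNECTION_STRING is not set' }

$configPath = Join-Path $SitePath 'Web.config'
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($configPath)

$node = $xml.SelectSingleNode("/configuration/connectionStrings/add[@name='$ConnectionName']")
if ($null -eq $node) {
    throw "Connection string '$ConnectionName' not found; is the section already encrypted?"
}

# SetAttribute handles XML escaping, so quotes or ampersands in the secret are safe.
$node.SetAttribute('connectionString', $secret)
$xml.Save($configPath)

# Encrypt the section in place (-pef takes the section name and the physical directory).
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
& $regiis -pef 'connectionStrings' $SitePath
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# Fail the deployment if the plaintext section is still on disk.
$check = New-Object System.Xml.XmlDocument
$check.Load($configPath)
$section = $check.SelectSingleNode('/configuration/connectionStrings')
if ($null -eq $section -or -not $section.HasAttribute('configProtectionProvider')) {
    throw 'connectionStrings section was not encrypted'
}
Write-Host 'connectionStrings updated and encrypted.'
```

With the default protected-configuration provider the encryption key is machine-specific, so this step has to run on the server that hosts the site (or on one that shares the same key container), not on the build agent.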