Use Azure Key Vault Secrets for Unit Tests in Azure Pipelines
I have a solution in .NET 5 with some Unit Tests in NUnit that required some secrets to work correctly. Testing in Visual Studio using local user secrets works fine but now I want to try to integrate using Azure Key Vault and run the Unit Tests inside a Pipeline.
I added the Task AzureKeyVault@2 and according to the log the secrets are downloaded just fine but in the next steps, the Unit Tests fail because it doesn't find some keys when try to access from IConfiguration.
This is my azure-pipelines.yml (only the relevant parts).
- job: Init
displayName: Unit Testing
variables:
solutionToBuild: 'Solution.sln'
unitTestsProject: 'UnitTests\UnitTests.csproj'
buildConfiguration: 'Release'
steps:
- task: DotNetCoreCLI@2
displayName: 'Restore Packages'
inputs:
command: 'restore'
projects: '$(solutionToBuild)'
verbosityRestore: minimal
feedsToUse: 'select'
- task: DotNetCoreCLI@2
displayName: 'Build Solution'
inputs:
command: 'build'
projects: '$(solutionToBuild)'
arguments: '-c $(buildConfiguration)'
- task: AzureKeyVault@2
displayName: 'Configure Key Vault'
inputs:
azureSubscription: '**-etc-**'
KeyVaultName: '**key-vault-name**'
- task: DotNetCoreCLI@2
displayName: 'Run Unit Tests'
inputs:
command: 'test'
projects: '$(unitTestsProject)'
arguments: '-c $(buildConfiguration) --collect:"XPlat Code Coverage"'
publishTestResults: true
I created this basic tests that are currently failing in the Pipeline. I'm using the Host.CreateDefaultBuilder() method to initialize all the unit tests.
[Test]
[TestCase("secret-key-1")]
[TestCase("secret-key-1")]
public void TestSecrets(string key)
{
Assert.NotNull(_config[key]);
Assert.IsNotEmpty(_config[key]);
}
Does the AzureKeyVault@2 pass the secrets keys and values for the DotNetCoreCLI@2 task or do I need an additional step?. I read that you can play with the FileTransform@1 step using an empty appsettings.json but I couldn't make it work. Is there a correct method to achieve this?
I finally made it work. I decided to go to the route of the appsettings.json. with File Transformation Task. I will answer myself just in case anyone else find this useful.
You need to have a appsettings.json in your Unit Test project, and add all the required keys you'll need in your Unit Tests, but without values, only "", e.g.
{
"secret-key-1": "",
"secret-key-2": "",
"secret-key-3": "",
}
If you want to test locally you can use the local user-secrets option in Visual Studio and add all the keys like in your appsettings.json file but with actual values (you'll be the only one to view the values anyways)
{
"secret-key-1": "some-secret-value",
"secret-key-2": "some-secret-value",
"secret-key-3": "some-secret-value",
}
Then, in your SetUp method you can initialize the IConfiguration class as follow. (You can easily transform this into a static method if you have multiple Unit Tests classes)
[TestFixture]
public class MyUnitTest
private IConfiguration Config;
[SetUp]
public void Setup()
{
Config = new ConfigurationBuilder()
.SetBasePath(AppContext.BaseDirectory)
.AddJsonFile("appsettings.json", optional: true)
.AddUserSecrets(Assembly.GetExecutingAssembly())
.Build();
}
[Test]
[TestCase("secret-key-1")
[TestCase("secret-key-2")
public void TestKeys(string key)
{
Assert.NotNull(config[key]);
Assert.IsNotEmpty(config[key]);
}
}
Finally, in the azure-pipelines.yml you add the FileTransform@1 Task after the AzureKeyVault@2.
- task: AzureKeyVault@2
displayName: 'Configure Key Vault'
inputs:
azureSubscription: '**-etc-**'
KeyVaultName: '**key-vault-name**'
- task: FileTransform@1
displayName: 'Set Unit Tests Settings'
inputs:
folderPath: '$(projectsDirectory)'
fileType: 'json'
targetFiles: '**/appsettings.json'
- task: DotNetCoreCLI@2
displayName: 'Run Unit Tests'
inputs:
command: 'test'
projects: '$(unitTestsProject)'
arguments: '-c $(buildConfiguration) --collect:"XPlat Code Coverage"'
publishTestResults: true
And that's it, after that in the pipeline log you'll see something like this in the FileTransform@1 task
Applying JSON variable substitution for **/appsettings.json
Applying JSON variable substitution for D:\a\1\s\UnitTests\appsettings.json
Substituting value on key secret-key-1 with (string) value: ***
Substituting value on key secret-key-2 with (string) value: ***
Substituting value on key secret-key-3 with (string) value: ***
- How to add new secrets (from Azure Key Vault) to the variable group in Azure Devops
- Azure Pipeline: Unable to locate executable file: 'gulp'. during task Gulp@1
- How to Simplify a Complex Azure DevOps Release Pipeline with 11 Environments and Unique Task
- Can't update Azure Pipepline. Error: Failed to fetch App Service publishing credentials
- How can I get the name of the user that approved azure devops pipeline
- Create a new pipeline from existing YML file in the repository (Azure Pipelines)
- How to reference a secret variable from an AzurePowerShell@5 task
- Is it possible to rename a release?
- Passing branch names between pipelines
- How do I get my Azure DevOps Pipeline build to fail when my linting script returns an error?
- How do I filter releases for a specific Environment (Stage)?
- Run pre-built artefact in azure yaml pipeline
- How do I trigger a failure in azure pipelines when a bicep template build fails?
- Bicep - Get Service Principal ID from App ID
- How can I inject Azure DevOps pipeline run number in a build artifact file?
- Azure DevOps Python Pipeline Agent.ToolsDirectory error on self-hosted agent
- How not to excecute specific Azure Pipeline stage which is defined with a template
- Error: Blob LeaseIdMissing when trying to update remote state in Azure Blob Storage
- In Azure Devops Yaml pipeline, how to programatically add a step to a deployment
- Trigger Azure DevOps CI Build when pushing a branch with a certain name
- Azure Pipelines - Run a stage multiple times
- How to Format Azure DevOps YAML Pipeline Build Number with leading zeros?
- Select specific task in Azure DevOps UI pipeline run
- Is it possible to use JDK 21 in an Azure Pipeline Gradle task?
- Issue Referencing Secret Variable in Azure Dev Ops
- Azure pipelines filter "each" loop results with an "if"
- Detected characters in arguments that may not be executed correctly by the shell. Please escape special characters using backtick (`)
- Azure DevOps - unable to access dlls build in previous stage or job
- Azure Pipeline - Write a file with break points
- How to cache pip packages within Azure Pipelines