It’s not uncommon to have a deployment script that inputs a password or other secret in order to deploy to certain environments. This way, the actual secret never needs to be stored in the script itself.
When running the script from a command line, this isn’t a problem. The user running the script can simply type in the secret when prompted. However, it becomes particularly challenging when trying to automate the execution of a script as part of an application release automation process. The password will need to be stored somewhere in order to automatically execute the script.
Fortunately, BuildMaster already has features to address this scenario: you can create Resource Credentials to store secrets that can be used but not viewed, and Users & Tasks to restrict who can use those secrets.
However, sometimes it’s easier to simply automate the existing process than to define a new one, and that’s where this tutorial comes in. With Release Template Variables, you can configure BuildMaster in such a way that the user who deploys to a particular stage or environment is prompted for a password or other secret prior to deployment.
For this tutorial, we’ll use a dummy PowerShell script called DeployHdarsService that has three parameters: TargetIp, ServiceUserKey, and ServicePassword. Once this script is loaded as an asset in BuildMaster, it can be executed as part of a deployment plan. See Adding and Executing PowerShell Scripts for more information.
Just like with any other PowerShell asset, when you add the script using the visual editor, you’ll be prompted to enter values for the parameters. These are what will be passed to the script when the deployment plan runs. Instead of entering the actual password, enter $ServiceUserPassword; in the next step, we’ll set up a prompt for that variable.
One major benefit of Release Templates is the ability to specify the variables that must be defined on releases, packages, and deployments. By setting up a deployment variable inside of a release template, you can use it as a password/secret prompt.
To create a release template, go to Releases > Release Templates > Create.
Note that any deployment variables you add must be entered before the deployment, and if you check Required and Obscured, then it will function just like a password prompt for an interactive script.
Unless you Log or otherwise display $ServiceUserPassword as part of the deployment plan, the value will not be shown to other users.
After creating a release that uses the release template, you will be prompted for the ServiceUserPassword variable prior to deployment.
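The following is an added sketch, not the tutorial's or BuildMaster's own code, of how a script such as DeployHdarsService could accept the three parameters and handle the prompted password without writing it to output. The parameter names come from the tutorial; the script body, the remote restart step, and the service name 'HdarsService' are assumptions made for illustration.

```powershell
# DeployHdarsService.ps1 - constructed stand-in; the tutorial's real script body is not shown.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$TargetIp,
    [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$ServiceUserKey,
    # Receives the value of the $ServiceUserPassword deployment variable as plain text.
    [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$ServicePassword
)

$ErrorActionPreference = 'Stop'

# Validate the target before any credential is used.
$parsedIp = $null
if (-not [System.Net.IPAddress]::TryParse($TargetIp, [ref]$parsedIp)) {
    throw "TargetIp '$TargetIp' is not a valid IP address."
}

# Wrap the secret right away and drop the script's own plain-text variable.
$secure = ConvertTo-SecureString -String $ServicePassword -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($ServiceUserKey, $secure)
Remove-Variable -Name ServicePassword

# Write only non-secret facts; output may end up in the execution log.
Write-Output "Deploying HDARS service to $parsedIp as '$($credential.UserName)' (password not logged)."

try {
    # Hypothetical deployment action: restart a service named 'HdarsService' on the target.
    Invoke-Command -ComputerName $parsedIp.ToString() -Credential $credential -ScriptBlock {
        Restart-Service -Name 'HdarsService'
    }
    Write-Output 'Deployment step completed.'
}
catch {
    # Report the failure without echoing parameters or the credential.
    throw "Deployment to $parsedIp failed: $($_.Exception.Message)"
}
```

Because the password still reaches the script as a plain string parameter, keeping it out of Write-Output, Write-Host, and exception messages is what prevents it from appearing to other users who can read the deployment's output.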