So I've been following many different ideas/strategies through many blogs/SO posts, but I haven't been able to find my ideal solution.
The VSRM task to publish Web Apps supports overriding values in Web.config. You can keep your secrets in VSRM and replace them at deployment time. See "File transforms and variable substitution reference", section "XML variable substitution".
Short answer: Don't put secrets in configuration files.
If all your resources reside in Azure, use Managed Service Identities so that you don't need to bother with connection strings.
If not, use ARM templates and key vault-linked parameters to manage your Azure infrastructure. Azure Web Apps allow you to override configuration files with app settings/connection strings within the web app. So simply use key vault to manage that stuff, and tell the web app to pull the values from key vault.
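An added example, not part of the original answer: an ARM template in which the web app gets a system-assigned managed identity and an app setting whose value is a Key Vault reference, so no secret value appears in Web.config, the template, or the pipeline. The parameter names, the setting and secret name `PaymentApiKey`, and the public-cloud `vault.azure.net` suffix are assumptions made for illustration.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "siteName": {
      "type": "string",
      "metadata": { "description": "Hypothetical parameter: name of the web app." }
    },
    "serverFarmId": {
      "type": "string",
      "metadata": { "description": "Hypothetical parameter: resource ID of an existing App Service plan." }
    },
    "vaultName": {
      "type": "string",
      "metadata": { "description": "Hypothetical parameter: name of an existing Key Vault that holds the secret." }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2022-03-01",
      "name": "[parameters('siteName')]",
      "location": "[resourceGroup().location]",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "serverFarmId": "[parameters('serverFarmId')]",
        "httpsOnly": true,
        "siteConfig": {
          "appSettings": [
            {
              "name": "PaymentApiKey",
              "value": "[concat('@Microsoft.KeyVault(SecretUri=https://', parameters('vaultName'), '.vault.azure.net/secrets/PaymentApiKey/)')]"
            }
          ]
        }
      }
    }
  ]
}
```

The web app's identity still has to be granted permission to read secrets from the vault (an access policy or an RBAC role assignment) before the reference resolves. The app reads `PaymentApiKey` as an ordinary app setting, which overrides the `<appSettings>` entry with the same key in Web.config.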