Question
We are trying to add Always Encrypted in one of our applications and we would like to make it work with our CI flow.
We are using DACPAC deploy with Azure DevOps. Everything worked until now but we are facing a challenge with Always Encrypted...
Each SQL environment needs to have a different key that is in Azure Key Vault. The way we found to automate this is by using an SSDT variable (ref)
CREATE COLUMN MASTER KEY [ResponseKey] WITH (
KEY_STORE_PROVIDER_NAME = N'AZURE_KEY_VAULT',
KEY_PATH = N'[$(OurVariableName)]' );
When the compare between our DB and the DACPAC is done, the script always contains the Drop + Create of the key even if the value of the key is the same. We tried outputting the generated script, and our key value from Azure Key Vault is in the variable section of the script. It is as if the compare doesn't work with variables.
Has anyone made this work?
Also, when we add a new encrypted column, the generated script always fails, stating that there is data already in the table. This seems the opposite of this link
Answer 1:
After a few days of research, it seems it isn't possible to use variables to change the values of keys for deployment of our DACPAC in each of our environments. (Or we have not found how!).
The workaround we are using is to deploy the keys and the encrypted column by script in each of our environments (with different keys in each environment), then we modify our DACPAC to match what has been done manually.
We have added two options to our XML publishing profile:
<ExcludeColumnEncryptionKeys>True</ExcludeColumnEncryptionKeys>
<ExcludeColumnMasterKeys>True</ExcludeColumnMasterKeys>
When we deploy in our CI flow, the keys are not compared and no change is done to the structure even if they are different.
It would be nice to be able to use variables instead of doing things manually, but that's the way it seems to be!
CI + Always encrypted don't go together!
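A pipeline gate for the workaround described in the answer, as an added example that is not part of the original question or answer: before publishing, it checks that the publish profile sets both exclusion options to True and that the generated deployment script contains no DROP/CREATE/ALTER of a column master key or column encryption key. The function names, the sample profile, the sample scripts and the `example.invalid` key path are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The two publish-profile options named in the answer above.
REQUIRED = ("ExcludeColumnEncryptionKeys", "ExcludeColumnMasterKeys")
# Heuristic: strips T-SQL comments without tracking string literals.
COMMENTS = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
KEY_DDL = re.compile(
    r"\b(DROP|CREATE|ALTER)\s+COLUMN\s+(MASTER|ENCRYPTION)\s+KEY\s+\[?([^\]\s;]+)", re.I)

def missing_exclusions(profile_xml):
    """Return the required options that are absent or not set to True."""
    enabled = set()
    for el in ET.fromstring(profile_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the MSBuild namespace prefix
        if name in REQUIRED and (el.text or "").strip().lower() == "true":
            enabled.add(name)
    return [name for name in REQUIRED if name not in enabled]

def key_ddl(script_sql):
    """Return (verb, key kind, key name) for each key statement in the script."""
    body = COMMENTS.sub(" ", script_sql)
    return [(m[1].upper(), m[2].upper(), m[3]) for m in KEY_DDL.finditer(body)]

def gate(profile_xml, script_sql):
    """Return a list of findings; an empty list means the deploy may proceed."""
    findings = [f"publish profile: {n} is not True" for n in missing_exclusions(profile_xml)]
    findings += [f"script: {v} COLUMN {k} KEY [{n}]" for v, k, n in key_ddl(script_sql)]
    return findings

# Constructed sample inputs (not taken from the original post).
PROFILE_OK = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <ExcludeColumnEncryptionKeys>True</ExcludeColumnEncryptionKeys>
    <ExcludeColumnMasterKeys>True</ExcludeColumnMasterKeys>
  </PropertyGroup>
</Project>"""
PROFILE_BAD = PROFILE_OK.replace("<ExcludeColumnMasterKeys>True", "<ExcludeColumnMasterKeys>False")
SCRIPT_BAD = """-- DROP COLUMN MASTER KEY [Commented];
DROP COLUMN MASTER KEY [ResponseKey];
CREATE COLUMN MASTER KEY [ResponseKey] WITH (
    KEY_STORE_PROVIDER_NAME = N'AZURE_KEY_VAULT',
    KEY_PATH = N'https://example.invalid/keys/placeholder');
"""
SCRIPT_OK = "ALTER TABLE [dbo].[T] ADD [Note] NVARCHAR(50) NULL;\n"

if __name__ == "__main__":
    for finding in gate(PROFILE_BAD, SCRIPT_BAD):
        print(finding)
```

Run it against the profile used by the release and the script produced by a script-only publish step, and fail the stage when `gate` returns any finding.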
Source: https://stackoverflow.com/questions/59619527/ci-with-a-sql-always-encrypted-column