Azure Terraform（十一）Azure DevOps Pipeline 内的动态临时变量的使用

思路浅析

　　在我们分析的 Azure Terraform 系列文中有介绍到关于 Terraform 的状态文件远程存储的问题，我们在  Azure DevOps Pipeline 的 Task Job 加 azure_cli_script 执行内联脚本（该脚本帮我们创建好 Terraform 状态文件存储所在的 Azure Resource Group、 Azure Storage Account、Azure KeyVault 等资源），需要注意的是，内联脚本中有使用动态变量，该变量临时存储 Azure Storage Account 的 Account Key，如下图所示：

本篇文章，我继续带领大家，分析如何在 Azure DevOps Pipeline 运行中创建使用动态临时变量，使用动态临时变量替换 Azure Pipeline 管道变量。

项目整体架构图

Pipeline 变量定义、输出

在此阶段，我们需要利用 azure_cli_script 任务，创建动态临时变量，输出参数，其中最主要的是将动态临时变量输出，Task yaml 如下所示

输出的变量用于同一个 stage，不同 job

- stage: script
  jobs:
   - job: azure_cli_script
     steps:
      - task: AzureCLI@2
        displayName: 'Azure CLI :Create Storage Account，Key Vault And Set KeyVault Secret'
        name: 'output_variable'
        inputs:
          azureSubscription: 'Microsoft Azure Subscription(xxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)'
          scriptType: 'bash'
          addSpnToEnvironment: true
          scriptLocation: 'inlineScript'
          inlineScript: |
              # create azure resource group
              az group create --location eastasia --name $(terraform_rg)

              # create azure storage account
              az storage account create --name $(storage_account) --resource-group $(terraform_rg) --location eastasia --sku Standard_LRS

              # create storage account container for tf state
              az storage container create --name $(storage_account_container) --account-name $(storage_account)

              # query storage key and set variable
              ACCOUNT_KEY=$(az storage account keys list --resource-group $(terraform_rg) --account-name $(storage_account) --query "[?keyName == 'key1'][value]" --output tsv)

              # create azure keyvault
              az keyvault create --name $(keyvault) --resource-group $(terraform_rg) --location eastasia --enable-soft-delete false

              # set keyvault secret,secret value is ACCOUNT_KEY
              az keyvault secret set --name $(keyvault_sc) --vault-name $(keyvault)  --value $ACCOUNT_KEY

              # set secret varivale and add to environment
              echo "##vso[task.setvariable variable=ACCOUNT_KEY;isOutput=true]$ACCOUNT_KEY"
              #echo "##vso[task.setvariable variable=ACCOUNT_KEY;issecret=true;isOutput=true]$ACCOUNT_KEY"

   - job: same_stage_echo
     dependsOn: azure_cli_script
     variables:
       ACCOUNT_KEY: $[dependencies.azure_cli_script.outputs['output_variable.ACCOUNT_KEY']]
     steps:
       - task: Bash@3
         displayName: 'Bash :output temporary variables in different jobs on the same stage'
         inputs:
           targetType: 'inline'
           script: |
             # echo ACCOUNT_KEY
             echo "ACCOUNT_KEY is $ACCOUNT_KEY"

输出变量用于不同 stage

- stage: echo_varibale
  dependsOn: script
  jobs:
    - job: different_stage_echo
      variables:
        ACCOUNT_KEY: $[stageDependencies.script.azure_cli_script.outputs['output_variable.ACCOUNT_KEY']]
      steps:
        - task: Bash@3
          displayName: 'Bash :output temporary variables in same jobs on the same stage'
          inputs:
            targetType: 'inline'
            script: |
              # echo ACCOUNT_KEY
              echo "ACCOUNT_KEY is $ACCOUNT_KEY"

以下为完整的   azure-pipelines-1.yaml

# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
- remote_stats

pool:
  vmImage: ubuntu-latest

stages:
- stage: script
  jobs:
   - job: azure_cli_script
     steps:
      - task: AzureCLI@2
        displayName: 'Azure CLI :Create Storage Account，Key Vault And Set KeyVault Secret'
        name: 'output_variable'
        inputs:
          azureSubscription: 'Microsoft Azure Subscription(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx)'
          scriptType: 'bash'
          addSpnToEnvironment: true
          scriptLocation: 'inlineScript'
          inlineScript: |
              # create azure resource group
              az group create --location eastasia --name $(terraform_rg)

              # create azure storage account
              az storage account create --name $(storage_account) --resource-group $(terraform_rg) --location eastasia --sku Standard_LRS

              # create storage account container for tf state
              az storage container create --name $(storage_account_container) --account-name $(storage_account)

              # query storage key and set variable
              ACCOUNT_KEY=$(az storage account keys list --resource-group $(terraform_rg) --account-name $(storage_account) --query "[?keyName == 'key1'][value]" --output tsv)

              # create azure keyvault
              az keyvault create --name $(keyvault) --resource-group $(terraform_rg) --location eastasia --enable-soft-delete false

              # set keyvault secret,secret value is ACCOUNT_KEY
              az keyvault secret set --name $(keyvault_sc) --vault-name $(keyvault)  --value $ACCOUNT_KEY

              # set secret varivale and add to environment
              echo "##vso[task.setvariable variable=ACCOUNT_KEY;isOutput=true]$ACCOUNT_KEY"
              #echo "##vso[task.setvariable variable=ACCOUNT_KEY;issecret=true;isOutput=true]$ACCOUNT_KEY"

   - job: same_stage_echo
     dependsOn: azure_cli_script
     variables:
       ACCOUNT_KEY: $[dependencies.azure_cli_script.outputs['output_variable.ACCOUNT_KEY']]
     steps:
       - task: Bash@3
         displayName: 'Bash :output temporary variables in different jobs on the same stage'
         inputs:
           targetType: 'inline'
           script: |
             # echo ACCOUNT_KEY
             echo "ACCOUNT_KEY is $ACCOUNT_KEY"

- stage: echo_varibale
  dependsOn: script
  jobs:
    - job: different_stage_echo
      variables:
        ACCOUNT_KEY: $[stageDependencies.script.azure_cli_script.outputs['output_variable.ACCOUNT_KEY']]
      steps:
        - task: Bash@3
          displayName: 'Bash :output temporary variables in same jobs on the same stage'
          inputs:
            targetType: 'inline'
            script: |
              # echo ACCOUNT_KEY
              echo "ACCOUNT_KEY is $ACCOUNT_KEY"

*****重点*****：管道内变量与动态临时变量使用区别

Pipeline 管道内使用方式：$(变量名称)

动态临时变量使用方式：$变量名称

配置 Pipeline 管道变量

使用 Azure CLI 创建 Azure Storage Account、Azure Key Vault 的内联脚本中使用管理内变量控制参数

变量名	变量值
terraform_rg	Web_Test_TF_RG
storage_account	cnbatetfstorage
storage_account_container	tf-state
keyvault	cnbate-terraform-kv
keyvault_sc	terraform-stste-storage-key
container_key	cnbate.tf.stats

运行 Pipeline，查看配置输出

由于我们已经在 azure-pipelines-1.yaml 文件中指定了工作分支 “remote_stats”，当我们只要触发 “remote_stats” 分支的 “push” 或者 “pull_request” 动作都会触发 Azure DevOps Pipeline 的运行。

相同 stage 内的 job 输出

不同 stage 的 job 输出

总结

本期实验，我们学习了如何在 Azure DevOps Pipeline 运行期间创建的动态临时变量以及变量的输出，使得我们更加灵活的在任意 job 中声明自定义的动态临时变量，并将动态临时变量应用到任意的 job 中，这种方式有区别与Pipeline 管道内变量，尤其是在定义阶段和使用语法上，详细内容参考官方文档。

在脚本中设置变量：https://docs.microsoft.com/en-us/azure/devops/pipelines/process/set-variables-scripts

github 代码地址：https://github.com/yunqian44/Terraform_Cnbate_Traffic_Manager

Terraform 在 Azure DevOps 中的使用系列：https://www.cnblogs.com/AllenMaster/category/1876925.html