Team Foundation Server (Release Pipeline)

I'm developing a release pipeline for deploying artefacts using TFS 2017 Update 3 Release Management. There are various tasks like "Windows Machine File Copy" and "Run PowerShell on Target Machines" which need admin credentials to be passed as input parameters. These admin credentials have administrative access on the target nodes. I'm using Windows service accounts for these. We have an organisational security policy to rotate passwords every month.

With that in mind, it is hectic to update hundreds of TFS release definitions with the new password every month.

Do you have a better idea to handle this? Please give detailed answers. Thanks in advance.



Solution 1:[1]

You could use a variable group to store values that you want to make available across multiple build and release definitions. Variable groups are defined and managed in the Library tab of the Build & Release hub. In this way, you can just edit the variable group:

https://docs.microsoft.com/en-us/vsts/pipelines/library/variable-groups?view=vsts

Solution 2:[2]

If you want to automate the process, you can use the solution defined here. This details how to use the TFS API to poke the definitions.

Alternatively, you could create your own PowerShell task that sources the password from some alternative source like Azure Key Vault, or even hard-code it into the JSON task definition itself (don't do this).

You can vote to improve this story here.

I wrote a custom version of the PowerShell task that uses the identity of the agent as part of the WinRM session which greatly simplifies our release definition process.
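
Added example (not part of either answer, and not Microsoft's or the answerers' code): one way to combine Solution 1's variable group with Solution 2's idea of scripting the monthly change, by updating a single secret variable through the variable group REST endpoint. The collection URL, project, group id, variable name and api-version are assumptions to replace with values from your own server.

```powershell
param(
    [string]$CollectionUrl = 'https://tfs.example.local/tfs/DefaultCollection',  # placeholder
    [string]$Project       = 'MyProject',                                        # placeholder
    [int]   $GroupId       = 1,                                                  # placeholder
    [string]$VariableName  = 'DeployAdminPassword',   # hypothetical variable name
    [string]$ApiVersion    = '3.2-preview.1'          # assumption: confirm what your server accepts
)
$ErrorActionPreference = 'Stop'

$uri = "$CollectionUrl/$Project/_apis/distributedtask/variablegroups/${GroupId}?api-version=$ApiVersion"

# Prompt for the password so it never lands in a script file or command history.
$secure = Read-Host -Prompt "New password for $VariableName" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# Integrated Windows auth: the caller needs permission to edit this variable group.
$group = Invoke-RestMethod -Uri $uri -Method Get -UseDefaultCredentials
if (-not $group.variables.PSObject.Properties[$VariableName]) {
    throw "Variable '$VariableName' not found in group '$($group.name)'."
}

# GET does not return the values of secret variables. Writing the group back with
# those values empty could overwrite them, so stop if other secrets are present.
$otherSecrets = $group.variables.PSObject.Properties |
    Where-Object { $_.Name -ne $VariableName -and $_.Value.isSecret } |
    ForEach-Object { $_.Name }
if ($otherSecrets) {
    throw "Group also holds secrets that must be re-supplied: $($otherSecrets -join ', ')"
}

# Replace only the target variable and keep it marked as secret.
$group.variables.$VariableName = [pscustomobject]@{ value = $plain; isSecret = $true }
$body = $group | ConvertTo-Json -Depth 5

Invoke-RestMethod -Uri $uri -Method Put -Body $body -ContentType 'application/json' -UseDefaultCredentials | Out-Null
$plain = $null
Write-Host "Updated '$VariableName' in variable group '$($group.name)'."
```

Release definitions that link the group and reference the value as `$(DeployAdminPassword)` pick up the new password on their next run without being edited.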

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Cece Dong - MSFT
Solution 2