Skip to content

Commit 0ec23ab

Browse files
authored
Merge pull request #166 from Azure/docs/improve-environment-overrides
docs: improve environment overrides guide
2 parents 95e389a + 7d4fb99 commit 0ec23ab

1 file changed

Lines changed: 75 additions & 1 deletion

File tree

docs/guides/environment-overrides.md

Lines changed: 75 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,10 @@ namedValues:
4242
keyVault:
4343
secretIdentifier: "https://prod-kv.vault.azure.net/secrets/db-conn"
4444
identityClientId: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
45+
- name: payment-api-key
46+
properties:
47+
secret: true
48+
value: "{#[PAYMENT_API_KEY]#}" # Pipeline token — replaced at runtime
4549

4650
backends:
4751
- name: petstore-backend
@@ -127,6 +131,29 @@ namedValues:
127131
identityClientId: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
128132
```
129133
134+
### Named value secrets (with pipeline token substitution)
135+
136+
Secrets can be stored in Key Vault (see [Key Vault pattern](#key-vault-pattern) below) or injected at pipeline runtime using [token substitution](token-substitution.md). With token substitution, the `{#[TOKEN_NAME]#}` placeholder is replaced with the actual secret value from your pipeline's secret store (GitHub Actions Secrets or Azure DevOps variable groups).
137+
138+
```yaml
139+
namedValues:
140+
- name: payment-api-key
141+
properties:
142+
displayName: payment-api-key
143+
secret: true
144+
value: "{#[PAYMENT_API_KEY]#}" # Replaced at pipeline runtime
145+
- name: webhook-secret
146+
properties:
147+
secret: true
148+
value: "{#[WEBHOOK_SECRET]#}"
149+
```
150+
151+
Store the actual secret values in:
152+
- **GitHub Actions:** Environment secrets (Settings → Environments → Add secret). See [Using secrets in GitHub Actions](https://docs.github.com/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-environment).
153+
- **Azure DevOps:** Variable groups marked as secret (Pipelines → Library). See [Use variable groups in pipelines](https://learn.microsoft.com/azure/devops/pipelines/library/variable-groups) and [Set secret variables](https://learn.microsoft.com/azure/devops/pipelines/process/set-secret-variables).
154+
155+
See the [Token Substitution guide](token-substitution.md) for complete setup instructions.
156+
130157
### Backends
131158

132159
```yaml
@@ -241,6 +268,8 @@ loggers:
241268
isBuffered: true
242269
```
243270

271+
> **Tip:** You can also use [pipeline token substitution](token-substitution.md) for logger credentials. Replace the hardcoded value with a placeholder like `{#[APPINSIGHTS_KEY]#}`, and store the actual key in your pipeline's secret store. This keeps secrets out of your repository entirely.
272+
244273
### Subscriptions
245274

246275
```yaml
@@ -298,7 +327,7 @@ policies:
298327

299328
### Version sets, groups, and tags
300329

301-
Overrides are also supported for `versionSets`, `groups`, `tags`, and `workspaces`. Each uses the same `name` + `properties` format:
330+
Overrides are also supported for `versionSets`, `groups`, and `tags`. Each uses the same `name` + `properties` format:
302331

303332
```yaml
304333
versionSets:
@@ -318,6 +347,50 @@ tags:
318347
displayName: "Public API"
319348
```
320349

350+
### Workspaces
351+
352+
Workspaces (Premium/StandardV2/PremiumV2 tiers) support overrides for the workspace container itself:
353+
354+
```yaml
355+
workspaces:
356+
- name: partner-workspace
357+
properties:
358+
displayName: "Partner Workspace (Production)"
359+
description: "Production workspace for partner APIs"
360+
```
361+
362+
#### Workspace-scoped resource overrides
363+
364+
Resources inside a workspace are extracted to `workspaces/<workspace-name>/` subdirectories. To override them, **nest** the child sections directly under the workspace entry (matching the APIOps Toolkit format):
365+
366+
```yaml
367+
workspaces:
368+
- name: partner-workspace
369+
properties:
370+
displayName: "Partner Workspace (Production)"
371+
apis:
372+
- name: orders-api
373+
properties:
374+
serviceUrl: "https://orders-prod.contoso.com/v1"
375+
backends:
376+
- name: orders-backend
377+
properties:
378+
url: "https://orders-prod.contoso.com"
379+
namedValues:
380+
- name: api-key
381+
properties:
382+
secret: true
383+
value: "{#[PARTNER_API_KEY]#}"
384+
loggers:
385+
- name: appinsights-logger
386+
properties:
387+
resourceId: "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/microsoft.insights/components/prod-appinsights"
388+
```
389+
390+
The supported workspace child sections are: `apis`, `backends`, `diagnostics`, `groups`, `loggers`, `namedValues`, `policyFragments`, `products`, `subscriptions`, `tags`, and `versionSets`.
391+
392+
> ⚠️ **Known limitation — tracked in [#118](https://github.com/Azure/apiops-cli/issues/118):** workspace child overrides are *parsed* (the YAML above is accepted with no errors) but are **not yet applied at publish time**. Until #118 is fixed, only the workspace container's own `properties` are honored for workspace-scoped resources. Authoring overrides in this nested shape today is safe and forward-compatible — they will start taking effect automatically once the merger is updated.
393+
321394
## Override rules
322395

323396
### Names must be consistent
@@ -478,6 +551,7 @@ apiops publish --overrides configuration.prod.yaml --dry-run \
478551
## Related
479552

480553
- [`apiops publish` Command Reference](../commands/publish.md)
554+
- [Token Substitution Guide](token-substitution.md)
481555
- [Configuration Reference](../reference/configuration.md)
482556
- [Authentication Guide](authentication.md)
483557
- [Scenarios and Workflows](scenarios-and-workflows.md)

0 commit comments

Comments
 (0)