如何使用Git处理Azure App Services上的机密文件

We have an PHP app, where for encryption of the connection with database we need to provide 3 files that shouldn't be publicly accessible, but should be present on the server to make the DB connection (https://www.cleardb.com/developers/ssl_connections)

Obviously we don't want to store them in the SCM with the app code, so the only idea that comes to my mind is using post-deploy action hook and fetch those files from storage account (with keys and URIs provided in the app parameters).

Is there a nicer/cleaner way to achieve this? :)

Thank you,

You can try to use Custom Deployment Script to execute additional scripts or command during the deployment task. So you can create a php script whose functionality is to download the certificate files from Blob Storage to server file system location. And then in your PHP application, the DB connection can use these files.

Following are the general steps:

  1. Enable composer extension in your portal: enter image description here
  2. Install azure-cli module via npm, refer to https://docs.microsoft.com/en-us/azure/xplat-cli-install for more info.
  3. Create deployment script for php via command azure site deplotmentscript --php
  4. Execute command composer require microsoft/windowsazure, make sure you have a composer.json with the storage sdk dependency.

  5. Create php script in your root directory to download flies from Blob Storage(e.g. named run.php):

    require_once 'vendor/autoload.php';

use WindowsAzure\Common\ServicesBuilder;
use MicrosoftAzure\Storage\Common\ServiceException;
$connectionString = "<connection_string>";
$blobRestProxy = ServicesBuilder::getInstance()->createBlobService($connectionString);

$container = 'certificate';
$blobs = ['client-key.pem','client-cert.pem','cleardb-ca.pem'];

foreach($blobs as $k => $b){
    $blobresult = $blobRestProxy->getBlob($container, $b);
    $source = stream_get_contents($blobresult->getContentStream());
    $result = file_put_contents($b, $source);
}
  6. Modify the deploy.cmd script, add santence php run.php under the step KuduSync.
  7. Deploy your application to Azure Web App via Git.

Any further concern, please feel free to let me know.