External variable database

I am finding significant friction attempting to sell the variable management feature of Octopus Deploy over an in-house built management system that already handles things such as environment variables, credentials and other environment scoped server configuration items. I was wondering if there was an easy way at deployment time to make a call to an external system to get these values instead of managing them in the Octopus database. It’s not ideal, but if there was a way to do this, it would significantly reduce friction for adoption of Octopus Deploy so I’m hoping this is a possibility.

Any ideas would be helpful.

Hi Ben,

Thanks for reaching out. I’m afraid that at the moment there’s no way to tell Octopus to consume the variables from an external source instead of the ones on its database. The closest thing you could get would be to create a tool that gets the variables from your system and inserts them into Octopus using the API.

I want you to know that we have plans to revamp the variable management experience in the next year, and we are more than interested in knowing what your pain points are with the current system, and also which features your built-in system has that make it more convenient than the Octopus solution. I’ll make sure to pass this feedback to the team once we re-take that conversation (which already started) next year.

Best regards,
Dalmiro

Well, here are the basic pain points:

Our security team has decided to use a centralized credential management system that automatically cycles and manages credentials. This is accessible via API – I’m assuming via HTTPS or some encrypted stream, but that is unclear at the moment – just for point of reference, the system is called Team Password Manager: http://teampasswordmanager.com/docs/api/. Near as I can tell, credentials are scoped in that application so we could for instance query based on some known criteria to obtain them.

So the security team basically have no love for having to manage credentials in multiple places – i.e. Octopus Deploy and somewhere else for non-Octopus Deploy managed machines, so they’re making things quite difficult.

So when we need to deploy things like Windows Services, Application Pools, Folder Permissions etc. we need to be able to query this Team Password Manager with the criteria to obtain the correct credentials for the target and apply them at deployment time.

I hope that clarifies this particular pain point, I imagine this will be a common pain point across a lot of operational environments, so incorporating this type of facility into any restructure would be a definite win for Octopus, I imagine in a lot of shops.

Cheers,

Ben

Hi Ben,

Thanks a lot for that constructive feedback. I tried looking for a Uservoice suggestion that encapsulates this, but I couldn’t find one. Is there any chance you can create one with the text above that you already wrote (which was great)? If enough users back it up, we might be able to do something about it in the future:

https://octopusdeploy.uservoice.com/

For the time being, the workaround would have to be to build a bridge system that translated the data from your Password Manager to Octopus Variables using the API.

Regards,
Dalmiro

Just to make sure I understand your suggestion – this would be a password management time synchronization between two databases or could a sync be triggered prior to the deployment steps?

Using the Octopus API you can CRUD variables from a project. What I’m suggesting is that you use your Password manager’s API to fetch the values you are looking for, and then insert that value into your Octopus Project using its API.

  • You shouldn’t be directly touching the Octopus database, only through the API.
  • Octopus creates a snapshot of the existing variables when the release gets created. So your variable sync process would have to run before you create the release and outside of the deployment process.
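
The sync step described in the reply above, sketched as an added example; it is not code from the thread or from Octopus. It assumes the project's variable set is read and written at `/api/variables/{id}` with an `X-Octopus-ApiKey` header, and that variables carry `Name`, `Value`, `IsSensitive` and `Scope` fields (check these against your server version). `fetch_secret` is a hypothetical callable wrapping the password manager's API.

```python
import json
import urllib.request

def _norm(scope):
    # Compare scopes regardless of list order or empty entries.
    return {k: sorted(v) for k, v in (scope or {}).items() if v}

def upsert_sensitive(variable_set, name, value, environment_ids):
    """Set `name` for exactly this environment scope; other variables are untouched."""
    scope = {"Environment": sorted(environment_ids)}
    for var in variable_set["Variables"]:
        if var["Name"] == name and _norm(var.get("Scope")) == scope:
            var["Value"], var["IsSensitive"] = value, True
            return "updated"
    variable_set["Variables"].append(
        {"Name": name, "Value": value, "IsSensitive": True, "Scope": scope})
    return "added"

def sync(variable_set, mapping, fetch_secret):
    """mapping rows: (variable name, environment ids, credential reference)."""
    # The report holds names and actions only, never values, so it is safe to log.
    return [(name, upsert_sensitive(variable_set, name, fetch_secret(ref), envs))
            for name, envs, ref in mapping]

def octopus_request(base_url, api_key, method, path, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url.rstrip("/") + path, data=data, method=method,
        headers={"X-Octopus-ApiKey": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def run(base_url, api_key, variable_set_id, mapping, fetch_secret):
    # Run this before the release is created: the release snapshots the variables.
    path = "/api/variables/" + variable_set_id
    variable_set = octopus_request(base_url, api_key, "GET", path)
    report = sync(variable_set, mapping, fetch_secret)
    octopus_request(base_url, api_key, "PUT", path, variable_set)
    return report

if __name__ == "__main__":
    # Constructed sample data; no network calls are made here.
    sample = {"Variables": [{"Name": "SvcPassword", "Value": None, "IsSensitive": True,
                             "Scope": {"Environment": ["Environments-1"]}}]}
    vault = {"svc/test": "constructed-1", "svc/prod": "constructed-2"}
    rows = [("SvcPassword", ["Environments-1"], "svc/test"),
            ("SvcPassword", ["Environments-2"], "svc/prod")]
    print(sync(sample, rows, vault.__getitem__))
```

The values are always rewritten rather than compared first, so the sync does not depend on reading existing sensitive values back from Octopus.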