Variable Substitution in non-package deploy step

I know that I can add variable substitution during package deployment, but I have a slightly different scenario. What I need to do is:

  1. Deploy my package to the Octopus server (I have a tentacle on the server)
  2. Substitute variables based on role/environment
  3. Run a script against some files from that package (an encryption process)
  4. Re-package the files and use that as an artifact for further steps in the process.

My question is - I need to substitute variables in the files that are in the package (step 2 above) - but they need to be specific to a role in the environment that they will ultimately be targeting, and not the octopus server environment.

Note that the unpacking and encryption must be done prior to further deployment so cannot occur on the target machine.

Is it possible to achieve this?


Hi Sean,

Thanks for reaching out!

As you probably already figured out, this isn’t quite the scenario Octopus was built for. The Octopus model encourages you do the transformations on the target where you’ll be deploying things, unless you are deploying to azure where we first do the transformations on the Octopus Server and then we push things to the cloud.

What is currently preventing you from doing all those 4 actions straight into the Octopus Tentacle? Unpacking, transforming, re-packing and sending to the Tentacle does seem like a lot of extra work, so I’m wondering what are your reasons to use this strategy.

Best regards,

Hi Dalmiro,

Thanks for the response.

The main reason is that these files contain sensitive data so need to be encrypted prior to sending to the target machine. Our application(s) on the target machines are able to decrypt these files internally.

I guess from your comments then that accessing the target environment and target role as variables from within a script step (typically powershell) isn’t possible?


Hi Sean,

From your replies I understand that the Tentacle on the Octopus Server where you are initially deploying and replacing the variable (step 2 of your process) is on an Environment and has roles that are not equal to the final target Tentacles (Step 4). I’m still wondering why is this like that.

What exactly prevents you from scoping the variables that will be substituted to the roles/environments of the final Target machines, instead of this Tentacle running on the Octopus Server? If you’d do it this way, you could run the encryption on the Tentacles in step 4, and all you’ll need to do afterwards would be to clear your tracks and remove the un-encrypted copies on those Tentacles using Powershell(*)


(*) When the Octopus Server deploys to a Tentacle, first it sends a copy of the package. This copy remains on the Tentacle machine, and ultimately will hold an un-encrypted copy of your files. In your scenario you’d need to delete this cached package using Powershell once you deployed the package. During the package deploy step there’s a variable called Octopus.Tentacle.CurrentDeployment.PackageFilePath which gives you the full path of that package. Using a post-deploy script in the package step you could run remove-item $OctopusParameters['Octopus.Tentacle.CurrentDeployment.PackageFilePath'] -verbose to delete it once the deployment step is done.


This issue has been closed due to inactivity. If you encounter the same or a similar issue and require help, please open a new discussion (if we asked for logs or extra details in this thread, consider including them in the new thread). If you are the creator of this thread and believe it should not be closed let us know via our support email.