You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix: resolve named value reference and schema ref issues in publish
- Remove extract-time normalization that converted {{displayName}} to
{{name}} in logger credentials, breaking publish (APIM resolves refs
by displayName, not name)
- Add publish-time rewrite of {{name}} to {{displayName}} for backward
compatibility with old extracts
- Publish auto-generated named values when user provides an override
(previously always skipped, breaking fresh-environment deploys)
- Guard against publishing secret named values with redacted placeholders
- Strip stale schema refs from query parameters, headers, and template
parameters during operation reconciliation after spec import
- Expand environment-overrides doc with complete examples for all
resource types, auto-generated named value guidance, and new gotchas
Closes#99Closes#95Fixes#144
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copy file name to clipboardExpand all lines: docs/guides/environment-overrides.md
+107-9Lines changed: 107 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -204,6 +204,88 @@ loggers:
204
204
isBuffered: true
205
205
```
206
206
207
+
> **Note:** When you provide a raw `instrumentationKey` value (instead of a `{{namedValue}}` reference), APIM will automatically create a named value to store the credential securely.
208
+
209
+
### Logger credentials with auto-generated named values
210
+
211
+
When APIM creates a logger (e.g., for Application Insights), it auto-generates a named value to store the instrumentation key. These auto-generated named values have 24-character hex IDs (e.g., `66f48e1226dab62c0823e4f8`) and are normally skipped during publish because APIM recreates them automatically.
212
+
213
+
However, when publishing to a **fresh environment**, APIM cannot recreate these named values because the logger doesn't exist yet. To handle this, provide an override for the auto-generated named value:
214
+
215
+
```yaml
216
+
namedValues:
217
+
# Override the auto-generated named value with the production instrumentation key.
218
+
# Use the 24-char hex ID from the extracted artifact filename.
> **Note:** The built-in `master` subscription is automatically skipped during publish.
255
+
256
+
### Products
257
+
258
+
```yaml
259
+
products:
260
+
- name: starter-product
261
+
properties:
262
+
displayName: "Starter (Production)"
263
+
subscriptionRequired: true
264
+
approvalRequired: false
265
+
subscriptionsLimit: 10
266
+
```
267
+
268
+
### Gateways
269
+
270
+
```yaml
271
+
gateways:
272
+
- name: on-prem-gateway
273
+
properties:
274
+
locationData:
275
+
name: "Production datacenter"
276
+
city: "Seattle"
277
+
countryOrRegion: "US"
278
+
```
279
+
280
+
### Policy fragments
281
+
282
+
```yaml
283
+
policyFragments:
284
+
- name: rate-limit-fragment
285
+
properties:
286
+
description: "Production rate limiting policy"
287
+
```
288
+
207
289
### Service-level policies
208
290
209
291
```yaml
@@ -213,21 +295,26 @@ policies:
213
295
format: rawxml
214
296
```
215
297
216
-
### All other resource types
298
+
### Version sets, groups, and tags
217
299
218
-
Overrides are also supported for: `gateways`, `versionSets`, `groups`, `subscriptions`, `products`, `tags`, `policyFragments`, and `workspaces`. Each uses the same `name` + `properties` format:
300
+
Overrides are also supported for `versionSets`, `groups`, `tags`, and `workspaces`. Each uses the same `name` + `properties` format:
219
301
220
302
```yaml
221
-
gateways:
222
-
- name: on-prem-gateway
303
+
versionSets:
304
+
- name: petstore-versions
223
305
properties:
224
-
locationData:
225
-
name: "On-premises datacenter"
306
+
displayName: "Petstore API Versions"
307
+
versioningScheme: Segment
226
308
227
-
products:
228
-
- name: starter-product
309
+
groups:
310
+
- name: partner-developers
229
311
properties:
230
-
displayName: "Starter (Production)"
312
+
displayName: "Partner Developers (Production)"
313
+
314
+
tags:
315
+
- name: public-api
316
+
properties:
317
+
displayName: "Public API"
231
318
```
232
319
233
320
## Override rules
@@ -360,6 +447,17 @@ If you add a new backend in dev but forget to add it to your override files, pub
360
447
361
448
When using Key Vault references, the APIM managed identity needs access to the Key Vault. A common failure mode: overrides reference a Key Vault but APIM lacks the `Key Vault Secrets User` role on that vault.
362
449
450
+
### Gotcha: Auto-generated named values for loggers
451
+
452
+
When you create a logger in APIM (e.g., for Application Insights), APIM auto-generates a named value to store the credential. These have 24-character hex names like `66f48e1226dab62c0823e4f8`. During extract, these are captured as artifacts. During publish:
453
+
454
+
- **Same environment:** Auto-generated named values are skipped (APIM already has them).
455
+
- **Fresh environment:** The logger fails because the named value doesn't exist yet. Provide an override with the target environment's credential value, or override the logger's `credentials` directly.
456
+
457
+
### Gotcha: Redacted secrets
458
+
459
+
Extracted secret named values have their `value` replaced with `*** REDACTED ***`. If you publish these without providing an override with a real value or Key Vault reference, they will be skipped with a warning. Always provide overrides for secret named values when publishing to a different environment.
460
+
363
461
### Dry-run validation
364
462
365
463
Use `--dry-run` to preview publish behavior with overrides:
0 commit comments