Skip to content

Commit b6cc62b

Browse files
authored
Restore relevant environment override doc guidance
1 parent c49e030 commit b6cc62b

1 file changed

Lines changed: 167 additions & 23 deletions

File tree

docs/guides/environment-overrides.md

Lines changed: 167 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,16 @@
11
# Environment Overrides Guide
22

3-
Environment overrides let you promote the same extracted APIM artifacts across environments (dev to test to prod) while changing only environment-specific values.
3+
When promoting API configuration across environments (dev → staging → prod), the API structure stays the same but environment-specific values change — backend URLs, secrets, credentials, and logger endpoints. Override files let you deploy the same extracted artifacts to multiple environments with different property values.
4+
5+
## Why overrides exist
6+
7+
Consider an API backend URL across environments:
8+
9+
- **Dev:** `https://api-dev.contoso.com`
10+
- **Staging:** `https://api-staging.contoso.com`
11+
- **Prod:** `https://api.contoso.com`
12+
13+
If you extract from dev and publish to prod without overrides, dev values can be published to prod. Overrides replace environment-specific values at publish time.
414

515
## Use with publish
616

@@ -17,9 +27,9 @@ apiops publish \
1727

1828
`apiops-cli` uses the APIOps Toolkit override layout:
1929

20-
- Top-level resource sections (`namedValues`, `backends`, `apis`, `diagnostics`, `loggers`)
30+
- Top-level resource sections: `namedValues`, `backends`, `apis`, `diagnostics`, `loggers`
2131
- Each section is a list
22-
- Each list item contains `name` + `properties`
32+
- Each list item contains `name` and `properties`
2333

2434
```yaml
2535
# configuration.prod.yaml
@@ -56,54 +66,161 @@ loggers:
5666
instrumentationKey: "prod-key"
5767
```
5868
59-
## Supported override sections
69+
## Override capabilities by resource type
70+
71+
### Named values
72+
73+
```yaml
74+
namedValues:
75+
- name: api-base-url
76+
properties:
77+
value: "https://api.contoso.com"
78+
- name: database-connection-string
79+
properties:
80+
keyVault:
81+
secretIdentifier: "https://prod-keyvault.vault.azure.net/secrets/db-conn-string"
82+
identityClientId: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
83+
```
84+
85+
| Property | Type | Description |
86+
|----------|------|-------------|
87+
| `value` | `string` | Plain-text value |
88+
| `displayName` | `string` | Display name in the portal |
89+
| `tags` | `string[]` | Resource tags |
90+
| `keyVault.secretIdentifier` | `string` | Key Vault secret URI |
91+
| `keyVault.identityClientId` | `string` | Managed identity client ID for Key Vault access |
92+
93+
### Backends
94+
95+
```yaml
96+
backends:
97+
- name: petstore-backend
98+
properties:
99+
url: "https://petstore-prod.contoso.com"
100+
credentials:
101+
header:
102+
x-api-key:
103+
- "prod-backend-key"
104+
```
105+
106+
| Property | Type | Description |
107+
|----------|------|-------------|
108+
| `url` | `string` | Backend service URL |
109+
| `credentials` | `object` | Authentication credentials (headers, query params, certificates) |
110+
111+
### APIs
112+
113+
```yaml
114+
apis:
115+
- name: petstore-api
116+
properties:
117+
serviceUrl: "https://petstore-prod.contoso.com/v1"
118+
```
119+
120+
| Property | Type | Description |
121+
|----------|------|-------------|
122+
| `serviceUrl` | `string` | Backend service URL for the API |
123+
124+
### Diagnostics
125+
126+
```yaml
127+
diagnostics:
128+
- name: applicationinsights
129+
properties:
130+
loggerId: "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.ApiManagement/service/<apim>/loggers/prod-appinsights"
131+
```
132+
133+
| Property | Type | Description |
134+
|----------|------|-------------|
135+
| `loggerId` | `string` | Full resource ID of the target logger |
60136

61-
| Section | Key properties commonly overridden |
62-
|---------|------------------------------------|
63-
| `namedValues` | `value`, `displayName`, `tags`, `keyVault.secretIdentifier`, `keyVault.identityClientId` |
64-
| `backends` | `url`, `credentials` |
65-
| `apis` | `serviceUrl` |
66-
| `diagnostics` | `loggerId` |
67-
| `loggers` | `resourceId`, `credentials` |
137+
### Loggers
68138

69-
All listed keys belong under each item's `properties` object.
139+
```yaml
140+
loggers:
141+
- name: appinsights-logger
142+
properties:
143+
resourceId: "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/microsoft.insights/components/prod-appinsights"
144+
credentials:
145+
instrumentationKey: "prod-instrumentation-key"
146+
```
147+
148+
| Property | Type | Description |
149+
|----------|------|-------------|
150+
| `resourceId` | `string` | Azure resource ID of the logging target (for example, Application Insights) |
151+
| `credentials` | `object` | Credentials for the logging service |
70152

71-
## Rules
153+
## Override rules
72154

73-
- `name` must match the resource name in extracted artifacts.
74-
- Unmatched names are ignored (they do not fail the publish command).
75-
- Overrides change **properties**, not resource names.
155+
- `name` should correspond to the resource name in extracted artifacts.
156+
- Name matching is case-insensitive during override apply.
157+
- Unmatched names are ignored (they do not fail publish).
158+
- Overrides change resource properties, not resource names.
76159
- Override files are optional when publishing back to the same environment.
77160

78-
## Multi-environment pattern
161+
## Multi-environment setup
79162

80-
Use one file per environment:
163+
Use one override file per environment:
81164

82165
```text
83-
configuration.dev.yaml
84-
configuration.test.yaml
85-
configuration.prod.yaml
166+
project/
167+
├── apim-artifacts/
168+
├── configuration.dev.yaml
169+
├── configuration.staging.yaml
170+
└── configuration.prod.yaml
86171
```
87172

88-
Example differences between environments:
173+
### Example differences between environments
89174

90175
```yaml
91176
# configuration.dev.yaml
92177
namedValues:
93178
- name: api-base-url
94179
properties:
95180
value: "https://api-dev.contoso.com"
181+
backends:
182+
- name: petstore-backend
183+
properties:
184+
url: "https://petstore-dev.contoso.com"
185+
186+
# configuration.staging.yaml
187+
namedValues:
188+
- name: api-base-url
189+
properties:
190+
value: "https://api-staging.contoso.com"
191+
backends:
192+
- name: petstore-backend
193+
properties:
194+
url: "https://petstore-staging.contoso.com"
96195
97196
# configuration.prod.yaml
98197
namedValues:
99198
- name: api-base-url
100199
properties:
101200
value: "https://api.contoso.com"
201+
backends:
202+
- name: petstore-backend
203+
properties:
204+
url: "https://petstore.contoso.com"
205+
```
206+
207+
### CI/CD integration
208+
209+
In your pipeline, pass the environment's override file:
210+
211+
```bash
212+
# Dev
213+
apiops publish --overrides configuration.dev.yaml \
214+
--resource-group rg-dev --service-name apim-dev ...
215+
216+
# Prod
217+
apiops publish --overrides configuration.prod.yaml \
218+
--resource-group rg-prod --service-name apim-prod ...
102219
```
103220

104221
## Key Vault pattern
105222

106-
Prefer Key Vault references for secrets:
223+
For secrets, prefer Key Vault references over plain-text values:
107224

108225
```yaml
109226
namedValues:
@@ -114,9 +231,36 @@ namedValues:
114231
identityClientId: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
115232
```
116233

234+
Requirements:
235+
236+
- A Key Vault in each target environment with the referenced secret.
237+
- A managed identity with `Key Vault Secrets User` access to the vault.
238+
- `identityClientId` must reference an identity accessible to the APIM instance.
239+
240+
## Common patterns and gotchas
241+
242+
### Missing override entries
243+
244+
If a new environment-sensitive resource is added in source artifacts but not added to target override files, source-environment values can be published into other environments.
245+
246+
### Key Vault permissions
247+
248+
A common failure mode is valid Key Vault references with missing identity permissions on the target vault.
249+
250+
### Dry-run validation
251+
252+
Use `--dry-run` to preview publish behavior with overrides:
253+
254+
```bash
255+
apiops publish --overrides configuration.prod.yaml --dry-run \
256+
--resource-group rg-prod --service-name apim-prod \
257+
--subscription-id <sub-id> --source ./apim-artifacts
258+
```
259+
117260
## Related
118261

119262
- [`apiops publish` Command Reference](../commands/publish.md)
120263
- [Configuration Reference](../reference/configuration.md)
121264
- [Authentication Guide](authentication.md)
265+
- [Scenarios and Workflows](scenarios-and-workflows.md)
122266
- [GitHub Actions Integration](../ci-cd/github-actions.md)

0 commit comments

Comments
 (0)