Configuration Transforms: only deploying computed *.config files, and not each environment specific version

Kia ora, Octopus Deploy :wave:

With reference to the Configuration Transforms (, this is a great piece of functionality. I have a question, though.

We are ending up with a whole bunch of *.config files being deployed, for example:

my.Awesome.Command.Line.Tool.Migrations (CA).config
my.Awesome.Command.Line.Tool.Production (CA).config
my.Awesome.Command.Line.Tool.Production (US).config
my.Awesome.Command.Line.Tool.UAT (CA).config

There is a chance that sensitive information could “leak” from one of the environment-specific .config files. For example, someone may have access to the “Test” environment, and have permission to read the content of the files that have been deployed there. They would then be able to read some DB connection strings for the “Production (US)” environment.

How can we prevent the environment/confiuration-specific Configuration Transforms from being deployed, and only have the “computed” my.Awesome.Command.Line.Tool.config file deployed?

Many thanks. Nga mihi,

Hi Jon,
Thank you for reaching out. Sorry for the delayed response.

One way you can protect Sensitive Environmental Information (i.e., connection strings, passwords, etc.) is by combining the Configuration Transform feature with our Variables Substitution functionality.
Variable Substitution replaces sensitive values in a configuration file with a variable. The variable is updated with the appropriate value during the deployment process — preventing data from being deployed to a mismatched environment, unnecessarily.

Take a look at our Environment Specific Configuration Transforms with Sensitive Values documentation and let me know what you think.

Hope this helps and please let me know if you have further questions or concerns.

Thank you,

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.