Unable to encrypt Azure storage account using ansible - azure

I am unable to set encryption for the storage account once the storage account has been created successfully. I am using the playbooks below for the storage account and the encryption.
- name: storage_account_creation | deploy storage account
  azure_rm_storageaccount:
    state: present
    cloud_environment: "AzureCloud"
    subscription_id: "XXXX-XXXX-XXXX-XXX"
    resource_group_name: "XXXX-XXXX-XXXX-XXXX"
    client_id: "XXXX-XXXX-XXXX-XXXX"
    secret: "XXXX-XXXX-XXXX-XXXX"
    tenant: "XXXX-XXXX-XXXX-XXX"
    location: "{{ azloc['stdout_lines'][0] }}"
    kind: BlobStorage
    access_tier: "Hot"
    name: "storageaccount_001"
    account_type: "Standard_LRS"
    network_acls:
      bypass: AzureServices
      default_action: deny
encrypt.yml
- name: encrypt | Get keyvault name from id
  set_fact:
    keyvaultname: "XXXXXXXXXX"
- name: encrypt | Get object id of storage account
  shell: az storage account show --subscription "{{ subscription_id }}" -n "{{ Storageaccount_name }}" --query "identity.principalId" --output tsv
  register: azsaobjectid
- debug:
    var: azsaobjectid
- name: encrypt | Create key vault access policy for new storage account
  # the opening quote before {{ keyvaultname }} was missing in the original
  shell: az keyvault set-policy --subscription "{{ subscription_id }}" -n "{{ keyvaultname }}" --key-permissions get wrapKey unwrapKey --object-id "{{ azsaobjectid.stdout_lines[0] }}"
When I execute the scripts I get the below error
fatal: [localhost]: FAILED! =>
  msg: |-
    The task includes an option with an undefined variable. The error was: list object has no element 0

    The error appears to be in 'encrypt.yml': line 10, column 4, but may
    be elsewhere in the file depending on the exact syntax problem.

    The offending line appears to be:

    - name: encrypt | Create key vault access policy for new storage account
      ^ here

The error details suggest that you are using a variable that hasn't been defined. I suspect this is from your register block in get object id of storage account.
However...
Consider re-writing these tasks to use official azure modules.
Shelling out should be a last resort, and from the look of it, you can accomplish your goal by using the azure_rm_storageaccount_info module to gather facts, and the azure_rm_keyvault module to set your policy.
Using official modules ensures your playbook is idempotent, easier to read, and your error details will likely become clearer as well.
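The failure in the question is the empty result of the `az storage account show` query: a storage account without a managed identity has a null `identity.principalId`, the tsv output is an empty line, and `stdout_lines[0]` then has no element 0. Below is an added example, not code from the question or the answer, of an encrypt.yml that assigns the identity first, fails with a clear condition when the lookup is still empty, fixes the unbalanced quote, and carries the customer-managed-key setup through to the storage account. It keeps the az CLI calls from the question because the module parameters for customer-managed keys depend on the azcollection version. Assumed: the az CLI is already logged in, and the variables subscription_id, resource_group, storageaccount_name, keyvaultname, cmk_key_name and cmk_key_version (a key that already exists in the vault) are defined elsewhere in the play.

```yaml
# Added example, not the question's or the answer's code. Assumed variables:
# subscription_id, resource_group, storageaccount_name, keyvaultname,
# cmk_key_name, cmk_key_version. The az CLI is assumed to be logged in.
- name: encrypt | Ensure the storage account has a system-assigned identity
  ansible.builtin.command: >
    az storage account update --subscription "{{ subscription_id }}"
    -g "{{ resource_group }}" -n "{{ storageaccount_name }}" --assign-identity

- name: encrypt | Get the object id of the storage account identity
  ansible.builtin.command: >
    az storage account show --subscription "{{ subscription_id }}"
    -g "{{ resource_group }}" -n "{{ storageaccount_name }}"
    --query "identity.principalId" --output tsv
  register: azsaobjectid
  changed_when: false
  # With no identity, principalId is null and the tsv output is empty: stdout_lines
  # is [] and stdout_lines[0] raises "list object has no element 0". Fail with a
  # readable condition here instead of inside the next task's template.
  failed_when: azsaobjectid.rc != 0 or (azsaobjectid.stdout | trim | length) == 0

- name: encrypt | Enable purge protection, which Azure requires on a vault holding a CMK
  ansible.builtin.command: >
    az keyvault update --subscription "{{ subscription_id }}"
    -n "{{ keyvaultname }}" --enable-purge-protection true

- name: encrypt | Grant the storage identity only the key permissions CMK needs
  ansible.builtin.command: >
    az keyvault set-policy --subscription "{{ subscription_id }}"
    -n "{{ keyvaultname }}"
    --object-id "{{ azsaobjectid.stdout | trim }}"
    --key-permissions get wrapKey unwrapKey

- name: encrypt | Look up the vault URI for the encryption settings
  ansible.builtin.command: >
    az keyvault show --subscription "{{ subscription_id }}"
    -n "{{ keyvaultname }}" --query properties.vaultUri --output tsv
  register: kvuri
  changed_when: false
  failed_when: kvuri.rc != 0 or (kvuri.stdout | trim | length) == 0

- name: encrypt | Point the storage account at the customer-managed key
  ansible.builtin.command: >
    az storage account update --subscription "{{ subscription_id }}"
    -g "{{ resource_group }}" -n "{{ storageaccount_name }}"
    --encryption-key-source Microsoft.Keyvault
    --encryption-key-vault "{{ kvuri.stdout | trim }}"
    --encryption-key-name "{{ cmk_key_name }}"
    --encryption-key-version "{{ cmk_key_version }}"
```

Run it after the storage account task. The two `failed_when` conditions are the check the original playbook lacked: they turn an empty lookup into a task failure that names the task, rather than an undefined-variable error reported against a later line. The access policy grants only get, wrapKey and unwrapKey, which is all the storage service needs to wrap and unwrap the data-encryption key.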

Related

Failed to deploy Azure Function using Aure Container Registry

Our team has set up an ansible-playbook to deploy Azure Function using this reference. We use a user assigned identity to pull the function app image from an ACR like the following:
- name: Force Login using identity
  command: az login --identity
- name: Get subscriptionId
  command: az account show --query id --output tsv
  register: subscriptionId
- name: Get functionapp identity's clientId
  command: az identity show --resource-group "{{ functionapp_resource_group }}" --name "{{ functionapp_user_identity }}" --query clientId --output tsv
  register: identityId
- name: Use functionapp identity for acr pull
  command: >
    az resource update
    --ids /subscriptions/{{ subscriptionId.stdout }}/resourceGroups/{{ functionapp_resource_group }}/providers/Microsoft.Web/sites/{{ functionapp_name }}/config/web
    --set properties.acrUseManagedIdentityCreds=True
    --set properties.AcrUserManagedIdentityID={{ identityId.stdout }}
- name: Config the functionapp
  command: >
    az functionapp config appsettings set --name "{{ functionapp_name }}"
    --resource-group "{{ functionapp_resource_group }}"
    --settings
    "Key1={{ Value1 }}"
    "Key2={{ Value2 }}"
- name: Deploy the functionapp
  command: >
    az functionapp config container set --name "{{ functionapp_name }}"
    --resource-group "{{ functionapp_resource_group }}"
    --docker-custom-image-name "{{ docker_registry_host }}/{{ image_name }}:{{ image_tag }}"
    --docker-registry-server-url "{{ docker_registry_host }}"
Usually, the script works fine. The successful deployment log should be like the following:
However, we encountered a strange failure today. When deploying the image, the Azure Portal shows an incomplete log:
Does anyone know why this failure occurred?
I finally figured out that it may imply there's no further docker log today.

Using outputs of Powershell in Github Actions

I am trying to get a connection string using PowerShell and pass this argument to another step in the action, but I am getting this error:
Input required and not supplied: connection-string
But I am following a similar approach that I have used before, and I am not sure why it is not working. Here is part of my script:
- name: Secrets to Key Vault
  uses: azure/powershell@v1
  env:
    POWERSHELL_TELEMETRY_OPTOUT: 1
  with:
    inlineScript: |
      $sqlConnectionString = (az keyvault secret show --vault-name <keyVaultName> --name <secret-name> --query [value] --output tsv)
      echo ::set-output name=sqlConnectionString::$( $sqlConnectionString)
    azPSVersion: '3.1.0'
- name: Deploy Core Module
  uses: azure/sql-action@v1
  id: sqlConnection
  with:
    server-name: <sqlServerName>
    connection-string: ${{ steps.sqlConnection.outputs.sqlConnectionString }}
    dacpac-package: './Database.dacpac'
I think the problem is related to the output of the variable, but I used similar syntax previously in a simple run step and it worked. Could it be related to the behaviour of PowerShell?
Please add an id to your first action:
- name: Secrets to Key Vault
  uses: azure/powershell@v1
  id: setSqlConnection
  env:
    POWERSHELL_TELEMETRY_OPTOUT: 1
  with:
    inlineScript: |
      $sqlConnectionString = (az keyvault secret show --vault-name <keyVaultName> --name <secret-name> --query [value] --output tsv)
      echo ::set-output name=sqlConnectionString::$( $sqlConnectionString)
    azPSVersion: '3.1.0'
- name: Deploy Core Module
  uses: azure/sql-action@v1
  id: sqlConnection
  with:
    server-name: <sqlServerName>
    connection-string: ${{ steps.setSqlConnection.outputs.sqlConnectionString }}
    dacpac-package: './Database.dacpac'
and then use it to access output ${{ steps.setSqlConnection.outputs.sqlConnectionString}}
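The answer's fix is the missing `id`. Two things a practitioner would want on top of it: the `::set-output` workflow command has been deprecated by GitHub in favour of writing `name=value` to the file named by `GITHUB_OUTPUT`, and a connection string passed through a step output is a credential, so it should be registered with `::add-mask::` so the runner redacts it from every log line. The block below is an added example, not code from the question or the answer; the placeholders `<keyVaultName>`, `<secret-name>` and `<sqlServerName>` are the question's own, and the empty-value check is an addition.

```yaml
# Added example, not the question's or the answer's workflow. Placeholders are
# the question's own; the empty-value check and the masking are additions.
- name: Secrets to Key Vault
  uses: azure/powershell@v1
  id: setSqlConnection
  env:
    POWERSHELL_TELEMETRY_OPTOUT: 1
  with:
    azPSVersion: '3.1.0'
    inlineScript: |
      $sqlConnectionString = (az keyvault secret show --vault-name <keyVaultName> --name <secret-name> --query value --output tsv)
      if ([string]::IsNullOrWhiteSpace($sqlConnectionString)) {
        # An empty output would reproduce "Input required and not supplied" one step later.
        throw "Key Vault returned no value for <secret-name>"
      }
      # Register the value as a secret so the runner redacts it from the job log.
      Write-Output "::add-mask::$sqlConnectionString"
      # ::set-output is deprecated; append name=value to the GITHUB_OUTPUT file instead.
      Add-Content -Path $env:GITHUB_OUTPUT -Value "sqlConnectionString=$sqlConnectionString"

- name: Deploy Core Module
  uses: azure/sql-action@v1
  id: sqlConnection
  with:
    server-name: <sqlServerName>
    connection-string: ${{ steps.setSqlConnection.outputs.sqlConnectionString }}
    dacpac-package: './Database.dacpac'
```

The output is referenced by the id of the step that produced it (`setSqlConnection`), not by the id of the consuming step, which is the mistake in the question. Masking has to happen before the value is written anywhere, including the output file, because the runner only redacts occurrences it sees after the mask command.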

Azure Cloud no matches for kind "SecretProviderClass" in version "secrets-store.csi.k8s.io/v1alpha1"

I am working in Azure cloud and wanted to add a simple SecretProviderClass using the doc from Azure/secrets-store-csi-driver-provider-azure, replacing the secret, keyvaultName and tenantId:
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"   # [OPTIONAL] if not provided, will default to "false"
    keyvaultName: "kvname"    # the name of the KeyVault
    cloudName: ""             # [OPTIONAL for Azure] if not provided, azure environment will default to AzurePublicCloud
    objects: |
      array:
        - |
          objectName: secret1
          objectType: secret  # object types: secret, key or cert
          objectVersion: ""   # [OPTIONAL] object versions, default to latest if empty
    tenantId: "tid"           # the tenant ID of the KeyVault
And when I try to apply it to my cluster using the Azure Cloud Bash:
hacker@Azure:~$ kubectl apply -f secrets-provider.yaml
error: unable to recognize "secrets-provider.yaml.yaml": no matches for kind "SecretProviderClass" in version "secrets-store.csi.k8s.io/v1alpha1"
It seems that kind and version are incompatible, even though they are everywhere in the doc.
The problem is actually really simple: the secrets-store-csi-driver was not yet installed, so the kind was not recognized. Basically, make sure you follow the prerequisites.
From the Azure Cloud Terminal you can use Helm to install the driver:
helm repo add secrets-store-csi-driver https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts
helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver
There is an ongoing issue with the driver (secrets-store-csi-driver-provider-azure#259): for Azure you need to explicitly specify --grpc-supported-providers=azure.
And now it works:
hacker@Azure:~$ kubectl apply -f secrets-provider.yaml
secretproviderclass.secrets-store.csi.x-k8s.io/azure-kvname created
hacker@Azure:~$ kubectl get SecretProviderClass
NAME           AGE
azure-kvname   39s
Hopefully that will help.
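Once the driver and the Azure provider are installed, the SecretProviderClass from the question is consumed by a pod through a CSI volume. The manifest below is an added example, not part of the question or the answer. Note the two different names involved: the CRD lives in the API group `secrets-store.csi.x-k8s.io` (the `apiVersion` of the SecretProviderClass), while the CSI driver the pod refers to is named `secrets-store.csi.k8s.io` without the `x-`. Assumed: a Kubernetes secret named `secrets-store-creds` with the keys `clientid` and `clientsecret` of a service principal that can read the vault (the "secret" the question says it replaced; it is needed because `usePodIdentity` is `"false"`), and the pod name `kv-reader`.

```yaml
# Added example, not from the question or the answer. Assumes the SecretProviderClass
# "azure-kvname" from the question and a secret "secrets-store-creds" created with:
#   kubectl create secret generic secrets-store-creds \
#     --from-literal clientid=<sp-app-id> --from-literal clientsecret=<sp-secret>
apiVersion: v1
kind: Pod
metadata:
  name: kv-reader
spec:
  containers:
    - name: app
      image: busybox:1.36
      # Lists the mounted secret files only; it never prints their contents.
      command: ["sh", "-c", "ls -l /mnt/secrets-store && sleep 3600"]
      volumeMounts:
        - name: secrets-store-inline
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        # CSI driver name (no "x-"); the CRD group secrets-store.csi.x-k8s.io is different.
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-kvname"
        # Service principal credentials the Azure provider uses to reach the vault.
        nodePublishSecretRef:
          name: secrets-store-creds
```

Before applying it, `kubectl get csidriver secrets-store.csi.k8s.io` confirms the driver registered with the cluster and `kubectl get crd secretproviderclasses.secrets-store.csi.x-k8s.io` confirms the CRD exists; the error in the question is what you see when the second of these is missing. Each object listed in the SecretProviderClass appears as a file named after its objectName under /mnt/secrets-store.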

How to pass Azure service principal details to Ansible via command-line?

I am able to connect to Azure using Ansible by putting my service principal details into the credentials file stored in ~/.azure/credentials.
That was OK for development; now (in production) I want to move away from using the text credentials file and pass the credentials to Ansible via command-line parameters.
How should this be done?
Any help is appreciated - thanks
I have tried:
ansible-playbook -i ./dev-env/epazure_rm.yml ./dev-env/site.yml -vvvv -u adminuser --extra-vars "AZURE_SUBSCRIPTION_ID=XXX AZURE_CLIENT_ID=XXX AZURE_SECRET=XXX AZURE_TENANT=XXX"
My Azure Dynamic Inventory plugin file looks like this
---
plugin: azure_rm
include_vm_resource_groups:
  - rg-devdonal-eastus01
auth_source: auto
subscription_id: "{{ AZURE_SUBSCRIPTION_ID }}"
client_id: "{{ AZURE_CLIENT_ID }}"
secret: "{{ AZURE_SECRET }}"
tenant: "{{ AZURE_TENANT }}"
keyed_groups:
  - prefix: tag
    key: tags
You can use environment variables for the credentials and then read the variables from the environment; here is an example:
- debug: msg="{{ lookup('env','HOME') }} is an environment variable"
And there is also another issue that shows an example.
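The approach the answer describes, as an added example that is not part of the question or the answer. Passing the secret on the command line with --extra-vars leaves it visible to every user on the host in the process list for as long as ansible-playbook runs; environment variables are not shown there. The azure_rm inventory plugin reads AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET and AZURE_TENANT from the environment itself when auth_source is auto or env, so the credential lines in the inventory file can simply be dropped, and tasks that need the values read them with the env lookup. The file names and the resource group are the question's; the azure_* variable names and the azure_rm_resourcegroup_info call are assumptions for illustration.

```yaml
# Added example, not the question's or the answer's files.
#
# dev-env/epazure_rm.yml: the inventory from the question with the credential
# fields removed. With auth_source env the plugin takes the AZURE_* variables
# from the environment, so nothing secret is on disk or on the command line.
plugin: azure_rm
auth_source: env
include_vm_resource_groups:
  - rg-devdonal-eastus01
keyed_groups:
  - prefix: tag
    key: tags

---
# dev-env/site.yml: a play that reads the same variables with the env lookup
# (variable names azure_* are assumed) and refuses to run if any is missing.
- hosts: localhost
  gather_facts: false
  vars:
    azure_subscription_id: "{{ lookup('env', 'AZURE_SUBSCRIPTION_ID') }}"
    azure_client_id: "{{ lookup('env', 'AZURE_CLIENT_ID') }}"
    azure_secret: "{{ lookup('env', 'AZURE_SECRET') }}"
    azure_tenant: "{{ lookup('env', 'AZURE_TENANT') }}"
  tasks:
    - name: Fail early if any credential is missing from the environment
      ansible.builtin.assert:
        that:
          - azure_subscription_id | length > 0
          - azure_client_id | length > 0
          - azure_secret | length > 0
          - azure_tenant | length > 0
        fail_msg: "Export AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET and AZURE_TENANT before running"
        quiet: true

    # Modules also read the AZURE_* variables directly; passing them explicitly
    # is only needed when a task must use a different principal. no_log keeps
    # the module arguments, including the secret, out of the play output.
    - name: List resource groups with the service principal from the environment
      azure.azcollection.azure_rm_resourcegroup_info:
        subscription_id: "{{ azure_subscription_id }}"
        client_id: "{{ azure_client_id }}"
        secret: "{{ azure_secret }}"
        tenant: "{{ azure_tenant }}"
      no_log: true
```

Export the four variables in the shell (or have the CI system inject them) and run `ansible-playbook -i ./dev-env/epazure_rm.yml ./dev-env/site.yml` without --extra-vars. The assert fails on the expression text, not the value, so a missing secret is reported without echoing anything.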

Calling Terraform from Ansible

When I am using Terraform modules called directly from shell scripts, it works fine.
But when I wrap the same shell script in an Ansible task, it fails. I validated all the environment variables for the ARM credentials that are being passed. They are all fine, but somehow I am not getting any success running Terraform as an Ansible task.
Below is the error I get
Error refreshing state: 1 error(s) occurred:\n\n* module.oracle_server.provider.azurerm: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/****/providers?api-version=2016-02-01: StatusCode=0 -- Original Error: adal:
Updated by the editor
Please put your Ansible code here rather than in a comment, where it lost all formatting.
- name: Terraform Module
  terraform:
    project_path: "{{ terraform_module_path }}"
    state: "{{ item.infra_state }}"
    variables:
      platform: "{{ platform }}"
      application_name: "{{ application_name }}"
      environment: "{{ env }}"
From the error message, it can't properly set the Azure credentials, so please check whether you have included the provider block or not.
# Configure the Azure Provider
provider "azurerm" {
  # whilst the `version` attribute is optional, we recommend pinning to a given version of the Provider
  version = "=1.21.0"
}
Reference: https://www.terraform.io/docs/providers/azurerm/
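The error in the question is the azurerm provider failing to obtain a token, which is what happens when the ARM_* variables that work in the shell do not reach the terraform process: a task that runs with become, on a remote host, or under a service account does not inherit the interactive shell's environment. The task below is an added example, not code from the question or the answer; it passes the credentials through the task's `environment` keyword, which is where the azurerm provider reads them, so the provider block needs no credential arguments. Assumed: the variables arm_client_id, arm_client_secret, arm_subscription_id and arm_tenant_id are defined elsewhere (for instance in an ansible-vault file), and infra_items is a list of items with an infra_state key.

```yaml
# Added example, not the question's or the answer's task. Assumed variables:
# arm_client_id, arm_client_secret, arm_subscription_id, arm_tenant_id (e.g. from
# an ansible-vault file), terraform_module_path, platform, application_name, env,
# and infra_items, a list of dicts with an infra_state key.
- name: Terraform Module
  # On Ansible 2.9 the module is the bare "terraform:" name used in the answer.
  community.general.terraform:
    project_path: "{{ terraform_module_path }}"
    state: "{{ item.infra_state }}"
    force_init: true
    variables:
      platform: "{{ platform }}"
      application_name: "{{ application_name }}"
      environment: "{{ env }}"
  loop: "{{ infra_items }}"
  # The azurerm provider reads these four variables; setting them on the task
  # makes them reach terraform regardless of how the play was started.
  environment:
    ARM_CLIENT_ID: "{{ arm_client_id }}"
    ARM_CLIENT_SECRET: "{{ arm_client_secret }}"
    ARM_SUBSCRIPTION_ID: "{{ arm_subscription_id }}"
    ARM_TENANT_ID: "{{ arm_tenant_id }}"
  # Keeps the task arguments, and so the client secret, out of the play output.
  no_log: true
```

`no_log` also suppresses the module's result, including the terraform output, so drop it temporarily when debugging a plan and restore it afterwards. If the provider still cannot refresh a token with the variables set this way, the service principal itself lacks access to the subscription, which is the other cause the error message names.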
