我需要通过 ansible 将我的 secret 部署在 Azure 的 keyvault 中。
如果 secret 是一个新 secret (即之前不存在),则它可以完美工作,则 secret 已正确创建。
当我需要更新 secret 时出现问题,它永远不会被覆盖。 我尝试删除它并再次创建它,但也不起作用,因为它执行软删除,因此可以使用相同的名称再次创建它。
这是我到目前为止尝试过的:
secret 创建(第一次工作正常但不会覆盖它)
- name: "Create endpoint secret."
azure_rm_keyvaultsecret:
secret_name: mysecret
secret_value: "desiredvalue"
keyvault_uri: "https://{{ AZURE_KV_NAME }}.vault.azure.net/"
tags:
environment: "{{ ENV }}"
role: "endpointsecret"
以下是我尝试先删除它然后再次创建它的方法
- name: "Delete endpoint secret."
azure_rm_keyvaultsecret:
secret_name: mysecret
keyvault_uri: "https://{{ AZURE_KV_NAME }}.vault.azure.net/"
state: "absent"
- name: "Create endpoint secret."
azure_rm_keyvaultsecret:
secret_name: mysecret
secret_value: "desiredvalue"
keyvault_uri: "https://{{ AZURE_KV_NAME }}.vault.azure.net/"
tags:
environment: "{{ ENV }}"
role: "endpointsecret"
当尝试这个错误是:
Secret mysecret is currently being deleted and cannot be re-created; retry later
** secret 创建状态:存在(也不会创建新版本)**
- name: "Create endpoint secret."
azure_rm_keyvaultsecret:
secret_name: mysecret
secret_value: "desiredvalue"
keyvault_uri: "https://{{ AZURE_KV_NAME }}.vault.azure.net/"
state: "present"
tags:
environment: "{{ ENV }}"
role: "endpointsecret"
知道如何覆盖(创建新版本) secret 或至少执行硬删除吗?
最佳答案
除了通过ARM部署之外,我没有其他办法
- name: "Create ingestion keyvault secrets."
azure_rm_deployment:
state: present
resource_group_name: "{{ AZURE_RG_NAME }}"
location: "{{ AZURE_RG_LOCATION }}"
template:
$schema: "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
contentVersion: "1.0.0.0"
parameters:
variables:
resources:
- apiVersion: "2018-02-14"
type: "Microsoft.KeyVault/vaults/secrets"
name: "{{AZURE_KV_NAME}}/{{item.name}}"
properties:
value: "{{item.secret}}"
contentType: "string"
loop: "{{ SECRETLIST }}"
register: publish_secrets
async: 300 # Maximum runtime in seconds.
poll: 0 # Fire and continue (never poll)
- name: Wait for the secret deployment task to finish
async_status:
jid: "{{ publish_secrets_item.ansible_job_id }}"
loop: "{{publish_secrets.results}}"
loop_control:
loop_var: "publish_secrets_item"
register: jobs_publish_secrets
until: jobs_publish_secrets.finished
retries: 5
delay: 2
然后在其他文件中将 SECRETLIST 声明为变量:
SECRETLIST :
- name: mysecret
secret: "secretvalue"
- name: othersecret
secret: "secretvalue2"
希望这对遇到类似问题的人有所帮助
关于azure - 是否可以通过azure中的ansible覆盖或创建新版本的 secret ?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/56020754/