
Unable to encrypt Azure storage account using ansible

I am unable to set encryption for the storage account once the storage account has been created successfully. I am using the playbooks below for the storage account and for encryption.

- name: storage_account_creation | deploy storage account
  azure_rm_storageaccount:
    state: present
    cloud_environment: "AzureCloud"
    subscription_id: "XXXX-XXXX-XXXX-XXX"
    resource_group_name: "XXXX-XXXX-XXXX-XXXX"
    client_id: "XXXX-XXXX-XXXX-XXXX"
    secret: "XXXX-XXXX-XXXX-XXXX"
    tenant: "XXXX-XXXX-XXXX-XXX"
    location: "{{ azloc['stdout_lines'][0] }}"
    kind: BlobStorage
    access_tier: "Hot"
    name: "storageaccount_001"
    account_type: "Standard_LRS"
    network_acls:
      bypass: AzureServices
      default_action: deny

encrypt.yml

 - name: encrypt | Get keyvault name from id
   set_fact:
     keyvaultname: "XXXXXXXXXX"

 # identity.principalId is only populated once the storage account has a
 # system-assigned managed identity; with --output tsv a null value prints
 # nothing, so stdout_lines is [] and the index below has no element 0.
 - name: encrypt | Get object id of storage account
   shell: az storage account show --subscription "{{ subscription_id }}" -n "{{ Storageaccount_name }}" --query "identity.principalId" --output tsv
   register: azsaobjectid

 - debug:
     var: azsaobjectid

 # Grants only the key permissions a storage account needs for customer-managed
 # keys (get, wrapKey, unwrapKey). The vault name is quoted on both sides here;
 # the original was missing the opening quote before {{ keyvaultname }}.
 - name: encrypt | Create key vault access policy for new storage account
   shell: az keyvault set-policy --subscription "{{ subscription_id }}" -n "{{ keyvaultname }}" --key-permissions get wrapKey unwrapKey --object-id "{{ azsaobjectid.stdout_lines[0] }}"

When I execute the playbook I get the error below:

    fatal: [localhost]: FAILED! =>
      msg: |-
        The task includes an option with an undefined variable. The error was: list object has no element 0

        The error appears to be in 'encrypt.yml': line 10, column 4, but may
        be elsewhere in the file depending on the exact syntax problem.

    The offending line appears to be:
         - name:  encrypt | Create key vault access policy for new storage account
           ^ here

The error details suggest that you are using a variable that hasn't been defined. I suspect this is from your register block in "get object id of storage account".

However...

Consider re-writing these tasks to use official Azure modules.

Shelling out should be a last resort, and from the look of it, you can accomplish your goal by using the azure_rm_storageaccount_info module to gather facts, and the azure_rm_keyvault module to set your policy.

Using official modules ensures your playbook is idempotent, easier to read, and your error details will likely become clearer as well.
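The following is an added example, not code from the question or the answer above. It rewrites encrypt.yml so that the managed-identity prerequisite is made explicit and checked before anything indexes stdout_lines, sets the vault policy with azure_rm_keyvault instead of `az keyvault set-policy`, and then points the storage account at the customer-managed key (the step the original playbook stopped short of). It reuses the post's own variable names (subscription_id, resource_group_name, Storageaccount_name, keyvaultname, tenant, azloc); keyvault_resource_group and cmk_key_name are assumed extra variables, and the vault URI form `https://<name>.vault.azure.net/` assumes the AzureCloud environment used in the question.

```yaml
# encrypt.yml (added example, not the original poster's playbook)
# Assumed variables not present in the original post:
#   keyvault_resource_group - resource group that holds the key vault
#   cmk_key_name            - name of the RSA key already created in the vault

- name: encrypt | Ensure the storage account has a system-assigned identity
  # Without an identity, identity.principalId is null and `az ... -o tsv`
  # prints nothing, which is what left stdout_lines empty in the question.
  # --assign-identity is idempotent when the identity already exists.
  shell: >
    az storage account update --subscription "{{ subscription_id }}"
    -g "{{ resource_group_name }}" -n "{{ Storageaccount_name }}"
    --assign-identity --output none

- name: encrypt | Get object id of the storage account identity
  shell: >
    az storage account show --subscription "{{ subscription_id }}"
    -g "{{ resource_group_name }}" -n "{{ Storageaccount_name }}"
    --query "identity.principalId" --output tsv
  register: azsaobjectid
  changed_when: false
  # Fail here, with a readable message, instead of later with
  # "list object has no element 0".
  failed_when: azsaobjectid.rc != 0 or (azsaobjectid.stdout | trim | length) == 0

- name: encrypt | Grant the identity only the key permissions CMK needs
  # Caveat: access_policies is the desired policy list for the vault as a
  # whole, so list any existing policies you want to keep alongside this one;
  # `az keyvault set-policy` is additive per object id, this module is not.
  azure_rm_keyvault:
    resource_group: "{{ keyvault_resource_group }}"
    vault_name: "{{ keyvaultname }}"
    location: "{{ azloc['stdout_lines'][0] }}"
    vault_tenant: "{{ tenant }}"
    sku:
      name: standard
    access_policies:
      - tenant_id: "{{ tenant }}"
        object_id: "{{ azsaobjectid.stdout | trim }}"
        keys:
          - get
          - wrapkey
          - unwrapkey

- name: encrypt | Point the storage account at the customer-managed key
  # Switches the encryption key source from Microsoft-managed to the vault key.
  # Vault URI assumes AzureCloud; other clouds use a different DNS suffix.
  shell: >
    az storage account update --subscription "{{ subscription_id }}"
    -g "{{ resource_group_name }}" -n "{{ Storageaccount_name }}"
    --encryption-key-source Microsoft.Keyvault
    --encryption-key-vault "https://{{ keyvaultname }}.vault.azure.net/"
    --encryption-key-name "{{ cmk_key_name }}"
    --output none
```

The `failed_when` guard is the piece that turns the opaque "no element 0" into a task that names the real problem (no identity, or the `az` call failed); the remaining two shell tasks stay as shell only because the CLI is what the original post already relies on for those operations. Azure also requires soft delete and purge protection on a vault used for storage customer-managed keys; check that on the vault before running this, since the example does not change those settings.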
