
Unable to encrypt Azure storage account using ansible

After successfully creating the storage account, I am unable to set up encryption for it. I am creating the following playbook for the storage account and the encryption.

- name: storage_account_creation | deploy storage account
  azure_rm_storageaccount:
    state: present
    cloud_environment: "AzureCloud"
    # Service-principal credentials; keep them out of the playbook file in
    # practice (AZURE_* environment variables or an ansible-vault encrypted vars file)
    subscription_id: "XXXX-XXXX-XXXX-XXX"
    resource_group_name: "XXXX-XXXX-XXXX-XXXX"
    client_id: "XXXX-XXXX-XXXX-XXXX"
    secret: "XXXX-XXXX-XXXX-XXXX"
    tenant: "XXXX-XXXX-XXXX-XXX"
    location: "{{ azloc['stdout_lines'][0] }}"
    kind: BlobStorage
    access_tier: "Hot"
    # Storage account names must be 3-24 lowercase letters and digits (no underscores)
    name: "storageaccount001"
    account_type: "Standard_LRS"
    network_acls:
      bypass: AzureServices
      default_action: Deny


encrypt.yml


- name: encrypt | Get keyvault name from id
  set_fact:
    keyvaultname: "XXXXXXXXXX"

- name: encrypt | Get object id of storage account
  # Prints the principalId of the account's system-assigned managed identity.
  # If the account has no managed identity the query evaluates to null, nothing
  # usable is printed, and stdout_lines ends up as an empty list.
  shell: az storage account show --subscription "{{ subscription_id }}" -n "{{ Storageaccount_name }}" --query "identity.principalId" --output tsv
  register: azsaobjectid

- debug:
    var: azsaobjectid

- name: encrypt | Create key vault access policy for new storage account
  # The vault name was missing its opening quote in the original task
  shell: az keyvault set-policy --subscription "{{ subscription_id }}" -n "{{ keyvaultname }}" --key-permissions get wrapKey unwrapKey --object-id "{{ azsaobjectid.stdout_lines[0] }}"

When I run the playbook I get the following error:


    fatal: [localhost]: FAILED! =>
      msg: |-
        The task includes an option with an undefined variable. The error was: list object has no element 0
    
        The error appears to be in 'encrypt.yml': line 10, column 4, but may
        be elsewhere in the file depending on the exact syntax problem.
    
    The offending line appears to be:    
         - name:  encrypt | Create key vault access policy for new storage account
           ^ here

The error details indicate that you are using a variable that has not been defined. I suspect this comes from your register block in get object id of storage account.

However...

Consider rewriting these tasks to use the official azure modules.

Shelling out should be a last resort, and from the looks of it you could achieve your goal by using the azure_rm_storageaccount_info_module module to gather facts and the azure_rm_keyvault module to set your policy.

Using the official modules ensures your playbook is idempotent and easier to read, and your error details will likely become clearer as well.
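
The same workflow with the official modules, as an added example that is neither the questioner's nor the answerer's code. It assumes azure.azcollection is installed, that credentials come from the AZURE_* environment variables, that the resource group, the key vault (with soft delete and purge protection enabled) and an RSA key in it already exist, and that every name in `vars` and the ARM `api_version` are placeholders. azure_rm_storageaccount has no option for a managed identity or a key vault key, so those two steps go through the generic azure_rm_resource module, which maps straight onto the ARM storage account resource; the intermediate `assert` replaces the bare `stdout_lines[0]` lookup that produced "list object has no element 0":

```yaml
- name: Encrypt a storage account with a customer-managed key (added example)
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Assumed placeholders, including the ARM API version
    resource_group: rg-example
    storage_account: storageaccount001   # 3-24 lowercase letters/digits
    keyvault_name: kv-example            # existing vault, soft delete + purge protection on
    key_name: storage-cmk                # existing RSA key in that vault
    arm_api: "2021-09-01"
    tenant_id: "{{ lookup('env', 'AZURE_TENANT') }}"
  tasks:
    # Credentials: AZURE_CLIENT_ID / AZURE_SECRET / AZURE_TENANT / AZURE_SUBSCRIPTION_ID
    - name: Create storage account
      azure.azcollection.azure_rm_storageaccount:
        resource_group: "{{ resource_group }}"
        name: "{{ storage_account }}"
        kind: BlobStorage
        access_tier: Hot
        account_type: Standard_LRS
        network_acls:
          bypass: AzureServices
          default_action: Deny

    # Without a managed identity there is no principalId to grant, so PATCH
    # the raw ARM resource to add one
    - name: Assign a system-assigned managed identity
      azure.azcollection.azure_rm_resource:
        resource_group: "{{ resource_group }}"
        provider: Storage
        resource_type: storageAccounts
        resource_name: "{{ storage_account }}"
        api_version: "{{ arm_api }}"
        method: PATCH
        body:
          identity:
            type: SystemAssigned

    - name: Read the storage account back (raw response carries identity)
      azure.azcollection.azure_rm_resource_info:
        resource_group: "{{ resource_group }}"
        provider: Storage
        resource_type: storageAccounts
        resource_name: "{{ storage_account }}"
        api_version: "{{ arm_api }}"
      register: sa

    # Fail with a clear message here rather than indexing an empty list later
    - name: Check that the identity exists
      ansible.builtin.assert:
        that:
          - sa.response | length == 1
          - sa.response[0].identity.principalId is defined
        fail_msg: "{{ storage_account }} has no managed identity"

    - name: Look up the key vault URI
      azure.azcollection.azure_rm_keyvault_info:
        resource_group: "{{ resource_group }}"
        name: "{{ keyvault_name }}"
      register: kv

    # Least privilege: the account only needs get/wrapKey/unwrapKey on keys.
    # azure_rm_keyvault declares the whole policy list, so list every policy
    # the vault must keep, not only this one.
    - name: Grant the storage identity key access
      azure.azcollection.azure_rm_keyvault:
        resource_group: "{{ resource_group }}"
        vault_name: "{{ keyvault_name }}"
        vault_tenant: "{{ tenant_id }}"
        sku:
          name: standard
          family: A
        access_policies:
          - tenant_id: "{{ tenant_id }}"
            object_id: "{{ sa.response[0].identity.principalId }}"
            keys: [get, wrapkey, unwrapkey]

    - name: Switch the account to the customer-managed key
      azure.azcollection.azure_rm_resource:
        resource_group: "{{ resource_group }}"
        provider: Storage
        resource_type: storageAccounts
        resource_name: "{{ storage_account }}"
        api_version: "{{ arm_api }}"
        method: PATCH
        body:
          properties:
            encryption:
              keySource: Microsoft.Keyvault
              keyvaultproperties:
                keyname: "{{ key_name }}"
                keyvaulturi: "{{ kv.keyvaults[0].vault_uri }}"
              services:
                blob:
                  enabled: true
```

Run it with `ansible-playbook encrypt_cmk.yml` after exporting the AZURE_* variables. Every task is declarative, so a second run reports no changes instead of re-issuing `az` commands, and a missing identity stops the play at the `assert` with a message that names the account. If the vault uses Azure RBAC instead of access policies, replace the azure_rm_keyvault task with a role assignment of "Key Vault Crypto Service Encryption User" to the same principalId.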
