AZ DEVOPS를 사용하여 스토리지 계정 키 회전
이 세션에서는 저장소 계정 키(기본 및 보조)를 회전하고 Azure DevOps를 사용하여 Key Vault에 저장하는 방법을 시연합니다.
이것이 보이는 방식입니다:-
자동화 목표:-
Key Vault를 포함하는 리소스 그룹이 있는지 확인합니다. 리소스 그룹이 없으면 파이프라인이 실패합니다.
지정된 리소스 그룹 내에 저장소 계정이 있는지 확인합니다. 스토리지 계정이 없으면 파이프라인이 실패합니다.
지정된 리소스 그룹 내에 Key Vault가 있는지 확인합니다. Key Vault를 찾을 수 없으면 파이프라인이 실패합니다.
위의 모든 유효성 검사가 성공하면 교체하려는 키 사용자(기본 또는 보조)에 따라 파이프라인이 스토리지 계정 키를 교체하고 키 자격 증명 모음에 저장합니다.
중요 사항:-
YAML 파이프라인은 WINDOWS BUILD AGENT에서만 테스트되었습니다!!!
요구 사항:-
코드 저장소:-
arindam0310018 / 2022년 8월 29일-DevOps__Rotate-Storage-Account-Keys
내 코드 자리 표시자는 어떻게 생겼습니까?
파이프라인 코드 스니펫:-
AZURE DEVOPS YAML 파이프라인(azure-pipelines-storage-account-key-rotation-v1.0.yml):-
trigger:
none
######################
#DECLARE PARAMETERS:-
######################
parameters:
- name: SUBSCRIPTIONID
displayName: Subscription ID Details Follow Below:-
type: string
default: 210e66cb-55cf-424e-8daa-6cad804ab604
values:
- 210e66cb-55cf-424e-8daa-6cad804ab604
- name: RGNAME
displayName: Please Provide the Resource Group Name:-
type: object
default:
- name: STORAGEACCOUNTNAME
displayName: Please Provide the Storage Account Name:-
type: object
default:
- name: KVNAME
displayName: Please Provide the Keyvault Name:-
type: object
default:
- name: STORAGEACCOUNTKEYS
displayName: Choose Storage Account Keys - Primary or Secondary:-
type: string
default: Primary
values:
- Primary
- Secondary
######################
#DECLARE VARIABLES:-
######################
variables:
ServiceConnection: amcloud-cicd-service-connection
BuildAgent: windows-latest
#########################
# Declare Build Agents:-
#########################
pool:
vmImage: $(BuildAgent)
###################
# Declare Stages:-
###################
stages:
- stage: VALIDATE_RG_STORAGE_ACCOUNT_AND_KV
jobs:
- job: VALIDATE_RG_STORAGE_ACCOUNT_AND_KV
displayName: VALIDATE RG STORAGE ACCOUNT & KV
steps:
- task: AzureCLI@2
displayName: SET AZURE ACCOUNT
inputs:
azureSubscription: $(ServiceConnection)
scriptType: ps
scriptLocation: inlineScript
inlineScript: |
az --version
az account set --subscription ${{ parameters.SUBSCRIPTIONID }}
az account show
- task: AzureCLI@2
displayName: VALIDATE RG STORAGE ACCOUNT & RG
inputs:
azureSubscription: $(ServiceConnection)
scriptType: ps
scriptLocation: inlineScript
inlineScript: |
$i = az group exists -n ${{ parameters.RGNAME }}
if ($i -eq "true") {
echo "#####################################################"
echo "Resource Group ${{ parameters.RGNAME }} exists!!!"
echo "#####################################################"
$j = az storage account check-name --name ${{ parameters.STORAGEACCOUNTNAME }} --query "reason" --out tsv
if ($j -eq "AlreadyExists") {
echo "###################################################################"
echo "Storage Account ${{ parameters.STORAGEACCOUNTNAME }} exists!!!"
echo "###################################################################"
$k = az keyvault list --resource-group ${{ parameters.RGNAME }} --query [].name -o tsv
if ($k -eq "${{ parameters.KVNAME }}") {
echo "###################################################################"
echo "Key Vault ${{ parameters.KVNAME }} exists!!!"
echo "###################################################################"
}
else {
echo "###################################################################################################"
echo "Key Vault ${{ parameters.KVNAME }} DOES NOT EXISTS in Resource Group ${{ parameters.RGNAME }}!!!"
echo "###################################################################################################"
exit 1
}
}
else {
echo "#######################################################################################################################"
echo "Storage Account ${{ parameters.STORAGEACCOUNTNAME }} DOES NOT EXISTS in Resource Group ${{ parameters.RGNAME }}!!!"
echo "#######################################################################################################################"
exit 1
}
}
else {
echo "#############################################################"
echo "Resource Group ${{ parameters.RGNAME }} DOES NOT EXISTS!!!"
echo "#############################################################"
exit 1
}
- stage: RENEW_STORAGE_ACCOUNT_PRIMARY_KEY
condition: |
and(succeeded(),
eq('${{ parameters.STORAGEACCOUNTKEYS }}', 'Primary')
)
jobs:
- job: RENEW_STORAGE_ACCOUNT_PRIMARY_KEY
displayName: ROTATE PRIMARY KEY & STORE IN KV
steps:
- task: AzureCLI@2
displayName: ROTATE AND STORE
inputs:
azureSubscription: $(ServiceConnection)
scriptType: ps
scriptLocation: inlineScript
inlineScript: |
$saprimary = az storage account keys renew -g ${{ parameters.RGNAME }} -n ${{ parameters.STORAGEACCOUNTNAME }} --key ${{ parameters.STORAGEACCOUNTKEYS }} --query [0].value -o tsv
az keyvault secret set --name "${{ parameters.STORAGEACCOUNTNAME }}-${{ parameters.STORAGEACCOUNTKEYS }}" --vault-name ${{ parameters.KVNAME }} --value $saprimary
echo "#################################################################################################################################################################"
echo "Storage Account Primary Key has been successfully Rotated and Stored in Key Vault ${{ parameters.KVNAME }} under the Resource Group ${{ parameters.RGNAME }}!!!"
echo "#################################################################################################################################################################"
- stage: RENEW_STORAGE_ACCOUNT_SECONDARY_KEY
condition: |
eq('${{ parameters.STORAGEACCOUNTKEYS }}', 'Secondary')
dependsOn: VALIDATE_RG_STORAGE_ACCOUNT_AND_KV
jobs:
- job: RENEW_STORAGE_ACCOUNT_SECONDARY_KEY
displayName: ROTATE SECONDARY KEY & STORE IN KV
steps:
- task: AzureCLI@2
displayName: ROTATE AND STORE
inputs:
azureSubscription: $(ServiceConnection)
scriptType: ps
scriptLocation: inlineScript
inlineScript: |
$sasecondary = az storage account keys renew -g ${{ parameters.RGNAME }} -n ${{ parameters.STORAGEACCOUNTNAME }} --key ${{ parameters.STORAGEACCOUNTKEYS }} --query [1].value -o tsv
az keyvault secret set --name "${{ parameters.STORAGEACCOUNTNAME }}-${{ parameters.STORAGEACCOUNTKEYS }}" --vault-name ${{ parameters.KVNAME }} --value $sasecondary
echo "#################################################################################################################################################################"
echo "Storage Account Secondary Key has been successfully Rotated and Stored in Key Vault ${{ parameters.KVNAME }} under the Resource Group ${{ parameters.RGNAME }}!!!"
echo "#################################################################################################################################################################"
이제 이해를 돕기 위해 YAML 파이프라인의 각 부분을 설명하겠습니다.
1 부:-
아래는 파이프라인 런타임 변수 코드 스니펫을 따릅니다.
######################
#DECLARE PARAMETERS:-
######################
parameters:
- name: SUBSCRIPTIONID
displayName: Subscription ID Details Follow Below:-
type: string
default: 210e66cb-55cf-424e-8daa-6cad804ab604
values:
- 210e66cb-55cf-424e-8daa-6cad804ab604
- name: RGNAME
displayName: Please Provide the Resource Group Name:-
type: object
default:
- name: STORAGEACCOUNTNAME
displayName: Please Provide the Storage Account Name:-
type: object
default:
- name: KVNAME
displayName: Please Provide the Keyvault Name:-
type: object
default:
- name: STORAGEACCOUNTKEYS
displayName: Choose Storage Account Keys - Primary or Secondary:-
type: string
default: Primary
values:
- Primary
- Secondary
2 부:-
아래는 파이프라인 변수 코드 스니펫을 따릅니다.
######################
#DECLARE VARIABLES:-
######################
variables:
ServiceConnection: amcloud-cicd-service-connection
BuildAgent: windows-latest
노트:-
그에 따라 변수 값을 변경하십시오.
전체 YAML 파이프라인은 런타임 매개변수 및 변수를 사용하여 빌드됩니다. 어떤 값도 하드코딩되지 않습니다.
부품 #3:-
이것은 3단계 파이프라인입니다.
1단계 - VALIDATE_RG_STORAGE_ACCOUNT_AND_KV:-
이 단계에서 파이프라인은 리소스 그룹, 스토리지 계정 및 Key Vault의 유효성을 검사합니다. Azure 리소스 중 하나라도 사용할 수 없으면 파이프라인이 실패하고 다른 2단계는 건너뜁니다.
- stage: VALIDATE_RG_STORAGE_ACCOUNT_AND_KV
jobs:
- job: VALIDATE_RG_STORAGE_ACCOUNT_AND_KV
displayName: VALIDATE RG STORAGE ACCOUNT & KV
steps:
- task: AzureCLI@2
displayName: SET AZURE ACCOUNT
inputs:
azureSubscription: $(ServiceConnection)
scriptType: ps
scriptLocation: inlineScript
inlineScript: |
az --version
az account set --subscription ${{ parameters.SUBSCRIPTIONID }}
az account show
- task: AzureCLI@2
displayName: VALIDATE RG STORAGE ACCOUNT & RG
inputs:
azureSubscription: $(ServiceConnection)
scriptType: ps
scriptLocation: inlineScript
inlineScript: |
$i = az group exists -n ${{ parameters.RGNAME }}
if ($i -eq "true") {
echo "#####################################################"
echo "Resource Group ${{ parameters.RGNAME }} exists!!!"
echo "#####################################################"
$j = az storage account check-name --name ${{ parameters.STORAGEACCOUNTNAME }} --query "reason" --out tsv
if ($j -eq "AlreadyExists") {
echo "###################################################################"
echo "Storage Account ${{ parameters.STORAGEACCOUNTNAME }} exists!!!"
echo "###################################################################"
$k = az keyvault list --resource-group ${{ parameters.RGNAME }} --query [].name -o tsv
if ($k -eq "${{ parameters.KVNAME }}") {
echo "###################################################################"
echo "Key Vault ${{ parameters.KVNAME }} exists!!!"
echo "###################################################################"
}
else {
echo "###################################################################################################"
echo "Key Vault ${{ parameters.KVNAME }} DOES NOT EXISTS in Resource Group ${{ parameters.RGNAME }}!!!"
echo "###################################################################################################"
exit 1
}
}
else {
echo "#######################################################################################################################"
echo "Storage Account ${{ parameters.STORAGEACCOUNTNAME }} DOES NOT EXISTS in Resource Group ${{ parameters.RGNAME }}!!!"
echo "#######################################################################################################################"
exit 1
}
}
else {
echo "#############################################################"
echo "Resource Group ${{ parameters.RGNAME }} DOES NOT EXISTS!!!"
echo "#############################################################"
exit 1
}
2단계 - RENEW_STORAGE_ACCOUNT_PRIMARY_KEY:-
이 단계에서 파이프라인에는 조건이 있습니다.
조건 #1: 이전 단계가 성공적이어야 합니다.
조건 #2: 사용자는 "기본"옵션을 선택해야 합니다.
- stage: RENEW_STORAGE_ACCOUNT_PRIMARY_KEY
condition: |
and(succeeded(),
eq('${{ parameters.STORAGEACCOUNTKEYS }}', 'Primary')
)
아래는 저장소 계정 기본 키를 갱신/회전하고 언급된 KEYVAULT에 저장하도록 정의된 논리를 따릅니다.
jobs:
- job: RENEW_STORAGE_ACCOUNT_PRIMARY_KEY
displayName: ROTATE PRIMARY KEY & STORE IN KV
steps:
- task: AzureCLI@2
displayName: ROTATE AND STORE
inputs:
azureSubscription: $(ServiceConnection)
scriptType: ps
scriptLocation: inlineScript
inlineScript: |
$saprimary = az storage account keys renew -g ${{ parameters.RGNAME }} -n ${{ parameters.STORAGEACCOUNTNAME }} --key ${{ parameters.STORAGEACCOUNTKEYS }} --query [0].value -o tsv
az keyvault secret set --name "${{ parameters.STORAGEACCOUNTNAME }}-${{ parameters.STORAGEACCOUNTKEYS }}" --vault-name ${{ parameters.KVNAME }} --value $saprimary
echo "#################################################################################################################################################################"
echo "Storage Account Primary Key has been successfully Rotated and Stored in Key Vault ${{ parameters.KVNAME }} under the Resource Group ${{ parameters.RGNAME }}!!!"
echo "#################################################################################################################################################################"
3단계 - RENEW_STORAGE_ACCOUNT_SECONDARY_KEY:-
이 단계에서 파이프라인에는 조건이 있습니다.
조건 #1: 사용자는 옵션 "Secondary"를 선택해야 합니다.
조건 #2: 단계 #1에 따라 다름: VALIDATE_RG_STORAGE_ACCOUNT_AND_KV .
- stage: RENEW_STORAGE_ACCOUNT_SECONDARY_KEY
condition: |
eq('${{ parameters.STORAGEACCOUNTKEYS }}', 'Secondary')
dependsOn: VALIDATE_RG_STORAGE_ACCOUNT_AND_KV
아래는 저장소 계정 보조 키를 갱신/회전하고 언급된 KEYVAULT에 저장하도록 정의된 논리를 따릅니다.
jobs:
- job: RENEW_STORAGE_ACCOUNT_SECONDARY_KEY
displayName: ROTATE SECONDARY KEY & STORE IN KV
steps:
- task: AzureCLI@2
displayName: ROTATE AND STORE
inputs:
azureSubscription: $(ServiceConnection)
scriptType: ps
scriptLocation: inlineScript
inlineScript: |
$sasecondary = az storage account keys renew -g ${{ parameters.RGNAME }} -n ${{ parameters.STORAGEACCOUNTNAME }} --key ${{ parameters.STORAGEACCOUNTKEYS }} --query [1].value -o tsv
az keyvault secret set --name "${{ parameters.STORAGEACCOUNTNAME }}-${{ parameters.STORAGEACCOUNTKEYS }}" --vault-name ${{ parameters.KVNAME }} --value $sasecondary
echo "#################################################################################################################################################################"
echo "Storage Account Secondary Key has been successfully Rotated and Stored in Key Vault ${{ parameters.KVNAME }} under the Resource Group ${{ parameters.RGNAME }}!!!"
echo "#################################################################################################################################################################"
이제 테스트할 시간입니다!!!...
테스트 케이스:-
테스트 사례 #1: 리소스 그룹, 저장소 계정 및 키 자격 증명 모음 유효성 검사:-
원하는 출력: 리소스 그룹이 존재하지 않으면 파이프라인이 실패합니다.
원하는 출력: 스토리지 계정이 없으면 파이프라인이 실패합니다.
원하는 출력: 키 자격 증명 모음이 없으면 파이프라인이 실패합니다.
테스트 사례 #2: 스토리지 계정 기본 키 회전/갱신 및 키 볼트에 저장:-
테스트 사례 #3: 스토리지 계정 보조 키 회전/갱신 및 키 볼트에 저장:-
세션을 즐기셨기를 바랍니다!!!
안전 유지 | 계속 학습 | 지식 전파
Reference
이 문제에 관하여(AZ DEVOPS를 사용하여 스토리지 계정 키 회전), 우리는 이곳에서 더 많은 자료를 발견하고 링크를 클릭하여 보았다 https://dev.to/arindam0310018/rotate-storage-account-keys-using-az-devops-n71텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
우수한 개발자 콘텐츠 발견에 전념 (Collection and Share based on the CC Protocol.)