AZ DEVOPS를 사용하여 스토리지 계정 키 회전

동료 기술 옹호자 및 전문가에게 인사드립니다.

이 세션에서는 저장소 계정 키(기본 및 보조)를 회전하고 Azure DevOps를 사용하여 Key Vault에 저장하는 방법을 시연합니다.


이것이 보이는 방식입니다:-







자동화 목표:-


Key Vault를 포함하는 리소스 그룹이 있는지 확인합니다. 리소스 그룹이 없으면 파이프라인이 실패합니다.

지정된 리소스 그룹 내에 저장소 계정이 있는지 확인합니다. 스토리지 계정이 없으면 파이프라인이 실패합니다.

지정된 리소스 그룹 내에 Key Vault가 있는지 확인합니다. Key Vault를 찾을 수 없으면 파이프라인이 실패합니다.

위의 모든 유효성 검사가 성공하면 교체하려는 키 사용자(기본 또는 보조)에 따라 파이프라인이 스토리지 계정 키를 교체하고 키 자격 증명 모음에 저장합니다.



중요 사항:-



YAML 파이프라인은 WINDOWS BUILD AGENT에서만 테스트되었습니다!!!


요구 사항:-


  • Azure 구독.
  • Azure DevOps 조직 및 프로젝트.
  • 구독 또는 리소스 그룹에 필수 RBAC(기여자)가 적용된 서비스 주체.
  • Azure DevOps의 Azure Resource Manager 서비스 연결.



  • 코드 저장소:-




    arindam0310018 / 2022년 8월 29일-DevOps__Rotate-Storage-Account-Keys









    내 코드 자리 표시자는 어떻게 생겼습니까?






    파이프라인 코드 스니펫:-





    AZURE DEVOPS YAML 파이프라인(azure-pipelines-storage-account-key-rotation-v1.0.yml):-





    trigger:
      none
    
    ######################
    #DECLARE PARAMETERS:-
    ######################
    parameters:
    - name: SUBSCRIPTIONID
      displayName: Subscription ID Details Follow Below:-
      type: string
      default: 210e66cb-55cf-424e-8daa-6cad804ab604
      values:
      - 210e66cb-55cf-424e-8daa-6cad804ab604
    
    - name: RGNAME
      displayName: Please Provide the Resource Group Name:-
      type: object
      default: 
    
    - name: STORAGEACCOUNTNAME
      displayName: Please Provide the Storage Account Name:-
      type: object
      default:
    
    - name: KVNAME
      displayName: Please Provide the Keyvault Name:-
      type: object
      default: 
    
    - name: STORAGEACCOUNTKEYS
      displayName: Choose Storage Account Keys - Primary or Secondary:-
      type: string
      default: Primary
      values:
      - Primary
      - Secondary 
    
    ######################
    #DECLARE VARIABLES:-
    ######################
    variables:
      ServiceConnection: amcloud-cicd-service-connection
      BuildAgent: windows-latest
    
    #########################
    # Declare Build Agents:-
    #########################
    pool:
      vmImage: $(BuildAgent)
    
    ###################
    # Declare Stages:-
    ###################
    
    stages:
    
    - stage: VALIDATE_RG_STORAGE_ACCOUNT_AND_KV 
      jobs:
      - job: VALIDATE_RG_STORAGE_ACCOUNT_AND_KV 
        displayName: VALIDATE RG STORAGE ACCOUNT & KV
        steps:
        - task: AzureCLI@2
          displayName: SET AZURE ACCOUNT
          inputs:
            azureSubscription: $(ServiceConnection)
            scriptType: ps
            scriptLocation: inlineScript
            inlineScript: |
              az --version
              az account set --subscription ${{ parameters.SUBSCRIPTIONID }}
              az account show  
        - task: AzureCLI@2
          displayName: VALIDATE RG STORAGE ACCOUNT & RG
          inputs:
            azureSubscription: $(ServiceConnection)
            scriptType: ps
            scriptLocation: inlineScript
            inlineScript: |      
              $i = az group exists -n ${{ parameters.RGNAME }}
                if ($i -eq "true") {
                  echo "#####################################################"
                  echo "Resource Group ${{ parameters.RGNAME }} exists!!!"
                  echo "#####################################################"
                  $j = az storage account check-name --name ${{ parameters.STORAGEACCOUNTNAME }} --query "reason" --out tsv
                    if ($j -eq "AlreadyExists") {
                      echo "###################################################################"
                      echo "Storage Account ${{ parameters.STORAGEACCOUNTNAME }} exists!!!"
                      echo "###################################################################"
                      $k = az keyvault list --resource-group ${{ parameters.RGNAME }} --query [].name -o tsv        
                        if ($k -eq "${{ parameters.KVNAME }}") {
                          echo "###################################################################"
                          echo "Key Vault ${{ parameters.KVNAME }} exists!!!"
                          echo "###################################################################"
                        }
                      else {
                        echo "###################################################################################################"
                        echo "Key Vault ${{ parameters.KVNAME }} DOES NOT EXISTS in Resource Group ${{ parameters.RGNAME }}!!!"
                        echo "###################################################################################################"
                        exit 1
                      }
                    }  
                    else {
                      echo "#######################################################################################################################"
                      echo "Storage Account ${{ parameters.STORAGEACCOUNTNAME }} DOES NOT EXISTS in Resource Group ${{ parameters.RGNAME }}!!!"
                      echo "#######################################################################################################################"
                      exit 1
                    }              
                }
                else {
                  echo "#############################################################"
                  echo "Resource Group ${{ parameters.RGNAME }} DOES NOT EXISTS!!!"
                  echo "#############################################################"
                  exit 1
                }
    
    - stage: RENEW_STORAGE_ACCOUNT_PRIMARY_KEY
      condition: |
         and(succeeded(),
           eq('${{ parameters.STORAGEACCOUNTKEYS }}', 'Primary')
         ) 
      jobs:
      - job: RENEW_STORAGE_ACCOUNT_PRIMARY_KEY 
        displayName: ROTATE PRIMARY KEY & STORE IN KV
        steps:
        - task: AzureCLI@2
          displayName: ROTATE AND STORE
          inputs:
            azureSubscription: $(ServiceConnection)
            scriptType: ps
            scriptLocation: inlineScript
            inlineScript: |
              $saprimary = az storage account keys renew -g ${{ parameters.RGNAME }} -n ${{ parameters.STORAGEACCOUNTNAME }} --key ${{ parameters.STORAGEACCOUNTKEYS }} --query [0].value -o tsv
              az keyvault secret set --name "${{ parameters.STORAGEACCOUNTNAME }}-${{ parameters.STORAGEACCOUNTKEYS }}" --vault-name ${{ parameters.KVNAME }} --value $saprimary
              echo "#################################################################################################################################################################"
              echo "Storage Account Primary Key has been successfully Rotated and Stored in Key Vault ${{ parameters.KVNAME }} under the Resource Group ${{ parameters.RGNAME }}!!!"
              echo "#################################################################################################################################################################"
    
    - stage: RENEW_STORAGE_ACCOUNT_SECONDARY_KEY
      condition: |
           eq('${{ parameters.STORAGEACCOUNTKEYS }}', 'Secondary')
      dependsOn: VALIDATE_RG_STORAGE_ACCOUNT_AND_KV   
      jobs:
      - job: RENEW_STORAGE_ACCOUNT_SECONDARY_KEY 
        displayName: ROTATE SECONDARY KEY & STORE IN KV
        steps:
        - task: AzureCLI@2
          displayName: ROTATE AND STORE
          inputs:
            azureSubscription: $(ServiceConnection)
            scriptType: ps
            scriptLocation: inlineScript
            inlineScript: |
              $sasecondary = az storage account keys renew -g ${{ parameters.RGNAME }} -n ${{ parameters.STORAGEACCOUNTNAME }} --key ${{ parameters.STORAGEACCOUNTKEYS }} --query [1].value -o tsv
              az keyvault secret set --name "${{ parameters.STORAGEACCOUNTNAME }}-${{ parameters.STORAGEACCOUNTKEYS }}" --vault-name ${{ parameters.KVNAME }} --value $sasecondary
              echo "#################################################################################################################################################################"
              echo "Storage Account Secondary Key has been successfully Rotated and Stored in Key Vault ${{ parameters.KVNAME }} under the Resource Group ${{ parameters.RGNAME }}!!!"
              echo "#################################################################################################################################################################"
    
    


    이제 이해를 돕기 위해 YAML 파이프라인의 각 부분을 설명하겠습니다.


    1 부:-





    아래는 파이프라인 런타임 변수 코드 스니펫을 따릅니다.





    ######################
    #DECLARE PARAMETERS:-
    ######################
    parameters:
    - name: SUBSCRIPTIONID
      displayName: Subscription ID Details Follow Below:-
      type: string
      default: 210e66cb-55cf-424e-8daa-6cad804ab604
      values:
      - 210e66cb-55cf-424e-8daa-6cad804ab604
    
    - name: RGNAME
      displayName: Please Provide the Resource Group Name:-
      type: object
      default: 
    
    - name: STORAGEACCOUNTNAME
      displayName: Please Provide the Storage Account Name:-
      type: object
      default:
    
    - name: KVNAME
      displayName: Please Provide the Keyvault Name:-
      type: object
      default: 
    
    - name: STORAGEACCOUNTKEYS
      displayName: Choose Storage Account Keys - Primary or Secondary:-
      type: string
      default: Primary
      values:
      - Primary
      - Secondary 
    
    



    2 부:-





    아래는 파이프라인 변수 코드 스니펫을 따릅니다.





    ######################
    #DECLARE VARIABLES:-
    ######################
    variables:
      ServiceConnection: amcloud-cicd-service-connection
      BuildAgent: windows-latest
    
    



    노트:-


    그에 따라 변수 값을 변경하십시오.

    전체 YAML 파이프라인은 런타임 매개변수 및 변수를 사용하여 빌드됩니다. 어떤 값도 하드코딩되지 않습니다.



    부품 #3:-





    이것은 3단계 파이프라인입니다.





    1단계 - VALIDATE_RG_STORAGE_ACCOUNT_AND_KV:-


    이 단계에서 파이프라인은 리소스 그룹, 스토리지 계정 및 Key Vault의 유효성을 검사합니다. Azure 리소스 중 하나라도 사용할 수 없으면 파이프라인이 실패하고 다른 2단계는 건너뜁니다.



    - stage: VALIDATE_RG_STORAGE_ACCOUNT_AND_KV 
      jobs:
      - job: VALIDATE_RG_STORAGE_ACCOUNT_AND_KV 
        displayName: VALIDATE RG STORAGE ACCOUNT & KV
        steps:
        - task: AzureCLI@2
          displayName: SET AZURE ACCOUNT
          inputs:
            azureSubscription: $(ServiceConnection)
            scriptType: ps
            scriptLocation: inlineScript
            inlineScript: |
              az --version
              az account set --subscription ${{ parameters.SUBSCRIPTIONID }}
              az account show  
        - task: AzureCLI@2
          displayName: VALIDATE RG STORAGE ACCOUNT & RG
          inputs:
            azureSubscription: $(ServiceConnection)
            scriptType: ps
            scriptLocation: inlineScript
            inlineScript: |      
              $i = az group exists -n ${{ parameters.RGNAME }}
                if ($i -eq "true") {
                  echo "#####################################################"
                  echo "Resource Group ${{ parameters.RGNAME }} exists!!!"
                  echo "#####################################################"
                  $j = az storage account check-name --name ${{ parameters.STORAGEACCOUNTNAME }} --query "reason" --out tsv
                    if ($j -eq "AlreadyExists") {
                      echo "###################################################################"
                      echo "Storage Account ${{ parameters.STORAGEACCOUNTNAME }} exists!!!"
                      echo "###################################################################"
                      $k = az keyvault list --resource-group ${{ parameters.RGNAME }} --query [].name -o tsv        
                        if ($k -eq "${{ parameters.KVNAME }}") {
                          echo "###################################################################"
                          echo "Key Vault ${{ parameters.KVNAME }} exists!!!"
                          echo "###################################################################"
                        }
                      else {
                        echo "###################################################################################################"
                        echo "Key Vault ${{ parameters.KVNAME }} DOES NOT EXISTS in Resource Group ${{ parameters.RGNAME }}!!!"
                        echo "###################################################################################################"
                        exit 1
                      }
                    }  
                    else {
                      echo "#######################################################################################################################"
                      echo "Storage Account ${{ parameters.STORAGEACCOUNTNAME }} DOES NOT EXISTS in Resource Group ${{ parameters.RGNAME }}!!!"
                      echo "#######################################################################################################################"
                      exit 1
                    }              
                }
                else {
                  echo "#############################################################"
                  echo "Resource Group ${{ parameters.RGNAME }} DOES NOT EXISTS!!!"
                  echo "#############################################################"
                  exit 1
                }
    



    2단계 - RENEW_STORAGE_ACCOUNT_PRIMARY_KEY:-


    이 단계에서 파이프라인에는 조건이 있습니다.

    조건 #1: 이전 단계가 성공적이어야 합니다.

    조건 #2: 사용자는 "기본"옵션을 선택해야 합니다.



    - stage: RENEW_STORAGE_ACCOUNT_PRIMARY_KEY
      condition: |
         and(succeeded(),
           eq('${{ parameters.STORAGEACCOUNTKEYS }}', 'Primary')
         ) 
    



    아래는 저장소 계정 기본 키를 갱신/회전하고 언급된 KEYVAULT에 저장하도록 정의된 논리를 따릅니다.





    jobs:
      - job: RENEW_STORAGE_ACCOUNT_PRIMARY_KEY 
        displayName: ROTATE PRIMARY KEY & STORE IN KV
        steps:
        - task: AzureCLI@2
          displayName: ROTATE AND STORE
          inputs:
            azureSubscription: $(ServiceConnection)
            scriptType: ps
            scriptLocation: inlineScript
            inlineScript: |
              $saprimary = az storage account keys renew -g ${{ parameters.RGNAME }} -n ${{ parameters.STORAGEACCOUNTNAME }} --key ${{ parameters.STORAGEACCOUNTKEYS }} --query [0].value -o tsv
              az keyvault secret set --name "${{ parameters.STORAGEACCOUNTNAME }}-${{ parameters.STORAGEACCOUNTKEYS }}" --vault-name ${{ parameters.KVNAME }} --value $saprimary
              echo "#################################################################################################################################################################"
              echo "Storage Account Primary Key has been successfully Rotated and Stored in Key Vault ${{ parameters.KVNAME }} under the Resource Group ${{ parameters.RGNAME }}!!!"
              echo "#################################################################################################################################################################"
    
    



    3단계 - RENEW_STORAGE_ACCOUNT_SECONDARY_KEY:-


    이 단계에서 파이프라인에는 조건이 있습니다.

    조건 #1: 사용자는 옵션 "Secondary"를 선택해야 합니다.

    조건 #2: 단계 #1에 따라 다름: VALIDATE_RG_STORAGE_ACCOUNT_AND_KV .



    - stage: RENEW_STORAGE_ACCOUNT_SECONDARY_KEY
      condition: |
           eq('${{ parameters.STORAGEACCOUNTKEYS }}', 'Secondary')
      dependsOn: VALIDATE_RG_STORAGE_ACCOUNT_AND_KV  
    
    



    아래는 저장소 계정 보조 키를 갱신/회전하고 언급된 KEYVAULT에 저장하도록 정의된 논리를 따릅니다.





    jobs:
      - job: RENEW_STORAGE_ACCOUNT_SECONDARY_KEY 
        displayName: ROTATE SECONDARY KEY & STORE IN KV
        steps:
        - task: AzureCLI@2
          displayName: ROTATE AND STORE
          inputs:
            azureSubscription: $(ServiceConnection)
            scriptType: ps
            scriptLocation: inlineScript
            inlineScript: |
              $sasecondary = az storage account keys renew -g ${{ parameters.RGNAME }} -n ${{ parameters.STORAGEACCOUNTNAME }} --key ${{ parameters.STORAGEACCOUNTKEYS }} --query [1].value -o tsv
              az keyvault secret set --name "${{ parameters.STORAGEACCOUNTNAME }}-${{ parameters.STORAGEACCOUNTKEYS }}" --vault-name ${{ parameters.KVNAME }} --value $sasecondary
              echo "#################################################################################################################################################################"
              echo "Storage Account Secondary Key has been successfully Rotated and Stored in Key Vault ${{ parameters.KVNAME }} under the Resource Group ${{ parameters.RGNAME }}!!!"
              echo "#################################################################################################################################################################"
    
    


    이제 테스트할 시간입니다!!!...


    테스트 케이스:-





    테스트 사례 #1: 리소스 그룹, 저장소 계정 및 키 자격 증명 모음 유효성 검사:-


    원하는 출력: 리소스 그룹이 존재하지 않으면 파이프라인이 실패합니다.





    원하는 출력: 스토리지 계정이 없으면 파이프라인이 실패합니다.





    원하는 출력: 키 자격 증명 모음이 없으면 파이프라인이 실패합니다.





    테스트 사례 #2: 스토리지 계정 기본 키 회전/갱신 및 키 볼트에 저장:-











    테스트 사례 #3: 스토리지 계정 보조 키 회전/갱신 및 키 볼트에 저장:-












    세션을 즐기셨기를 바랍니다!!!

    안전 유지 | 계속 학습 | 지식 전파

    좋은 웹페이지 즐겨찾기