Tutorial: Gunakan Azure Key Vault untuk menyimpan rahasia VM dengan Ansible
Dalam mulai cepat ini, Anda akan membuat dan mengambil rahasia dari Azure key vault dengan Ansible.
Penting
Ansible 2.9 (atau lebih baru) diperlukan untuk menjalankan sampel playbook dalam artikel ini.
Dalam artikel ini, Anda akan mempelajari cara:
- Buat instans Azure Key Vault
- Buat penyimpanan rahasia di Azure key vault
- Dapatkan rahasia dari Azure Key Vault
Prasyarat
- Langganan Azure: Jika Anda tidak memiliki langganan Azure, buat akun gratis sebelum memulai.
- Perwakilan layanan Azure: Buat perwakilan layanan, catat nilai-nilai berikut: appId, displayName, kata sandi, dan penyewa.
Instal Ansible: Lakukan salah satu opsi berikut:
- Menginstal dan mengonfigurasi Ansibel pada mesin virtual Linux
- Konfigurasikan Azure Cloud Shell
Membuat brankas kunci Azure
Ansible membutuhkan grup sumber daya untuk menyebarkan sumber daya Anda.
Buat playbook Ansible bernama
create_kv.ymltambahkan tugas berikut untuk membuat grup sumber daya:--- - name: Create Azure key vault hosts: localhost connection: local tasks: - name: Create resource group azure_rm_resourcegroup: name: ansible-kv-test-rg location: eastusTentukan variabel yang diperlukan untuk ID penyewa, ID objek perwakilan layanan, dan nama vault.
--- vars: tenant_id: <tenantId> object_id: <servicePrincipalObjectId> vault_name: <vaultName>Ganti
<tenantId>,<servicePrincipalObjectId>dan<vaultName>dengan nilai yang sesuai. ObjectId digunakan untuk memberikan akses ke rahasia di dalam key vault.Poin kunci:
- Nama Azure key vault harus unik secara global. key vault dan kunci/rahasia di dalamnya diakses melalui
https://{vault-name}.vault.azure.netURI.
- Nama Azure key vault harus unik secara global. key vault dan kunci/rahasia di dalamnya diakses melalui
Konfigurasikan instans Azure key vault dengan menambahkan tugas
create_kv.yml.--- - name: Create key vault instance azure_rm_keyvault: resource_group: ansible-kv-test-rg vault_name: "{{ vault_name }}" enabled_for_deployment: yes vault_tenant: "{{ tenant_id }}" sku: name: standard access_policies: - tenant_id: "{{ tenant_id }}" object_id: "{{ object_id }}" secrets: - get - list - set - deleteJalankan playbook
create_kv.yml.ansible-playbook create_kv.ymlPLAY [localhost] ******************************************************************************************************* TASK [Gathering Facts] ************************************************************************************************* ok: [localhost] TASK [Create resource group] ******************************************************************************************* ok: [localhost] TASK [Create key vault instance] ************************************************************************************ ok: [localhost] PLAY RECAP ************************************************************************************************************* localhost : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Selesaikan pembuatan playbook Azure key vault
Bagian ini mencantumkan seluruh sampel playbook Ansible untuk membuat Azure key vault.
- hosts: localhost
connection: local
vars:
tenant_id: <tenantId>
object_id: <servicePrincipalObjectId>
vault_name: <vaultName>
tasks:
- name: Create resource group
azure_rm_resourcegroup:
name: ansible-kv-test-rg
location: eastus
- name: Create instance of Key Vault
azure_rm_keyvault:
resource_group: ansible-kv-test-rg
vault_name: "{{ vault_name }}"
enabled_for_deployment: yes
vault_tenant: "{{ tenant_id }}"
sku:
name: standard
access_policies:
- tenant_id: "{{ tenant_id }}"
object_id: "{{ object_id }}"
secrets:
- get
- list
- set
- delete
Menyimpan rahasia di key vault
Sebelum rahasia dapat dibuat, Anda akan memerlukan keyvault URI.
Buat playbook lain bernama
create_kv_secret.yml. Salin kode berikut ke dalam playbook:--- - hosts: localhost connection: local tasks: - name: Get Key Vault by name azure_rm_keyvault_info: resource_group: ansible-kv-test-rg name: <vaultName> register: keyvault - name: set KeyVault uri fact set_fact: keyvaulturi="{{ keyvault['keyvaults'][0]['vault_uri'] }}" - name: Create a secret azure_rm_keyvaultsecret: secret_name: adminPassword secret_value: <secretValue> keyvault_uri: "{{ keyvaulturi }}"Ganti
<vaultName>dengan nama key vault Anda dan<secretValue>dengan nilai untuk rahasia.Poin kunci:
- Modul
azure_rm_keyvault_infodanset_factsmendaftarkan URI key vault sebagai variabel. Variabel itu kemudian diteruskan ke modulazure_rm_keyvaultsecretuntuk membuat rahasia.
- Modul
Jalankan playbook
create_kv_secret.yml.ansible-playbook create_kv_secret.ymlPLAY [localhost] ******************************************************************************************************* TASK [Gathering Facts] ************************************************************************************************* ok: [localhost] TASK [Get Key Vault by name] ******************************************************************************************* ok: [localhost] TASK [set KeyVault uri fact] ******************************************************************************************* ok: [localhost] TASK [Create a secret] ************************************************************************************************* ok: [localhost] PLAY RECAP ************************************************************************************************************* localhost : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Dapatkan rahasia dari key vault
Rahasia yang disimpan di Azure key vault dapat digunakan untuk mengisi variabel Ansible.
Buat playbook baru yang bernama
get_kv_secrets.ymluntuk mengambil rahasia key vault dengan Ansible.Ansible 2.9 dengan azure_preview_modules
--- - hosts: localhost connection: local roles: - { role: azure.azure_preview_modules } vars: tenant_id: <tenantId> vault_name: <vaultName> secret_name: adminPassword client_id: <servicePrincipalApplicationId> client_secret: <servicePrincipalSecret> tasks: - name: Get Key Vault by name azure_rm_keyvault_info: resource_group: ansible-kv-test-rg name: "{{ vault_name }}" register: keyvault - name: Set key vault URI fact set_fact: keyvaulturi="{{ keyvault['keyvaults'][0]['vault_uri'] }}" - name: Set key vault secret fact set_fact: secretValue={{ lookup('azure_keyvault_secret',secret_name,vault_url=keyvaulturi, client_id=client_id, secret=client_secret, tenant_id=tenant_id) }} - name: Output key vault secret debug: msg: "{{ secretValue }}"Ganti
<tenantId>,<vaultName>,<servicePrincipalApplicationId>, dan<servicePrincipalSecret>dengan nilai yang sesuai.Untuk mempelajari lebih lanjut tentang
azure_preview_modules, lihat halaman Ansible Galaxy.Ansible 2.10 dengan azure.azcollection
--- - hosts: localhost connection: local collections: - azure.azcollection vars: vault_name: ansible-kv-test-01 secret_name: adminPassword tasks: - name: Get Key Vault by name azure_rm_keyvault_info: resource_group: ansible-kv-test-rg name: "{{ vault_name }}" register: keyvault - name: Set key vault URI fact set_fact: keyvaulturi="{{ keyvault['keyvaults'][0]['vault_uri'] }}" - name: Get secret value azure_rm_keyvaultsecret_info: vault_uri: "{{ keyvaulturi }}" name: "{{ secret_name }}" register: kvSecret - name: set secret fact set_fact: secretValue="{{ kvSecret['secrets'][0]['secret'] }}" - name: Output key vault secret debug: msg="{{ secretValue }}"Ganti
<vaultName>dengan nilai yang sesuai.Untuk mempelajari tentang
azcollection, lihat Ansible collection for Azure.Jalankan playbook
get-secret-value.yml.ansible-playbook get-secret-value.ymlTASK [Output key vault secret] ************************************************* ok: [localhost] => { "msg": "<plainTextPassword>" }Konfirmasikan output yang diganti
<plainTextPassword>adalah nilai teks biasa dari rahasia yang sebelumnya dibuat di Azure key vault.
Selesaikan sampel playbook Ansible
Bagian ini mencantumkan seluruh sampel playbook Ansible untuk mengonfigurasi VM Windows Azure menggunakan rahasia key vault.
---
- name: Create Azure VM
hosts: localhost
connection: local
gather_facts: false
collections:
- azure.azcollection
vars:
vault_uri: <key_vault_uri>
secret_name: <key_vault_secret_name>
tasks:
- name: Get latest version of a secret
azure_rm_keyvaultsecret_info:
vault_uri: "{{ vault_uri }}"
name: "{{ secret_name }}"
register: kvSecret
- name: Set secret fact
set_fact: secret_value="{{ kvSecret['secrets'][0]['secret'] }}"
- name: Create resource group
azure_rm_resourcegroup:
name: myResourceGroup
location: eastus
- name: Create virtual network
azure_rm_virtualnetwork:
resource_group: myResourceGroup
name: vNet
address_prefixes: "10.0.0.0/16"
- name: Add subnet
azure_rm_subnet:
resource_group: myResourceGroup
name: subnet
address_prefix: "10.0.1.0/24"
virtual_network: vNet
- name: Create public IP address
azure_rm_publicipaddress:
resource_group: myResourceGroup
allocation_method: Static
name: pip
register: output_ip_address
- name: Output public IP
debug:
msg: "The public IP is {{ output_ip_address.state.ip_address }}"
- name: Create Network Security Group
azure_rm_securitygroup:
resource_group: myResourceGroup
name: networkSecurityGroup
rules:
- name: 'allow_rdp'
protocol: Tcp
destination_port_range: 3389
access: Allow
priority: 1001
direction: Inbound
- name: Create a network interface
azure_rm_networkinterface:
name: nic
resource_group: myResourceGroup
virtual_network: vNet
subnet_name: subnet
security_group: networkSecurityGroup
ip_configurations:
- name: default
public_ip_address_name: pip
primary: True
- name: Create VM
azure_rm_virtualmachine:
resource_group: myResourceGroup
name: win-vm
vm_size: Standard_DS1_v2
admin_username: azureuser
admin_password: "{{ secret_value }}"
network_interfaces: nic
os_type: Windows
image:
offer: WindowsServer
publisher: MicrosoftWindowsServer
sku: 2019-Datacenter
version: latest
no_log: true
Ganti <key_vault_uri> dan <key_vault_secret_name> dengan nilai yang sesuai.
Membersihkan sumber daya
Simpan kode berikut sebagai
delete_rg.yml.--- - hosts: localhost tasks: - name: Deleting resource group - "{{ name }}" azure_rm_resourcegroup: name: "{{ name }}" state: absent register: rg - debug: var: rgJalankan playbook menggunakan perintah ansible-playbook. Ganti tempat penampung dengan nama grup sumber daya yang akan dihapus. Semua sumber daya dalam grup sumber daya akan dihapus.
ansible-playbook delete_rg.yml --extra-vars "name=<resource_group>"Poin utama:
- Karena variabel
registerdan bagiandebugdari playbook, hasilnya akan ditampilkan ketika perintah selesai.
- Karena variabel