Bagikan melalui


Tutorial: Gunakan Azure Key Vault untuk menyimpan rahasia VM dengan Ansible

Dalam mulai cepat ini, Anda akan membuat dan mengambil rahasia dari Azure key vault dengan Ansible.

Penting

Ansible 2.9 (atau lebih baru) diperlukan untuk menjalankan sampel playbook dalam artikel ini.

Dalam artikel ini, Anda akan mempelajari cara:

  • Buat instans Azure Key Vault
  • Buat penyimpanan rahasia di Azure key vault
  • Dapatkan rahasia dari Azure Key Vault

Prasyarat

  • Langganan Azure: Jika Anda tidak memiliki langganan Azure, buat akun gratis sebelum memulai.
  • Perwakilan layanan Azure: Buat perwakilan layanan, catat nilai-nilai berikut: appId, displayName, kata sandi, dan penyewa.

Membuat brankas kunci Azure

Ansible membutuhkan grup sumber daya untuk menyebarkan sumber daya Anda.

  1. Buat playbook Ansible bernama create_kv.yml tambahkan tugas berikut untuk membuat grup sumber daya:

    ---
    - name: Create Azure key vault
      hosts: localhost
      connection: local
      tasks:
    
      - name: Create resource group
        azure_rm_resourcegroup:
          name: ansible-kv-test-rg
          location: eastus
    
  2. Tentukan variabel yang diperlukan untuk ID penyewa, ID objek perwakilan layanan, dan nama vault.

    ---
    vars:
      tenant_id: <tenantId>
      object_id: <servicePrincipalObjectId>
      vault_name: <vaultName>
    

    Ganti <tenantId>, <servicePrincipalObjectId> dan <vaultName> dengan nilai yang sesuai. ObjectId digunakan untuk memberikan akses ke rahasia di dalam key vault.

    Poin kunci:

    • Nama Azure key vault harus unik secara global. key vault dan kunci/rahasia di dalamnya diakses melalui https://{vault-name}.vault.azure.net URI.
  3. Konfigurasikan instans Azure key vault dengan menambahkan tugas create_kv.yml.

    ---
    - name: Create key vault instance
      azure_rm_keyvault:
        resource_group: ansible-kv-test-rg
        vault_name: "{{ vault_name }}"
        enabled_for_deployment: yes
        vault_tenant: "{{ tenant_id }}"
        sku:
          name: standard
        access_policies:
          - tenant_id: "{{ tenant_id }}"
            object_id: "{{ object_id }}"
            secrets:
              - get
              - list
              - set
              - delete
    
  4. Jalankan playbook create_kv.yml.

    ansible-playbook create_kv.yml
    
    PLAY [localhost] *******************************************************************************************************
    
    TASK [Gathering Facts] *************************************************************************************************
    ok: [localhost]
    
    TASK [Create resource group] *******************************************************************************************
    ok: [localhost]
    
    TASK [Create key vault instance] ************************************************************************************
    ok: [localhost]
    
    PLAY RECAP *************************************************************************************************************
    localhost                  : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
    

Selesaikan pembuatan playbook Azure key vault

Bagian ini mencantumkan seluruh sampel playbook Ansible untuk membuat Azure key vault.

- hosts: localhost
  connection: local

  vars:
    tenant_id: <tenantId>
    object_id: <servicePrincipalObjectId>
    vault_name: <vaultName>

  tasks:
  - name: Create resource group 
    azure_rm_resourcegroup:
      name: ansible-kv-test-rg
      location: eastus

  - name: Create instance of Key Vault
    azure_rm_keyvault:
      resource_group: ansible-kv-test-rg
      vault_name: "{{ vault_name }}"
      enabled_for_deployment: yes
      vault_tenant: "{{ tenant_id }}"
      sku:
        name: standard
      access_policies:
        - tenant_id: "{{ tenant_id }}"
          object_id: "{{ object_id }}"
          secrets:
            - get
            - list
            - set
            - delete

Menyimpan rahasia di key vault

Sebelum rahasia dapat dibuat, Anda akan memerlukan keyvault URI.

  1. Buat playbook lain bernama create_kv_secret.yml. Salin kode berikut ke dalam playbook:

    ---
    - hosts: localhost
      connection: local
    
      tasks:
    
      - name: Get Key Vault by name
        azure_rm_keyvault_info:
          resource_group: ansible-kv-test-rg
          name: <vaultName>
        register: keyvault
    
      - name: set KeyVault uri fact
        set_fact: keyvaulturi="{{ keyvault['keyvaults'][0]['vault_uri'] }}"
    
      - name: Create a secret
        azure_rm_keyvaultsecret:
          secret_name: adminPassword
          secret_value: <secretValue>
          keyvault_uri: "{{ keyvaulturi }}"
    

    Ganti <vaultName> dengan nama key vault Anda dan <secretValue> dengan nilai untuk rahasia.

    Poin kunci:

    • Modul azure_rm_keyvault_info dan set_facts mendaftarkan URI key vault sebagai variabel. Variabel itu kemudian diteruskan ke modul azure_rm_keyvaultsecret untuk membuat rahasia.
  2. Jalankan playbook create_kv_secret.yml.

    ansible-playbook create_kv_secret.yml
    
    PLAY [localhost] *******************************************************************************************************
    
    TASK [Gathering Facts] *************************************************************************************************
    ok: [localhost]
    
    TASK [Get Key Vault by name] *******************************************************************************************
    ok: [localhost]
    
    TASK [set KeyVault uri fact] *******************************************************************************************
    ok: [localhost]
    
    TASK [Create a secret] *************************************************************************************************
    ok: [localhost]
    
    PLAY RECAP *************************************************************************************************************
    localhost                  : ok=4    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
    

Dapatkan rahasia dari key vault

Rahasia yang disimpan di Azure key vault dapat digunakan untuk mengisi variabel Ansible.

  1. Buat playbook baru yang bernama get_kv_secrets.yml untuk mengambil rahasia key vault dengan Ansible.

    Ansible 2.9 dengan azure_preview_modules

    ---
    - hosts: localhost
      connection: local
      roles: 
        -  { role: azure.azure_preview_modules }
    
      vars:
        tenant_id: <tenantId>
        vault_name: <vaultName>
        secret_name: adminPassword
        client_id: <servicePrincipalApplicationId>
        client_secret: <servicePrincipalSecret>
    
      tasks:
      - name: Get Key Vault by name
        azure_rm_keyvault_info:
          resource_group: ansible-kv-test-rg
          name: "{{ vault_name }}"
        register: keyvault
    
      - name: Set key vault URI fact
        set_fact: keyvaulturi="{{ keyvault['keyvaults'][0]['vault_uri'] }}"
    
      - name: Set key vault secret fact
        set_fact: secretValue={{ lookup('azure_keyvault_secret',secret_name,vault_url=keyvaulturi, client_id=client_id, secret=client_secret, tenant_id=tenant_id) }}
    
      - name: Output key vault secret
        debug:
          msg: "{{ secretValue }}"
    

    Ganti <tenantId>, <vaultName>, <servicePrincipalApplicationId>, dan <servicePrincipalSecret> dengan nilai yang sesuai.

    Untuk mempelajari lebih lanjut tentang azure_preview_modules, lihat halaman Ansible Galaxy.

    Ansible 2.10 dengan azure.azcollection

    ---
    - hosts: localhost
      connection: local
      collections:
        - azure.azcollection
    
      vars:
        vault_name: ansible-kv-test-01
        secret_name: adminPassword
    
      tasks:
    
      - name: Get Key Vault by name
        azure_rm_keyvault_info:
          resource_group: ansible-kv-test-rg
          name: "{{ vault_name }}"
        register: keyvault
    
      - name: Set key vault URI fact
        set_fact: keyvaulturi="{{ keyvault['keyvaults'][0]['vault_uri'] }}"
    
      - name: Get secret value
        azure_rm_keyvaultsecret_info:
          vault_uri: "{{ keyvaulturi }}"
          name: "{{ secret_name }}"
        register: kvSecret
    
      - name: set secret fact
        set_fact: secretValue="{{ kvSecret['secrets'][0]['secret'] }}"
    
      - name: Output key vault secret
        debug: 
          msg="{{ secretValue }}"
    

    Ganti <vaultName> dengan nilai yang sesuai.

    Untuk mempelajari tentang azcollection, lihat Ansible collection for Azure.

  2. Jalankan playbook get-secret-value.yml.

    ansible-playbook get-secret-value.yml
    
    TASK [Output key vault secret] *************************************************
    ok: [localhost] => {
        "msg": "<plainTextPassword>"
    }
    

    Konfirmasikan output yang diganti <plainTextPassword> adalah nilai teks biasa dari rahasia yang sebelumnya dibuat di Azure key vault.

Selesaikan sampel playbook Ansible

Bagian ini mencantumkan seluruh sampel playbook Ansible untuk mengonfigurasi VM Windows Azure menggunakan rahasia key vault.

---
- name: Create Azure VM
  hosts: localhost
  connection: local
  gather_facts: false
  collections:
    - azure.azcollection

  vars:
    vault_uri: <key_vault_uri>
    secret_name: <key_vault_secret_name>

  tasks:

  - name: Get latest version of a secret
    azure_rm_keyvaultsecret_info:
      vault_uri: "{{ vault_uri }}"
      name: "{{ secret_name }}"
    register: kvSecret

  - name: Set secret fact
    set_fact: secret_value="{{ kvSecret['secrets'][0]['secret'] }}"

  - name: Create resource group
    azure_rm_resourcegroup:
      name: myResourceGroup
      location: eastus

  - name: Create virtual network
    azure_rm_virtualnetwork:
      resource_group: myResourceGroup
      name: vNet
      address_prefixes: "10.0.0.0/16"

  - name: Add subnet
    azure_rm_subnet:
      resource_group: myResourceGroup
      name: subnet
      address_prefix: "10.0.1.0/24"
      virtual_network: vNet

  - name: Create public IP address
    azure_rm_publicipaddress:
      resource_group: myResourceGroup
      allocation_method: Static
      name: pip
    register: output_ip_address

  - name: Output public IP
    debug:
      msg: "The public IP is {{ output_ip_address.state.ip_address }}"
  
  - name: Create Network Security Group
    azure_rm_securitygroup:
      resource_group: myResourceGroup
      name: networkSecurityGroup
      rules:
        - name: 'allow_rdp'
          protocol: Tcp
          destination_port_range: 3389
          access: Allow
          priority: 1001
          direction: Inbound

  - name: Create a network interface
    azure_rm_networkinterface:
      name: nic
      resource_group: myResourceGroup
      virtual_network: vNet
      subnet_name: subnet
      security_group: networkSecurityGroup
      ip_configurations:
        - name: default
          public_ip_address_name: pip
          primary: True

  - name: Create VM
    azure_rm_virtualmachine:
      resource_group: myResourceGroup
      name: win-vm
      vm_size: Standard_DS1_v2
      admin_username: azureuser
      admin_password: "{{ secret_value }}"
      network_interfaces: nic
      os_type: Windows
      image:
          offer: WindowsServer
          publisher: MicrosoftWindowsServer
          sku: 2019-Datacenter
          version: latest
    no_log: true

Ganti <key_vault_uri> dan <key_vault_secret_name> dengan nilai yang sesuai.

Membersihkan sumber daya

  1. Simpan kode berikut sebagai delete_rg.yml.

    ---
    - hosts: localhost
      tasks:
        - name: Deleting resource group - "{{ name }}"
          azure_rm_resourcegroup:
            name: "{{ name }}"
            state: absent
          register: rg
        - debug:
            var: rg
    
  2. Jalankan playbook menggunakan perintah ansible-playbook. Ganti tempat penampung dengan nama grup sumber daya yang akan dihapus. Semua sumber daya dalam grup sumber daya akan dihapus.

    ansible-playbook delete_rg.yml --extra-vars "name=<resource_group>"
    

    Poin utama:

    • Karena variabel register dan bagian debug dari playbook, hasilnya akan ditampilkan ketika perintah selesai.

Langkah berikutnya