SCouto

Reputation: 7928

Is it possible to overwrite or create a new version of a secret through ansible in azure?

I need to deploy my secrets in Azure's keyvault through ansible.

If the secret is a new one (i.e. it didn't exist before) it works perfectly: the secret is created properly.

The problem comes when I need to update the secret: it is never overwritten. I tried to delete it and create it again, but that is not working either, since it performs a soft delete, so it can't be created again with the same name.

Here is what I tried so far:

Secret creation (working fine the first time but not overwriting it)

```yaml
- name: "Create endpoint secret."
  azure_rm_keyvaultsecret:
    secret_name: mysecret
    secret_value: "desiredvalue"
    keyvault_uri: "https://{{ AZURE_KV_NAME }}.vault.azure.net/"
    tags:
      environment: "{{ ENV }}"
      role: "endpointsecret"
```

Here is how I try to delete it first and then create it again:

```yaml
- name: "Delete endpoint secret."
  azure_rm_keyvaultsecret:
    secret_name: mysecret
    keyvault_uri: "https://{{ AZURE_KV_NAME }}.vault.azure.net/"
    state: "absent"

- name: "Create endpoint secret."
  azure_rm_keyvaultsecret:
    secret_name: mysecret
    secret_value: "desiredvalue"
    keyvault_uri: "https://{{ AZURE_KV_NAME }}.vault.azure.net/"
    tags:
      environment: "{{ ENV }}"
      role: "endpointsecret"
```

When trying this, the error is:

```
Secret mysecret is currently being deleted and cannot be re-created; retry later
```

**Secret creation with state: present (it's not creating a new version either)**

```yaml
- name: "Create endpoint secret."
  azure_rm_keyvaultsecret:
    secret_name: mysecret
    secret_value: "desiredvalue"
    keyvault_uri: "https://{{ AZURE_KV_NAME }}.vault.azure.net/"
    state: "present"
    tags:
      environment: "{{ ENV }}"
      role: "endpointsecret"
```

Any idea how to overwrite (create a new version of) a secret, or at least perform a hard delete?

Upvotes: 3

Views: 520

Answers (1)

SCouto

Reputation: 7928

I found no way other than to deploy it through ARM:

```yaml
- name: "Create ingestion keyvault secrets."
  azure_rm_deployment:
    state: present
    resource_group_name: "{{ AZURE_RG_NAME }}"
    location: "{{ AZURE_RG_LOCATION }}"
    template:
      $schema: "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
      contentVersion: "1.0.0.0"
      parameters: {}   # empty objects rather than null, so the template stays valid JSON
      variables: {}
      resources:
        - apiVersion: "2018-02-14"
          type: "Microsoft.KeyVault/vaults/secrets"
          name: "{{ AZURE_KV_NAME }}/{{ item.name }}"   # "<vault>/<secret>" for a child resource
          properties:
            value: "{{ item.secret }}"   # a PUT with a new value creates a new secret version
            contentType: "string"
  loop: "{{ SECRETLIST }}"
  register: publish_secrets
  async: 300  # Maximum runtime in seconds.
  poll: 0  # Fire and continue (never poll)

- name: Wait for the secret deployment task to finish
  async_status:
    jid: "{{ publish_secrets_item.ansible_job_id }}"
  loop: "{{ publish_secrets.results }}"   # one async job per SECRETLIST entry
  loop_control:
    loop_var: "publish_secrets_item"
  register: jobs_publish_secrets
  until: jobs_publish_secrets.finished
  retries: 5   # retries * delay is the longest wait before the task fails
  delay: 2
```

And then, in another file, SECRETLIST is declared as a variable:

```yaml
SECRETLIST:
  - name: mysecret
    secret: "secretvalue"
  - name: othersecret
    secret: "secretvalue2"
```

Hope this helps anyone with a similar problem.

Upvotes: 1
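An added example, not part of the question or the answer above, showing the same outcome (a new secret version, and a hard delete when one is really needed) through the Azure CLI called from Ansible instead of an inline ARM template. `az keyvault secret set` always writes a new version of an existing secret, and `az keyvault secret purge` removes a soft-deleted secret permanently (it needs the `purge` secret permission on the vault and is refused when purge protection is enabled). Keeping the value out of the template also matters because the ARM deployment history keeps the submitted template, inline secret values included, readable by anyone who can read deployments in the resource group. Assumptions: the `az` CLI is installed and logged in on the controller, `AZURE_KV_NAME` is defined as in the question, and `endpoint_secret_value` is a variable supplied from a vault file or the environment.

```yaml
# Added example (not from the question or answer). Assumes: `az` is installed and
# logged in on the controller, AZURE_KV_NAME is defined, and the identity running
# the play has "set" (and, for the last task, "purge") secret permissions.

- name: "Set endpoint secret (creates a new version when the secret already exists)."
  command: >
    az keyvault secret set
    --vault-name {{ AZURE_KV_NAME }}
    --name mysecret
    --value {{ endpoint_secret_value | quote }}
    --output json
  register: set_result
  changed_when: true   # every call writes a new version, so report it as a change
  no_log: true         # keep the value out of the play output and log

- name: "Show the id of the version that was just created."
  debug:
    # the id is the versioned URL of the secret, not the value itself
    msg: "new version: {{ (set_result.stdout | from_json).id }}"

# Only needed if a secret must really disappear (and the vault has no purge protection).
# The secret must already be soft-deleted; otherwise `set` above is all that is required.
- name: "Purge soft-deleted endpoint secret (hard delete)."
  command: >
    az keyvault secret purge
    --vault-name {{ AZURE_KV_NAME }}
    --name mysecret
  when: purge_endpoint_secret | default(false) | bool   # opt-in flag, assumed name
```

Setting a new version instead of deleting and recreating also keeps earlier versions available to clients that pinned a version URL, which the soft-delete path in the question loses.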

Related Questions