Skip to main content

Ansible Azure Storage table


Client gave us controlled Azure Subscriptions where we are not able to create anything manually using Azure portal. Client’s Dev team has setup Ansible and some roles to work with Azure Resources (e.g. there are roles to create logic apps, storage account, service bus, azure function etc.). In order to create/modify any resource in Azure, we have to use pre-defined Ansible roles.

Development team has a requirement to use Azure Storage Table in the code. There is no role available in client’s Ansible Role repository to create storage account.

REST API Approach

To create storage table, there are REST APIs, which we can use, but problem with REST API is that we need to have Authorization Header in the request, and in order to get the authorization header, we need to authenticate using Storage Account connection string. Since we have controlled environments, storage account connection strings (which are stored in Key Vault as Secrets) are not accessible to everyone and we cannot use the sensitive information like Key in the code.
Even after creating the Authorization for REST APIs, we were getting the following error while making a REST API call to create Azure storage table:
"msg": "Status code was 403 and not [200]: HTTP Error 403: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature."
Official documentation about REST API for Storage Table

Ansible Approach

Ansible has predefined modules for Azure available to work with Azure resources e.g. in our case, we used TableService. We created a python module, which creates the Azure Storage table for us using Table Services.
Reference: https://github.com/rgl/azure-content/blob/master/articles/storage/storage-python-how-to-use-table-storage.md  

Following is the code snippet for the module
from azure.storage.table import TableService

def create_azure_table_using_symmetric_key(data):

    account_key = data['account_key']
    account_name = data['account_name']
    table_name = data['table_name']

    table_service = TableService(account_name, account_key)
    table_service.create_table(table_name)

    return False, {'status': True }

def main():
    module = AnsibleModule(
        argument_spec=dict(
            account_key=dict(required=True, type='str'),
            account_name=dict(required=True, type='str'),
            table_name=dict(required=True, type='str'),
        )
    )

    is_error, result = create_azure_table_using_symmetric_key(module.params)

    if not is_error:
        module.exit_json(changed=False, meta=result)
    else:
        module.fail_json(msg="Error creating Azure Storage Table", meta=result)


Following is the playbook we used in Ansible:
- name: Get Storage Account Key to enable SAS token generation
  include_role:
    name: ansible-role-azure-keyvault-secrets
  vars:
    azure_keyvault_secrets:
    - name: "{{ azure_storage_acc_key_secretname }}"

- name: Create Azure Storage Table
  create_table:
    account_key: "{{ kvsecrets[azure_storage_acc_key_secretname] }}"
    account_name: "{{ azure_storage_acc_name }}"
    table_name: "{{ azure_storage_table_name }}"

here we are fetching a secret from KeyVault using another Ansible role and calling create_table module created above.

Labels:

Comments

Post a Comment

Popular posts from this blog

What is release, and what is a deployment?

T o understand the concepts and the technical implementation in many tools, you need to know how tool vendors define the difference between a release and a deployment. A  release  is a package or container containing a versioned set of artifacts specified in a release pipeline in your CI/CD process. It also includes a snapshot of all the information required to carry out all the tasks and activities in a release pipeline, such as: The stages or environments. The tasks for each one. The values of task parameters and variables. The release policies such as triggers, approvers, and release queuing options. On the other hand,  Deployment  is the action of running the tasks for one stage, which results in a tested and deployed application and other activities specified for that stage. Starting a release starts each deployment based on the settings and policies defined in the original release pipeline. There can be multiple deployments of each release, even for one stage. ...
Post a Comment
Read more

PowerShell: Get Actual Error

I was having hard time to find the reason why I was not able to find a custom method in a .Net DLL. Find your Assembly: PS C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts > [appdomain]::currentdomain . getassemblies() | Where - Object FullName - Match "MyAssembly" GAC Version Location --- ------- -------- False v4 . 0.30319 C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts\Tools\MyAssembly . dll PS C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts & gt; $ a = [appdomain]::currentdomain . getassemblies() | Where - Object FullName - Match "MyAssembly" PS C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts & gt; $ a GAC Version Location --- ------- -------- False v4 . 0.30319 C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts\Tools\MyAssembly . dll When I was trying to get the Types in the assembly, I was getting the exception: PS C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts > ...
Post a Comment
Read more

Enable Trace on Dynamcis 365 on premise using PowerShell

Enable trace settings through Windows PowerShell Note These changes made in Windows PowerShell do not update the Registry. These changes update the DeploymentProperties and ServerSettingsProperties tables in the MSCRM_CONFIG database. Register the cmdlets 1.      Log in to the administrator account on your Microsoft Dynamics CRM server. 2.      In a Windows PowerShell window, type the following command: Add-PSSnapin Microsoft.Crm.PowerShell To obtain a list of the current settings, type the following command: Get-CrmSetting TraceSettings Set the trace settings 1.      Type the following command: $setting = Get-CrmSetting TraceSettings 2.      Type the following command to enable tracing: $setting.Enabled=$True 3.      Type the following command to set the trace settings: Set-CrmSetting $setting 4.      Type the following command...
Post a Comment
Read more