Skip to main content

Ansible Azure Storage table


Client gave us controlled Azure Subscriptions where we are not able to create anything manually using Azure portal. Client’s Dev team has setup Ansible and some roles to work with Azure Resources (e.g. there are roles to create logic apps, storage account, service bus, azure function etc.). In order to create/modify any resource in Azure, we have to use pre-defined Ansible roles.

Development team has a requirement to use Azure Storage Table in the code. There is no role available in client’s Ansible Role repository to create storage account.

REST API Approach

To create storage table, there are REST APIs, which we can use, but problem with REST API is that we need to have Authorization Header in the request, and in order to get the authorization header, we need to authenticate using Storage Account connection string. Since we have controlled environments, storage account connection strings (which are stored in Key Vault as Secrets) are not accessible to everyone and we cannot use the sensitive information like Key in the code.
Even after creating the Authorization for REST APIs, we were getting the following error while making a REST API call to create Azure storage table:
"msg": "Status code was 403 and not [200]: HTTP Error 403: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature."
Official documentation about REST API for Storage Table

Ansible Approach

Ansible has predefined modules for Azure available to work with Azure resources e.g. in our case, we used TableService. We created a python module, which creates the Azure Storage table for us using Table Services.
Reference: https://github.com/rgl/azure-content/blob/master/articles/storage/storage-python-how-to-use-table-storage.md  

Following is the code snippet for the module
from azure.storage.table import TableService

def create_azure_table_using_symmetric_key(data):

    account_key = data['account_key']
    account_name = data['account_name']
    table_name = data['table_name']

    table_service = TableService(account_name, account_key)
    table_service.create_table(table_name)

    return False, {'status': True }

def main():
    module = AnsibleModule(
        argument_spec=dict(
            account_key=dict(required=True, type='str'),
            account_name=dict(required=True, type='str'),
            table_name=dict(required=True, type='str'),
        )
    )

    is_error, result = create_azure_table_using_symmetric_key(module.params)

    if not is_error:
        module.exit_json(changed=False, meta=result)
    else:
        module.fail_json(msg="Error creating Azure Storage Table", meta=result)


Following is the playbook we used in Ansible:
- name: Get Storage Account Key to enable SAS token generation
  include_role:
    name: ansible-role-azure-keyvault-secrets
  vars:
    azure_keyvault_secrets:
    - name: "{{ azure_storage_acc_key_secretname }}"

- name: Create Azure Storage Table
  create_table:
    account_key: "{{ kvsecrets[azure_storage_acc_key_secretname] }}"
    account_name: "{{ azure_storage_acc_name }}"
    table_name: "{{ azure_storage_table_name }}"

here we are fetching a secret from KeyVault using another Ansible role and calling create_table module created above.

Labels:

Comments

Post a Comment

Popular posts from this blog

What is release, and what is a deployment?

T o understand the concepts and the technical implementation in many tools, you need to know how tool vendors define the difference between a release and a deployment. A  release  is a package or container containing a versioned set of artifacts specified in a release pipeline in your CI/CD process. It also includes a snapshot of all the information required to carry out all the tasks and activities in a release pipeline, such as: The stages or environments. The tasks for each one. The values of task parameters and variables. The release policies such as triggers, approvers, and release queuing options. On the other hand,  Deployment  is the action of running the tasks for one stage, which results in a tested and deployed application and other activities specified for that stage. Starting a release starts each deployment based on the settings and policies defined in the original release pipeline. There can be multiple deployments of each release, even for one stage. ...
Post a Comment
Read more

PowerShell: Get Actual Error

I was having hard time to find the reason why I was not able to find a custom method in a .Net DLL. Find your Assembly: PS C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts > [appdomain]::currentdomain . getassemblies() | Where - Object FullName - Match "MyAssembly" GAC Version Location --- ------- -------- False v4 . 0.30319 C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts\Tools\MyAssembly . dll PS C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts & gt; $ a = [appdomain]::currentdomain . getassemblies() | Where - Object FullName - Match "MyAssembly" PS C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts & gt; $ a GAC Version Location --- ------- -------- False v4 . 0.30319 C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts\Tools\MyAssembly . dll When I was trying to get the Types in the assembly, I was getting the exception: PS C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts > ...
Post a Comment
Read more

Considerations for deployment to stages

When you have a clear view of the different stages you'll deploy, you need to think about when you want to deploy to these stages.  Continuous Delivery is about deploying multiple times a day and can deploy on-demand. When we define our cadence, questions that we should ask ourselves are: Do we want to deploy our application? Do we want to deploy multiple times a day? Can we deploy to a stage? Is it used? A typical scenario we often see is continuous deployment during the development stage. Every new change ends up there once it's completed and builds. Deploying to the next phase doesn't always occur multiple times but only at night. When designing your release strategy, choose your triggers carefully and consider the required release cadence. Some things we need to take into consideration are: What is your target environment? Does one team use it, or do multiple teams use it? If a single team uses it, you can deploy it frequently. Otherwise, it would be best if you were a ...
Post a Comment
Read more