Skip to main content

Ansible Azure Storage table


Client gave us controlled Azure Subscriptions where we are not able to create anything manually using Azure portal. Client’s Dev team has setup Ansible and some roles to work with Azure Resources (e.g. there are roles to create logic apps, storage account, service bus, azure function etc.). In order to create/modify any resource in Azure, we have to use pre-defined Ansible roles.

Development team has a requirement to use Azure Storage Table in the code. There is no role available in client’s Ansible Role repository to create storage account.

REST API Approach

To create storage table, there are REST APIs, which we can use, but problem with REST API is that we need to have Authorization Header in the request, and in order to get the authorization header, we need to authenticate using Storage Account connection string. Since we have controlled environments, storage account connection strings (which are stored in Key Vault as Secrets) are not accessible to everyone and we cannot use the sensitive information like Key in the code.
Even after creating the Authorization for REST APIs, we were getting the following error while making a REST API call to create Azure storage table:
"msg": "Status code was 403 and not [200]: HTTP Error 403: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature."
Official documentation about REST API for Storage Table

Ansible Approach

Ansible has predefined modules for Azure available to work with Azure resources e.g. in our case, we used TableService. We created a python module, which creates the Azure Storage table for us using Table Services.
Reference: https://github.com/rgl/azure-content/blob/master/articles/storage/storage-python-how-to-use-table-storage.md  

Following is the code snippet for the module
from azure.storage.table import TableService

def create_azure_table_using_symmetric_key(data):

    account_key = data['account_key']
    account_name = data['account_name']
    table_name = data['table_name']

    table_service = TableService(account_name, account_key)
    table_service.create_table(table_name)

    return False, {'status': True }

def main():
    module = AnsibleModule(
        argument_spec=dict(
            account_key=dict(required=True, type='str'),
            account_name=dict(required=True, type='str'),
            table_name=dict(required=True, type='str'),
        )
    )

    is_error, result = create_azure_table_using_symmetric_key(module.params)

    if not is_error:
        module.exit_json(changed=False, meta=result)
    else:
        module.fail_json(msg="Error creating Azure Storage Table", meta=result)


Following is the playbook we used in Ansible:
- name: Get Storage Account Key to enable SAS token generation
  include_role:
    name: ansible-role-azure-keyvault-secrets
  vars:
    azure_keyvault_secrets:
    - name: "{{ azure_storage_acc_key_secretname }}"

- name: Create Azure Storage Table
  create_table:
    account_key: "{{ kvsecrets[azure_storage_acc_key_secretname] }}"
    account_name: "{{ azure_storage_acc_name }}"
    table_name: "{{ azure_storage_table_name }}"

here we are fetching a secret from KeyVault using another Ansible role and calling create_table module created above.

Labels:

Comments

Post a Comment

Popular posts from this blog

PowerShell: Get Actual Error

I was having hard time to find the reason why I was not able to find a custom method in a .Net DLL. Find your Assembly: PS C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts > [appdomain]::currentdomain . getassemblies() | Where - Object FullName - Match "MyAssembly" GAC Version Location --- ------- -------- False v4 . 0.30319 C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts\Tools\MyAssembly . dll PS C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts & gt; $ a = [appdomain]::currentdomain . getassemblies() | Where - Object FullName - Match "MyAssembly" PS C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts & gt; $ a GAC Version Location --- ------- -------- False v4 . 0.30319 C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts\Tools\MyAssembly . dll When I was trying to get the Types in the assembly, I was getting the exception: PS C:\vstsagent\A1\_work\r1\a\_DevOps_CI\Scripts > ...
Post a Comment
Read more

What is release, and what is a deployment?

T o understand the concepts and the technical implementation in many tools, you need to know how tool vendors define the difference between a release and a deployment. A  release  is a package or container containing a versioned set of artifacts specified in a release pipeline in your CI/CD process. It also includes a snapshot of all the information required to carry out all the tasks and activities in a release pipeline, such as: The stages or environments. The tasks for each one. The values of task parameters and variables. The release policies such as triggers, approvers, and release queuing options. On the other hand,  Deployment  is the action of running the tasks for one stage, which results in a tested and deployed application and other activities specified for that stage. Starting a release starts each deployment based on the settings and policies defined in the original release pipeline. There can be multiple deployments of each release, even for one stage. ...
Post a Comment
Read more

Release approvals

Continuous Delivery is all about delivering on-demand.  But, as we discussed in the differences between release and deployment, delivery, or deployment, it's only the technical part of the Continuous Delivery process.  It's all about how you can technically install the software on an environment, but it doesn't say anything about the process that needs to be in place for a release. Release approvals don't control  how  but control  if  you want to deliver multiple times a day. Manual approvals also suit a significant need. Organizations that start with Continuous Delivery often lack a certain amount of trust. They don't dare to release without manual approval. After a while, when they find that the approval doesn't add value and the release always succeeds, the manual approval is often replaced by an automatic check. Things to consider when you're setting up a release approval are: What do we want to achieve with the approval? Is it an approval that we need...
Post a Comment
Read more