Regenerate Secrets #503
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Regenerate Secrets | |
on: | |
schedule: | |
- cron: "0 0 * * *" | |
env: | |
COSMOSDB_NAME: qatranslator-je-cosmosdb | |
FUNCTIONS_NAME: qatranslator-je-func | |
RESOURCE_GROUP: qatranslator-je | |
VAULT_NAME: qatranslator-je-vault | |
# 短期間でAzure Functionsのアプリケーション設定を複数回更新すると、正常終了したのにも関わらず更新しない場合があるため | |
# 直列的に実行するようにJob/Stepを構成する | |
jobs: | |
regenerate-secrets: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Login Azure as Contributor | |
uses: azure/login@v2 | |
with: | |
creds: '{"clientId":"${{ vars.AZURE_AD_SP_CONTRIBUTOR_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_AD_SP_CONTRIBUTOR_CLIENT_SECRET }}","subscriptionId":"${{ vars.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ vars.AZURE_TENANT_ID }}"}' | |
- name: Regenerate Cosmos DB Secondary Key | |
run: | | |
az cosmosdb keys regenerate \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--key-kind secondary | |
regeneratedSecondaryKey=$( \ | |
az cosmosdb keys list \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--type keys \ | |
--query secondaryMasterKey \ | |
-o tsv \ | |
) | |
secretUri=$( \ | |
az keyvault secret set \ | |
--vault-name ${{ env.VAULT_NAME }} \ | |
-n cosmos-db-primary-key \ | |
--value ${regeneratedSecondaryKey} \ | |
--query id \ | |
-o tsv | |
) | |
az functionapp config appsettings set \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.FUNCTIONS_NAME }} \ | |
--settings "COSMOSDB_KEY=@Microsoft.KeyVault(SecretUri=${secretUri})" | |
- name: Regenerate Cosmos DB Primary Key | |
run: | | |
az cosmosdb keys regenerate \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--key-kind primary | |
regeneratedPrimaryKey=$( \ | |
az cosmosdb keys list \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--type keys \ | |
--query primaryMasterKey \ | |
-o tsv \ | |
) | |
secretUri=$( \ | |
az keyvault secret set \ | |
--vault-name ${{ env.VAULT_NAME }} \ | |
-n cosmos-db-primary-key \ | |
--value ${regeneratedPrimaryKey} \ | |
--query id \ | |
-o tsv | |
) | |
az functionapp config appsettings set \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.FUNCTIONS_NAME }} \ | |
--settings "COSMOSDB_KEY=@Microsoft.KeyVault(SecretUri=${secretUri})" | |
- name: Regenerate Cosmos DB Secondary Readonly Key | |
run: | | |
az cosmosdb keys regenerate \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--key-kind secondaryReadonly | |
regeneratedSecondaryReadonlyKey=$( \ | |
az cosmosdb keys list \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--type read-only-keys \ | |
--query secondaryReadonlyMasterKey \ | |
-o tsv \ | |
) | |
secretUri=$( \ | |
az keyvault secret set \ | |
--vault-name ${{ env.VAULT_NAME }} \ | |
-n cosmos-db-primary-readonly-key \ | |
--value ${regeneratedSecondaryReadonlyKey} \ | |
--query id \ | |
-o tsv | |
) | |
az functionapp config appsettings set \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.FUNCTIONS_NAME }} \ | |
--settings "COSMOSDB_READONLY_KEY=@Microsoft.KeyVault(SecretUri=${secretUri})" | |
- name: Regenerate Cosmos DB Primary Readonly Key | |
run: | | |
az cosmosdb keys regenerate \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--key-kind primaryReadonly | |
regeneratedPrimaryReadonlyKey=$( \ | |
az cosmosdb keys list \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--type read-only-keys \ | |
--query primaryReadonlyMasterKey \ | |
-o tsv \ | |
) | |
secretUri=$( \ | |
az keyvault secret set \ | |
--vault-name ${{ env.VAULT_NAME }} \ | |
-n cosmos-db-primary-readonly-key \ | |
--value ${regeneratedPrimaryReadonlyKey} \ | |
--query id \ | |
-o tsv | |
) | |
az functionapp config appsettings set \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.FUNCTIONS_NAME }} \ | |
--settings "COSMOSDB_READONLY_KEY=@Microsoft.KeyVault(SecretUri=${secretUri})" |