Regenerate Secrets #43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Regenerate Secrets | |
on: | |
schedule: | |
- cron: "0 0 * * *" | |
env: | |
COGNITIVE_NAME: qatranslator-je-cognitive | |
COSMOSDB_NAME: qatranslator-je-cosmosdb | |
FUNCTIONS_NAME: qatranslator-je-func | |
RESOURCE_GROUP: qatranslator-je | |
VAULT_NAME: qatranslator-je-vault | |
# 短期間でAzure Functionsのアプリケーション設定を複数回更新すると、正常終了したのにも関わらず更新しない場合があるため | |
# 直列的に実行するようにJob/Stepを構成する | |
jobs: | |
regenerate-secrets: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Login Azure as Contributor | |
uses: azure/login@v1 | |
with: | |
creds: '{"clientId":"${{ vars.AZURE_AD_SP_CONTRIBUTOR_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_AD_SP_CONTRIBUTOR_CLIENT_SECRET }}","subscriptionId":"${{ vars.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ vars.AZURE_TENANT_ID }}"}' | |
- name: Regenerate Cognitive Key2 | |
run: | | |
regeneratedKey2=$( \ | |
az cognitiveservices account keys regenerate \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COGNITIVE_NAME }} \ | |
--key-name key2 \ | |
--query key2 \ | |
-o tsv \ | |
) | |
secretUri=$( \ | |
az keyvault secret set \ | |
--vault-name ${{ env.VAULT_NAME }} \ | |
-n cognitive-key \ | |
--value ${regeneratedKey2} \ | |
--query id \ | |
-o tsv | |
) | |
az functionapp config appsettings set \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.FUNCTIONS_NAME }} \ | |
--settings "COGNITIVE_KEY=@Microsoft.KeyVault(SecretUri=${secretUri})" | |
- name: Regenerate Cognitive Key1 | |
run: | | |
regeneratedKey1=$( \ | |
az cognitiveservices account keys regenerate \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COGNITIVE_NAME }} \ | |
--key-name key1 \ | |
--query key1 \ | |
-o tsv \ | |
) | |
secretUri=$( \ | |
az keyvault secret set \ | |
--vault-name ${{ env.VAULT_NAME }} \ | |
-n cognitive-key \ | |
--value ${regeneratedKey1} \ | |
--query id \ | |
-o tsv | |
) | |
az functionapp config appsettings set \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.FUNCTIONS_NAME }} \ | |
--settings "COGNITIVE_KEY=@Microsoft.KeyVault(SecretUri=${secretUri})" | |
- name: Regenerate Cosmos DB Secondary Key | |
run: | | |
az cosmosdb keys regenerate \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--key-kind secondary | |
regeneratedSecondaryKey=$( \ | |
az cosmosdb keys list \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--type keys \ | |
--query secondaryMasterKey \ | |
-o tsv \ | |
) | |
secretUri=$( \ | |
az keyvault secret set \ | |
--vault-name ${{ env.VAULT_NAME }} \ | |
-n cosmos-db-primary-key \ | |
--value ${regeneratedSecondaryKey} \ | |
--query id \ | |
-o tsv | |
) | |
az functionapp config appsettings set \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.FUNCTIONS_NAME }} \ | |
--settings "COSMOSDB_KEY=@Microsoft.KeyVault(SecretUri=${secretUri})" | |
- name: Regenerate Cosmos DB Primary Key | |
run: | | |
az cosmosdb keys regenerate \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--key-kind primary | |
regeneratedPrimaryKey=$( \ | |
az cosmosdb keys list \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--type keys \ | |
--query primaryMasterKey \ | |
-o tsv \ | |
) | |
secretUri=$( \ | |
az keyvault secret set \ | |
--vault-name ${{ env.VAULT_NAME }} \ | |
-n cosmos-db-primary-key \ | |
--value ${regeneratedPrimaryKey} \ | |
--query id \ | |
-o tsv | |
) | |
az functionapp config appsettings set \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.FUNCTIONS_NAME }} \ | |
--settings "COSMOSDB_KEY=@Microsoft.KeyVault(SecretUri=${secretUri})" | |
- name: Regenerate Cosmos DB Secondary Readonly Key | |
run: | | |
az cosmosdb keys regenerate \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--key-kind secondaryReadonly | |
regeneratedSecondaryReadonlyKey=$( \ | |
az cosmosdb keys list \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--type read-only-keys \ | |
--query secondaryReadonlyMasterKey \ | |
-o tsv \ | |
) | |
secretUri=$( \ | |
az keyvault secret set \ | |
--vault-name ${{ env.VAULT_NAME }} \ | |
-n cosmos-db-primary-readonly-key \ | |
--value ${regeneratedSecondaryReadonlyKey} \ | |
--query id \ | |
-o tsv | |
) | |
az functionapp config appsettings set \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.FUNCTIONS_NAME }} \ | |
--settings "COSMOSDB_READONLY_KEY=@Microsoft.KeyVault(SecretUri=${secretUri})" | |
- name: Regenerate Cosmos DB Primary Readonly Key | |
run: | | |
az cosmosdb keys regenerate \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--key-kind primaryReadonly | |
regeneratedPrimaryReadonlyKey=$( \ | |
az cosmosdb keys list \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.COSMOSDB_NAME }} \ | |
--type read-only-keys \ | |
--query primaryReadonlyMasterKey \ | |
-o tsv \ | |
) | |
secretUri=$( \ | |
az keyvault secret set \ | |
--vault-name ${{ env.VAULT_NAME }} \ | |
-n cosmos-db-primary-readonly-key \ | |
--value ${regeneratedPrimaryReadonlyKey} \ | |
--query id \ | |
-o tsv | |
) | |
az functionapp config appsettings set \ | |
-g ${{ env.RESOURCE_GROUP }} \ | |
-n ${{ env.FUNCTIONS_NAME }} \ | |
--settings "COSMOSDB_READONLY_KEY=@Microsoft.KeyVault(SecretUri=${secretUri})" |