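# Rotate the Cosmos DB account keys and re-point the Function App at the new
# values through Key Vault references.
#
# Rotation order, applied first to the read-write pair and then to the
# read-only pair:
#   1. regenerate the key the app is NOT currently referencing (secondary),
#      store it in Key Vault and switch the app setting to that secret version;
#   2. regenerate the other key (primary), store it and switch the app back.
# After a successful run the app references the freshly generated primary key;
# the secondary key is only used transitionally.
#
# NOTE(review): step 2 regenerates the primary key immediately after step 1
# switched the app to the secondary. If the Function App has not yet resolved
# the new Key Vault reference at that point it will keep using the
# just-invalidated primary key until the reference refreshes. Measure the
# propagation time in this environment and add a delay or readiness check
# between the steps if needed.
name: Regenerate Secrets

on:
  schedule:
    - cron: "0 0 * * *"
  # Allow an on-demand run, e.g. emergency rotation after a suspected key leak.
  workflow_dispatch:

# Nothing here uses GITHUB_TOKEN (all calls authenticate against Azure), so
# drop the default token permissions entirely.
permissions: {}

# Never let two rotations overlap: a concurrent run could regenerate the key
# the other run is about to switch the app to. Do not cancel a running
# rotation either, as that could leave the app pointing at a stale key.
concurrency:
  group: regenerate-secrets
  cancel-in-progress: false

env:
  COSMOSDB_NAME: qatranslator-je-cosmosdb
  FUNCTIONS_NAME: qatranslator-je-func
  RESOURCE_GROUP: qatranslator-je
  VAULT_NAME: qatranslator-je-vault

# Updating the Azure Functions application settings several times within a
# short period can leave an update unapplied even though the command reported
# success, so the job/steps are arranged to run strictly serially.
jobs:
  regenerate-secrets:
    runs-on: ubuntu-latest
    steps:
      # TODO(review): prefer OIDC federated credentials (client-id / tenant-id /
      # subscription-id inputs plus `permissions: id-token: write`) over a
      # long-lived client secret; that secret is itself a credential this
      # workflow never rotates. Requires a federated credential on the SP and
      # pinning the action to a commit SHA is also advisable.
      - name: Login Azure as Contributor
        uses: azure/login@v2
        with:
          creds: '{"clientId":"${{ vars.AZURE_AD_SP_CONTRIBUTOR_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_AD_SP_CONTRIBUTOR_CLIENT_SECRET }}","subscriptionId":"${{ vars.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ vars.AZURE_TENANT_ID }}"}'

      # Shell variables are read from the workflow-level `env:` rather than
      # interpolated with `${{ env.* }}`, so the script text never changes and
      # every value is quoted.
      - name: Regenerate Cosmos DB Secondary Key
        run: |
          set -euo pipefail
          az cosmosdb keys regenerate \
            -g "${RESOURCE_GROUP}" \
            -n "${COSMOSDB_NAME}" \
            --key-kind secondary
          key=$(az cosmosdb keys list \
            -g "${RESOURCE_GROUP}" \
            -n "${COSMOSDB_NAME}" \
            --type keys \
            --query secondaryMasterKey \
            -o tsv)
          # Fail loudly instead of storing an empty secret, and keep the key
          # out of the job log even if tracing is ever enabled.
          [ -n "${key}" ] || { echo "::error::secondaryMasterKey is empty"; exit 1; }
          echo "::add-mask::${key}"
          # Store under the single secret name the app reads; the versioned
          # secret id returned here forces the app to re-resolve the reference.
          secretUri=$(az keyvault secret set \
            --vault-name "${VAULT_NAME}" \
            -n cosmos-db-primary-key \
            --value "${key}" \
            --query id \
            -o tsv)
          # `-o none`: the default output echoes every app setting value.
          az functionapp config appsettings set \
            -g "${RESOURCE_GROUP}" \
            -n "${FUNCTIONS_NAME}" \
            --settings "COSMOSDB_KEY=@Microsoft.KeyVault(SecretUri=${secretUri})" \
            -o none

      - name: Regenerate Cosmos DB Primary Key
        run: |
          set -euo pipefail
          az cosmosdb keys regenerate \
            -g "${RESOURCE_GROUP}" \
            -n "${COSMOSDB_NAME}" \
            --key-kind primary
          key=$(az cosmosdb keys list \
            -g "${RESOURCE_GROUP}" \
            -n "${COSMOSDB_NAME}" \
            --type keys \
            --query primaryMasterKey \
            -o tsv)
          [ -n "${key}" ] || { echo "::error::primaryMasterKey is empty"; exit 1; }
          echo "::add-mask::${key}"
          secretUri=$(az keyvault secret set \
            --vault-name "${VAULT_NAME}" \
            -n cosmos-db-primary-key \
            --value "${key}" \
            --query id \
            -o tsv)
          az functionapp config appsettings set \
            -g "${RESOURCE_GROUP}" \
            -n "${FUNCTIONS_NAME}" \
            --settings "COSMOSDB_KEY=@Microsoft.KeyVault(SecretUri=${secretUri})" \
            -o none

      - name: Regenerate Cosmos DB Secondary Readonly Key
        run: |
          set -euo pipefail
          az cosmosdb keys regenerate \
            -g "${RESOURCE_GROUP}" \
            -n "${COSMOSDB_NAME}" \
            --key-kind secondaryReadonly
          key=$(az cosmosdb keys list \
            -g "${RESOURCE_GROUP}" \
            -n "${COSMOSDB_NAME}" \
            --type read-only-keys \
            --query secondaryReadonlyMasterKey \
            -o tsv)
          [ -n "${key}" ] || { echo "::error::secondaryReadonlyMasterKey is empty"; exit 1; }
          echo "::add-mask::${key}"
          secretUri=$(az keyvault secret set \
            --vault-name "${VAULT_NAME}" \
            -n cosmos-db-primary-readonly-key \
            --value "${key}" \
            --query id \
            -o tsv)
          az functionapp config appsettings set \
            -g "${RESOURCE_GROUP}" \
            -n "${FUNCTIONS_NAME}" \
            --settings "COSMOSDB_READONLY_KEY=@Microsoft.KeyVault(SecretUri=${secretUri})" \
            -o none

      - name: Regenerate Cosmos DB Primary Readonly Key
        run: |
          set -euo pipefail
          az cosmosdb keys regenerate \
            -g "${RESOURCE_GROUP}" \
            -n "${COSMOSDB_NAME}" \
            --key-kind primaryReadonly
          key=$(az cosmosdb keys list \
            -g "${RESOURCE_GROUP}" \
            -n "${COSMOSDB_NAME}" \
            --type read-only-keys \
            --query primaryReadonlyMasterKey \
            -o tsv)
          [ -n "${key}" ] || { echo "::error::primaryReadonlyMasterKey is empty"; exit 1; }
          echo "::add-mask::${key}"
          secretUri=$(az keyvault secret set \
            --vault-name "${VAULT_NAME}" \
            -n cosmos-db-primary-readonly-key \
            --value "${key}" \
            --query id \
            -o tsv)
          az functionapp config appsettings set \
            -g "${RESOURCE_GROUP}" \
            -n "${FUNCTIONS_NAME}" \
            --settings "COSMOSDB_READONLY_KEY=@Microsoft.KeyVault(SecretUri=${secretUri})" \
            -o none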