Automatically deploy both ends of a VPN tunnel using Ansible and Azure KeyVault. At one end it deploys an Azure Virtual Network Gateway, and at the other it configures an ASA 5506 firewall.
The Azure DevOps Pipeline runs on a self-hosted Ubuntu agent on-prem, so it can reach the ASA through its LAN interface.
To log on to Azure, Ansible uses the credentials stored in the `~/.azure/credentials` file of the user running the Azure Pipelines Agent.
The credentials file has this format:

```ini
[default]
subscription_id=xxx
client_id=xxx
secret=xxx
tenant=xxx
```
The only time the service account secret is displayed is during account creation, with the command:

```sh
az ad sp create-for-rbac --name service-account-name-here
```

After the service account has been created, use this command to get a new password:

```sh
az ad sp create-for-rbac --name service-account-name --query password -o tsv
```
Once you have your service account password, you can generate the file with these commands:

```sh
mkdir ~/.azure
echo "[default]" > ~/.azure/credentials
echo "subscription_id=$(az account show --query '{subscriptionid:id}' -o tsv)" >> ~/.azure/credentials
echo "client_id=$(az ad sp list --display-name ansible-service-name-here --query '{clientId:[0].appId}' -o tsv)" >> ~/.azure/credentials
echo "secret=service-principal-password-here" >> ~/.azure/credentials
echo "tenant=$(az account show --query '{tenantId:tenantId}' -o tsv)" >> ~/.azure/credentials
```
To avoid hard-coding usernames, passwords or the VPN shared key, the playbook retrieves these secrets from an Azure KeyVault. The KeyVault used in the project also restricts access to one public IP and grants one user read-only access and another full access.
You can use the button below to deploy a KeyVault with the same properties as the one the playbook uses. The KeyVault deployment process requires the object ID (objectId) of each user.
To get the objectId of the read-only service principal, run this command:

```sh
az ad sp list --display-name ansible-service-name-here | grep objectId
```

To get the objectId of the admin user, run this command:

```sh
az ad user list --upn admin-user@your-domain-here_com | grep objectId
```

To get the public IP of the server running the Azure Pipelines Agent, run this command:

```sh
dig +short myip.opendns.com @resolver1.opendns.com
```

You will need to update the playbook variable `keyvaulturl` with the URL of your own KeyVault.
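As an added illustration (not taken from the project's playbooks), the tasks below show how a playbook can pull the VPN shared key from the KeyVault referenced by `keyvaulturl` using the `azure.azcollection` collection, which authenticates with the same `~/.azure/credentials` file described above. The secret name `vpn-shared-key` and the fact name `vpn_shared_key` are assumptions; `no_log: true` keeps the secret out of the pipeline log.

```yaml
# Added example: fetch a secret from Azure KeyVault without logging it.
# Assumes the azure.azcollection collection is installed and that
# ~/.azure/credentials holds the service principal described above.
- name: Retrieve the VPN shared key from Azure KeyVault
  azure.azcollection.azure_rm_keyvaultsecret_info:
    keyvault_uri: "{{ keyvaulturl }}"   # playbook variable from this README
    name: vpn-shared-key                 # assumed secret name in the vault
  register: vpn_secret
  no_log: true                           # never print the secret value

- name: Fail early if the secret is missing or ambiguous
  ansible.builtin.assert:
    that:
      - vpn_secret.secrets | length == 1
    fail_msg: "Secret vpn-shared-key not found in {{ keyvaulturl }}"
    quiet: true

- name: Expose the secret to later tasks as a fact
  ansible.builtin.set_fact:
    vpn_shared_key: "{{ vpn_secret.secrets[0].secret }}"
  no_log: true
```

Any later task that uses `vpn_shared_key` (for example the ASA configuration step) should also carry `no_log: true`, since the value would otherwise appear in the rendered task arguments.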
The repository includes a playbook vpnrm.yml to undo all the changes made to the firewall and delete the Azure Resource Group, Virtual Network Gateway, and all other resources the project created.
This blog post explains in detail some aspects of the playbooks, including how to set up the self-hosted Azure Pipelines agent.
I have also posted a video that shows the deployment of the KeyVault and execution of the playbooks.
😃