0

I have an Azure DevOps pipeline that runs every month to renew an SSL certificate with Let's Encrypt via terraform. The certificate is saved to an Azure Key Vault with policy-enforced soft delete and purge protection. since terraform's idea of updating a certificate is NOT creating a new version of an existing Key Vault entry but rather deleting the entry and creating a new one (which it can't do for the reason stated above), the current workaround is creating a new certificate entry appended with current year and month and then downloading the certificate value to the agent as secret file and then creating a new version of the existing entry (without year and date in the name). Before creating a new entry the pipeline is supposed to delete the one created during previous run, which is done by checking the key vault for existence of an entry with a name over 12 characters long. The pipeline has run successfully before but the latest run 4 days ago gave the following error message:

ERROR: 'NoneType' object is not iterable

The azure cli task has not been updated recently and the version of the task is the same, I don't see where this has suddenly come from. Even though the task fails, it does remove the entry from the keyvault successfully.

Here is the code of the task in question

      - task: AzureCLI@2
        displayName: Delete the cert from previous run
        inputs:
          scriptType: pscore
          azureSubscription: 'Prod service connection'
          scriptLocation: inlineScript
          inlineScript: | 
            $cert_array = az keyvault certificate list --vault-name "prodVAULTNAME" --query "[?contains(name, ``DOMAINNAME``) && length(name) >=``12``].name"
            $cert_to_delete = $cert_array[1].ToString().Trim(' ') -replace '"', ''
            if ($cert_to_delete.length -gt 12) {
              az keyvault certificate delete --vault-name ${{variables.vaultname}} -n $cert_to_delete
            }

Please, before you ask me to test the script locally or anything like that, read the post to the end. Thank you!

From what I found online this looks like a python error message but can't see any relation to the azure cli task in azure devops. Any input is appreciated.

Expected result: the task runs successfully, i.e. the certificate entry in the key vault is moved to a soft-deleted state and the pipeline execution continues.

Actual result: the task seemingly fails with an error message stated above and the pipeline execution stops. The certificate entry in key vault does move to soft-deleted state though.

Evgenii Fedosov
  • 1
  • 5
  • Before attempting to iterate over $cert_array, make sure it is not None. Try this updated script and check- inlineScript: | $cert_array = az keyvault certificate list --vault-name "prodVAULTNAME" --query "[?contains(name, ``DOMAINNAME``) && length(name) >=``12``].name" if ($cert_array -ne $null) { $cert_to_delete = $cert_array[1].ToString().Trim(' ') -replace '"', '' if ($cert_to_delete.length -gt 12) { az keyvault certificate delete --vault-name ${{variables.vaultname}} -n $cert_to_delete } } – SiddheshDesai Jul 07 '23 at 13:17
  • Thanks for your suggestion. I tried that but the result is the same. Also, you may have noticed that the array is apparently not empty as the delete command actually works. – Evgenii Fedosov Jul 07 '23 at 13:41
  • Does the PowerShell script run locally and fail in the pipeline? Always test locally first. – Daniel Mann Jul 07 '23 at 15:08
  • @DanielMann the script does work, it deletes the key vault entry successfully, but the pipeline still fails ¯\_(ツ)_/¯ – Evgenii Fedosov Jul 10 '23 at 08:16
  • Can you try this code -$cert_array = az keyvault certificate list --vault-name "prodVAULTNAME" --query "[?contains(name, 'DOMAINNAME') && length(name) >= 12].name" if ($cert_array -ne $null -and $cert_array.Length -ge 2) { $cert_to_delete = $cert_array[1].ToString().Trim(' ') -replace '"', '' if ($cert_to_delete.length -gt 12) { az keyvault certificate delete --vault-name ${{variables.vaultname}} -n $cert_to_delete } } else { Write-Host "No certificates found to delete." } – SiddheshDesai Jul 10 '23 at 10:41

1 Answers1

0

I figured out the issue. Looks like the task was reiterating over both conditions after checking the first one. The resolution to this was nest the second condition within the first one:

            $cert_array = az keyvault certificate list --vault-name "prodVAULTNAME" --query "[?contains(name, ``DOMAINNAME``) && length(name) >=``12``].name" 
            if ($cert_array -ne $null) { 
              $cert_to_delete = $cert_array[1].ToString().Trim(' ') -replace '"', ''
              if ($cert_to_delete.length -gt 12) { 
                az keyvault certificate delete --vault-name ${{variables.vaultname}} -n $cert_to_delete 
              }
            }
Evgenii Fedosov
  • 1
  • 5