How to make AzureCLI@2 ignore the result of "az keyvault certificate delete"?
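In a nightly Azure pipeline I am performing the following steps:
- deploy a Key Vault via an ARM template,
- then try to delete the self-signed certificate in it,
- then import the certificate again,
- and finally deploy Service Fabric via another ARM template, using the certificate thumbprint.
Here is an excerpt of the pipeline: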
# purge the self-signed cert from the Keyvault to avoid conflict; ignore failures (DOES NOT WORK?)
- task: AzureCLI@2
  inputs:
    azureSubscription: '${{ parameters.ArmConnection }}'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    continueOnError: true
    failOnStandardError: false
    powerShellErrorActionPreference: 'silentlyContinue'
    inlineScript: |
      az keyvault certificate delete --vault-name $(KeyVaultName) --id 'https://$(KeyVaultName).vault.azure.net/certificates/my-self-signed-cert'
      az keyvault certificate purge --vault-name $(KeyVaultName) --id 'https://$(KeyVaultName).vault.azure.net/deletedcertificates/my-self-signed-cert'
# import the self-signed certificate my-self-signed-cert into the Keyvault
- task: AzurePowerShell@5
  inputs:
    azureSubscription: '${{ parameters.ArmConnection }}'
    ScriptType: 'InlineScript'
    azurePowerShellVersion: '3.1.0'
    Inline: |
      $Pwd = ConvertTo-SecureString -String 'MyPassword' -Force -AsPlainText
      $Base64 = 'MIIKqQI__3000_CHARS_HERE____HP1ICAgfQ=='
      $Cert = Import-AzKeyVaultCertificate -VaultName $(KeyVaultName) -Name my-self-signed-cert -CertificateString $Base64 -Password $Pwd
      # copy the property first: "$Cert.Thumbprint" inside a string would expand only $Cert
      $Thumbprint = $Cert.Thumbprint
      echo "##vso[task.setvariable variable=Thumbprint;isOutput=true]$Thumbprint"
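At first the code above worked, but then I disabled the soft delete feature in the Key Vault's ARM template:
    "properties": {
        "enableSoftDelete": false,
        "enabledForDeployment": true,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": true,
Or maybe the trigger for my problem was just that I deleted the keyvault manually...
Anyway, now I get the repeated pipeline error:
I wonder why the "az" failure is not ignored, even though I have set failOnStandardError: false and powerShellErrorActionPreference: 'silentlyContinue'?
Also, I have tried surrounding both "az" commands with "try / catch", but the error is still there: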
##[debug]which 'az'
##[debug]found: 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd'
##[debug]scriptType=pscore
##[debug]scriptLocation=inlineScript
##[debug]scriptArguments=null
##[debug]powerShellErrorActionPreference=silentlyContinue
##[debug]Agent.Version=2.169.0
##[debug]Agent.TempDirectory=d:\a\_temp
##[debug]scriptPath=d:\a\s
##[debug]inlineScript=az keyvault certificate delete --vault-name my-nightly-my-keyvault --id 'https://my-nightly-my-keyvault.vault.azure.net/certificates/my-self-signed-cert'
--vault-name my-nightly-my-keyvault --id 'https://my-nightly-my-keyvault.vault.azure.net/deletedcertificates/my-self-signed-cert'
##[debug]powerShellIgnoreLASTEXITCODE=false
...lines skipped...
A certificate with (name/id) my-self-signed-cert was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182
Operation "purge" is not enabled for this vault.
##[debug]$LASTEXITCODE: 1
##[debug]Exit code 1 received from tool 'C:\Program Files\PowerShell\pwsh.exe'
##[debug]STDIO streams have closed for tool 'C:\Program Files\PowerShell\pwsh.exe'
##[debug]task result: Failed
##[error]Script failed with exit code: 1
##[debug]Processed: ##vso[task.issue type=error;]Script failed with exit code: 1
##[debug]Processed: ##vso[task.complete result=Failed;]Script failed with exit code: 1
##[debug]which 'az'
##[debug]found: 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd'
##[debug]which 'az'
##[debug]found: 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd'
##[debug]C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd arg: account clear
##[debug]C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd arg: account clear
##[debug]exec tool: C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd
##[debug]exec tool: C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd
##[debug]arguments:
##[debug]arguments:
##[debug] account
##[debug] account
##[debug] clear
##[debug] clear
[command]C:\windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" account clear"
##[section]Finishing: AzureCLI
Check your YAML format. continueOnError is not an input of the task, but a property of the task itself. So your task should be:
- task: AzureCLI@2
  inputs:
    azureSubscription: 'xxx'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    failOnStandardError: false
    inlineScript: |
      az keyvault certificate delete --vault-name $(KeyVaultName) --id 'https://$(KeyVaultName).vault.azure.net/certificates/my-self-signed-cert'
      az keyvault certificate purge --vault-name $(KeyVaultName) --id 'https://$(KeyVaultName).vault.azure.net/deletedcertificates/my-self-signed-cert'
    powerShellErrorActionPreference: 'silentlyContinue'
  continueOnError: true
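If the property takes effect, your subsequent tasks will continue to run even though an error is thrown in the Azure CLI task.
As a workaround, adding exit 0 has helped me -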
# purge the self-signed cert from the Keyvault to avoid conflict; ignore failures (DOES NOT WORK?)
- task: AzureCLI@2
  inputs:
    azureSubscription: '${{ parameters.ArmConnection }}'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    continueOnError: true
    failOnStandardError: false
    powerShellErrorActionPreference: 'silentlyContinue'
    inlineScript: |
      az keyvault certificate delete --vault-name $(KeyVaultName) --id 'https://$(KeyVaultName).vault.azure.net/certificates/my-self-signed-cert'
      az keyvault certificate purge --vault-name $(KeyVaultName) --id 'https://$(KeyVaultName).vault.azure.net/deletedcertificates/my-self-signed-cert'
      exit 0
Then I got a better answer at Github to use ignoreLASTEXITCODE: true, or for the AzureCLI task (which is my case) to use powerShellIgnoreLASTEXITCODE: true
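An alternative to ignoring every failure, shown as an added example that is not from the original posts: check whether the certificate exists before deleting it, so that the expected "not found" case passes while a real error (for example a permission problem on the vault) still fails the step. The display name and the variable names inside the script are illustrative; the vault and certificate names are the ones used on this page.

```yaml
# Added example: idempotent removal that does not hide unexpected errors.
- task: AzureCLI@2
  displayName: 'Remove my-self-signed-cert if present'  # illustrative name
  inputs:
    azureSubscription: '${{ parameters.ArmConnection }}'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $vault = '$(KeyVaultName)'
      $name  = 'my-self-signed-cert'

      # Listing returns exit code 0 whether or not the certificate exists,
      # so a non-zero code here is a real problem and must fail the step.
      $ids = az keyvault certificate list --vault-name $vault --query "[].id" -o tsv
      if ($LASTEXITCODE -ne 0) {
        Write-Host "##vso[task.logissue type=error]Cannot list certificates in $vault"
        exit 1
      }

      # Match the certificate id, with or without a trailing version segment.
      $present = $ids | Where-Object { $_ -match "/certificates/$name(/|$)" }
      if (-not $present) {
        Write-Host "Certificate $name is not in $vault, nothing to delete"
        exit 0
      }

      az keyvault certificate delete --vault-name $vault --name $name | Out-Null
      if ($LASTEXITCODE -ne 0) {
        Write-Host "##vso[task.logissue type=error]Deleting $name failed"
        exit 1
      }

      # Purge only applies to vaults with soft delete; with
      # "enableSoftDelete": false it fails with 'Operation "purge" is not enabled'.
      $softDelete = az keyvault show --name $vault --query "properties.enableSoftDelete" -o tsv
      if ($softDelete -eq 'true') {
        az keyvault certificate purge --vault-name $vault --name $name
        if ($LASTEXITCODE -ne 0) {
          Write-Host "##vso[task.logissue type=error]Purging $name failed"
          exit 1
        }
      }
      exit 0
```

Because the script always ends with an explicit exit code, the step result does not depend on continueOnError or powerShellIgnoreLASTEXITCODE.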