I have an Azure DevOps pipeline that runs every month to renew an SSL certificate with Let's Encrypt via terraform. The certificate is saved to an Azure Key Vault with policy-enforced soft delete and purge protection. since terraform's idea of updating a certificate is NOT creating a new version of an existing Key Vault entry but rather deleting the entry and creating a new one (which it can't do for the reason stated above), the current workaround is creating a new certificate entry appended with current year and month and then downloading the certificate value to the agent as secret file and then creating a new version of the existing entry (without year and date in the name). Before creating a new entry the pipeline is supposed to delete the one created during previous run, which is done by checking the key vault for existence of an entry with a name over 12 characters long. The pipeline has run successfully before but the latest run 4 days ago gave the following error message:
ERROR: 'NoneType' object is not iterable
The azure cli task has not been updated recently and the version of the task is the same, I don't see where this has suddenly come from. Even though the task fails, it does remove the entry from the keyvault successfully.
Here is the code of the task in question
- task: AzureCLI@2
displayName: Delete the cert from previous run
inputs:
scriptType: pscore
azureSubscription: 'Prod service connection'
scriptLocation: inlineScript
inlineScript: |
$cert_array = az keyvault certificate list --vault-name "prodVAULTNAME" --query "[?contains(name, ``DOMAINNAME``) && length(name) >=``12``].name"
$cert_to_delete = $cert_array[1].ToString().Trim(' ') -replace '"', ''
if ($cert_to_delete.length -gt 12) {
az keyvault certificate delete --vault-name ${{variables.vaultname}} -n $cert_to_delete
}
Please, before you ask me to test the script locally or anything like that, read the post to the end. Thank you!
From what I found online this looks like a python error message but can't see any relation to the azure cli task in azure devops. Any input is appreciated.
Expected result: the task runs successfully, i.e. the certificate entry in the key vault is moved to a soft-deleted state and the pipeline execution continues.
Actual result: the task seemingly fails with an error message stated above and the pipeline execution stops. The certificate entry in key vault does move to soft-deleted state though.
I figured out the issue. Looks like the task was reiterating over both conditions after checking the first one. The resolution to this was nest the second condition within the first one:
$cert_array = az keyvault certificate list --vault-name "prodVAULTNAME" --query "[?contains(name, ``DOMAINNAME``) && length(name) >=``12``].name"
if ($cert_array -ne $null) {
$cert_to_delete = $cert_array[1].ToString().Trim(' ') -replace '"', ''
if ($cert_to_delete.length -gt 12) {
az keyvault certificate delete --vault-name ${{variables.vaultname}} -n $cert_to_delete
}
}