Try SpotterManage Key Vault instance
| "added in version" 2.5 of ansible.builtin"
Authors: Zim Kalinowski (@zikalino)
preview | supported by community
pipInstall with pip install ansible==2.9.17
Create, update and delete instance of Key Vault.
- name: Create instance of Key Vault
azure_rm_keyvault:
resource_group: myResourceGroup
vault_name: samplekeyvault
enabled_for_deployment: yes
vault_tenant: 72f98888-8666-4144-9199-2d7cd0111111
sku:
name: standard
access_policies:
- tenant_id: 72f98888-8666-4144-9199-2d7cd0111111
object_id: 99998888-8666-4144-9199-2d7cd0111111
keys:
- get
- list
sku:
description:
- SKU details.
suboptions:
family:
description:
- SKU family name.
name:
choices:
- standard
- premium
description:
- SKU name to specify whether the key vault is a standard vault or a premium vault.
required: true
tags:
description:
- Dictionary of string:string pairs to assign as metadata to the object.
- Metadata tags on the object will be updated with any provided values.
- To remove tags set append_tags option to false.
type: dict
state:
choices:
- absent
- present
default: present
description:
- Assert the state of the KeyVault. Use C(present) to create or update an KeyVault
and C(absent) to delete it.
secret:
description:
- Azure client secret. Use when authenticating with a Service Principal.
type: str
tenant:
description:
- Azure tenant ID. Use when authenticating with a Service Principal.
type: str
ad_user:
description:
- Active Directory username. Use when authenticating with an Active Directory user
rather than service principal.
type: str
profile:
description:
- Security profile found in ~/.azure/credentials file.
type: str
location:
description:
- Resource location. If not set, location from the resource group will be used as
default.
password:
description:
- Active Directory user password. Use when authenticating with an Active Directory
user rather than service principal.
type: str
client_id:
description:
- Azure client ID. Use when authenticating with a Service Principal.
type: str
vault_name:
description:
- Name of the vault.
required: true
api_profile:
default: latest
description:
- Selects an API profile to use when communicating with Azure services. Default value
of C(latest) is appropriate for public clouds; future values will allow use with
Azure Stack.
type: str
version_added: 0.0.1
version_added_collection: azure.azcollection
append_tags:
default: true
description:
- Use to control if tags field is canonical or just appends to existing tags.
- When canonical, any tags not found in the tags parameter will be removed from the
object's metadata.
type: bool
auth_source:
choices:
- auto
- cli
- credential_file
- env
- msi
default: auto
description:
- Controls the source of the credentials to use for authentication.
- Can also be set via the C(ANSIBLE_AZURE_AUTH_SOURCE) environment variable.
- When set to C(auto) (the default) the precedence is module parameters -> C(env)
-> C(credential_file) -> C(cli).
- When set to C(env), the credentials will be read from the environment variables
- When set to C(credential_file), it will read the profile from C(~/.azure/credentials).
- When set to C(cli), the credentials will be sources from the Azure CLI profile.
C(subscription_id) or the environment variable C(AZURE_SUBSCRIPTION_ID) can be used
to identify the subscription ID if more than one is present otherwise the default
az cli subscription is used.
- When set to C(msi), the host machine must be an azure resource with an enabled MSI
extension. C(subscription_id) or the environment variable C(AZURE_SUBSCRIPTION_ID)
can be used to identify the subscription ID if the resource is granted access to
more than one subscription, otherwise the first subscription is chosen.
- The C(msi) was added in Ansible 2.6.
type: str
version_added: 0.0.1
version_added_collection: azure.azcollection
recover_mode:
description:
- Create vault in recovery mode.
type: bool
vault_tenant:
description:
- The Azure Active Directory tenant ID that should be used for authenticating requests
to the key vault.
resource_group:
description:
- The name of the Resource Group to which the server belongs.
required: true
access_policies:
description:
- An array of 0 to 16 identities that have access to the key vault.
- All identities in the array must use the same tenant ID as the key vault's tenant
ID.
suboptions:
application_id:
description:
- Application ID of the client making request on behalf of a principal.
certificates:
choices:
- get
- list
- delete
- create
- import
- update
- managecontacts
- getissuers
- listissuers
- setissuers
- deleteissuers
- manageissuers
- recover
- purge
description:
- List of permissions to certificates.
keys:
choices:
- encrypt
- decrypt
- wrapkey
- unwrapkey
- sign
- verify
- get
- list
- create
- update
- import
- delete
- backup
- restore
- recover
- purge
description:
- List of permissions to keys.
object_id:
description:
- The object ID of a user, service principal or security group in the Azure Active
Directory tenant for the vault.
- The object ID must be unique for the list of access policies.
- Please note this is not application id. Object id can be obtained by running
"az ad sp show --id <application id>".
required: true
secrets:
choices:
- get
- list
- set
- delete
- backup
- restore
- recover
- purge
description:
- List of permissions to secrets.
storage:
description:
- List of permissions to storage accounts.
tenant_id:
description:
- The Azure Active Directory tenant ID that should be used for authenticating
requests to the key vault.
- Current keyvault C(tenant_id) value will be used if not specified.
subscription_id:
description:
- Your Azure subscription Id.
type: str
cloud_environment:
default: AzureCloud
description:
- For cloud environments other than the US public cloud, the environment name (as
defined by Azure Python SDK, eg, C(AzureChinaCloud), C(AzureUSGovernment)), or a
metadata discovery endpoint URL (required for Azure Stack). Can also be set via
credential file profile or the C(AZURE_CLOUD_ENVIRONMENT) environment variable.
type: str
version_added: 0.0.1
version_added_collection: azure.azcollection
adfs_authority_url:
description:
- Azure AD authority url. Use when authenticating with Username/password, and has
your own ADFS authority.
type: str
version_added: 0.0.1
version_added_collection: azure.azcollection
enable_soft_delete:
description:
- Property to specify whether the soft delete functionality is enabled for this key
vault.
type: bool
cert_validation_mode:
choices:
- ignore
- validate
description:
- Controls the certificate validation behavior for Azure endpoints. By default, all
modules will validate the server certificate, but when an HTTPS proxy is in use,
or against Azure Stack, it may be necessary to disable this behavior by passing
C(ignore). Can also be set via credential file profile or the C(AZURE_CERT_VALIDATION)
environment variable.
type: str
version_added: 0.0.1
version_added_collection: azure.azcollection
enabled_for_deployment:
description:
- Property to specify whether Azure Virtual Machines are permitted to retrieve certificates
stored as secrets from the key vault.
type: bool
enabled_for_disk_encryption:
description:
- Property to specify whether Azure Disk Encryption is permitted to retrieve secrets
from the vault and unwrap keys.
type: bool
enabled_for_template_deployment:
description:
- Property to specify whether Azure Resource Manager is permitted to retrieve secrets
from the key vault.
type: bool
id: description: - The Azure Resource Manager resource ID for the key vault. returned: always sample: id type: str