community.vmware.vcenter_standard_key_provider (4.2.0) — module

Add, reconfigure or remove Standard Key Provider on vCenter server

Authors: Diane Wang (@Tomorrow9) <dianew@vmware.com>

Install collection

Install with ansible-galaxy collection install community.vmware:==4.2.0


Add to requirements.yml

  collections:
    - name: community.vmware
      version: 4.2.0

Description

This module adds, reconfigures or removes a Standard Key Provider on a vCenter server. Refer to the VMware documentation for more information: L(Standard Key Provider, https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-6DB1E745-9624-43EA-847C-DD2F767CB94B.html)

Usage examples

- name: Add a new Standard Key Provider with client certificate and private key
  community.vmware.vcenter_standard_key_provider:
    hostname: "{{ vcenter_hostname }}"
    username: "{{ vcenter_username }}"
    password: "{{ vcenter_password }}"
    name: 'test_standard_kp'
    state: 'present'
    mark_default: true
    kms_info:
      - kms_name: test_kms_1
        kms_ip: 192.168.1.10
    make_kms_trust_vc:
      upload_client_cert: "/tmp/test_cert.pem"
      upload_client_key: "/tmp/test_cert_key.pem"
  register: add_skp_result
- name: Remove the KMS from the key provider cluster
  community.vmware.vcenter_standard_key_provider:
    hostname: "{{ vcenter_hostname }}"
    username: "{{ vcenter_username }}"
    password: "{{ vcenter_password }}"
    name: 'test_standard_kp'
    state: 'present'
    kms_info:
      - kms_name: test_kms_1
        remove_kms: true
  register: remove_kms_result
- name: Remove the Standard Key Provider
  community.vmware.vcenter_standard_key_provider:
    hostname: "{{ vcenter_hostname }}"
    username: "{{ vcenter_username }}"
    password: "{{ vcenter_password }}"
    name: 'test_standard_kp'
    state: 'absent'
  register: remove_kp_result

Inputs

    
name:
    description: Name of the Key Provider to be added, reconfigured or removed from vCenter.
    required: true
    type: str

port:
    default: 443
    description:
    - The port number of the vSphere vCenter or ESXi server.
    - If the value is not specified in the task, the value of environment variable E(VMWARE_PORT)
      will be used instead.
    type: int

state:
    choices:
    - present
    - absent
    default: present
    description:
    - If set to V(absent), the named Key Provider will be removed from vCenter.
    - If set to V(present), the named existing Key Provider will be reconfigured or a new
      Key Provider will be added.
    type: str

hostname:
    description:
    - The hostname or IP address of the vSphere vCenter or ESXi server.
    - If the value is not specified in the task, the value of environment variable E(VMWARE_HOST)
      will be used instead.
    type: str

kms_info:
    default: []
    description:
    - Information about an external key server (KMS).
    - O(kms_info.kms_name), O(kms_info.kms_ip) are required when adding a Standard Key
      Provider.
    - If O(kms_info.kms_port) is not specified, the default port 5696 will be used.
    - O(kms_info.kms_ip), O(kms_info.kms_port) can be reconfigured for an existing KMS
      with name O(kms_info.kms_name).
    elements: dict
    suboptions:
      kms_ip:
        description: IP address of the external KMS.
        type: str
      kms_name:
        description: Name of the KMS to be configured.
        type: str
      kms_port:
        description: Port of the external KMS.
        type: int
      remove_kms:
        description: Remove the configured KMS with name O(kms_info.kms_name) from the
          KMIP cluster.
        type: bool
    type: list

password:
    aliases:
    - pass
    - pwd
    description:
    - The password of the vSphere vCenter or ESXi server.
    - If the value is not specified in the task, the value of environment variable E(VMWARE_PASSWORD)
      will be used instead.
    type: str

username:
    aliases:
    - admin
    - user
    description:
    - The username of the vSphere vCenter or ESXi server.
    - If the value is not specified in the task, the value of environment variable E(VMWARE_USER)
      will be used instead.
    type: str

proxy_host:
    description:
    - Address of a proxy that will receive all HTTPS requests and relay them.
    - The format is a hostname or an IP address.
    - If the value is not specified in the task, the value of environment variable E(VMWARE_PROXY_HOST)
      will be used instead.
    required: false
    type: str

proxy_port:
    description: Port of the proxy server.
    required: false
    type: int

kms_password:
    description: Password to authenticate to the KMS.
    type: str

kms_username:
    description: Username to authenticate to the KMS.
    type: str

mark_default:
    default: false
    description:
    - Set the Key Provider with name O(name) as the default Key Provider.
    - If the newly added Key Provider is the only key provider in vCenter, it will be marked
      as default after adding.
    type: bool

proxy_server:
    description: Address of the proxy server used to connect to the KMS.
    type: str

validate_certs:
    default: true
    description:
    - Whether to validate the SSL certificate of the vSphere vCenter or ESXi server. Set to V(false)
      to allow the connection when the certificate is not trusted.
    - If the value is not specified in the task, the value of environment variable E(VMWARE_VALIDATE_CERTS)
      will be used instead.
    type: bool

make_kms_trust_vc:
    description:
    - After adding the Standard Key Provider to the vCenter Server, you can establish
      a trusted connection; the exact process depends on the certificates that the key
      provider accepts and on your company policy.
    - Three methods are implemented here: (1) upload a client certificate and private key through
      the O(make_kms_trust_vc.upload_client_cert) and O(make_kms_trust_vc.upload_client_key)
      parameters; (2) generate, update and download a vCenter self-signed certificate through
      the O(make_kms_trust_vc.download_self_signed_cert) parameter; (3) download the vCenter-generated
      Certificate Signing Request (CSR) through the O(make_kms_trust_vc.download_client_csr)
      parameter, have the KMS sign it, then upload the KMS-signed certificate through the
      O(make_kms_trust_vc.upload_kms_signed_client_csr) parameter.
    - This option is not mandatory; if it is not set, establish the trust connection
      with the KMS manually in vCenter.
    suboptions:
      download_client_csr:
        description:
        - The absolute path on the local machine where the vCenter-generated CSR is saved.
        - Afterwards, upload the KMS-signed CSR to vCenter using
          O(make_kms_trust_vc.upload_kms_signed_client_csr).
        type: path
      download_self_signed_cert:
        description: The absolute path on the local machine where the vCenter-generated
          self-signed client certificate is saved.
        type: path
      upload_client_cert:
        description:
        - The absolute file path of the client certificate.
        - Request a certificate and private key from the KMS vendor. The files are X.509
          certificates and keys in PEM format.
        - The certificate might already be trusted by the KMS server.
        type: path
      upload_client_key:
        description: The absolute file path of the client private key, uploaded together
          with O(make_kms_trust_vc.upload_client_cert).
        type: path
      upload_kms_signed_client_csr:
        description: The absolute file path of the KMS-signed CSR that was originally downloaded through O(make_kms_trust_vc.download_client_csr).
        type: path
    type: dict

Outputs

key_provider_clusters:
  description: The Key Provider cluster info.
  returned: always
  sample:
  - has_backup: null
    key_id: null
    key_provide_id: test_standard
    management_type: null
    servers:
    - address: 192.168.1.10
      name: test_kms
      port: 5696
      protocol: ''
      proxy: ''
      proxy_port: null
      user_name: ''
    tpm_required: null
    use_as_default: true
  type: list
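The CSR-based trust workflow (method 3 under O(make_kms_trust_vc)) needs two runs of the module with an out-of-band signing step between them, and the returned key_provider_clusters structure documented under Outputs is what lets a playbook verify the result instead of trusting a changed flag. The playbook below is an added example, not part of the collection's documentation or the module's own tests. The key provider name example_standard_kp, the KMS name example_kms_1, the address 192.0.2.10 (an RFC 5737 documentation address), the paths under /tmp and the vault_kms_* variables are all assumptions; the vcenter_* variables are the same ones the usage examples above rely on.

```yaml
# Added example: two-phase CSR trust setup with community.vmware.vcenter_standard_key_provider.
# Names, addresses and paths are assumptions; vcenter_* and vault_kms_* come from inventory/vault.
- name: Establish vCenter-to-KMS trust with a KMS-signed client certificate
  hosts: localhost
  gather_facts: false
  vars:
    kp_name: example_standard_kp                    # assumed key provider name
    kms_server_name: example_kms_1                  # assumed KMS name
    kms_ip: 192.0.2.10                              # assumed, RFC 5737 documentation address
    csr_path: /tmp/vcenter_client.csr               # assumed local path for the vCenter CSR
    signed_csr_path: /tmp/vcenter_client_signed.pem # assumed path of the KMS-signed certificate
  tasks:
    - name: "Phase 1: register the KMS and download the vCenter-generated CSR"
      community.vmware.vcenter_standard_key_provider:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        validate_certs: true                        # keep vCenter certificate validation on
        name: "{{ kp_name }}"
        state: present
        kms_info:
          - kms_name: "{{ kms_server_name }}"
            kms_ip: "{{ kms_ip }}"
            kms_port: 5696                          # KMIP default, same as the module default
        kms_username: "{{ vault_kms_username }}"    # assumed vault-stored KMS credentials
        kms_password: "{{ vault_kms_password }}"
        make_kms_trust_vc:
          download_client_csr: "{{ csr_path }}"
      register: phase1

    - name: Check that the KMS is listed in the returned cluster info
      ansible.builtin.assert:
        that:
          - "kms_server_name in (phase1.key_provider_clusters | map(attribute='servers') | flatten | map(attribute='name') | list)"
        fail_msg: "KMS {{ kms_server_name }} not found in key_provider_clusters"

    - name: Confirm the CSR was written locally before handing it to the KMS administrator
      ansible.builtin.stat:
        path: "{{ csr_path }}"
      register: csr_file
      failed_when: not csr_file.stat.exists

    # Out-of-band step: the KMS signs csr_path and returns signed_csr_path.
    # Phase 2 runs only once that file exists on the controller.

    - name: "Phase 2: upload the KMS-signed certificate and mark the provider as default"
      community.vmware.vcenter_standard_key_provider:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        validate_certs: true
        name: "{{ kp_name }}"
        state: present
        mark_default: true
        kms_info:
          - kms_name: "{{ kms_server_name }}"
            kms_ip: "{{ kms_ip }}"                  # unchanged; reconfigures the existing KMS entry
        make_kms_trust_vc:
          upload_kms_signed_client_csr: "{{ signed_csr_path }}"
      register: phase2
      when: signed_csr_path is file

    - name: Verify that exactly one cluster is now marked as default
      ansible.builtin.assert:
        that:
          - "phase2.key_provider_clusters | selectattr('use_as_default') | list | length == 1"
      when: phase2 is not skipped
```

The default is set in phase 2 rather than phase 1 because until the KMS-signed certificate is uploaded the provider cannot serve key requests, and the `is file` guard lets the same playbook be rerun safely before the signed certificate has come back from the KMS administrator.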