dellemc.enterprise_sonic.sonic_pki (2.4.0) — module

Manages PKI attributes of Enterprise Sonic

Added in version 2.3.0 of dellemc.enterprise_sonic

Authors: Eric Seifert (@seiferteric)

This plugin has a corresponding action plugin.

Install collection

Install with ansible-galaxy collection install dellemc.enterprise_sonic:==2.4.0


Add to requirements.yml

  collections:
    - name: dellemc.enterprise_sonic
      version: 2.4.0

Description

Manages PKI attributes of Enterprise Sonic

Usage examples

# Using "merged" state for initial config
#
# Before state:
# -------------
#
# sonic# show running-configuration | grep crypto
# sonic#
#
- name: PKI Config Test
  hosts: datacenter
  gather_facts: false
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: "Initial Config"
      sonic_pki:
        config:
          security_profiles:
            - profile_name: rest
              ocsp_responder_list:
                - http://example.com/ocspa
                - http://example.com/ocspb
              certificate_name: host
              trust_store: default-ts
          trust_stores:
            - name: default-ts
              ca_name:
                - CA2
        state: merged
# After state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb

# Using "deleted" state to remove configuration
#
# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocsp
#
- name: PKI Delete Test
  hosts: datacenter
  gather_facts: true
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: Remove trust_store from security-profile
      sonic_pki:
        config:
          security_profiles:
            - profile_name: rest
              trust_store: default-ts
        state: deleted
# After state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocsp

# Using "overridden" state

# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb
#
- name: PKI Overridden Test
  hosts: datacenter
  gather_facts: false
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: "Overridden Config"
      sonic_pki:
        config:
          security_profiles:
            - profile_name: telemetry
              ocsp_responder_list:
                - http://example.com/ocspb
              revocation_check: true
              trust_store: telemetry-ts
              certificate_name: host
          trust_stores:
            - name: telemetry-ts
              ca_name: CA
        state: overridden
# After state:
# -----------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store telemetry-ts ca-cert CA
# crypto security-profile telemetry revocation_check true
# crypto security-profile trust_store telemetry telemetry-ts
# crypto security-profile certificate telemetry host
# crypto security-profile ocsp-list telemetry http://example.com/ocspb

# Using "replaced" state to update config

# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb
#
- name: PKI Replace Test
  hosts: datacenter
  gather_facts: false
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: "Replace Config"
      sonic_pki:
        config:
          security_profiles:
            - profile_name: rest
              ocsp_responder_list:
                - http://example.com/ocsp
              revocation_check: false
              trust_store: default-ts
              certificate_name: host
        state: replaced

Inputs

    
state:
    choices:
    - merged
    - deleted
    - replaced
    - overridden
    default: merged
    description:
    - The state of the configuration after module completion.
    type: str

config:
    description: The provided configuration
    suboptions:
      security_profiles:
        description: Application Security Profiles
        elements: dict
        suboptions:
          cdp_list:
            description: Global list of CDPs (CRL distribution points)
            elements: str
            type: list
          certificate_name:
            description: Host Certificate Name
            type: str
          key_usage_check:
            description: Require that certificate key usage is enforced
            type: bool
          ocsp_responder_list:
            description: Global list of OCSP responders
            elements: str
            type: list
          peer_name_check:
            description: Require that the peer name is verified
            type: bool
          profile_name:
            description: Profile Name
            required: true
            type: str
          revocation_check:
            description: Require that the certificate revocation check succeeds
            type: bool
          trust_store:
            description: Name of the associated trust store
            type: str
        type: list
      trust_stores:
        description: Trust stores, each a named set of CA certificates
        elements: dict
        suboptions:
          ca_name:
            description: List of CA certificates in the trust store.
            elements: str
            type: list
          name:
            description: The name of the Trust Store
            required: true
            type: str
        type: list
    type: dict
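A pre-flight check over a `config` block in the layout described under Inputs, added here as an example and not part of the dellemc.enterprise_sonic collection. It flags profiles whose settings weaken peer verification (no revocation, peer-name or key-usage checking, revocation enabled with no OCSP responder or CDP to consult, a trust store that is referenced but never defined) and trust stores whose `ca_name` is a bare string rather than the declared list; the `device_stores` parameter is a hypothetical one for trust stores that already exist on the switch, and the embedded sample is the "overridden" example above.

```python
from typing import Any, Dict, FrozenSet, List

# Constructed sample: the "overridden" playbook config from the examples above.
SAMPLE_CONFIG: Dict[str, Any] = {
    "security_profiles": [{
        "profile_name": "telemetry",
        "ocsp_responder_list": ["http://example.com/ocspb"],
        "revocation_check": True,
        "trust_store": "telemetry-ts",
        "certificate_name": "host",
    }],
    "trust_stores": [{"name": "telemetry-ts", "ca_name": "CA"}],
}


def check_pki_config(config: Dict[str, Any],
                     device_stores: FrozenSet[str] = frozenset()) -> List[str]:
    """Return findings for a sonic_pki `config` dict; device_stores (hypothetical
    parameter) names trust stores already on the switch that this play does not define."""
    findings: List[str] = []
    stores = {ts["name"]: ts for ts in config.get("trust_stores") or []}
    for name, ts in stores.items():
        # ca_name is declared 'type: list, elements: str'; Ansible coerces a bare
        # string, but a list is unambiguous, and an empty store trusts nothing.
        cas = ts.get("ca_name")
        if isinstance(cas, str):
            findings.append(f"trust_store {name}: ca_name should be a list, got {cas!r}")
        elif not cas:
            findings.append(f"trust_store {name}: no CA certificates")
    known = set(stores) | set(device_stores)
    for prof in config.get("security_profiles") or []:
        name = prof["profile_name"]
        ts = prof.get("trust_store")
        if ts is None:
            findings.append(f"{name}: no trust_store set")
        elif ts not in known:
            findings.append(f"{name}: trust_store {ts!r} defined neither here nor on the device")
        if not prof.get("certificate_name"):
            findings.append(f"{name}: no certificate_name (host certificate) set")
        # Revocation checking needs a source to consult: OCSP responders or CDPs (CRL
        # distribution points); flag profiles that enable it but configure neither.
        if prof.get("revocation_check") is not True:
            findings.append(f"{name}: revocation_check is not enabled")
        elif not (prof.get("ocsp_responder_list") or prof.get("cdp_list")):
            findings.append(f"{name}: revocation_check without ocsp_responder_list or cdp_list")
        for flag in ("peer_name_check", "key_usage_check"):
            if prof.get(flag) is not True:
                findings.append(f"{name}: {flag} is not enabled")
    return findings
```

Run it against the `config` of a play before using state merged, replaced or overridden; a partial config intended for state deleted will naturally report missing keys.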

Outputs

after:
  description: The resulting configuration after the module invocation.
  returned: when changed
  sample: |
    The configuration returned will always be in the same format
    as the parameters above.
  type: dict
before:
  description: The configuration prior to the model invocation.
  returned: always
  sample: |
    The configuration returned will always be in the same format
    as the parameters above.
  type: dict
commands:
  description: The set of commands pushed to the remote device.
  returned: always
  sample:
  - command 1
  - command 2
  - command 3
  type: list