freeipa.ansible_freeipa.ipavault (1.11.1) — module

Manage vaults and secret vaults.

Authors: Rafael Guterres Jeffman (@rjeffman), Thomas Woerner (@t-woerner)

preview | supported by community

Install collection

Install with ansible-galaxy collection install freeipa.ansible_freeipa:==1.11.1


Add to requirements.yml

  collections:
    - name: freeipa.ansible_freeipa
      version: 1.11.1

Description

Manage vaults and secret vaults. The KRA service must be enabled on the IPA server.

Usage examples

# Ensure vault symvault is present
# Creates a symmetric vault for user "admin". `salt` is an alias of
# `vault_salt` (see Inputs) and carries a base64 string. The admin and
# vault passwords are written inline here purely to keep the example
# self-contained; in a real playbook source them from vaulted variables
# or a lookup so they are not committed alongside the play.
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: symvault
    username: admin
    vault_type: symmetric
    password: SomeVAULTpassword
    salt: MTIzNDU2Nzg5MAo=
# Ensure group ipausers is a vault member.
# `action: member` operates on the vault's membership lists instead of the
# vault object itself; `state` defaults to present, so the group is added.
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: symvault
    username: admin
    groups: ipausers
    action: member
# Ensure group ipausers is not a vault member.
# With `action: member`, `state: absent` removes only the listed group from
# the vault's membership; the vault itself is left in place.
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: symvault
    username: admin
    groups: ipausers
    action: member
    state: absent
# Ensure vault users are present.
# `users` is a list parameter (see Inputs); every listed user becomes a
# member of the vault. Membership grants access to the vault, so keep this
# list as small as the use case allows.
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: symvault
    username: admin
    users:
    - user01
    - user02
    action: member
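# Ensure vault users are absent.
# The parameter that selects removal is `state: absent` (there is no
# `status` parameter in this module — see Inputs). Combined with
# `action: member` it removes only the listed users from the vault's
# membership and keeps the vault itself.
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: symvault
    username: admin
    users:
    - user01
    - user02
    action: member
    state: absent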
# Ensure user owns vault.
# `owners` (alias `ownerusers`, see Inputs) lists users that own the vault,
# which is a stronger role than plain membership; grant it deliberately.
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: symvault
    username: admin
    action: member
    owners: user01
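# Ensure user does not own vault.
# Removal is selected with `state: absent` (this module has no `status`
# parameter — see Inputs). With `action: member` only the owner entry for
# user01 is removed; the vault is kept.
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: symvault
    username: admin
    owners: user01
    action: member
    state: absent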
# Ensure data is archived to a symmetric vault
# `password` is the vault password set when the symmetric vault was
# created. `data: >` is a folded scalar, so the archived value is the
# single line "Data archived. More data archived." followed by one
# newline; use `|` instead if the line breaks must be preserved.
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: symvault
    username: admin
    password: SomeVAULTpassword
    data: >
      Data archived.
      More data archived.
    action: member
# Retrieve data archived from a symmetric vault
# `state: retrieved` returns the vault contents in the `vault` output
# (see Outputs); `register` captures it as `result.vault.data`. The
# registered variable holds the secret in cleartext for the rest of the
# play, so avoid echoing it in later tasks.
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: symvault
    username: admin
    password: SomeVAULTpassword
    state: retrieved
  register: result
# Show the data retrieved by the previous task.
# This writes the vault secret to the play output and to any configured
# log; in a production playbook keep such a task under `no_log: true` or
# leave it out entirely.
- debug:
    msg: "{{ result.vault.data }}"
# Change password of a symmetric vault
# `old_password` is an alias of `password` (see Inputs) and must match the
# current vault password; `new_password` becomes the vault password
# afterwards. Both are secrets — supply them from vaulted variables.
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: symvault
    username: admin
    old_password: SomeVAULTpassword
    new_password: SomeNEWpassword
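# Ensure vault symvault is absent
# Without `action: member`, `state: absent` removes the vault object
# itself, including its archived data. `username` is used here (rather
# than its alias `user`) to match the other examples on this page.
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: symvault
    username: admin
    state: absent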
# Ensure asymmetric vault is present.
# `public_key` is an alias of `vault_public_key` (see Inputs) and takes a
# base64-encoded key. The literal block (`|`) keeps the wrapped lines and
# the trailing newline in the value — presumably tolerated by the base64
# decoding on the module side; confirm before relying on it. Only the
# public key is given here; the matching private key is needed later to
# retrieve data and must be stored outside the playbook.
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: asymvault
    username: user01
    description: An asymmetric vault
    vault_type: asymmetric
    public_key: |
      LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTR
      HTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi
      9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM
      295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlV
      bFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVk
      tLS0tLQo=
# Ensure data is archived in an asymmetric vault
# No vault password is needed: data is encrypted with the vault's public
# key. NOTE(review): the asymmetric vault above was created with
# `username: user01`, while this task addresses `username: admin`; confirm
# which user's vault is intended, since user vaults are per user (see the
# `username` description in Inputs).
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: asymvault
    username: admin
    data: >
      Data archived.
      More data archived.
    action: member
# Retrieve data archived in an asymmetric vault, using a private key file.
# `private_key_file` (alias `vault_private_key_file`) points at the PEM
# key that matches the vault's public key; where the path is resolved
# (control node vs. managed node) is not stated on this page — confirm.
# Unlike the symmetric example there is no `register`, so the retrieved
# data is not captured for later tasks; add one if it is needed.
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: asymvault
    username: admin
    private_key_file: private.pem
    state: retrieved
# Ensure asymmetric vault is absent.
# Removes user01's vault "asymvault" together with its archived data.
# `vault_type` is accepted here but is not required to delete a vault.
- freeipa.ansible_freeipa.ipavault:
    ipaadmin_password: SomeADMINpassword
    name: asymvault
    username: user01
    vault_type: asymmetric
    state: absent

Inputs

    
in:
    aliases:
    - datafile_in
    description: Path to file with data to be stored in the vault.
    required: false
    type: str

out:
    aliases:
    - datafile_out
    description: Path to file to store data retrieved from the vault.
    required: false
    type: str

data:
    aliases:
    - ipavaultdata
    - vault_data
    description: Data to be stored in the vault.
    required: false
    type: str

name:
    aliases:
    - cn
    description: The vault name
    elements: str
    required: true
    type: list

state:
    choices:
    - present
    - absent
    - retrieved
    default: present
    description: State to ensure
    type: str

users:
    description: Users that are members of the vault.
    elements: str
    required: false
    type: list

action:
    choices:
    - vault
    - data
    - member
    default: vault
    description: Work on vault or member level.
    type: str

groups:
    description: Groups that are members of the vault.
    elements: str
    required: false
    type: list

owners:
    aliases:
    - ownerusers
    description: Users that are owners of the vault.
    elements: str
    required: false
    type: list

shared:
    description: Vault is shared.
    required: false
    type: bool

service:
    description: Any service can own one or more service vaults.
    required: false
    type: str

password:
    aliases:
    - ipavaultpassword
    - vault_password
    - old_password
    description: Password to be used for a symmetric vault.
    required: false
    type: str

services:
    description: Services that are members of the container.
    elements: str
    required: false
    type: list

username:
    aliases:
    - user
    description: Any user can own one or more user vaults.
    required: false
    type: str

vault_salt:
    aliases:
    - ipavaultsalt
    - salt
    description: Vault salt.
    required: false
    type: str

vault_type:
    aliases:
    - ipavaulttype
    choices:
    - standard
    - symmetric
    - asymmetric
    description: Vault types are based on security level.
    required: false
    type: str

description:
    description: The vault description
    required: false
    type: str

ownergroups:
    description: Groups that are owners of the vault.
    elements: str
    required: false
    type: list

private_key:
    aliases:
    - ipavaultprivatekey
    - vault_private_key
    description: Base64-encoded private key.
    required: false
    type: str

new_password:
    description: New password to be used for a symmetric vault.
    required: false
    type: str

ownerservices:
    description: Services that are owners of the vault.
    elements: str
    required: false
    type: list

password_file:
    aliases:
    - vault_password_file
    - old_password_file
    description: File with the password to be used for a symmetric vault.
    required: false
    type: str

ipaapi_context:
    choices:
    - server
    - client
    description: >-
      The context in which the module will execute. Executing in a
      server context is preferred. If not provided, the context will be
      determined by the execution environment.
    required: false
    type: str

private_key_file:
    aliases:
    - vault_private_key_file
    description: Path to file with private key.
    required: false
    type: str

vault_public_key:
    aliases:
    - ipavaultpublickey
    - public_key
    - new_public_key
    description: Base64-encoded public key.
    required: false
    type: str

ipaadmin_password:
    description: The admin password.
    required: false
    type: str

ipaapi_ldap_cache:
    default: true
    description: Use LDAP cache for IPA connection.
    type: bool

new_password_file:
    description: File with the new password to be used for a symmetric vault.
    required: false
    type: str

ipaadmin_principal:
    default: admin
    description: The admin principal.
    type: str

vault_public_key_file:
    aliases:
    - public_key_file
    - new_public_key_file
    description: Path to file with public key.
    required: false
    type: str

Outputs

vault:
  contains:
    data:
      description: The vault data.
      returned: always
      type: str
  description: Vault dict with archived data.
  returned: If state is `retrieved`.
  type: dict