maxhoesel.smallstep.ca_provisioner (0.2.1) - module
Manage provisioners for a Smallstep CA server
Added in version 2.10.0 of maxhoesel.smallstep
Authors: Max Hösel (@maxhoesel)

Install with: ansible-galaxy collection install maxhoesel.smallstep:==0.2.1

Or pin it in a requirements file:

```yaml
collections:
  - name: maxhoesel.smallstep
    version: 0.2.1
```
Use this module to create and remove provisioners from a Smallstep CA server.
Examples:

```yaml
- name: Add a single JWK provisioner
  maxhoesel.smallstep.ca_provisioner:
    name: max@smallstep.com
    type: JWK
    # Key and password files must already exist on the remote host
    jwk_key_files: /tmp/step-ca/max-laptop.jwk
    jwk_password_file: /tmp/step-ca/max-laptop.pass
    jwk_encrypt_password: a-secret-password
    state: present

- name: Add a single JWK provisioner using an auto-generated asymmetric key pair
  maxhoesel.smallstep.ca_provisioner:
    name: max@smallstep.com
    type: JWK
    # Password file must already exist on the remote host
    jwk_password_file: /tmp/step-ca/max-laptop.pass
    jwk_encrypt_password: a-secret-password
    jwk_create: yes
    state: present

- name: Add a list of keys as provisioners under a single name
  maxhoesel.smallstep.ca_provisioner:
    name: max@smallstep.com
    type: JWK
    # Key and password files must already exist on the remote host
    jwk_key_files:
      - /tmp/step-ca/max-laptop.jwk
      - /tmp/max-phone.pem
      - /tmp/max-work.pem
    jwk_password_file: /tmp/step-ca/max-laptop.pass
    jwk_encrypt_password: a-secret-password
    state: present

- name: Add a single OIDC provisioner
  maxhoesel.smallstep.ca_provisioner:
    name: Google
    type: OIDC
    oidc_client_id: 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com
    oidc_configuration_endpoint: https://accounts.google.com/.well-known/openid-configuration

- name: Add an OIDC provisioner with two administrators, restricted to one e-mail domain
  maxhoesel.smallstep.ca_provisioner:
    name: Google
    type: OIDC
    oidc_client_id: 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com
    oidc_configuration_endpoint: https://accounts.google.com/.well-known/openid-configuration
    oidc_admin_email:
      - mariano@smallstep.com
      - max@smallstep.com
    oidc_domain: smallstep.com

- name: Add an AWS provisioner for one account with a one-hour maximum instance age
  maxhoesel.smallstep.ca_provisioner:
    name: Amazon
    type: AWS
    aws_account: 123456789
    instance_age: 1h

- name: Add a GCP provisioner with two service accounts and two project ids
  maxhoesel.smallstep.ca_provisioner:
    name: Google
    type: GCP
    gcp_service_account:
      - 1234567890-compute@developer.gserviceaccount.com
      - 9876543210-compute@developer.gserviceaccount.com
    gcp_project:
      - identity
      - accounting

- name: Add an Azure provisioner with two resource groups
  maxhoesel.smallstep.ca_provisioner:
    name: Azure
    type: Azure
    azure_tenant: bc9043e2-b645-4c1c-a87a-78f8644bfe57
    azure_resource_group:
      - identity
      - accounting

- name: Add a GCP provisioner that only accepts the SANs provided in the identity token
  maxhoesel.smallstep.ca_provisioner:
    name: Google
    type: GCP
    disable_custom_sans: yes
    gcp_project: internal

- name: Add an ACME provisioner
  maxhoesel.smallstep.ca_provisioner:
    name: acme-smallstep
    type: ACME

- name: Add an X5C provisioner
  maxhoesel.smallstep.ca_provisioner:
    name: x5c-smallstep
    type: X5C
    # Root certificate file must already exist on the remote host
    x5c_root_file: /tmp/x5c_root.crt

- name: Add a K8s Service Account provisioner
  maxhoesel.smallstep.ca_provisioner:
    name: my-kube-provisioner
    type: K8sSA
    # Key file must already exist on the remote host
    k8s_pem_keys_file: /tmp/keys.pub

- name: Add an SSH-POP provisioner
  maxhoesel.smallstep.ca_provisioner:
    name: sshpop-smallstep
    type: SSHPOP

- name: Remove a JWK provisioner
  maxhoesel.smallstep.ca_provisioner:
    name: my-jwk-provisioner
    type: JWK
    # state defaults to present; without this line the task would try to (re)create the provisioner
    state: absent
```
Parameters:

General

  name (required)
    The name of the provisioner to add or remove.

  type (required)
    The type of provisioner to create or remove (case-sensitive).
    Choices: JWK, OIDC, AWS, GCP, Azure, ACME, X5C, K8sSA, SSHPOP

  state
    Whether the provisioner should be present or absent.
    Choices: present, absent. Default: present

  ca_config
    The path to the certificate authority configuration file.
    Default: ~/.step/config/ca.json (the step default of $STEPPATH/config/ca.json)

  step_executable
    Path or name of the step tool used to manage the step-ca server. Default: step

  ssh (bool)
    Whether to enable SSH on the new provisioner. Default: false

JWK provisioners

  jwk_key_files
    List of private (or public) keys in JWK or PEM format to be added to the provisioner.

  jwk_create (bool)
    Create a new ECDSA key pair using curve P-256 and populate a new JWK provisioner with it.
    Default: false

  jwk_password_file
    The path to the file containing the password used to encrypt or decrypt the private key.

  jwk_encrypt_password
    Password used to encrypt the JWK provisioner key. Required when creating a JWK provisioner.
    This value is never logged (no_log).

OIDC provisioners

  oidc_client_id
    The id used to validate the audience in an OpenID Connect token.

  oidc_client_secret
    The secret used to obtain the OpenID Connect tokens.

  oidc_configuration_endpoint
    OpenID Connect configuration URL.

  oidc_admin_email
    The email of an admin user in an OpenID Connect provisioner. This user has no restrictions
    on the certificates it can sign. Also accepts a list for multiple administrators.

  oidc_domain
    The domain used to validate the email claim in an OpenID Connect provisioner.
    Also accepts a list for multiple domains.

  oidc_listen_address
    The callback address used in the OpenID Connect flow (e.g. ':10000').

Cloud provisioners (AWS, GCP, Azure)

  aws_account
    The AWS account id used to validate the identity documents.
    Also accepts a list for passing multiple ids.

  aws_iid_roots_file
    The path to the file containing the certificates used to validate the instance identity
    documents in AWS.

  gcp_project
    The Google project id used to validate the identity tokens.
    Also accepts a list for passing multiple ids.

  gcp_service_account
    The Google service account email or id used to validate the identity tokens.
    Also accepts a list for passing multiple ids.

  azure_tenant
    The Microsoft Azure tenant id used to validate the identity tokens.

  azure_resource_group
    The Microsoft Azure resource group name used to validate the identity tokens.
    Also accepts a list for passing multiple names.

  instance_age
    The maximum instance age for which a certificate is granted in AWS and GCP provisioners;
    an instance launched longer ago than this is refused. A duration is a sequence of decimal
    numbers, each with an optional fraction and a unit suffix, such as '300ms', '-1.5h' or
    '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'.

  disable_custom_sans (bool)
    On cloud provisioners, if enabled only the internal DNS name and IP will be added as SANs.
    By default any SAN in the CSR is accepted. Default: false

  disable_trust_on_first_use (bool)
    On cloud provisioners, if enabled multiple sign requests from the same instance are accepted.
    By default only the first request from an instance is accepted. Default: false

X5C provisioners

  x5c_root_file
    Root certificate (chain) file used to validate the signature on X5C provisioning tokens.

K8sSA provisioners

  k8s_pem_keys_file
    Public key file for validating signatures on Kubernetes Service Account tokens. A PEM
    formatted bundle (can have multiple PEM blocks in the same file) of public keys and
    X.509 certificates.
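The cloud and OIDC options above are the ones that decide how much a stolen instance identity document or a random IdP account can do with the CA, so it is worth checking what actually ended up in ca.json after the playbook ran. The script below is an added example and not part of the maxhoesel.smallstep collection or of Smallstep's tooling: it reads the configuration file that the module (via step ca provisioner add) edits and flags cloud provisioners that still accept custom SANs, have trust-on-first-use disabled, have no instance_age, or leave an account/project/service-account/resource-group list empty, and OIDC provisioners with no oidc_domain restriction. It assumes the step-ca ca.json layout (authority.provisioners[] with the fields type, name, disableCustomSANs, disableTrustOnFirstUse, instanceAge, accounts, projectIDs, serviceAccounts, resourceGroups, domains) and assumes that an empty scoping list means "unrestricted"; the sample document embedded in it is constructed for the example.

```python
"""Audit the provisioners in a step-ca ca.json for permissive settings.

Added example; not code from the maxhoesel.smallstep collection or from
Smallstep. Field names are assumed from the step-ca configuration format and
an empty scoping list is assumed to mean "unrestricted".
"""
import json
import re

CLOUD_TYPES = {"AWS", "GCP", "Azure"}
# Scoping fields per cloud type; an empty list leaves that dimension open (assumption).
SCOPE_FIELDS = {
    "AWS": ["accounts"],
    "GCP": ["projectIDs", "serviceAccounts"],
    "Azure": ["resourceGroups"],
}
# Go duration syntax as described for instance_age: e.g. 300ms, 1.5h, 2h45m
_DURATION = re.compile(r"^-?(\d+(\.\d+)?(ns|us|µs|ms|s|m|h))+$")


def audit_provisioner(p: dict) -> list[str]:
    """Return findings for one provisioner entry (empty list if nothing to report)."""
    ptype = p.get("type")
    findings: list[str] = []
    if ptype in CLOUD_TYPES:
        if not p.get("disableCustomSANs", False):
            findings.append("custom SANs from the CSR are accepted (set disable_custom_sans)")
        if p.get("disableTrustOnFirstUse", False):
            findings.append("trust-on-first-use disabled: one instance may enroll repeatedly")
        for field in SCOPE_FIELDS[ptype]:
            if not p.get(field):
                findings.append(f"{field} is empty: no restriction on that dimension")
        if ptype in {"AWS", "GCP"}:
            age = p.get("instanceAge")
            if not age:
                findings.append("no instanceAge: instances of any age may enroll")
            elif not _DURATION.match(age) or age.startswith("-"):
                findings.append(f"instanceAge {age!r} is not a positive Go duration")
    elif ptype == "OIDC":
        if not p.get("domains"):
            findings.append("no oidc_domain: any account at the identity provider is accepted")
    return findings


def audit_config(ca_json: str) -> dict[str, list[str]]:
    """Map 'TYPE/name' of every provisioner in a ca.json document to its findings."""
    cfg = json.loads(ca_json)
    provisioners = cfg.get("authority", {}).get("provisioners", [])
    return {f"{p.get('type')}/{p.get('name')}": audit_provisioner(p) for p in provisioners}


# Constructed sample ca.json fragment (not a real CA configuration).
SAMPLE_CA_JSON = json.dumps({
    "authority": {"provisioners": [
        {"type": "AWS", "name": "Amazon", "accounts": ["123456789"],
         "instanceAge": "1h", "disableCustomSANs": True},
        {"type": "GCP", "name": "Google", "projectIDs": ["internal"],
         "serviceAccounts": [], "disableCustomSANs": False,
         "disableTrustOnFirstUse": True},
        {"type": "OIDC", "name": "Google",
         "clientID": "example.apps.googleusercontent.com",
         "configurationEndpoint": "https://accounts.google.com/.well-known/openid-configuration",
         "admins": ["max@smallstep.com"]},
        {"type": "ACME", "name": "acme-smallstep"},
    ]}
})


if __name__ == "__main__":
    import sys
    # Usage: python audit_provisioners.py [/path/to/ca.json]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CA_JSON
    for key, findings in audit_config(text).items():
        status = "ok" if not findings else "review"
        print(f"[{status}] {key}")
        for f in findings:
            print(f"    - {f}")
```

Run it against the CA host's ca.json (the path given as ca_config) after the playbook, or fetch the file and run it from the controller. Findings are advisory: an OIDC provisioner without a domain restriction is intended in some setups, but it should be a deliberate choice rather than a forgotten default.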