maxhoesel / maxhoesel.smallstep / 0.23.1 / module / step_ca_provisioner_claims
Removed in 0.24.0
Reason: These features are now available in step_ca_provisioner. This module directly edits the CA.json config, which is not recommended.
Alternative: Use M(maxhoesel.smallstep.step_ca_provisioner)'s ssh_/x509_ flags instead.
Manage default or provisioner claims on a C(step-ca) server
Added in version 0.2.1 of maxhoesel.smallstep
Authors: Max Hösel (@maxhoesel)
Install with ansible-galaxy collection install maxhoesel.smallstep:==0.23.1
collections:
  - name: maxhoesel.smallstep
    version: 0.23.1
This module can add, update or remove claims (such as certificate duration) on a step-ca server. You can either modify the claims of an individual provisioner, or change the default global claims.
- name: Change the TLS cert duration of a provisioner
  maxhoesel.smallstep.step_ca_provisioner_claims:
    name: webtokens-1
    type: JWK
    min_tls_cert_duration: 24h
    max_tls_cert_duration: 720h
    default_tls_cert_duration: 168h

- name: Change default (global) claims
  maxhoesel.smallstep.step_ca_provisioner_claims:
    global_claims: yes
    min_tls_cert_duration: 24h
    max_tls_cert_duration: 720h
    default_tls_cert_duration: 168h

- name: Overwrite the claims of a provisioner with the given parameters
  maxhoesel.smallstep.step_ca_provisioner_claims:
    name: webtokens-1
    type: JWK
    exclusive: yes
    min_tls_cert_duration: 24h
    max_tls_cert_duration: 720h
    default_tls_cert_duration: 168h
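An added example (not part of the collection or of the original page): because this module writes claims straight into ca.json, a read-only check like the one below can confirm that the resulting TLS durations are consistent, including for a provisioner that sets only some claims. It assumes step-ca's camelCase key names under authority.claims and authority.provisioners[].claims and that a provisioner inherits unset claims from the global claims; the function names and the acme-short provisioner are constructed for illustration.

```python
import json
import re
# Assumption: step-ca's camelCase spelling of the *_tls_cert_duration claims.
_TLS_KEYS = ("minTLSCertDuration", "defaultTLSCertDuration", "maxTLSCertDuration")
_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}  # seconds
_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")

def parse_duration(text):
    """Convert a Go-style duration such as '24h' or '1h30m' to seconds."""
    parts = _PART.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"not a Go duration: {text!r}")
    return sum(float(n) * _UNITS[u] for n, u in parts)

def check_claims(scope, claims, inherited):
    """Findings for one claims dict; unset claims fall back to `inherited`."""
    merged = {**inherited, **claims}
    try:
        lo, default, hi = (parse_duration(merged[k]) if k in merged else None
                           for k in _TLS_KEYS)
    except ValueError as exc:
        return [f"{scope}: {exc}"]
    findings = []
    if None not in (lo, hi) and lo > hi:
        findings.append(f"{scope}: min TLS duration exceeds max")
    if default is not None and ((lo is not None and default < lo)
                                or (hi is not None and default > hi)):
        findings.append(f"{scope}: default TLS duration outside [min, max]")
    return findings

def audit(ca_config):
    """Check the global claims, then each provisioner's claims layered over them."""
    authority = ca_config.get("authority", {})
    global_claims = authority.get("claims") or {}
    findings = check_claims("global", global_claims, {})
    for prov in authority.get("provisioners", []):
        scope = f"{prov.get('type')}/{prov.get('name')}"
        findings += check_claims(scope, prov.get("claims") or {}, global_claims)
    return findings

# Constructed sample: global values from the examples above, plus a partial override.
SAMPLE = json.loads("""{"authority": {
  "claims": {"minTLSCertDuration": "24h", "maxTLSCertDuration": "720h", "defaultTLSCertDuration": "168h"},
  "provisioners": [
    {"type": "JWK", "name": "webtokens-1", "claims": {"minTLSCertDuration": "24h", "maxTLSCertDuration": "720h"}},
    {"type": "ACME", "name": "acme-short", "claims": {"maxTLSCertDuration": "48h"}}]}}""")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
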
name:
  description: >-
    The name of the provisioner to modify. If multiple provisioners have the same name,
    all provisioners will be modified unless I(type) is set.
    Has no effect if I(global) is true.
  type: str
type:
  choices:
    - JWK
    - OIDC
    - AWS
    - GCP
    - Azure
    - ACME
    - X5C
    - K8sSA
    - SSHPOP
  description: >-
    Only modify the provisioner that has this type. Only effective if multiple provisioners
    with the same name exist. Has no effect if I(global) is true. Case-sensitive.
  type: str
ca_config:
  default: CI($STEPPATH)/config/ca.json
  description: The path to the certificate authority configuration file on the host.
  type: path
exclusive:
  default: false
  description: Replace all existing claims for the selected scope with the ones defined in the module parameters.
  type: bool
enable_SSHCA:
  description: Enable this provisioner to generate SSH Certificates.
  type: bool
global_claims:
  default: false
  description: >-
    If enabled, modify the global defaults instead of specific provisioners.
    In this case, I(name) and I(type) are ignored.
  type: bool
disable_renewal:
  description: Disable renewals with this provisioner.
  type: bool
max_host_ssh_duration:
  description: Do not allow certificates with a duration greater than this value.
  type: str
max_tls_cert_duration:
  description: Do not allow certificates with a duration greater than this value.
  type: str
max_user_ssh_duration:
  description: Do not allow certificates with a duration greater than this value.
  type: str
min_host_ssh_duration:
  description: Do not allow certificates with a duration less than this value.
  type: str
min_tls_cert_duration:
  description: Do not allow certificates with a duration less than this value.
  type: str
min_user_ssh_duration:
  description: Do not allow certificates with a duration less than this value.
  type: str
disable_issued_at_check:
  description: >-
    Disable a check verifying that provisioning tokens must be issued after the CA has booted.
    This claim is one prevention against token reuse. The default value is false.
    Do not change this unless you know what you are doing.
  type: bool
default_host_ssh_duration:
  description: If no certificate validity period is specified, use this value.
  type: str
default_tls_cert_duration:
  description: If no certificate validity period is specified, use this value.
  type: str
default_user_ssh_duration:
  description: If no certificate validity period is specified, use this value.
  type: str
claims:
  description: >-
    Dictionary containing the claims of the selected scope. Dict of dict if multiple
    provisioners were selected, with the provisioner type as key.
  returned: always
  type: dict