smallstep.agent.collection (0.0.1) — module

Manage a Smallstep collection

Authors: Joe Doss (@jdoss)

Install collection

Install with ansible-galaxy collection install smallstep.agent:==0.0.1


Add to requirements.yml

  collections:
    - name: smallstep.agent
      version: 0.0.1

Description

Manage a Smallstep collection

Usage examples

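# Example: collection for AWS EC2 devices.
# api_token is a bearer credential for the Smallstep API: supply it from Ansible
# Vault or an environment lookup, never as a literal committed with the playbook.
- name: Manage Smallstep Collection for AWS
  smallstep.agent.collection:
    slug: "aws-nginx-demo"
    name: "AWS NGINX Demo"
    # Admins can manage the agents authority; keep this list minimal.
    admin_emails:
      - jdoss@smallstep.com
    device_type:
      aws_vm:
        # Only instances in these accounts may use the provisioner; list accounts you control.
        accounts:
          - "123456789011"
          - "222233334444"
        # true restricts SANs to those in the instance identity document, so an
        # instance cannot request a certificate for a name it does not own.
        disable_custom_sans: true
    api_token: "{{ smallstep_api_token }}"  # from Vault/env, not a literal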
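# Example: collection for Azure VM devices.
# api_token is a bearer credential for the Smallstep API: supply it from Ansible
# Vault or an environment lookup, never as a literal committed with the playbook.
- name: Manage Smallstep Collection for Azure
  smallstep.agent.collection:
    slug: "azure-nginx-demo"
    name: "Azure NGINX Demo"
    # Admins can manage the agents authority; keep this list minimal.
    admin_emails:
      - jdoss@smallstep.com
    device_type:
      azure_vm:
        # Only VMs in these resource groups may use the provisioner.
        resource_groups:
          - my-resource-group
          - my-other-resource-group
        # NOTE(review): the Inputs section declares tenant_id as type bool, but the
        # value is the Azure Directory (tenant) ID — verify the argument_spec.
        tenant_id:
          - 847cb745-de21-4622-9c05-f15b069c3f04
        # true restricts SANs to those in the instance identity document, so a VM
        # cannot request a certificate for a name it does not own.
        disable_custom_sans: true
    api_token: "{{ smallstep_api_token }}"  # from Vault/env, not a literal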
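# Example: collection for GCP VM devices.
# api_token is a bearer credential for the Smallstep API: supply it from Ansible
# Vault or an environment lookup, never as a literal committed with the playbook.
- name: Manage Smallstep Collection for GCP
  smallstep.agent.collection:
    slug: "gcp-nginx-demo"
    name: "GCP NGINX Demo"
    # Admins can manage the agents authority; keep this list minimal.
    admin_emails:
      - jdoss@smallstep.com
    device_type:
      gcp_vm:
        # Only instances in these projects may use the provisioner; list projects you control.
        project_ids:
          - prod
          - dev
        # Only instances running as these service accounts may use the provisioner.
        service_accounts:
          - production@prod.iam.gserviceaccount.com
          - development@dev.iam.gserviceaccount.com
        # true restricts SANs to those in the instance identity document, so an
        # instance cannot request a certificate for a name it does not own.
        disable_custom_sans: true
    api_token: "{{ smallstep_api_token }}"  # from Vault/env, not a literal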

Inputs

    
name:
    description:
    - The name of the collection.
    - Required.
    type: str

slug:
    description:
    - The slug of the collection.
    - Required.
    type: str

state:
    choices:
    - absent
    - present
    default: present
    description:
    - Desired state of the collection: present to ensure it exists, absent to remove it.
    type: str

api_host:
    description: The Smallstep host used when connecting.
    env:
    - name: SMALLSTEP_API_HOST
    type: str

api_token:
    description:
    - The Smallstep API token used when connecting. This is a secret: supply it from
      Ansible Vault or the environment rather than as a literal in a playbook, and
      make sure it is not echoed in task output.
    - Required.
    env:
    - name: SMALLSTEP_API_host  # NOTE(review): differs from api_host's SMALLSTEP_API_HOST only by case and is almost certainly a typo for the token variable — confirm the name in the module source before relying on it
    type: str

device_type:
    description:
    - The device type of the collection
    - Required.
    elements: dict
    required: true
    suboptions:
      aws_vm:
        elements: dict
        suboptions:
          accounts:
            description:
            - The list of AWS account IDs that are allowed to use this provisioner. Any EC2
              instance in a listed account can enrol, so list only accounts you control.
            - Required for AWS device type.
            elements: str
            required: true
            type: list
          disable_custom_sans:
            description:
            - By default custom SANs are valid, but if this option is set to true only
              the SANs available in the instance identity document will be valid.
            - These are the private IP and the DNS name ip-<private-ip>.<region>.compute.internal.
            - With custom SANs enabled the requesting instance chooses the names in its
              certificate, so set this to true unless custom names are actually required.
            type: bool
        type: list  # NOTE(review): declared as a list, but the usage example and the azure_vm/gcp_vm siblings pass a mapping — verify against the argument_spec
      azure_vm:
        suboptions:
          audience:
            default: https://management.azure.com/
            description:
            - Defaults to https://management.azure.com/ but it can be changed if necessary.
            required: false
            type: str
          disable_custom_sans:
            description:
            - By default custom SANs are valid, but if this option is set to true only
              the SANs available in the instance identity document will be valid.
            - NOTE(review): the original text here repeated the AWS "ip-...compute.internal"
              wording, which does not apply to Azure; confirm which SANs the Azure identity
              document supplies before documenting them.
            - With custom SANs enabled the requesting VM chooses the names in its
              certificate, so set this to true unless custom names are actually required.
            required: false
            type: bool
          resource_groups:
            description:
            - The list of Azure resource group names that are allowed to use this provisioner.
              Any VM in a listed resource group can enrol, so list only groups you control.
            - Required for Azure device type.
            elements: str
            required: true
            type: list
          tenant_id:
            description:
            - The Azure account tenant ID for this provisioner.
            - This ID is the Directory ID available in the Azure Active Directory properties.
            - Required for Azure device type.
            required: true
            type: bool  # NOTE(review): the value is a Directory (tenant) ID, and the usage example passes a UUID — 'bool' looks wrong; verify against the argument_spec
        type: dict
      gcp_vm:
        suboptions:
          disable_custom_sans:
            description:
            - By default custom SANs are valid, but if this option is set to true only
              the SANs available in the instance identity document will be valid.
            - These are the private IP and the DNS entries of the device.
            - With custom SANs enabled the requesting instance chooses the names in its
              certificate, so set this to true unless custom names are actually required.
            required: false
            type: bool
          project_ids:
            description:
            - List of GCP project IDs that are allowed to use this provisioner. Instances in a
              listed project can enrol, so list only projects you control.
            - Required for GCP device type.
            elements: str
            required: true
            type: list
          service_accounts:
            description:
            - List of GCP service accounts that are allowed to use this provisioner.
            - Required for GCP device type.
            elements: str
            required: true
            type: list
        type: dict
      tpm:
        suboptions:
          attestor_intermediates:
            description:
            - The pem-encoded list of intermediate certificates used to build a chain
              of trust from the attestation certificates submitted by agents up to the
              attestor roots.
            - Ignored if the team already has an attestation authority.
            required: false
            type: str
          attestor_roots:
            description:
            - The pem-encoded list of root certificates (trust anchors) used to verify the
              attestation certificates submitted by agents. Ignored if the team already has
              an attestation authority.
            - Required if the team does not already have an attestation authority.
            - Every attestation certificate that chains to one of these roots is trusted, so
              include only the attestation CAs you intend to accept.
            required: false
            type: str
          force_cn:
            description:
            - Force one of the SANs to become the Common Name, if a Common Name is not
              provided.
            required: false
            type: bool
          require_eab:
            description:
            - Only ACME clients that have been preconfigured with valid EAB credentials
              will be able to create an account with this provisioner.
            - Leave this false only if any client able to reach the provisioner should be
              allowed to register an ACME account.
            required: false
            type: bool
        type: dict
    type: dict

admin_emails:
    description:
    - Users that will have admin access to manage the agents authority. These accounts
      can change the authority's trust configuration, so keep the list minimal.
    - Required.
    elements: str
    required: true
    type: list

Outputs

smallstep_collection:
  contains: null
  description: Manage a Smallstep Collection
  returned: Always
  smallstep_collection:
    collection_slug: hotdog-production
    device_type:
      aws_vm:
        accounts:
        - '123456787908'
        disable_custom_sans: false
    display_name: Hotdog App production
    fingerprint: 6a57e47f8aee2ff162415f9d592ccf52ab3681c964c66c122aadd1287ff57112
    response:
      deviceType: aws-vm
      deviceTypeConfiguration:
        accounts:
        - '123456787908'
      displayName: Hotdog App production
      slug: hotdog-production
    team: jdoss
  type: complex