thalesgroup.ciphertrust.cckm_aws_custom_keystore (1.0.0) — module

CCKM module for AWS Custom Key Store

Added in version 1.0.0 of thalesgroup.ciphertrust

Authors: Anurag Jain, Developer Advocate Thales Group

Install collection

Install with ansible-galaxy collection install thalesgroup.ciphertrust:==1.0.0


Add to requirements.yml

  collections:
    - name: thalesgroup.ciphertrust
      version: 1.0.0

Description

This is a Thales CipherTrust Manager module for working with the CipherTrust Manager APIs, specifically the CCKM APIs for AWS Custom Key Stores.

Usage examples

- name: "Create AWS CKS"
  thalesgroup.ciphertrust.cckm_aws_custom_keystore:
    localNode:
        server_ip: "IP/FQDN of CipherTrust Manager"
        server_private_ip: "Private IP in case that is different from above"
        server_port: 5432
        user: "CipherTrust Manager Username"
        password: "CipherTrust Manager Password"
        verify: false
    op_type: create

Inputs

kms:
    description: Name or ID of the AWS Account container in which to create the key store.
    type: str

name:
    description: Unique name for the custom key store
    type: str

cks_id:
    description: AWS Custom Key Store ID
    type: str

job_id:
    description: Synchronization Job ID
    type: str

region:
    description: Name of the available AWS regions
    type: str

op_type:
    choices:
    - create
    - update
    - create-synchronization-job
    - cancel-synchronization-job
    - create-virtual-key
    - update-virtual-key
    - create-hyok-key
    - cks_op
    - hyok_op
    description: Operation to be performed
    required: true
    type: str

regions:
    description: Regions from which the AWS custom key stores will be synchronized. If
      not specified, custom key stores from all regions are synchronized. synchronize_all
      is mutually exclusive with the kms and regions pair; specify either synchronize_all,
      or kms together with regions.
    type: list

kms_list:
    description: Name or ID of the KMS resource from which the AWS custom key stores will
      be synchronized. synchronize_all is mutually exclusive with the kms and regions pair;
      specify either synchronize_all, or kms together with regions.
    type: list

aws_param:
    description: Parameters related to AWS interaction with a custom key store
    type: dict

deletable:
    type: bool

key_users:
    description: IAM users who can use the KMS key in cryptographic operations. Key users
      are mutually exclusive to policy and policy template. If no policy parameters are
      specified, the default policy is used.
    type: list

localNode:
    description:
    - this holds the connection parameters required to communicate with an instance of
      CipherTrust Manager (CM)
    - holds IP/FQDN of the server, username, password, and port
    required: true
    suboptions:
      password:
        description: admin password of CM
        required: true
        type: str
      server_ip:
        description: CM Server IP or FQDN
        required: true
        type: str
      server_port:
        default: 5432
        description: Port on which CM server is listening
        required: true
        type: int
      server_private_ip:
        description: internal or private IP of the CM Server, if different from the server_ip
        required: true
        type: str
      user:
        description: admin username of CM
        required: true
        type: str
      verify:
        default: false
        description: whether the TLS/SSL certificate of the CM server is verified
        required: true
        type: bool
    type: dict

cks_key_id:
    description: AWS Custom Key Store Key ID
    type: str

key_admins:
    description: IAM users who can administer this key using the KMS API. Key admins are
      mutually exclusive to policy and policy template. If no policy parameters are specified,
      the default policy is used.
    type: list

cks_op_type:
    choices:
    - create-aws-key
    - connect
    - link
    - block
    - unblock
    - disconnect
    - rotate-credential
    description: Operation that can be performed on a Custom Key Store
    type: str

hyok_key_id:
    description: HYOK Key ID
    type: str

hyok_op_type:
    choices:
    - block
    - unblock
    - link
    description: Operation that can be performed on an HYOK Key
    type: str

linked_state:
    description: Indicates whether the custom key store is linked with AWS. Applicable
      to a custom key store of type EXTERNAL_KEY_STORE. Default value is false. When false,
      creating a custom key store in the CCKM does not trigger the AWS KMS to create a
      new key store. Also, the new custom key store will not synchronize with any key
      stores within the AWS KMS until the new key store is linked.
    type: bool

cks_key_param:
    description: AWS key parameters.
    type: dict

source_key_id:
    description: The unique id of the source key (Luna HSM key) for the first version
      of the virtual key.
    type: str

policytemplate:
    description: ID of the policy template to apply. Policy template is mutually exclusive
      to all other policy parameters. If no policy parameters are specified, the default
      policy is used.
    type: str

virtual_key_id:
    description: Virtual Key ID
    type: str

key_users_roles:
    description: IAM roles that can use the KMS key in cryptographic operations. Key users
      are mutually exclusive to policy and policy template. If no policy parameters are
      specified, the default policy is used.
    type: list

synchronize_all:
    description: Set to true to synchronize all custom key stores from all KMS resources and
      regions. synchronize_all is mutually exclusive with the kms and regions pair; specify
      either synchronize_all, or kms together with regions.
    type: bool

key_admins_roles:
    description: IAM roles that can administer this key using the KMS API. Key admins
      are mutually exclusive to policy and policy template. If no policy parameters are
      specified, the default policy is used.
    type: list

external_accounts:
    description: AWS accounts that can use this key. External accounts are mutually exclusive
      to policy and policy template. If no policy parameters are specified, the default
      policy is used.
    type: list

key_store_password:
    description: The password of the kmsuser crypto user (CU) account configured in the
      specified CloudHSM cluster. This parameter does not change the password in the CloudHSM
      cluster; the credentials must be configured on the CloudHSM cluster separately.
      Required for a custom key store of type AWS_CLOUDHSM. Omit for External Key
      Stores.
    type: str

local_hosted_params:
    description: Parameters for a custom key store that is locally hosted
    type: str
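The regions, kms_list and synchronize_all inputs above describe two mutually exclusive ways of scoping a synchronization job. The playbook below is an added example written for this page; it is not part of the thalesgroup.ciphertrust collection's own documentation. It uses only the module parameters listed in the Inputs section, guards the mutually exclusive modes with a playbook-side assert (the page does not say whether the module itself rejects conflicting inputs), keeps the CM password out of task output with no_log, and leaves TLS verification enabled. The host name, user name, KMS container name and the vault_cm_password variable are constructed placeholders.

```yaml
---
# Added example (not from the thalesgroup.ciphertrust collection docs).
# Assumptions: parameter names are as documented on this page; cm_* and
# vault_cm_password are playbook variables you define yourself, and the
# values shown are constructed placeholders rather than a real deployment.
- name: Synchronize AWS custom key stores into CCKM
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    cm_server_ip: "cm.example.internal"        # constructed placeholder
    cm_user: "cckm-sync"                       # constructed placeholder
    cm_password: "{{ vault_cm_password }}"     # kept in an Ansible Vault file
    # Exactly one scoping mode may be used; the assert task enforces it.
    sync_all: false
    sync_kms_list: ["kms-prod-account"]        # constructed KMS container name
    sync_regions: ["us-east-1", "eu-west-1"]
    cm_local_node:
      server_ip: "{{ cm_server_ip }}"
      server_private_ip: "{{ cm_server_ip }}"
      server_port: 5432
      user: "{{ cm_user }}"
      password: "{{ cm_password }}"
      verify: true   # keep certificate verification on; the page's sample disables it

  tasks:
    - name: Refuse a mutually exclusive combination before calling the module
      ansible.builtin.assert:
        that:
          # synchronize_all must not be combined with kms/regions
          - not ((sync_all | bool) and ((sync_kms_list | length) > 0 or (sync_regions | length) > 0))
          # and if synchronize_all is off, both kms and regions must be given
          - (sync_all | bool) or ((sync_kms_list | length) > 0 and (sync_regions | length) > 0)
        fail_msg: "Set synchronize_all, or both kms_list and regions, never both modes"

    - name: Start a sync job covering every KMS container and region
      thalesgroup.ciphertrust.cckm_aws_custom_keystore:
        localNode: "{{ cm_local_node }}"
        op_type: create-synchronization-job
        synchronize_all: true
      when: sync_all | bool
      no_log: true    # task arguments carry the CM password
      register: sync_result

    - name: Start a sync job limited to named KMS containers and regions
      thalesgroup.ciphertrust.cckm_aws_custom_keystore:
        localNode: "{{ cm_local_node }}"
        op_type: create-synchronization-job
        kms_list: "{{ sync_kms_list }}"
        regions: "{{ sync_regions }}"
      when: not (sync_all | bool)
      no_log: true
      register: sync_result
```

Run it with the vault file supplied, for example `ansible-playbook sync.yml --vault-id cm@prompt`. Because no_log also hides the registered result in verbose output, temporarily drop it only while debugging against a non-production CM instance.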