thalesgroup.ciphertrust.cckm_az_key (1.0.0) — module

CCKM module for Azure Keys

Added in version 1.0.0 of thalesgroup.ciphertrust

Authors: Anurag Jain, Developer Advocate Thales Group

Install collection

Install with ansible-galaxy collection install thalesgroup.ciphertrust:==1.0.0


Add to requirements.yml

  collections:
    - name: thalesgroup.ciphertrust
      version: 1.0.0

Description

This is a Thales CipherTrust Manager module for working with the CipherTrust Manager APIs, more specifically with the CCKM for Azure Keys API.

Usage examples

- name: "Create Azure Key"
  thalesgroup.ciphertrust.cckm_az_key:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
    op_type: create
    key_name: "Name of the key to create on Azure (alphanumeric characters and dashes)"
    key_vault: "Id or name of the Azure key vault"

Inputs

pfx:
    description: PFX key. Specify a Base64 encoded key.
    type: str

tags:
    description: Application specific metadata in the form of key-value pair.
    type: dict

job_id:
    description: Synchronization job to be deleted
    type: str

key_id:
    description: Id of the key to be acted upon
    type: str

kek_kid:
    description: Identifier of azure key encryption key.
    type: str

key_ops:
    choices:
    - encrypt
    - decrypt
    - sign
    - verify
    - wrapKey
    - unwrapKey
    description: Key operations to be updated.
    type: list

op_type:
    choices:
    - create
    - update
    - key_op
    - upload-key
    - create-sync-job
    - cancel-sync-job
    description: Operation to be performed
    required: true
    type: str

key_name:
    description: Name for the key on Azure. Key names can only contain alphanumeric characters
      and dashes.
    type: str

password:
    description: PFX password. Specify only if the PFX certificate is provided.
    type: str

key_vault:
    description: Id or name of the key vault where the key will be created on Azure.
    type: str

localNode:
    description:
    - This holds the connection parameters required to communicate with an instance of
      CipherTrust Manager (CM).
    - Holds the IP/FQDN of the server, username, password, and port.
    required: true
    suboptions:
      password:
        description: admin password of CM
        required: true
        type: str
      server_ip:
        description: CM Server IP or FQDN
        required: true
        type: str
      server_port:
        default: 5432
        description: Port on which CM server is listening
        required: true
        type: int
      server_private_ip:
        description: internal or private IP of the CM Server, if different from the server_ip
        required: true
        type: str
      user:
        description: admin username of CM
        required: true
        type: str
      verify:
        default: false
        description: Whether to verify the TLS certificate of the CM server (false disables verification)
        required: true
        type: bool
    type: dict

attributes:
    description: Key attributes to be updated.
    type: dict

exportable:
    description: Allow private key to be exported from Azure. Currently, it is only valid
      when key source is hsm-luna and vault is a premium vault or a managed-hsm vault.
    type: bool

key_vaults:
    description: Name or ID of key vaults from which Azure keys will be synchronized.
      synchronize_all and key_vaults are mutually exclusive. Specify either the synchronize_all
      or key_vaults.
    type: list

azure_param:
    description: Azure key parameters.
    type: dict

key_op_type:
    choices:
    - soft-delete
    - hard-delete
    - restore
    - recover
    - delete-backup
    - enable-rotation-job
    - disable-rotation-job
    description: Operation to be performed on the key
    type: str

job_config_id:
    description: Id of the scheduler job that will perform key rotation.
    type: str

release_policy:
    description: Key release policy. Must be set if exportable is true.
    type: dict

source_key_tier:
    choices:
    - local
    - pfx
    - dsm
    - hsm-luna
    default: local
    description: Source key tier. Options are local, pfx, dsm, and hsm-luna. Default is
      local.
    type: str

synchronize_all:
    description: Set true to synchronize all keys from all vaults. synchronize_all and
      key_vaults are mutually exclusive. Specify either the synchronize_all or key_vaults.
    type: bool

dsm_key_identifier:
    description: Identifier of the dsm key. It is a required parameter if source key tier
      is dsm.
    type: str

auto_rotate_ec_name:
    choices:
    - P-256
    - P-384
    - P-521
    - SECP256K1
    description: Name of the elliptic curve for the key. Required only when key_type is EC.
    type: str

luna_key_identifier:
    description: Identifier of the luna hsm key. It is a required parameter if source
      key tier is hsm-luna.
    type: str

auto_rotate_key_size:
    choices:
    - 2048
    - 3072
    - 4096
    description: Size of the new rotated key. Required only when key_type is RSA.
    type: str

auto_rotate_key_type:
    choices:
    - EC
    - EC-HSM
    - RSA
    - RSA-HSM
    description: Algorithm for the key.
    type: str

local_key_identifier:
    description: Identifier of the CipherTrust Manager key to upload. Key name or ID can
      be specified. It is a required parameter if source key tier is local.
    type: str

auto_rotate_domain_id:
    description: Id of the domain in which dsm key will be created.
    type: str

auto_rotate_enable_key:
    description: Whether to enable the newly rotated key.
    type: bool

auto_rotate_key_source:
    choices:
    - native
    - hsm-luna
    - dsm
    - ciphertrust
    description: Source of the key material. Options are native, hsm-luna, dsm and ciphertrust.
    type: str

auto_rotate_partition_id:
    description: Id of the partition in which hsm key will be created.
    type: str

auto_rotate_release_policy:
    description: Optional, new key release policy for exportable keys.
    type: dict
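The input list above states several rules that the module does not spell out in one place: synchronize_all and key_vaults are mutually exclusive, each source_key_tier needs its own identifier, a PFX password is only meaningful with a PFX blob, release_policy must accompany exportable, and localNode.verify defaults to false. The following pre-flight validator, an added example that is not part of the thalesgroup.ciphertrust collection, encodes those rules so a task such as the "Create Azure Key" usage example can be checked before it reaches CipherTrust Manager. The function names, the sample task and the scoping of the tier-identifier rule to upload-key are assumptions made for this example.

```python
"""Pre-flight checks for thalesgroup.ciphertrust.cckm_az_key task arguments.

Added example, not code from the collection. It encodes the parameter rules
stated in the module's input documentation. Function names and the sample
task are constructed for this example.
"""

OP_TYPES = {"create", "update", "key_op", "upload-key",
            "create-sync-job", "cancel-sync-job"}
KEY_OP_TYPES = {"soft-delete", "hard-delete", "restore", "recover",
                "delete-backup", "enable-rotation-job", "disable-rotation-job"}
# Identifier parameter each source key tier requires, per the docs.
TIER_IDENTIFIER = {"local": "local_key_identifier", "pfx": "pfx",
                   "dsm": "dsm_key_identifier", "hsm-luna": "luna_key_identifier"}


def check_local_node(local_node):
    """Return (errors, warnings) for the localNode connection block."""
    errors, warnings = [], []
    if not isinstance(local_node, dict):
        return ["localNode must be a mapping"], warnings
    for key in ("server_ip", "user", "password"):
        if not local_node.get(key):
            errors.append(f"localNode.{key} is required")
    port = local_node.get("server_port", 5432)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        errors.append("localNode.server_port must be a valid port number")
    # verify defaults to false in the docs; flag it so that skipping the TLS
    # check is a deliberate choice rather than an accident.
    if local_node.get("verify", False) is not True:
        warnings.append("localNode.verify is false: the CipherTrust Manager "
                        "TLS certificate will not be validated")
    return errors, warnings


def check_task(args):
    """Validate one cckm_az_key task; returns (errors, warnings)."""
    errors, warnings = [], []
    op_type = args.get("op_type")
    if op_type not in OP_TYPES:
        errors.append(f"op_type must be one of {sorted(OP_TYPES)}")
    if "localNode" not in args:
        errors.append("localNode is required")
    else:
        e, w = check_local_node(args["localNode"])
        errors += e
        warnings += w

    if op_type == "key_op" and args.get("key_op_type") not in KEY_OP_TYPES:
        errors.append("key_op_type must be a documented value for op_type key_op")
    if op_type == "cancel-sync-job" and not args.get("job_id"):
        errors.append("job_id is required for cancel-sync-job")

    # synchronize_all and key_vaults are mutually exclusive.
    if args.get("synchronize_all") and args.get("key_vaults"):
        errors.append("synchronize_all and key_vaults are mutually exclusive")

    # A PFX password only makes sense together with a PFX blob.
    if args.get("password") and not args.get("pfx"):
        errors.append("password may only be given when pfx is provided")

    # Each source key tier needs its own identifier when uploading a key.
    # (Assumption: the rule is applied only to op_type upload-key.)
    tier = args.get("source_key_tier", "local")
    if tier not in TIER_IDENTIFIER:
        errors.append(f"source_key_tier must be one of {sorted(TIER_IDENTIFIER)}")
    elif op_type == "upload-key" and not args.get(TIER_IDENTIFIER[tier]):
        errors.append(f"{TIER_IDENTIFIER[tier]} is required when source_key_tier is {tier}")

    # An exportable key must carry a release policy.
    if args.get("exportable") and not args.get("release_policy"):
        errors.append("release_policy must be set when exportable is true")

    # Rotation parameters: EC keys need a curve name, RSA keys a size.
    # (Assumption: the -HSM variants follow the same rule as their base type.)
    key_type = args.get("auto_rotate_key_type")
    if key_type in ("EC", "EC-HSM") and not args.get("auto_rotate_ec_name"):
        errors.append("auto_rotate_ec_name is required when auto_rotate_key_type is EC")
    if key_type in ("RSA", "RSA-HSM") and not args.get("auto_rotate_key_size"):
        errors.append("auto_rotate_key_size is required when auto_rotate_key_type is RSA")
    return errors, warnings


# Constructed sample: the "Create Azure Key" task from the docs with TLS
# verification switched on and placeholder connection values.
SAMPLE_CREATE_TASK = {
    "localNode": {"server_ip": "cm.example.internal", "server_port": 5432,
                  "user": "admin", "password": "REPLACE_ME", "verify": True},
    "op_type": "create",
    "key_name": "example-azure-key",
    "key_vault": "example-vault",
}

if __name__ == "__main__":
    errs, warns = check_task(SAMPLE_CREATE_TASK)
    print("errors:", errs)
    print("warnings:", warns)
```

Run it against the module arguments of each task (for instance after loading a playbook with a YAML parser) and fail the pipeline on any error; the verify warning is worth treating as an error in environments where the CipherTrust Manager certificate is trusted by the controller.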