thalesgroup.ciphertrust.cckm_gcp_ekm (1.0.0) — module

CCKM module for Google Cloud Platform EKM

Added in version 1.0.0 of thalesgroup.ciphertrust

Authors: Anurag Jain, Developer Advocate Thales Group

Install collection

Install with ansible-galaxy collection install thalesgroup.ciphertrust:==1.0.0


Add to requirements.yml

  collections:
    - name: thalesgroup.ciphertrust
      version: 1.0.0

Description

This is a Thales CipherTrust Manager module for working with the CipherTrust Manager APIs, specifically the CCKM endpoints for GCP EKM.

Usage examples

- name: "Create GCP EKM"
  thalesgroup.ciphertrust.cckm_gcp_ekm:
    localNode:
        server_ip: "IP/FQDN of CipherTrust Manager"
        server_private_ip: "Private IP in case that is different from above"
        server_port: 5432
        user: "CipherTrust Manager Username"
        password: "CipherTrust Manager Password"
        verify: false
    op_type: create

Inputs

meta:
    description: Additional information associated with this Endpoint
    type: dict

name:
    description: Unique name for Endpoint
    type: str

ekm_id:
    description: ID of GCP EKM to be acted upon
    type: str

policy:
    description: EKM Policy attributes
    type: dict

op_type:
    choices:
    - create
    - update
    - ekm_op
    description: Operation to be performed
    required: true
    type: str

key_type:
    choices:
    - symmetric
    - asymmetric
    default: symmetric
    description: EKM Key type. Default is symmetric
    type: str

algorithm:
    choices:
    - AES256
    - RSA_SIGN_PSS_2048_SHA256
    - RSA_SIGN_PSS_3072_SHA256
    - RSA_SIGN_PSS_4096_SHA256
    - RSA_SIGN_PSS_4096_SHA512
    - RSA_SIGN_PKCS1_2048_SHA256
    - RSA_SIGN_PKCS1_3072_SHA256
    - RSA_SIGN_PKCS1_4096_SHA256
    - RSA_SIGN_PKCS1_4096_SHA512
    - EC_SIGN_P256_SHA256
    - EC_SIGN_P384_SHA384
    description: EKM Key Algorithm. Default is AES256
    type: str

localNode:
    description:
    - this holds the connection parameters required to communicate with an instance of
      CipherTrust Manager (CM)
    - holds IP/FQDN of the server, username, password, and port
    required: true
    suboptions:
      password:
        description: admin password of CM
        required: true
        type: str
      server_ip:
        description: CM Server IP or FQDN
        required: true
        type: str
      server_port:
        default: 5432
        description: Port on which CM server is listening
        required: true
        type: int
      server_private_ip:
        description: internal or private IP of the CM Server, if different from the server_ip
        required: true
        type: str
      user:
        description: admin username of CM
        required: true
        type: str
      verify:
        default: false
        description: if SSL verification is required
        required: true
        type: bool
    type: dict

ekm_op_type:
    choices:
    - rotate
    - enable
    - disable
    description: Operation to be performed on GCP EKM
    type: str

endpoint_type:
    choices:
    - ekm
    - ekm-ude
    default: ekm
    description: EKM Endpoint type. Default is ekm
    type: str

keyURIHostname:
    description: Base URL hostname for the KeyURI
    type: str

existing_key_id:
    description: ID of existing key to use (if applicable for migration from another CM
      deployment). If not supplied, a new key will be created
    type: str

raw_policy_enabled:
    description: Flag to denote if the sent policy is in raw format. Default is false.
      EKM Policy in basic format is required if raw_policy_enabled is false.
    type: bool

cvm_required_for_decrypt:
    description: Whether a confidential VM (with valid attestation) is required for decryption.
      Default is false. Applicable for UDE Endpoint only.
    type: bool

cvm_required_for_encrypt:
    description: Whether a confidential VM (with valid attestation) is required for encryption.
      Default is false. Applicable for UDE Endpoint only.
    type: bool
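The following playbook, added here as an example and not taken from the collection's own documentation, ties the Inputs above together: it creates a UDE endpoint whose encrypt and decrypt operations require a confidential VM with valid attestation, then rotates the key of an existing endpoint. cm_host, cm_user, cm_password and gcp_ekm_id are assumed to be supplied by the caller (for example from a vaulted vars file), and the meta keys are constructed.

```yaml
# Added example, not from the collection's docs. Assumes cm_host, cm_user,
# cm_password and gcp_ekm_id are provided by the caller (e.g. an Ansible Vault
# file). Parameter names are those from the module's Inputs list.
- name: Manage a GCP EKM endpoint in CipherTrust Manager
  hosts: localhost
  gather_facts: false
  vars:
    # Connection block reused by every task. verify is set to true so the
    # CipherTrust Manager TLS certificate is checked (the module default is false).
    cm_node:
      server_ip: "{{ cm_host }}"
      server_private_ip: "{{ cm_host }}"
      server_port: 5432
      user: "{{ cm_user }}"
      password: "{{ cm_password }}"
      verify: true
  tasks:
    - name: Create a UDE endpoint that only serves attested confidential VMs
      thalesgroup.ciphertrust.cckm_gcp_ekm:
        localNode: "{{ cm_node }}"
        op_type: create
        name: gcp-ekm-ude-01
        endpoint_type: ekm-ude
        key_type: symmetric
        algorithm: AES256
        keyURIHostname: "{{ cm_host }}"
        # Both flags apply to UDE endpoints only; leaving them at the default
        # (false) would let any caller with the key URI encrypt or decrypt.
        cvm_required_for_encrypt: true
        cvm_required_for_decrypt: true
        meta:                      # constructed metadata values
          owner: platform-security
          purpose: gcp-cmek
      no_log: true                 # keep CM credentials out of task output
      register: ekm_create

    - name: Rotate the key behind an existing endpoint
      thalesgroup.ciphertrust.cckm_gcp_ekm:
        localNode: "{{ cm_node }}"
        op_type: ekm_op
        ekm_op_type: rotate
        # The module's return structure is not documented on this page, so the
        # endpoint ID is taken from a caller-supplied variable.
        ekm_id: "{{ gcp_ekm_id }}"
      no_log: true
```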