thalesgroup.ciphertrust.cckm_gcp_key (1.0.0) — module

CCKM module for GCP Keys

Added in version 1.0.0 of thalesgroup.ciphertrust.

Authors: Anurag Jain, Developer Advocate Thales Group

Install collection

Install with ansible-galaxy collection install thalesgroup.ciphertrust:==1.0.0


Add to requirements.yml

  # requirements.yml entry for the collection; the exact version pin keeps
  # installs reproducible.
  collections:
    - name: thalesgroup.ciphertrust
      version: "1.0.0"

Description

This is a Thales CipherTrust Manager module for working with the CipherTrust Manager APIs, more specifically with CCKM for GCP Keys

Usage examples

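# Creates a Google Cloud key through CCKM on CipherTrust Manager (CM).
# The task sends the CM admin username and password to server_ip, so the
# connection settings under localNode are the security-relevant part.
# NOTE(review): if the module does not mark `password` as no_log, add
# `no_log: true` to the task so the credential stays out of task output.
- name: "Create GCP Key"
  thalesgroup.ciphertrust.cckm_gcp_key:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      # Supply the password from Ansible Vault or another secret store; do not
      # commit a literal value to the playbook.
      password: "CipherTrust Manager Password"
      # Verify the CM server certificate. The documented default is false,
      # which leaves the admin credentials open to interception in transit.
      # true requires CM to present a certificate the control node trusts.
      verify: true
    op_type: create
    # NOTE(review): the example passes no key parameters; a create presumably
    # also needs key_ring and gcp_key_params (listed under Inputs) - confirm.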

Inputs

    
job_id:
    description: Synchronization job ID to be cancelled
    type: str

key_id:
    description: GCP Key ID to be acted upon
    type: str

labels:
    description: Labels attached to the Google Cloud key, given as JSON key/value
      string pairs.
    type: dict

op_type:
    choices:
    - create
    - update
    - key_op
    - key_version_op
    - upload-key
    - create-sync-job
    - cancel-sync-job
    - update-all-versions
    description: Operation to be performed
    required: true
    type: str

key_ring:
    description: ID or Resource URL of the Google Cloud keyRing where key will be created.
    type: str

algorithm:
    choices:
    - RSA_SIGN_PSS_2048_SHA256
    - RSA_SIGN_PSS_3072_SHA256
    - RSA_SIGN_PSS_4096_SHA256
    - RSA_SIGN_PSS_4096_SHA512
    - RSA_SIGN_PKCS1_2048_SHA256
    - RSA_SIGN_PKCS1_3072_SHA256
    - RSA_SIGN_PKCS1_4096_SHA256
    - RSA_SIGN_PKCS1_4096_SHA512
    - RSA_DECRYPT_OAEP_2048_SHA256
    - RSA_DECRYPT_OAEP_3072_SHA256
    - RSA_DECRYPT_OAEP_4096_SHA256
    - RSA_DECRYPT_OAEP_4096_SHA512
    - EC_SIGN_P256_SHA256
    - EC_SIGN_P384_SHA384
    - EC_SIGN_SECP256K1_SHA256
    - GOOGLE_SYMMETRIC_ENCRYPTION
    description: Algorithm of the key
    type: str

is_native:
    description: This flag tells whether the key version will be created natively or will
      be uploaded.
    type: bool

key_rings:
    description: Name or ID of key rings from which Google Cloud keys will be synchronized.
      synchronize_all and key_rings are mutually exclusive. Specify either the synchronize_all
      or key_rings.
    type: str

localNode:
    description:
    - this holds the connection parameters required to communicate with an instance of
      CipherTrust Manager (CM)
    - holds IP/FQDN of the server, username, password, and port
    required: true
    suboptions:
      password:
        description: admin password of CM; supply it from Ansible Vault or another secret
          store, not as a literal in the playbook
        required: true
        type: str
      server_ip:
        description: CM Server IP or FQDN
        required: true
        type: str
      server_port:
        default: 5432
        description: Port on which CM server is listening
        required: true
        type: int
      server_private_ip:
        description: internal or private IP of the CM Server, if different from the server_ip
        required: true
        type: str
      user:
        description: admin username of CM
        required: true
        type: str
      verify:
        default: false
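        description: Whether the TLS (SSL) certificate of the CM server is verified. With
          the documented default of false the certificate is not checked, so the admin
          username and password sent over the connection can be intercepted; set true
          wherever CM presents a trusted certificate.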
        required: true
        type: bool
    type: dict

operation:
    choices:
    - enable
    - disable
    - schedule_destroy
    - cancel_destroy
    description: Operation to be performed on all versions of the Google Cloud key
    type: str

version_id:
    description: Key version ID to be acted upon
    type: str

key_op_type:
    choices:
    - create-version
    - refresh
    - enable-auto-rotation
    - disable-auto-rotation
    description: Operation to be performed
    type: str

job_config_id:
    description: Id of the scheduler job that will perform key rotation.
    type: str

source_key_id:
    description: The key ID which will be uploaded from key source.
    type: str

gcp_key_params:
    description: Google Cloud Key related parameters
    type: dict

rotation_period:
    description: Frequency at which the Google Cloud key will be automatically rotated
      by Google Cloud KMS (symmetric key only). Must be formatted as a duration in seconds
      terminated by "s". Example "360000s".
    type: str

source_key_tier:
    choices:
    - local
    - dsm
    - hsm-luna
    description: Key source from which the key will be uploaded - local for keySecure,
      dsm for DSM, hsm-luna for Luna HSM.
    type: str

synchronize_all:
    description: Set true to synchronize all keys from all rings. synchronize_all and
      key_rings are mutually exclusive. Specify either the synchronize_all or key_rings.
    type: str

next_rotation_time:
    description: Next time the Google Cloud key will be automatically rotated by Google
      Cloud KMS (symmetric key only). Must be formatted as per RFC3339. Example "2022-07-31T17:18:37.085Z".
    type: str

primary_version_id:
    description: Version number of the new primary version.
    type: str

key_version_op_type:
    choices:
    - refresh
    - enable
    - disable
    - schedule-destroy
    - cancel-schedule-destroy
    - download-public-key
    description: Operation to be performed
    type: str

auto_rotate_algorithm:
    choices:
    - RSA_SIGN_PSS_2048_SHA256
    - RSA_SIGN_PSS_3072_SHA256
    - RSA_SIGN_PSS_4096_SHA256
    - RSA_SIGN_PSS_4096_SHA512
    - RSA_SIGN_PKCS1_2048_SHA256
    - RSA_SIGN_PKCS1_3072_SHA256
    - RSA_SIGN_PKCS1_4096_SHA256
    - RSA_SIGN_PKCS1_4096_SHA512
    - RSA_DECRYPT_OAEP_2048_SHA256
    - RSA_DECRYPT_OAEP_3072_SHA256
    - RSA_DECRYPT_OAEP_4096_SHA256
    - RSA_DECRYPT_OAEP_4096_SHA512
    - EC_SIGN_P256_SHA256
    - EC_SIGN_P384_SHA384
    - EC_SIGN_SECP256K1_SHA256
    - GOOGLE_SYMMETRIC_ENCRYPTION
    - HMAC_SHA256
    description: Algorithm of the key.
    type: str

auto_rotate_domain_id:
    description: Id of the domain in which dsm key will be created.
    type: str

auto_rotate_key_source:
    description: Source of the key material. Options are native, hsm-luna, dsm and ciphertrust.
    type: str

auto_rotate_partition_id:
    description: Id of the partition in which hsm key will be created.
    type: str

version_template_algorithm:
    choices:
    - RSA_SIGN_PSS_2048_SHA256
    - RSA_SIGN_PSS_3072_SHA256
    - RSA_SIGN_PSS_4096_SHA256
    - RSA_SIGN_PSS_4096_SHA512
    - RSA_SIGN_PKCS1_2048_SHA256
    - RSA_SIGN_PKCS1_3072_SHA256
    - RSA_SIGN_PKCS1_4096_SHA256
    - RSA_SIGN_PKCS1_4096_SHA512
    - RSA_DECRYPT_OAEP_2048_SHA256
    - RSA_DECRYPT_OAEP_3072_SHA256
    - RSA_DECRYPT_OAEP_4096_SHA256
    - RSA_DECRYPT_OAEP_4096_SHA512
    - EC_SIGN_P256_SHA256
    - EC_SIGN_P384_SHA384
    - EC_SIGN_SECP256K1_SHA256
    description: Algorithm of the asymmetric key (Symmetric key algorithm is not updatable).
    type: str