thalesgroup.ciphertrust.cte_policy_save module – Manage policies as a collection of rules that govern data access and encryption

Note
This module is part of the thalesgroup.ciphertrust collection (version 1.0.2).
It is not included in ansible-core.
To check whether it is installed, run `ansible-galaxy collection list`.
To install it, use: `ansible-galaxy collection install thalesgroup.ciphertrust`.
To use it in a playbook, specify: `thalesgroup.ciphertrust.cte_policy_save`.

New in thalesgroup.ciphertrust 1.0.0

Synopsis
This is a Thales CipherTrust Manager module for working with the CipherTrust Manager APIs, more specifically with the CTE Policy API.
Parameters
| Parameter | Comments |
|---|---|
| `action` | Actions applicable to the rule. Examples of actions are read, write, all_ops, and key_op. |
| `key_id` | Identifier of the key to link with the rule. Supported fields are name, id, slug, alias, uri, uuid, muid, and key_id. |
| | An identifier for the CTE IDT Key Rule. Can be an ID of type UUIDv4 or a URI. Choices: |
| | Properties of the current key. |
| `key_id` | Identifier of the key to link with the rule. Supported fields are name, id, slug, alias, uri, uuid, muid, and key_id. |
| | Specify the type of the key. Must be one of name, id, slug, alias, uri, uuid, muid or key_id. If not specified, the type of the key is inferred. Choices: |
| `data_transform_rules` | Data transformation rules to link with the policy. |
| `key_id` | Identifier of the key to link with the rule. Supported fields are name, id, slug, alias, uri, uuid, muid, and key_id. For decryption, where a clear key is to be supplied, use the string "clear_key" only. Do not specify any other identifier. |
| | Specify the type of the key. Must be one of name, id, slug, alias, uri, uuid, muid or key_id. If not specified, the type of the key is inferred. Choices: |
| `resource_set_id` | ID of the resource set to link with the rule. |
| | An identifier for the CTE Data-Transformation Rule. Can be an ID of type UUIDv4 or a URI. |
| `description` | Description of the CTE policy. |
| `effect` | Effects applicable to the rule. Separate multiple effects by commas. |
| | Process set to exclude. Supported for Standard and LDT policies. Choices: |
| `exclude_resource_set` | Resource set to exclude. Supported for Standard and LDT policies. Choices: |
| | User set to exclude. Supported for Standard and LDT policies. Choices: |
| | To remove the restriction of the policy for modification. Choices: |
| | IDT rules to link with the policy. |
| `key_id` | Identifier of the key to link with the rule. Supported fields are name, id, slug, alias, uri, uuid, muid, and key_id. For decryption, where a clear key is to be supplied, use the string "clear_key" only. Do not specify any other identifier. |
| | Specify the type of the key. Must be one of name, id, slug, alias, uri, uuid, muid or key_id. If not specified, the type of the key is inferred. Choices: |
| `key_id` | Identifier of the key to link with the rule. Supported fields are name, id, slug, alias, uri, uuid, muid, and key_id. |
| | Specify the type of the key. Must be one of name, id, slug, alias, uri, uuid, muid or key_id. If not specified, the type of the key is inferred. Choices: |
| | An identifier for the CTE IDT Key Rule. Can be an ID of type UUIDv4 or a URI. |
| | Whether this is an exclusion rule. If enabled, there is no need to specify the transformation rule. Choices: |
| `key_id` | Identifier of the key to link with the rule. Supported fields are name, id, slug, alias, uri, uuid, muid, and key_id. |
| `key_rules` | Key rules to link with the policy. |
| `key_id` | Identifier of the key to link with the rule. Supported fields are name, id, slug, alias, uri, uuid, muid, and key_id. For decryption, where a clear key is to be supplied, use the string "clear_key" only. Do not specify any other identifier. |
| | Specify the type of the key. Must be one of name, id, slug, alias, uri, uuid, muid or key_id. If not specified, the type of the key is inferred. Choices: |
| `resource_set_id` | ID of the resource set to link with the rule. |
| | Specify the type of the key. Must be one of name, id, slug, alias, uri, uuid, muid or key_id. If not specified, the type of the key is inferred. Choices: |
| | An identifier for the CTE Key Rule. Can be an ID of type UUIDv4 or a URI. |
| | LDT rules to link with the policy. Supported for LDT policies. |
| | Properties of the current key. |
| `key_id` | Identifier of the key to link with the rule. Supported fields are name, id, slug, alias, uri, uuid, muid, and key_id. For decryption, where a clear key is to be supplied, use the string "clear_key" only. Do not specify any other identifier. |
| | Specify the type of the key. Must be one of name, id, slug, alias, uri, uuid, muid or key_id. If not specified, the type of the key is inferred. Choices: |
| | Whether this is an exclusion rule. If enabled, there is no need to specify the transformation rule. Choices: |
| `resource_set_id` | ID of the resource set to link with the rule. |
| | Properties of the transformation key. |
| `key_id` | Identifier of the key to link with the rule. Supported fields are name, id, slug, alias, uri, uuid, muid, and key_id. For decryption, where a clear key is to be supplied, use the string "clear_key" only. Do not specify any other identifier. |
| | Specify the type of the key. Must be one of name, id, slug, alias, uri, uuid, muid or key_id. If not specified, the type of the key is inferred. Choices: |
| | An identifier for the CTE LDT Key Rule. Can be an ID of type UUIDv4 or a URI. |
| `localNode` | Holds the connection parameters required to communicate with an instance of CipherTrust Manager (CM): the IP/FQDN of the server, username, password, and port. |
| `auth_domain_path` | User's domain path. |
| `password` | Admin password of CM. |
| `server_ip` | CM server IP or FQDN. |
| `server_port` | Port on which the CM server is listening. |
| `server_private_ip` | Internal or private IP of the CM server, if different from server_ip. |
| `user` | Admin username of CM. |
| `verify` | Whether SSL certificate verification is required. Choices: |
| `metadata` | Restrict the policy for modification. |
| `restrict_update` | Restricts the policy for modification. If enabled, users are not able to modify the guarded policy. Choices: |
| `name` | Name of the CTE policy. |
| `never_deny` | Whether to always allow operations in the policy. By default, it is disabled, that is, operations are not always allowed. Supported for Standard, LDT, and Cloud_Object_Storage policies. For Learn Mode activations, never_deny is set to true by default. Choices: |
| `op_type` | Operation to be performed. Choices: |
| | Precedence order of the rule in the parent policy. |
| `partial_match` | Whether to allow partial match operations. By default, it is enabled. Supported for Standard and LDT policies. Choices: |
| `policy_id` | Identifier of the CTE policy to be patched, or whose rules are to be patched or removed. |
| `policy_type` | Type of the policy. Choices: |
| | ID of the process set to link to the policy. |
| `resource_set_id` | ID of the resource set linked with the rule. |
| `security_rules` | Security rules to link with the policy. |
| `action` | Actions applicable to the rule. |
| `effect` | Effects applicable to the rule. Separate multiple effects by commas. The valid values are permit, deny, audit and applykey. |
| | Process set to exclude. Supported for Standard, LDT and IDT policies. Choices: |
| `exclude_resource_set` | Resource set to exclude. Supported for Standard, LDT and IDT policies. Choices: |
| | User set to exclude. Supported for Standard, LDT and IDT policies. Choices: |
| `partial_match` | Whether to allow partial match operations. By default, it is disabled. Supported for Standard, LDT and IDT policies. Choices: |
| | ID of the process set to link to the policy. |
| `resource_set_id` | ID of the resource set to link to the policy. Supported for Standard, LDT and IDT policies. |
| | ID of the user set to link to the policy. |
| | An identifier for the CTE Security Rule. Can be an ID of type UUIDv4 or a URI. |
| `key_id` | Identifier of the key to link with the rule. Supported fields are name, id, slug, alias, uri, uuid, muid or key_id. |
| | Specify the type of the key. Must be one of name, id, slug, alias, uri, uuid, muid or key_id. If not specified, the type of the key is inferred. Choices: |
| | Properties of the transformation key. |
| `key_id` | Identifier of the key to link with the rule. Supported fields are name, id, slug, alias, uri, uuid, muid, and key_id. |
| | Specify the type of the key. Must be one of name, id, slug, alias, uri, uuid, muid or key_id. If not specified, the type of the key is inferred. Choices: |
| `resource_set_id` | ID of the resource set to link to the policy. Supported for Standard and LDT policies. |
Examples
```yaml
- name: "Create CTE Policy"
  thalesgroup.ciphertrust.cte_policy_save:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false          # disables TLS certificate verification of the CM server
      auth_domain_path:
    op_type: create
    name: "Policy-Ans-001"
    description: "Created via Ansible"
    never_deny: false
    metadata:
      restrict_update: false # policy stays modifiable after creation
    security_rules:
      - action: key_op
        effect: "permit,applykey"
        partial_match: true
      - resource_set_id: RS-Ans-001
        exclude_resource_set: false
        partial_match: true
        action: all_ops
        effect: "permit,audit,applykey"
    policy_type: Standard
    key_rules:
      - key_id: CTE_standard_pol_key
        resource_set_id: RS-Ans-001
    data_transform_rules:
      - key_id: CTE_standard_pol_key
        resource_set_id: RS-Ans-001
  register: policy

- name: "Add new data transformation rule to a CTE Policy"
  thalesgroup.ciphertrust.cte_policy_save:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
      auth_domain_path:
    op_type: add_data_transfer_rule
    policy_id: "policyID"
    rule_name: "datatxrules"
    key_id: CTE_standard_pol_key
    resource_set_id: RS-Ans-002
  register: datatxrule

- name: "Delete a data transformation rule from a CTE Policy"
  thalesgroup.ciphertrust.cte_policy_save:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
      auth_domain_path:
    op_type: remove_data_transfer_rule
    policy_id: "policyID"
    rule_name: "datatxrules"
    rule_id: "ruleID"
```
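The following task is an added example and is not part of the collection's own documentation. It reuses the `create` operation shown above but with the settings a production deployment would want: the CM credentials come from Ansible Vault variables rather than literals, `verify` is left at `true` so the CM server certificate is checked, `no_log` keeps the password out of task output, `never_deny` stays `false`, `restrict_update` locks the guarded policy against later modification, and the security rules permit audited access to the resource set while denying (and auditing) everything outside it via `exclude_resource_set`. The variable names `cm_server`, `cm_user` and `cm_password` are assumptions; every module parameter used is one documented on this page.

```yaml
# Added example (not from the thalesgroup.ciphertrust docs).
# Assumes cm_server, cm_user and cm_password are defined in a vaulted
# vars file, e.g. group_vars/all/vault.yml encrypted with ansible-vault.
- name: "Create a locked-down CTE policy with audited permit and deny rules"
  thalesgroup.ciphertrust.cte_policy_save:
    localNode:
      server_ip: "{{ cm_server }}"
      server_port: 5432
      user: "{{ cm_user }}"
      password: "{{ cm_password }}"      # vaulted variable, never a literal
      verify: true                        # keep TLS certificate verification on
      auth_domain_path:
    op_type: create
    name: "Policy-Ans-002"
    description: "Created via Ansible with vaulted credentials"
    policy_type: Standard
    never_deny: false                     # do not blanket-permit operations
    metadata:
      restrict_update: true               # guarded policy cannot be modified later
    security_rules:
      # Rule 1: everything inside the guarded resource set is permitted,
      # key-applied and audited.
      - resource_set_id: RS-Ans-001
        exclude_resource_set: false
        partial_match: false
        action: all_ops
        effect: "permit,audit,applykey"
      # Rule 2: anything outside the guarded resource set is denied and audited.
      - resource_set_id: RS-Ans-001
        exclude_resource_set: true
        partial_match: false
        action: all_ops
        effect: "deny,audit"
    key_rules:
      - key_id: CTE_standard_pol_key
        resource_set_id: RS-Ans-001
  no_log: true                            # keep the password out of task output
  register: policy
```

Rules are listed in the precedence order they should be evaluated in, so the permit rule for the guarded set comes before the catch-all deny. Because `restrict_update` is `true`, later `add_data_transfer_rule` or `remove_data_transfer_rule` tasks against this policy will need the restriction lifted first; treat that as a deliberate change-control step rather than a default.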