thalesgroup.ciphertrust.cckm_aws_custom_keystore module – CCKM module for AWS Custom Key Store

Note

This module is part of the thalesgroup.ciphertrust collection (version 1.0.0).

To install it, use: ansible-galaxy collection install thalesgroup.ciphertrust.

To use it in a playbook, specify: thalesgroup.ciphertrust.cckm_aws_custom_keystore.

New in thalesgroup.ciphertrust 1.0.0

Synopsis

  • This is a Thales CipherTrust Manager module for working with the CipherTrust Manager APIs, more specifically with CCKM for AWS Custom Key Store

Parameters

Parameter

Comments

aws_param

dictionary

Parameters related to AWS interaction with a custom key store

cks_id

string

AWS Custom Key Store ID

cks_key_id

string

AWS Custom Key Store Key ID

cks_key_param

dictionary

AWS key parameters.

cks_op_type

string

Operation that can be performed on a Custom Key Store

Choices:

  • "create-aws-key"

  • "connect"

  • "link"

  • "block"

  • "unblock"

  • "disconnect"

  • "rotate-credential"

deletable

boolean

Whether the key is marked deletable. The collection documents this flag by name only.

Choices:

  • false

  • true

external_accounts

list / elements=string

AWS accounts that can use this key. External accounts are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.

hyok_key_id

string

HYOK Key ID

hyok_op_type

string

Operation that can be performed on an HYOK Key

Choices:

  • "block"

  • "unblock"

  • "link"

job_id

string

Synchronization Job ID

key_admins

list / elements=string

IAM users who can administer this key using the KMS API. Key admins are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.

key_admins_roles

list / elements=string

IAM roles that can administer this key using the KMS API. Key admin roles are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.

key_store_password

string

The password of the kmsuser crypto user (CU) account configured in the specified CloudHSM cluster. This parameter does not change the password in the CloudHSM cluster; the credentials must be configured on the CloudHSM cluster separately. Required for a custom key store of type AWS_CLOUDHSM. Omit for External Key Stores.

key_users

list / elements=string

IAM users who can use the KMS key in cryptographic operations. Key users are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.

key_users_roles

list / elements=string

IAM roles that can use the KMS key in cryptographic operations. Key user roles are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.

kms

string

Name or ID of the AWS Account container in which to create the key store.

kms_list

list / elements=string

Names or IDs of the KMS resources from which the AWS custom key stores will be synchronized. synchronize_all is mutually exclusive with kms_list and regions: specify either synchronize_all or kms_list and regions.

linked_state

boolean

Indicates whether the custom key store is linked with AWS. Applicable to a custom key store of type EXTERNAL_KEY_STORE. Default value is false. When false, creating a custom key store in the CCKM does not trigger the AWS KMS to create a new key store. Also, the new custom key store will not synchronize with any key stores within the AWS KMS until the new key store is linked.

Choices:

  • false

  • true

local_hosted_params

string

Parameters for a custom key store that is locally hosted

localNode

dictionary / required

This holds the connection parameters required to communicate with an instance of CipherTrust Manager (CM).

It holds the IP/FQDN of the server, the username, the password, and the port.

password

string / required

Admin password of CM. Keep it in Ansible Vault or an external secret store rather than in the playbook.

server_ip

string / required

CM Server IP or FQDN

server_port

integer / required

Port on which CM server is listening

Default: 5432

server_private_ip

string / required

internal or private IP of the CM Server, if different from the server_ip

user

string / required

Admin username of CM

verify

boolean / required

Whether to verify the TLS certificate presented by CM. With false, the admin credentials are sent to whatever answers at server_ip without any check of its identity; use false only in a lab and set true once CM has a certificate the Ansible controller trusts.

Choices:

  • false ← (default)

  • true

name

string

Unique name for the custom key store

op_type

string / required

Operation to be performed

Choices:

  • "create"

  • "update"

  • "create-synchronization-job"

  • "cancel-synchronization-job"

  • "create-virtual-key"

  • "update-virtual-key"

  • "create-hyok-key"

  • "cks_op"

  • "hyok_op"

policytemplate

string

ID of the policy template to apply. Policy template is mutually exclusive to all other policy parameters. If no policy parameters are specified, the default policy is used.

region

string

Name of the AWS region in which the custom key store is created

regions

list / elements=string

Regions from which the AWS custom key stores will be synchronized. If not specified, custom key stores from all regions are synchronized. synchronize_all is mutually exclusive with kms_list and regions: specify either synchronize_all or kms_list and regions.

source_key_id

string

The unique id of the source key (Luna HSM key) for the first version of the virtual key.

synchronize_all

boolean

Set true to synchronize all custom key stores from all KMS resources and regions. synchronize_all is mutually exclusive with kms_list and regions: specify either synchronize_all or kms_list and regions.

Choices:

  • false

  • true

virtual_key_id

string

Virtual Key ID

Examples

- name: "Create AWS CKS"
  thalesgroup.ciphertrust.cckm_aws_custom_keystore:
    localNode:
        server_ip: "IP/FQDN of CipherTrust Manager"
        server_private_ip: "Private IP in case that is different from above"
        server_port: 5432
        user: "CipherTrust Manager Username"
        password: "CipherTrust Manager Password"
        verify: false   # skips TLS certificate verification; set true outside a lab
    op_type: create
    name: "Unique name for the custom key store"
    kms: "Name or ID of the AWS Account container"
    region: "AWS region of the key store"
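The following playbook is an added example, not part of the collection's own documentation. It chains three of the op_type values from the parameter table: create an external key store without linking it (linked_state false, so nothing is created on the AWS side yet), link it in a separate cks_op step, and then start a synchronization job scoped with kms_list and regions rather than synchronize_all. The host name, the vault variable names vault_cm_user and vault_cm_password, the key store name and the placeholders in angle brackets are assumptions; the module documents no return values, so the key store ID for the link step is taken from the CM UI or the create task's output by hand.

```yaml
# Added example (not from the thalesgroup.ciphertrust docs): create, link and
# synchronize an AWS custom key store through CCKM. Angle-bracket values and
# the vault_* variable names are assumptions to be replaced.
- name: Manage an AWS custom key store through CCKM
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # One localNode block reused by every task. The admin password comes from
    # Ansible Vault, and verify is true so the credentials are only sent to a
    # CM whose TLS certificate the controller trusts.
    cm_node:
      server_ip: "<cm.example.internal>"
      server_private_ip: "<cm.example.internal>"
      server_port: 5432
      user: "{{ vault_cm_user }}"
      password: "{{ vault_cm_password }}"
      verify: true
    kms_container: "<name or ID of the AWS Account container in CCKM>"
  tasks:
    - name: Create the custom key store in CCKM only (not yet linked to AWS KMS)
      thalesgroup.ciphertrust.cckm_aws_custom_keystore:
        localNode: "{{ cm_node }}"
        op_type: create
        name: "payments-xks-us-east-1"
        kms: "{{ kms_container }}"
        region: "us-east-1"
        linked_state: false   # no AWS-side key store and no sync until linked
      no_log: true            # task args carry the CM admin password

    # cks_id is the ID CM assigned at the create step; it is supplied by hand
    # because the module documents no return values.
    - name: Link the key store with AWS KMS
      thalesgroup.ciphertrust.cckm_aws_custom_keystore:
        localNode: "{{ cm_node }}"
        op_type: cks_op
        cks_op_type: link
        cks_id: "<ID of the key store created above>"
      no_log: true

    # kms_list and regions scope the job; synchronize_all: true would be the
    # other form and cannot be combined with them.
    - name: Synchronize key stores from one KMS container and two regions
      thalesgroup.ciphertrust.cckm_aws_custom_keystore:
        localNode: "{{ cm_node }}"
        op_type: create-synchronization-job
        kms_list:
          - "{{ kms_container }}"
        regions:
          - us-east-1
          - us-west-2
      no_log: true
```

no_log is set on every task because the CM admin password is part of the task arguments and would otherwise appear in verbose output and callback logs. The same localNode block can be kept in a group or host variable file and encrypted with ansible-vault so the playbook itself holds no secrets.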

Authors

  • Anurag Jain, Developer Advocate Thales Group