thalesgroup.ciphertrust.cckm_aws_key module – CCKM module for AWS Keys

Note

This module is part of the thalesgroup.ciphertrust collection (version 1.0.0).

To install it, use: ansible-galaxy collection install thalesgroup.ciphertrust.

To use it in a playbook, specify: thalesgroup.ciphertrust.cckm_aws_key.

New in thalesgroup.ciphertrust 1.0.0

Synopsis

  • This is a Thales CipherTrust Manager module for working with the CipherTrust Manager APIs, more specifically with CCKM for AWS keys.

Parameters

Parameter

Comments

alias

string

Alias to be added to the AWS key.

auto_push

boolean

Pushes the verified policy template to all the associated keys. Required when updating a 'verified' policy template.

Choices:

  • false

  • true

auto_rotate_disable_encrypt

boolean

Disable encryption on the old key.

Choices:

  • false

  • true

auto_rotate_domain_id

string

ID of the domain in which the DSM key will be created.

auto_rotate_key_source

string

Key source from which the key will be uploaded:

local for CipherTrust Manager (the default)

dsm for Data Security Manager (DSM)

hsm-luna for Luna HSM

Choices:

  • "local"

  • "dsm"

  • "hsm"

auto_rotate_partition_id

string

ID of the partition in which the hsm-luna key will be created.

aws_param

string

Synchronization Job ID

days

integer

Number of days after which the key will be deleted.

description

string

Description for the new key (after key rotation).

disable_encrypt

boolean

Indicates whether to disable encryption on the new key (after key rotation).

Choices:

  • false

  • true

external_accounts

list / elements=string

AWS accounts that can use this key. External accounts are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.

job_config_id

string

ID of the scheduler configuration job that will schedule the key rotation.

job_id

string

Synchronization Job ID

key_admins

list / elements=string

IAM users who can administer this key using the KMS API. Key admins are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.

key_admins_roles

list / elements=string

IAM roles that can administer this key using the KMS API. Key admins are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.

key_expiration

boolean

Whether to disable encryption on the key that is being rotated.

Choices:

  • false

  • true

key_id

string

AWS key to be acted upon.

key_op_type

string / required

Operation to be performed

Choices:

  • "enable-rotation-job"

  • "disable-rotation-job"

  • "import-material"

  • "delete-material"

  • "rotate"

  • "schedule-deletion"

  • "policy"

  • "update-description"

  • "enable"

  • "disable"

  • "add-tags"

  • "remove-tags"

  • "add-alias"

  • "delete-alias"

  • "cancel-deletion"

  • "enable-auto-rotation"

  • "disable-auto-rotation"

  • "replicate-key"

  • "update-primary-region"

key_users

list / elements=string

IAM users who can use the KMS key in cryptographic operations. Key users are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.

key_users_roles

list / elements=string

IAM roles that can use the KMS key in cryptographic operations. Key users are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.

kms

string

Name or ID of the KMS to be used to create the key.

kms_list

list / elements=string

Name or ID of the KMS resource from which the AWS custom key stores will be synchronized. synchronize_all is mutually exclusive with kms and regions: specify either synchronize_all, or kms and regions.

localNode

dictionary / required

This holds the connection parameters required to communicate with an instance of CipherTrust Manager (CM):

IP/FQDN of the server, username, password, and port.

  password

  string / required

  Admin password of CM.

  server_ip

  string / required

  CM server IP or FQDN.

  server_port

  integer / required

  Port on which the CM server is listening.

  Default: 5432

  server_private_ip

  string / required

  Internal or private IP of the CM server, if different from server_ip.

  user

  string / required

  Admin username of CM.

  verify

  boolean / required

  Whether TLS certificate verification of the CM server is required.

  Choices:

    • false ← (default)

    • true

name

string

Unique name of the policy template.

op_type

string / required

Operation to be performed

Choices:

  • "create"

  • "create-sync-job"

  • "cancel-sync-job"

  • "key_op"

  • "upload-key-aws"

  • "verify-key-alias"

  • "create-aws-template"

  • "patch-aws-template"

policy

dictionary

Key policy to attach to the KMS key. Policy is mutually exclusive with all other policy parameters. If no policy parameters are specified, the default policy is created.

policytemplate

string

ID of the policy template to apply. Policy template is mutually exclusive with all other policy parameters. If no policy parameters are specified, the default policy is used.

PrimaryRegion

string

The AWS Region of the new primary key. Enter the region ID, such as us-east-1 or ap-southeast-2. There must be an existing replica key in this region.

region

string

Name of one of the available regions.

regions

list / elements=string

Regions from which the AWS custom key stores will be synchronized. If not specified, custom key stores from all regions are synchronized. synchronize_all is mutually exclusive with kms and regions: specify either synchronize_all, or kms and regions.

replica_region

string

Name of one of the available regions.

retain_alias

boolean

Indicates whether to retain the alias with the timestamp on the archived key after key rotation.

Choices:

  • false

  • true

source_key_id

string

If source_key_tier is dsm or hsm-luna, this parameter is the key identifier of the key to be uploaded; source_key_id is mandatory in the case of dsm and hsm-luna.

If source_key_tier is local, this parameter is the key identifier of the CipherTrust Manager key to be uploaded. By default, a new CipherTrust Manager key is generated automatically.

source_key_identifier

string

If source_key_tier is local, source_key_identifier is the key identifier of the CipherTrust Manager key to be uploaded. source_key_identifier is mandatory in the case of dsm.

If source_key_tier is dsm, source_key_identifier is the key identifier of the DSM key to be uploaded. By default, a new CipherTrust Manager key is generated automatically.

When key material is re-imported, AWS only allows re-importing the same key material, so the source key identifier of the same CipherTrust Manager key that was imported previously must be provided.

source_key_tier

string

Source key tier. Options are local, dsm, and hsm-luna. Default is local.

synchronize_all

boolean

Set to true to synchronize all custom key stores from all KMS resources and regions. synchronize_all is mutually exclusive with kms and regions: specify either synchronize_all, or kms and regions.

Choices:

  • false

  • true

tags

list / elements=string

Tags to be added to the AWS key.

template_id

string

AWS key policy to be acted upon.

valid_to

string

ID of the partition in which the hsm-luna key will be created.

Choices:

  • "local"

  • "dsm"

  • "hsm"

Examples

- name: "Create AWS Key"
  thalesgroup.ciphertrust.cckm_aws_key:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
    op_type: create
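As an added example that is not part of the collection's documentation, the following playbook creates a key whose administrators (key_admins) are kept separate from the principals allowed to use it (key_users_roles), then rotates it with op_type key_op. The CM connection values, the KMS resource name, the region, the IAM ARNs, the key ID and the tag format are placeholders, and the pairing of rotate with description, disable_encrypt and retain_alias is inferred from the parameter descriptions above.

```yaml
# Added example; not from the thalesgroup.ciphertrust collection itself.
# Every connection value, ARN, KMS name and key ID below is a placeholder.
- name: "Create a KMS key with separated admin and user principals, then rotate it"
  hosts: localhost
  connection: local
  vars:
    cm_node:
      server_ip: "cm.example.internal"            # placeholder CM address
      server_private_ip: "cm.example.internal"    # same host here; set if it differs
      server_port: 5432                           # default documented above
      user: "{{ lookup('env', 'CM_USER') }}"      # keep credentials out of the playbook
      password: "{{ lookup('env', 'CM_PASSWORD') }}"
      verify: true                                # default is false; verify CM's certificate
  tasks:
    - name: "Create the key using key_admins/key_users_roles instead of a raw policy document"
      thalesgroup.ciphertrust.cckm_aws_key:
        localNode: "{{ cm_node }}"
        op_type: create
        kms: "aws-kms-prod"                       # placeholder KMS resource name or ID
        region: "us-east-1"                       # placeholder region
        alias: "payments-data-key"
        description: "Envelope encryption key for the payments service"
        tags:                                     # tag string format assumed
          - "owner=payments"
          - "env=prod"
        # Administrators manage the key but do not get cryptographic use;
        # the application role can encrypt/decrypt but cannot administer.
        # These options are mutually exclusive with policy and policytemplate.
        key_admins:
          - "arn:aws:iam::111122223333:user/kms-key-admin"   # placeholder ARN
        key_users_roles:
          - "arn:aws:iam::111122223333:role/payments-app"    # placeholder ARN

    - name: "Rotate the key with new material and stop the old material from encrypting"
      thalesgroup.ciphertrust.cckm_aws_key:
        localNode: "{{ cm_node }}"
        op_type: key_op
        key_op_type: rotate
        key_id: "REPLACE-WITH-AWS-KEY-ID"         # placeholder; ID of the key created above
        description: "Payments key, rotated by Ansible"  # description of the new key
        disable_encrypt: true                     # old key can still decrypt, not encrypt
        retain_alias: true                        # archived key keeps a timestamped alias
```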

Authors

  • Anurag Jain, Developer Advocate Thales Group