thalesgroup.ciphertrust.cckm_aws_key module – CCKM module for AWS Keys
Note
This module is part of the thalesgroup.ciphertrust collection (version 1.0.0).
To install it, use: ansible-galaxy collection install thalesgroup.ciphertrust.
To use it in a playbook, specify: thalesgroup.ciphertrust.cckm_aws_key.
New in thalesgroup.ciphertrust 1.0.0
Synopsis
This is a Thales CipherTrust Manager module for working with the CipherTrust Manager APIs, more specifically with CCKM (CipherTrust Cloud Key Manager) for AWS keys.
Parameters
Parameter | Comments
---|---
 | Alias to be added to the AWS key.
 | Pushes the verified policy template to all the associated keys. Mandatory when updating a 'verified' policy template. Choices:
 | Disable encryption on the old key. Choices:
 | ID of the domain in which the dsm key will be created.
 | Key source from which the key will be uploaded: local for CipherTrust Manager (the default), dsm for Data Security Manager (DSM), hsm-luna for Luna HSM. Choices:
 | ID of the partition in which the hsm-luna key will be created.
 | Synchronization Job ID.
 | Number of days after which the key will be deleted.
 | Description for the new key (after key rotation).
 | Indicates whether to disable encryption on the new key (after key rotation). Choices:
 | AWS accounts that can use this key. External accounts are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.
 | ID of the scheduler configuration job that will schedule the key rotation.
 | Synchronization Job ID.
 | IAM users who can administer this key using the KMS API. Key admins are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.
 | IAM roles that can administer this key using the KMS API. Key admins are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.
 | Whether to disable encryption on the key that is being rotated. Choices:
 | AWS Key to be acted upon.
 | Operation to be performed. Choices:
 | IAM users who can use the KMS key in cryptographic operations. Key users are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.
 | IAM roles that can use the KMS key in cryptographic operations. Key users are mutually exclusive with policy and policy template. If no policy parameters are specified, the default policy is used.
 | Name or ID of the KMS to be used to create the key.
 | Name or ID of the KMS resource from which the AWS custom key stores will be synchronized. synchronize_all and kms, regions are mutually exclusive: specify either synchronize_all or kms and regions.
localNode | Connection parameters required to communicate with an instance of CipherTrust Manager (CM): IP/FQDN of the server, username, password, and port.
password | Admin password of CM.
server_ip | CM server IP or FQDN.
server_port | Port on which the CM server is listening. Default:
server_private_ip | Internal or private IP of the CM server, if different from server_ip.
user | Admin username of CM.
verify | Whether SSL verification is required. Choices:
 | Unique name of the policy template.
 | Operation to be performed. Choices:
 | Key policy to attach to the KMS key. Policy is mutually exclusive with all other policy parameters. If no policy parameters are specified, the default policy is created.
 | ID of the policy template to apply. Policy template is mutually exclusive with all other policy parameters. If no policy parameters are specified, the default policy is used.
 | The AWS Region of the new primary key. Enter the region ID, such as us-east-1 or ap-southeast-2. There must be an existing replica key in this region.
 | Name of the available regions.
 | Regions from which the AWS custom key stores will be synchronized. If not specified, custom key stores from all regions are synchronized. synchronize_all and kms, regions are mutually exclusive: specify either synchronize_all or kms and regions.
 | Name of the available regions.
 | Indicates whether to retain the alias with the timestamp on the archived key after key rotation. Choices:
source_key_id | If source_key_tier is dsm or hsm-luna, this parameter is the key identifier of the key to be uploaded; source_key_id is mandatory in the case of dsm and hsm-luna. If source_key_tier is local, this parameter is the key identifier of the CipherTrust Manager key to be uploaded. By default, a new CipherTrust Manager key is generated automatically.
source_key_identifier | If source_key_tier is local, source_key_identifier is the key identifier of the CipherTrust Manager key to be uploaded. If source_key_tier is dsm, source_key_identifier is the key identifier of the DSM key to be uploaded, and it is mandatory in that case. By default, a new CipherTrust Manager key is generated automatically. If key material is re-imported, AWS allows re-importing the same key material only, so the source key identifier of the same CipherTrust Manager key that was imported previously must be provided.
source_key_tier | Source key tier. Options are local, dsm and hsm-luna. Default is local.
synchronize_all | Set true to synchronize all custom key stores from all KMS and regions. synchronize_all and kms, regions are mutually exclusive: specify either synchronize_all or kms and regions. Choices:
 | Tags to be added to the AWS key.
 | AWS Key Policy to be acted upon.
 | ID of the partition in which the hsm-luna key will be created. Choices:
Examples
```yaml
- name: "Create AWS Key"
  thalesgroup.ciphertrust.cckm_aws_key:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false   # false skips SSL verification of the CM endpoint
    op_type: create
```