thalesgroup.ciphertrust.cckm_az_key module – CCKM module for Azure Keys

Note

This module is part of the thalesgroup.ciphertrust collection (version 1.0.0).

To install it, use: ansible-galaxy collection install thalesgroup.ciphertrust.

To use it in a playbook, specify: thalesgroup.ciphertrust.cckm_az_key.

New in thalesgroup.ciphertrust 1.0.0

Synopsis

  • This module works with the Thales CipherTrust Manager APIs, specifically the CCKM (CipherTrust Cloud Key Manager) API for Azure keys: creating, uploading, updating, rotating and synchronizing keys held in Azure Key Vault.

Parameters

Parameter

Comments

attributes

dictionary

Key attributes to be updated.

auto_rotate_domain_id

string

ID of the DSM domain in which the rotated key will be created. Applies when auto_rotate_key_source is dsm.

auto_rotate_ec_name

string

Name of the elliptic curve for the rotated key. Required only when the rotated key type is EC.

Choices:

  • "P-256"

  • "P-384"

  • "P-521"

  • "SECP256K1"

auto_rotate_enable_key

boolean

Whether to enable the newly rotated key.

Choices:

  • false

  • true

auto_rotate_key_size

string

Size, in bits, of the new rotated key. Required only when the rotated key type is RSA.

Choices:

  • "2048"

  • "3072"

  • "4096"

auto_rotate_key_source

string

Source of the key material. Options are native, hsm-luna, dsm and ciphertrust.

Choices:

  • "native"

  • "hsm-luna"

  • "dsm"

  • "ciphertrust"

auto_rotate_key_type

string

Algorithm for the key.

Choices:

  • "EC"

  • "EC-HSM"

  • "RSA"

  • "RSA-HSM"

auto_rotate_partition_id

string

ID of the HSM partition in which the rotated key will be created. Applies when auto_rotate_key_source is hsm-luna.

auto_rotate_release_policy

dictionary

Optional, new key release policy for exportable keys.

azure_param

dictionary

Azure key parameters.

dsm_key_identifier

string

Identifier of the DSM key. Required when source_key_tier is dsm.

exportable

boolean

Allow the private key to be exported from Azure. Currently valid only when the key source is hsm-luna and the vault is a Premium key vault or a Managed HSM.

Choices:

  • false

  • true

job_config_id

string

Id of the scheduler job that will perform key rotation.

job_id

string

ID of the synchronization job to cancel (used with op_type cancel-sync-job).

kek_kid

string

Identifier of the Azure key encryption key (KEK) used to wrap the uploaded key material.

key_id

string

Id of the key to be acted upon

key_name

string

Name for the key on Azure. Key names can only contain alphanumeric characters and dashes.

key_op_type

string

Operation to be performed on the key

Choices:

  • "soft-delete"

  • "hard-delete"

  • "restore"

  • "recover"

  • "delete-backup"

  • "enable-rotation-job"

  • "disable-rotation-job"

key_ops

list / elements=string

Key operations to be updated.

Choices:

  • "encrypt"

  • "decrypt"

  • "sign"

  • "verify"

  • "wrapKey"

  • "unwrapKey"

key_vault

string

Id or name of the key vault where the key will be created on Azure.

key_vaults

list / elements=string

Names or IDs of the key vaults from which Azure keys will be synchronized. Mutually exclusive with synchronize_all: specify one or the other, not both.

local_key_identifier

string

Identifier (name or ID) of the CipherTrust Manager key to upload. Required when source_key_tier is local.

localNode

dictionary / required

Connection parameters for the CipherTrust Manager (CM) instance the module talks to: the server's IP/FQDN, port, admin username and password, and whether to verify its TLS certificate.

password

string / required

admin password of CM

server_ip

string / required

CM Server IP or FQDN

server_port

integer / required

Port on which CM server is listening

Default: 5432

server_private_ip

string / required

internal or private IP of the CM Server, if different from the server_ip

user

string / required

admin username of CM

verify

boolean / required

Whether to verify the CM server's TLS certificate. With false, the admin credentials in this block are sent to whichever endpoint answers at server_ip, so an on-path attacker can capture them; use true outside a lab and make the CM certificate chain available to the controller.

Choices:

  • false (default)

  • true

luna_key_identifier

string

Identifier of the Luna HSM key. Required when source_key_tier is hsm-luna.

op_type

string / required

Operation to be performed

Choices:

  • "create"

  • "update"

  • "key_op"

  • "upload-key"

  • "create-sync-job"

  • "cancel-sync-job"

password

string

PFX password. Specify only if the PFX certificate is provided.

pfx

string

PFX (PKCS#12) key blob, Base64 encoded. Used when source_key_tier is pfx.

release_policy

dictionary

Key release policy. Must be set if exportable is true.

source_key_tier

string

Source key tier. Options are local, pfx, dsm, and hsm-luna. Default is local.

Choices:

  • "local"

  • "pfx"

  • "dsm"

  • "hsm-luna"

Default: "local"

synchronize_all

boolean

Set true to synchronize all keys from all vaults. Mutually exclusive with key_vaults: specify one or the other, not both.

Choices:

  • false

  • true

tags

dictionary

Application specific metadata in the form of key-value pair.

Examples

- name: "Create Azure Key"
  thalesgroup.ciphertrust.cckm_az_key:
    localNode:
        server_ip: "IP/FQDN of CipherTrust Manager"
        server_private_ip: "Private IP in case that is different from above"
        server_port: 5432
        user: "CipherTrust Manager Username"
        password: "CipherTrust Manager Password"
        verify: false   # disables TLS certificate checks; set true outside a lab
    op_type: create
    key_name: "Name of the key to create on Azure"
    key_vault: "Name or ID of the target Azure key vault"
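The playbook below is an added example, not part of the collection's own documentation, showing how the documented op_type values chain together in one run: create a key natively in a vault, upload a key whose material lives on CipherTrust Manager, restrict an existing key's permitted operations, attach a rotation job, and start a synchronization job. The CM address, vault name, key ID, job_config_id and environment-variable names are assumptions to replace with real values; credentials are pulled from the controller's environment with the standard env lookup so they never sit in the playbook, and verify stays true so the CM certificate is checked.

```yaml
---
# Added example for thalesgroup.ciphertrust.cckm_az_key. Host, vault,
# key and job identifiers below are placeholders, not real resources.
- name: Manage Azure Key Vault keys through CCKM
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Connection block reused by every task. CM_USER and CM_PASSWORD are
    # assumed environment variable names on the Ansible controller.
    cm_node:
      server_ip: "cm.example.internal"
      server_private_ip: "cm.example.internal"
      server_port: 5432
      user: "{{ lookup('ansible.builtin.env', 'CM_USER') }}"
      password: "{{ lookup('ansible.builtin.env', 'CM_PASSWORD') }}"
      verify: true   # keep TLS verification on; false is for labs only
    target_vault: "kv-prod-payments"              # assumed vault name
    existing_key_id: "REPLACE-WITH-CCKM-KEY-ID"   # assumed key ID
    rotation_job_config_id: "REPLACE-WITH-JOB-CONFIG-ID"

  tasks:
    - name: Create a key natively in the Azure vault, tagged for ownership
      thalesgroup.ciphertrust.cckm_az_key:
        localNode: "{{ cm_node }}"
        op_type: create
        key_name: "payments-wrap-key"
        key_vault: "{{ target_vault }}"
        tags:
          owner: "payments-team"
          env: "prod"

    - name: Upload (BYOK) a key generated on CipherTrust Manager
      thalesgroup.ciphertrust.cckm_az_key:
        localNode: "{{ cm_node }}"
        op_type: upload-key
        key_name: "payments-byok"
        key_vault: "{{ target_vault }}"
        source_key_tier: local
        local_key_identifier: "payments-byok-cm"   # assumed CM key name

    - name: Restrict an existing key to wrap/unwrap only (least privilege)
      thalesgroup.ciphertrust.cckm_az_key:
        localNode: "{{ cm_node }}"
        op_type: update
        key_id: "{{ existing_key_id }}"
        key_ops:
          - wrapKey
          - unwrapKey

    - name: Attach a scheduled rotation job to the key
      thalesgroup.ciphertrust.cckm_az_key:
        localNode: "{{ cm_node }}"
        op_type: key_op
        key_id: "{{ existing_key_id }}"
        key_op_type: enable-rotation-job
        job_config_id: "{{ rotation_job_config_id }}"

    - name: Pull keys already in the vault into CCKM
      thalesgroup.ciphertrust.cckm_az_key:
        localNode: "{{ cm_node }}"
        op_type: create-sync-job
        key_vaults:
          - "{{ target_vault }}"
        # synchronize_all: true would conflict with key_vaults; use one or the other
```

Run it with `ansible-playbook cckm_az_keys.yml` after exporting CM_USER and CM_PASSWORD. Each task maps to one op_type from the parameter table above; the sync task deliberately names the vault rather than setting synchronize_all so that only the intended vault is imported.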

Authors

  • Anurag Jain, Developer Advocate Thales Group