thalesgroup.ciphertrust.cckm_gcp_ekm module – CCKM module for Google Cloud Platform EKM

Note

This module is part of the thalesgroup.ciphertrust collection (version 1.0.0).

To install it, use: ansible-galaxy collection install thalesgroup.ciphertrust.

To use it in a playbook, specify: thalesgroup.ciphertrust.cckm_gcp_ekm.

New in thalesgroup.ciphertrust 1.0.0

Synopsis

  • This is a Thales CipherTrust Manager module for working with the CipherTrust Manager APIs, more specifically with CCKM (CipherTrust Cloud Key Manager) for Google Cloud Platform EKM (External Key Manager).

Parameters

algorithm (string)
    EKM key algorithm. Default is AES256.
    Choices:
      • "AES256"
      • "RSA_SIGN_PSS_2048_SHA256"
      • "RSA_SIGN_PSS_3072_SHA256"
      • "RSA_SIGN_PSS_4096_SHA256"
      • "RSA_SIGN_PSS_4096_SHA512"
      • "RSA_SIGN_PKCS1_2048_SHA256"
      • "RSA_SIGN_PKCS1_3072_SHA256"
      • "RSA_SIGN_PKCS1_4096_SHA256"
      • "RSA_SIGN_PKCS1_4096_SHA512"
      • "EC_SIGN_P256_SHA256"
      • "EC_SIGN_P384_SHA384"

cvm_required_for_decrypt (boolean)
    Whether a confidential VM (with a valid attestation) is required for decryption. Default is false. Applicable to the UDE endpoint type only.
    Choices:
      • false
      • true

cvm_required_for_encrypt (boolean)
    Whether a confidential VM (with a valid attestation) is required for encryption. Default is false. Applicable to the UDE endpoint type only.
    Choices:
      • false
      • true

ekm_id (string)
    ID of the GCP EKM to be acted upon.

ekm_op_type (string)
    Operation to be performed on the GCP EKM.
    Choices:
      • "rotate"
      • "enable"
      • "disable"

endpoint_type (string)
    EKM endpoint type. Default is ekm.
    Choices:
      • "ekm" ← (default)
      • "ekm-ude"

existing_key_id (string)
    ID of an existing key to use (for example, when migrating from another CM deployment). If not supplied, a new key is created.

key_type (string)
    EKM key type. Default is symmetric.
    Choices:
      • "symmetric" ← (default)
      • "asymmetric"

keyURIHostname (string)
    Base URL hostname for the KeyURI.

localNode (dictionary / required)
    Connection parameters required to communicate with an instance of CipherTrust Manager (CM): the IP/FQDN of the server, username, password, and port.

    password (string / required)
        Admin password of CM.

    server_ip (string / required)
        CM server IP or FQDN.

    server_port (integer / required)
        Port on which the CM server is listening.
        Default: 5432

    server_private_ip (string / required)
        Internal or private IP of the CM server, if different from server_ip.

    user (string / required)
        Admin username of CM.

    verify (boolean / required)
        Whether SSL certificate verification is performed when connecting to CM.
        Choices:
          • false ← (default)
          • true

meta (dictionary)
    Additional information associated with this endpoint.

name (string)
    Unique name for the endpoint.

op_type (string / required)
    Operation to be performed.
    Choices:
      • "create"
      • "update"
      • "ekm_op"

policy (dictionary)
    EKM policy attributes.

raw_policy_enabled (boolean)
    Flag denoting whether the supplied policy is in raw format. Default is false. If raw_policy_enabled is false, the EKM policy must be supplied in basic format.
    Choices:
      • false
      • true

Examples

- name: "Create GCP EKM"
  thalesgroup.ciphertrust.cckm_gcp_ekm:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
    op_type: create
    name: "Unique name for the EKM endpoint"
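The example above stops at op_type: create. The playbook below is an added example, not taken from the thalesgroup.ciphertrust collection's documentation, showing the three documented operation types in sequence: creating an ekm-ude endpoint that requires confidential-VM attestation for both encrypt and decrypt, rotating its key with ekm_op, and updating its metadata. The play's hosts, the CM hostname, the admin user, the vault variable cm_admin_password, the endpoint name, keyURIHostname, the meta contents and the ekm_id placeholder are all assumptions; the module's return structure is not documented on this page, so the EKM ID is shown as a placeholder rather than read from the registered result.

```yaml
# Added example; assumed values are marked in the comments.
- name: Manage a GCP EKM endpoint on CipherTrust Manager
  hosts: localhost                # assumed: the module talks to CM from the controller
  gather_facts: false
  vars:
    # Connection block reused by every task. verify is set to true so the
    # CM server certificate is checked (the module's default is false).
    cm_node:
      server_ip: "cm.example.internal"          # assumed CM FQDN
      server_private_ip: "cm.example.internal"  # assumed; same as server_ip here
      server_port: 5432                          # documented default
      user: "admin"                              # assumed admin user
      password: "{{ cm_admin_password }}"        # assumed: supplied via ansible-vault
      verify: true
  tasks:
    - name: Create an EKM-UDE endpoint that requires confidential-VM attestation
      thalesgroup.ciphertrust.cckm_gcp_ekm:
        localNode: "{{ cm_node }}"
        op_type: create
        name: "gcp-ekm-ude-prod"                # assumed unique endpoint name
        endpoint_type: ekm-ude
        key_type: symmetric
        algorithm: AES256
        keyURIHostname: "ekm.example.com"       # assumed KeyURI base hostname
        cvm_required_for_encrypt: true           # UDE only: attested CVM needed to encrypt
        cvm_required_for_decrypt: true           # UDE only: attested CVM needed to decrypt
        meta:
          owner: "platform-security"            # free-form metadata, assumed
      register: ekm_create

    - name: Rotate the key behind the endpoint
      thalesgroup.ciphertrust.cckm_gcp_ekm:
        localNode: "{{ cm_node }}"
        op_type: ekm_op
        ekm_op_type: rotate
        ekm_id: "<EKM id returned by the create task>"   # placeholder

    - name: Update the endpoint metadata
      thalesgroup.ciphertrust.cckm_gcp_ekm:
        localNode: "{{ cm_node }}"
        op_type: update
        ekm_id: "<EKM id returned by the create task>"   # placeholder
        meta:
          owner: "platform-security"            # assumed
          rotation: "quarterly"                 # assumed
```

Keeping the localNode block in a single vars entry means the admin credential is referenced in one place and can be sourced from an encrypted vault file; setting verify to true is what makes the server_ip value meaningful, since without it the module accepts any certificate presented on port 5432.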

Authors

  • Anurag Jain, Developer Advocate Thales Group