thalesgroup.ciphertrust.cte_policy_save module – Manage policies as collection of rules that govern data access and encryption

Note

This module is part of the thalesgroup.ciphertrust collection (version 1.0.0).

To install it, use: ansible-galaxy collection install thalesgroup.ciphertrust.

To use it in a playbook, specify: thalesgroup.ciphertrust.cte_policy_save.

New in thalesgroup.ciphertrust 1.0.0

Synopsis

  • This is a Thales CipherTrust Manager module for working with the CipherTrust Manager APIs, more specifically with the CTE Policy API.

Parameters

Parameter

Comments

action

string

Actions applicable to the rule. Examples of actions are read, write, all_ops, and key_op.

Choices:

  • "read"

  • "write"

  • "all_ops"

  • "key_op"

current_key

string

Identifier of the key to link with the rule. Supported fields are name, id, slug, alias, uri, uuid, muid, and key_id.

current_key_type

string

Specify the type of identifier given in current_key. Must be one of name, id, slug, alias, uri, uuid, muid or key_id.

Choices:

  • "name"

  • "id"

  • "slug"

  • "alias"

  • "uri"

  • "uuid"

  • "muid"

  • "key_id"

current_keys

dictionary

Properties of the current key

data_transform_rules

list / elements=dictionary

Data transformation rules to link with the policy

dataTxRuleId

string

An identifier for the CTE Data-Transformation Rule. Can be an ID of type UUIDv4 or a URI

description

string

Description of the CTE policy

effect

string

Effects applicable to the rule. Separate multiple effects by commas.

Choices:

  • "permit"

  • "deny"

  • "audit"

  • "applykey"

exclude_process_set

boolean

Process set to exclude. Supported for Standard and LDT policies.

Choices:

  • false

  • true

exclude_resource_set

boolean

Resource set to exclude. Supported for Standard and LDT policies.

Choices:

  • false

  • true

exclude_user_set

boolean

User set to exclude. Supported for Standard and LDT policies.

Choices:

  • false

  • true

force_restrict_update

boolean

To remove restriction of policy for modification

Choices:

  • false

  • true

idt_key_rules

list / elements=dictionary

IDT rules to link with the policy

idtRuleId

string

An identifier for the CTE IDT Key Rule. Can be an ID of type UUIDv4 or a URI

is_exclusion_rule

boolean

Whether this is an exclusion rule. If enabled, no need to specify the transformation rule.

Choices:

  • false

  • true

key_id

string

Identifier of the key to link with the rule. Supported fields are name, id, slug, alias, uri, uuid, muid, and key_id.

key_rules

list / elements=dictionary

Key rules to link with the policy

key_type

string

Specify the type of identifier given in key_id. Must be one of name, id, slug, alias, uri, uuid, muid or key_id.

Choices:

  • "name"

  • "id"

  • "slug"

  • "alias"

  • "uri"

  • "uuid"

  • "muid"

  • "key_id"

keyRuleId

string

An identifier for the CTE Key Rule. Can be an ID of type UUIDv4 or a URI

ldt_key_rules

list / elements=dictionary

LDT rules to link with the policy. Supported for LDT policies.

ldtRuleId

string

An identifier for the CTE LDT Key Rule. Can be an ID of type UUIDv4 or a URI

localNode

dictionary / required

This holds the connection parameters required to communicate with an instance of CipherTrust Manager (CM): the IP/FQDN of the server, username, password, and port.

password

string / required

Admin password of CM

server_ip

string / required

CM Server IP or FQDN

server_port

integer / required

Port on which CM server is listening

Default: 5432

server_private_ip

string / required

Internal or private IP of the CM server, if different from server_ip

user

string / required

Admin username of CM

verify

boolean / required

Whether SSL certificate verification of the CM server is required

Choices:

  • false ← (default)

  • true

metadata

dictionary

Policy metadata; its restrict_update flag (see the Examples section) restricts the policy from modification

name

string

Name of the CTE policy

never_deny

boolean

Whether to always allow operations in the policy. By default, it is disabled, that is, operations are not allowed. Supported for Standard, LDT, and Cloud_Object_Storage policies. For Learn Mode activations, never_deny is set to true, by default.

Choices:

  • false

  • true

op_type

string / required

Operation to be performed

Choices:

  • "create"

  • "patch"

  • "add_data_transfer_rule"

  • "add_ldt_rule"

  • "add_key_rule"

  • "add_security_rule"

  • "patch_data_transfer_rule"

  • "patch_ldt_rule"

  • "patch_key_rule"

  • "patch_security_rule"

  • "patch_idt_rule"

  • "remove_data_transfer_rule"

  • "remove_ldt_rule"

  • "remove_key_rule"

  • "remove_security_rule"

order_number

integer

Precedence order of the rule in the parent policy

partial_match

boolean

Whether to allow partial match operations. By default, it is enabled. Supported for Standard and LDT policies.

Choices:

  • false

  • true

policy_id

string

Identifier of the CTE policy to be patched, or of the policy whose rules are to be patched or removed

policy_type

string

Type of the policy

Choices:

  • "Standard"

  • "LDT"

  • "IDT"

  • "CSI"

  • "Cloud_Object_Storage"

process_set_id

string

ID of the process set to link to the policy.

resource_set_id

string

ID of the resource set linked with the rule

security_rules

list / elements=dictionary

Security rules to link with the policy.

securityRuleId

string

An identifier for the CTE Security Rule. Can be an ID of type UUIDv4 or a URI

transformation_key

string

Identifier of the key to link with the rule. Supported fields are name, id, slug, alias, uri, uuid, muid or key_id.

transformation_key_type

string

Specify the type of the key. Must be one of name, id, slug, alias, uri, uuid, muid or key_id. If not specified, the type of the key is inferred.

Choices:

  • "name"

  • "id"

  • "slug"

  • "alias"

  • "uri"

  • "uuid"

  • "muid"

  • "key_id"

transformation_keys

dictionary

Properties of the transformation key

user_set_id

string

ID of the user set to link to the policy. Supported for Standard and LDT policies

Examples

- name: "Create CTE Policy"
  thalesgroup.ciphertrust.cte_policy_save:
    localNode:
        server_ip: "IP/FQDN of CipherTrust Manager"
        server_private_ip: "Private IP in case that is different from above"
        server_port: 5432
        user: "CipherTrust Manager Username"
        password: "CipherTrust Manager Password"
        verify: false
    op_type: create
    name: "Policy-Ans-001"
    description: "Created via Ansible"
    never_deny: false
    metadata:
      restrict_update: false
    security_rules:
      - action: key_op
        effect: "permit,applykey"
        partial_match: true
      - resource_set_id: RS-Ans-001
        exclude_resource_set: false
        partial_match: true
        action: all_ops
        effect: "permit,audit,applykey"
    policy_type: Standard
    key_rules:
      - key_id: CTE_standard_pol_key
        resource_set_id: RS-Ans-001
    data_transform_rules:
      - key_id: CTE_standard_pol_key
        resource_set_id: RS-Ans-001
  register: policy

- name: "Add new data transformation rule to a CTE Policy"
  thalesgroup.ciphertrust.cte_policy_save:
    localNode:
        server_ip: "IP/FQDN of CipherTrust Manager"
        server_private_ip: "Private IP in case that is different from above"
        server_port: 5432
        user: "CipherTrust Manager Username"
        password: "CipherTrust Manager Password"
        verify: false
    op_type: add_data_transfer_rule
    policy_id: "{{ policy['response']['id'] }}"
    rule_name: "datatxrules"
    key_id: CTE_standard_pol_key
    resource_set_id: RS-Ans-002
  register: datatxrule

- name: "Delete a data transformation rule from a CTE Policy"
  thalesgroup.ciphertrust.cte_policy_save:
    localNode:
        server_ip: "IP/FQDN of CipherTrust Manager"
        server_private_ip: "Private IP in case that is different from above"
        server_port: 5432
        user: "CipherTrust Manager Username"
        password: "CipherTrust Manager Password"
        verify: false
    op_type: remove_data_transfer_rule
    policy_id: "{{ policy['response']['id'] }}"
    rule_name: "datatxrules"
    rule_id: "{{ datatxrule['response']['id'] }}"
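The parameter reference lists the valid choices for each option and notes which policy types support it. The pre-flight check below, an added example and not code from the thalesgroup.ciphertrust collection, applies those constraints to a task's arguments before the playbook runs, and flags the two settings a reviewer should look at twice (never_deny and localNode.verify). The sample arguments are constructed from the "Create CTE Policy" task above; the server name is a placeholder.

```python
# Added example, not part of the thalesgroup.ciphertrust collection: a pre-flight
# check for cte_policy_save task arguments built only from the choice lists and
# "Supported for ..." notes in the parameter reference above.
ACTIONS = {"read", "write", "all_ops", "key_op"}
EFFECTS = {"permit", "deny", "audit", "applykey"}
POLICY_TYPES = {"Standard", "LDT", "IDT", "CSI", "Cloud_Object_Storage"}
STD_LDT_ONLY = {"exclude_process_set", "exclude_resource_set", "exclude_user_set", "partial_match"}
NEVER_DENY_TYPES = {"Standard", "LDT", "Cloud_Object_Storage"}


def check_policy_args(args):
    """Return a list of findings (strings) for one task's module arguments."""
    findings = []
    ptype = args.get("policy_type")
    if ptype not in POLICY_TYPES:
        findings.append(f"policy_type {ptype!r} is not a valid choice")
    if args.get("never_deny"):  # always-allow policy: flag it even where supported
        findings.append("never_deny is true: every operation is allowed, review before use"
                        + ("" if ptype in NEVER_DENY_TYPES else f" (unsupported for {ptype})"))
    if args.get("ldt_key_rules") and ptype != "LDT":
        findings.append("ldt_key_rules are only supported for LDT policies")
    if (args.get("localNode") or {}).get("verify") is False:
        findings.append("localNode.verify is false: the CM server certificate is not checked")
    for i, rule in enumerate(args.get("security_rules") or []):
        tag = f"security_rules[{i}]"
        if rule.get("action") not in ACTIONS:
            findings.append(f"{tag}: action {rule.get('action')!r} is not a valid choice")
        effects = [e.strip() for e in str(rule.get("effect", "")).split(",")]
        if not all(e in EFFECTS for e in effects):  # an empty item after split is rejected too
            findings.append(f"{tag}: effect {rule.get('effect')!r} must be comma-separated "
                            "permit/deny/audit/applykey")
        if ptype not in ("Standard", "LDT"):
            for key in sorted(STD_LDT_ONLY.intersection(rule)):
                findings.append(f"{tag}: {key} is only supported for Standard and LDT policies")
    for section in ("key_rules", "data_transform_rules"):
        for i, rule in enumerate(args.get(section) or []):
            if not rule.get("key_id"):
                findings.append(f"{section}[{i}]: key_id is required to link a key")
    return findings


SAMPLE_CREATE = {  # constructed: the "Create CTE Policy" task from the Examples section
    "localNode": {"server_ip": "cm.example.invalid", "verify": False},  # placeholder host
    "policy_type": "Standard", "never_deny": False,
    "security_rules": [{"action": "key_op", "effect": "permit,applykey", "partial_match": True},
                       {"resource_set_id": "RS-Ans-001", "action": "all_ops",
                        "effect": "permit,audit,applykey", "partial_match": True}],
    "key_rules": [{"key_id": "CTE_standard_pol_key", "resource_set_id": "RS-Ans-001"}],
    "data_transform_rules": [{"key_id": "CTE_standard_pol_key"}],
}
```

Running `check_policy_args(SAMPLE_CREATE)` on the page's own create task reports only the disabled certificate verification; a task that turns on never_deny or uses partial_match on an IDT policy produces one finding per violated constraint.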

Authors

  • Anurag Jain, Developer Advocate Thales Group