59cb7eebd9
This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.
Tests were updated to reflect the changes.
New example playbooks are added:
playbooks/vault/vault-is-present-with-password-file.yml
playbooks/vault/vault-is-present-with-public-key-file.yml
playbooks/vault/retrive-data-asymmetric-vault.yml
playbooks/vault/retrive-data-symmetric-vault.yml
5.5 KiB
Vault module
Description
The vault module allows to ensure presence and absence of vault and members of vaults.
The vault module is as compatible as possible to the Ansible upstream ipa_vault module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults.
Features
- Vault management
Supported FreeIPA Versions
FreeIPA versions 4.4.0 and up are supported by the ipavault module.
Requirements
Controller
- Ansible version: 2.8+
Node
- Supported FreeIPA version (see above)
- KRA service must be enabled
Usage
Example inventory file
[ipaserver]
ipaserver.test.local
Example playbook to make sure vault is present (by default, vault type is symmetric):
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
password: SomeVAULTpassword
description: A standard private vault.
Example playbook to make sure that a vault and its members are present:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
users: user01
action controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set action to member.
Example playbook to make sure that a vault member is present in vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
users: user01
action: member
Example playbook to make sure that a vault owner is absent in vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
owner: user01
action: member
state: absent
Example playbook to make sure vault data is present in a symmetric vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
password: SomeVAULTpassword
data: >
Data archived.
More data archived.
action: member
Example playbook to retrieve vault data from a symmetric vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
password: SomeVAULTpassword
retrieve: true
action: member
Example playbook to make sure vault data is absent in a symmetric vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
password: SomeVAULTpassword
action: member
state: absent
Example playbook to make sure vault is absent:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
state: absent
Variables
ipavault
| Variable | Description | Required |
|---|---|---|
ipaadmin_principal |
The admin principal is a string and defaults to admin |
no |
ipaadmin_password |
The admin password is a string and is required if there is no admin ticket available on the node | no |
name | cn |
The list of vault name strings. | yes |
description |
The vault description string. | no |
nomembers |
Suppress processing of membership attributes. (bool) | no |
password | vault_password | ipavaultpassword |
Vault password. | no |
public_key | vault_public_key | ipavaultpublickey |
Base64 encoded vault public key. | no |
public_key_file | vault_public_key_file |
Path to file with public key. | no |
private_key | vault_private_key |
Base64 encoded vault private key. Used only to retrieve data. | no |
private_key_file | vault_private_key_file |
Path to file with private key. | no |
salt | vault_salt | ipavaultsalt |
Vault salt. | no |
vault_type | ipavaulttype |
Vault types are based on security level. It can be one of standard, symmetric or asymmetric, default: symmetric |
no |
user | username |
Any user can own one or more user vaults. | no |
service |
Any service can own one or more service vaults. | no |
shared |
Vault is shared. Default to false. (bool) | no |
users |
Users that are members of the vault. | no |
groups |
Groups that are member of the vault. | no |
services |
Services that are member of the vault. | no |
data |vault_data | ipavaultdata |
Data to be stored in the vault. | no |
in | datafile_in |
Path to file with data to be stored in the vault. | no |
out | datafile_out |
Path to file to store data retrieved from the vault. | no |
retrieve |
If set to True, retrieve data stored in the vault. (bool) | no |
action |
Work on vault or member level. It can be on of member or vault and defaults to vault. |
no |
state |
The state to ensure. It can be one of present or absent, default: present. |
no |
Notes
ipavault uses a client context to execute, and it might affect execution time.
Authors
Rafael Jeffman