af4e8432ad
There is a new vault management module placed in the plugins folder:
plugins/modules/ipavault.py
The vault module allows to ensure presence and absence of vaults, manage
members and owner of the vault, and archive data in the vault.
Here is the documentation for the module:
README-vault.md
New example playbooks have been added:
playbooks/vault/data-archive-in-asymmetric-vault.yml
playbooks/vault/data-archive-in-symmetric-vault.yml
playbooks/vault/ensure-asymetric-vault-is-absent.yml
playbooks/vault/ensure-asymetric-vault-is-present.yml
playbooks/vault/ensure-service-vault-is-absent.yml
playbooks/vault/ensure-service-vault-is-present.yml
playbooks/vault/ensure-shared-vault-is-absent.yml
playbooks/vault/ensure-shared-vault-is-present.yml
playbooks/vault/ensure-standard-vault-is-absent.yml
playbooks/vault/ensure-standard-vault-is-present.yml
playbooks/vault/ensure-symetric-vault-is-absent.yml
playbooks/vault/ensure-symetric-vault-is-present.yml
playbooks/vault/ensure-vault-is-present-with-members.yml
playbooks/vault/ensure-vault-member-group-is-absent.yml
playbooks/vault/ensure-vault-member-group-is-present.yml
playbooks/vault/ensure-vault-member-user-is-absent.yml
playbooks/vault/ensure-vault-member-user-is-present.yml
playbooks/vault/ensure-vault-owner-is-absent.yml
playbooks/vault/ensure-vault-owner-is-present.yml
New tests added for the module:
tests/vault/test_vault.yml
4.5 KiB
Vault module
Description
The vault module allows to ensure presence and absence of vault and members of vaults.
The vault module is as compatible as possible to the Ansible upstream ipa_vault module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults.
Features
- Vault management
Supported FreeIPA Versions
FreeIPA versions 4.4.0 and up are supported by the ipavault module.
Requirements
Controller
- Ansible version: 2.8+
Node
- Supported FreeIPA version (see above)
- KRA service must be enabled
Usage
Example inventory file
[ipaserver]
ipaserver.test.local
Example playbook to make sure vault is present:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
vault_password: MyVaultPassword123
description: A standard private vault.
Example playbook to make sure that a vault and its members are present:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
users: user01
action controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set action to member.
Example playbook to make sure that a vault member is present in vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
users: user01
action: member
Example playbook to make sure that a vault owner is absent in vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
owner: user01
action: member
state: absent
Example playbook to make sure vault data is present in a symmetric vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
vault_password: MyVaultPassword123
vault_data: >
Data archived.
More data archived.
action: member
Example playbook to make sure vault data is absent in a symmetric vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
vault_password: MyVaultPassword123
action: member
state: absent
Example playbook to make sure vault is absent:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
state: absent
Variables
ipavault
| Variable | Description | Required |
|---|---|---|
ipaadmin_principal |
The admin principal is a string and defaults to admin |
no |
ipaadmin_password |
The admin password is a string and is required if there is no admin ticket available on the node | no |
name | cn |
The list of vault name strings. | yes |
description |
The vault description string. | no |
nomembers |
Suppress processing of membership attributes. (bool) | no |
vault_public_key | ipavaultpublickey |
Vault public key. | no |
vault_salt | ipavaultsalt |
Vault salt. | no |
vault_type | ipavaulttype |
Vault types are based on security level. It can be one of standard, symmetric or asymmetric, default: symmetric |
no |
service |
Any service can own one or more service vaults. | no |
user |
Any user can own one or more user vaults. | no |
shared |
Vault is shared. Default to false. (bool) | no |
users |
Users that are members of the vault. | no |
groups |
Groups that are member of the vault. | no |
vault_data | ipavaultdata |
Data to be stored in the vault. | no |
action |
Work on vault or member level. It can be on of member or vault and defaults to vault. |
no |
state |
The state to ensure. It can be one of present or absent, default: present. |
no |
Notes
ipavault uses a client context to execute, and it might affect execution time.
Authors
Rafael Jeffman