1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

[cloud] Allow IAM certificate secrets, body, chains to be strings (e.g. sourced from ansible-vault) (#24206)

* Allow cert and private pem information to be passed in via string, eg when obtaining sensitive key details from anisble-vault at runtime

* Allow cert chain body to be passed as a string

* Ensure the new options are set in parameters

* Dont publish the private key in logs

* Set the version_added documentation

* Update documentation inline with review

* Removes file based certificates in favour of string only as suggested in feature review

* Documentation changes as suggested by review
This commit is contained in:
Chris Atkinson 2017-06-09 16:32:22 +01:00 committed by Ryan Brown
parent b376bde4d7
commit 62fa2019c6

View file

@ -30,63 +30,46 @@ options:
description: description:
- Name of certificate to add, update or remove. - Name of certificate to add, update or remove.
required: true required: true
aliases: []
new_name: new_name:
description: description:
- When present, this will update the name of the cert with the value passed here. - When present, this will update the name of the cert with the value passed here.
required: false required: false
aliases: []
new_path: new_path:
description: description:
- When present, this will update the path of the cert with the value passed here. - When present, this will update the path of the cert with the value passed here.
required: false required: false
aliases: []
state: state:
description: description:
- Whether to create, delete certificate. When present is specified it will attempt to make an update if new_path or new_name is specified. - Whether to create, delete certificate. When present is specified it will attempt to make an update if new_path or new_name is specified.
required: true required: true
default: null default: null
choices: [ "present", "absent" ] choices: [ "present", "absent" ]
aliases: []
path: path:
description: description:
- When creating or updating, specify the desired path of the certificate - When creating or updating, specify the desired path of the certificate
required: false required: false
default: "/" default: "/"
aliases: []
cert_chain: cert_chain:
description: description:
- The path to the CA certificate chain in PEM encoded format. - The CA certificate chain in PEM encoded format.
- Note that prior to 2.4, this parameter expected a path to a file. Since 2.4 this is now accomplished using a lookup plugin. See examples for detail
required: false required: false
default: null default: null
aliases: []
cert: cert:
description: description:
- The path to the certificate body in PEM encoded format. - The certificate body in PEM encoded format.
- Note that prior to 2.4, this parameter expected a path to a file. Since 2.4 this is now accomplished using a lookup plugin. See examples for detail
required: false required: false
aliases: []
key: key:
description: description:
- The path to the private key of the certificate in PEM encoded format. - The key of the certificate in PEM encoded format.
- Note that prior to 2.4, this parameter expected a path to a file. Since 2.4 this is now accomplished using a lookup plugin. See examples for detail
dup_ok: dup_ok:
description: description:
- By default the module will not upload a certificate that is already uploaded into AWS. If set to True, it will upload the certificate as - By default the module will not upload a certificate that is already uploaded into AWS. If set to True, it will upload the certificate as
long as the name is unique. long as the name is unique.
required: false required: false
default: False default: False
aliases: []
aws_secret_key:
description:
- AWS secret key. If not set then the value of the AWS_SECRET_KEY environment variable is used.
required: false
default: null
aliases: [ 'ec2_secret_key', 'secret_key' ]
aws_access_key:
description:
- AWS access key. If not set then the value of the AWS_ACCESS_KEY environment variable is used.
required: false
default: null
aliases: [ 'ec2_access_key', 'access_key' ]
requirements: [ "boto" ] requirements: [ "boto" ]
@ -97,16 +80,22 @@ extends_documentation_fragment:
''' '''
EXAMPLES = ''' EXAMPLES = '''
# Basic server certificate upload # Basic server certificate upload from local file
tasks: - iam_cert:
- name: Upload Certificate
iam_cert:
name: very_ssl name: very_ssl
state: present state: present
cert: somecert.pem cert: "{{ lookup('file', 'path/to/cert') }}"
key: privcertkey key: "{{ lookup('file', 'path/to/key') }}"
cert_chain: myverytrustedchain cert_chain: "{{ lookup('file', 'path/to/certchain') }}"
# Server certificate upload using key string
- iam_cert:
name: very_ssl
state: present
path: "/a/cert/path/"
cert: body_of_somecert
key: vault_body_of_privcertkey
cert_chain: body_of_myverytrustedchain
''' '''
import json import json
import sys import sys
@ -235,9 +224,9 @@ def main():
state=dict( state=dict(
default=None, required=True, choices=['present', 'absent']), default=None, required=True, choices=['present', 'absent']),
name=dict(default=None, required=False), name=dict(default=None, required=False),
cert=dict(default=None, required=False, type='path'), cert=dict(default=None, required=False),
key=dict(default=None, required=False, type='path'), key=dict(default=None, required=False, no_log=True),
cert_chain=dict(default=None, required=False, type='path'), cert_chain=dict(default=None, required=False),
new_name=dict(default=None, required=False), new_name=dict(default=None, required=False),
path=dict(default='/', required=False), path=dict(default='/', required=False),
new_path=dict(default=None, required=False), new_path=dict(default=None, required=False),
@ -271,10 +260,12 @@ def main():
cert_chain = module.params.get('cert_chain') cert_chain = module.params.get('cert_chain')
dup_ok = module.params.get('dup_ok') dup_ok = module.params.get('dup_ok')
if state == 'present': if state == 'present':
cert = open(module.params.get('cert'), 'r').read().rstrip() if module.params.get('cert') is not None:
key = open(module.params.get('key'), 'r').read().rstrip() cert = module.params.get('cert')
if cert_chain is not None: if module.params.get('key') is not None:
cert_chain = open(module.params.get('cert_chain'), 'r').read() key = module.params.get('key')
if module.params.get('cert_chain') is not None:
cert_chain = module.params.get('cert_chain')
else: else:
key=cert=chain=None key=cert=chain=None