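---
####################################################################
# WARNING: These are designed specifically for Ansible tests       #
# and should not be used as examples of how to write Ansible roles #
####################################################################

# Integration test for community.general.java_keystore.
#
# Flow: generate two throwaway RSA keys (one of them passphrase-protected),
# issue self-signed certificates for them, build a JKS from each pair, then
# re-run the module to check idempotency and a certificate change.
# Passphrases ("hunter2") and the keystore password ("changeit") are fixed
# test fixtures only; every artefact lives under remote_tmp_dir.
#
# Booleans are written as `true`/`false` (not `yes`/`no`) so the file parses
# the same under YAML 1.1 and 1.2 loaders and passes yamllint's `truthy` rule.

- when: has_java_keytool
  block:
    - name: Create private keys
      community.crypto.openssl_privatekey:
        path: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
        size: 2048  # this should work everywhere
        # The following is more efficient, but might not work everywhere:
        # type: ECC
        # curve: secp384r1
        # Only encrypt the key when a passphrase is supplied for this item.
        cipher: "{{ 'auto' if item.passphrase is defined else omit }}"
        passphrase: "{{ item.passphrase | default(omit) }}"
      loop:
        - name: cert
        - name: cert-pw
          passphrase: hunter2

    # cert2 / cert2-pw reuse the keys of cert / cert-pw (via keyname) so the
    # later "certificate changed" step swaps the certificate but not the key.
    - name: Create CSRs
      community.crypto.openssl_csr:
        path: "{{ remote_tmp_dir ~ '/' ~ item.name ~ '.csr' }}"
        privatekey_path: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
        privatekey_passphrase: "{{ item.passphrase | default(omit) }}"
        commonName: "{{ item.commonName }}"
      loop:
        - name: cert
          commonName: example.com
        - name: cert-pw
          passphrase: hunter2
          commonName: example.com
        - name: cert2
          keyname: cert
          commonName: example.org
        - name: cert2-pw
          keyname: cert-pw
          passphrase: hunter2
          commonName: example.org

    - name: Create certificates
      community.crypto.x509_certificate:
        path: "{{ remote_tmp_dir ~ '/' ~ item.name ~ '.pem' }}"
        csr_path: "{{ remote_tmp_dir ~ '/' ~ item.name ~ '.csr' }}"
        privatekey_path: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
        privatekey_passphrase: "{{ item.passphrase | default(omit) }}"
        provider: selfsigned
      loop:
        - name: cert
          commonName: example.com
        - name: cert-pw
          passphrase: hunter2
          commonName: example.com
        - name: cert2
          keyname: cert
          commonName: example.org
        - name: cert2-pw
          keyname: cert-pw
          passphrase: hunter2
          commonName: example.org

    # The same loop list is reused (anchor) for every keystore task below so
    # that `loop_index` lines up with the registered slurp results.
    - name: Read certificates
      slurp:
        src: "{{ remote_tmp_dir ~ '/' ~ item.name ~ '.pem' }}"
      loop: &create_key_store_loop
        - name: cert
        - name: cert-pw
          passphrase: hunter2
      register: certificates

    # NOTE: the registered result carries the (base64) private key material
    # and shows up in verbose output; acceptable here only because these are
    # throwaway test keys.
    - name: Read certificate keys
      slurp:
        src: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.key' }}"
      loop: *create_key_store_loop
      register: certificate_keys

    - name: Create a Java key store for the given certificates (check mode)
      community.general.java_keystore: &create_key_store_data
        name: example
        certificate: "{{ certificates.results[loop_index].content | b64decode }}"
        private_key: "{{ certificate_keys.results[loop_index].content | b64decode }}"
        private_key_passphrase: "{{ item.passphrase | default(omit) }}"
        password: changeit
        dest: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.jks' }}"
      loop: *create_key_store_loop
      loop_control:
        index_var: loop_index
      check_mode: true
      register: result_check

    - name: Create a Java key store for the given certificates
      community.general.java_keystore: *create_key_store_data
      loop: *create_key_store_loop
      loop_control:
        index_var: loop_index
      register: result

    - name: Create a Java key store for the given certificates (idempotency, check mode)
      community.general.java_keystore: *create_key_store_data
      loop: *create_key_store_loop
      loop_control:
        index_var: loop_index
      check_mode: true
      register: result_idem_check

    - name: Create a Java key store for the given certificates (idempotency)
      community.general.java_keystore: *create_key_store_data
      loop: *create_key_store_loop
      loop_control:
        index_var: loop_index
      register: result_idem

    # Second certificate set: same keys, different certificates (example.org).
    - name: Read certificates (new)
      slurp:
        src: "{{ remote_tmp_dir ~ '/' ~ item.name ~ '.pem' }}"
      loop: &create_key_store_loop_new_certs
        - name: cert2
          keyname: cert
        - name: cert2-pw
          keyname: cert-pw
          passphrase: hunter2
      register: certificates_new

    - name: Read certificate keys (new)
      slurp:
        src: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.key' }}"
      loop: *create_key_store_loop_new_certs
      register: certificate_keys_new

    # `dest` is derived from keyname, so these tasks overwrite the keystores
    # created above rather than producing new files.
    - name: Create a Java key store for the given certificates (certificate changed, check mode)
      community.general.java_keystore: &create_key_store_data_new_certs
        name: example
        certificate: "{{ certificates_new.results[loop_index].content | b64decode }}"
        private_key: "{{ certificate_keys_new.results[loop_index].content | b64decode }}"
        private_key_passphrase: "{{ item.passphrase | default(omit) }}"
        password: changeit
        dest: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.jks' }}"
      loop: *create_key_store_loop_new_certs
      loop_control:
        index_var: loop_index
      check_mode: true
      register: result_change_check

    - name: Create a Java key store for the given certificates (certificate changed)
      community.general.java_keystore: *create_key_store_data_new_certs
      loop: *create_key_store_loop_new_certs
      loop_control:
        index_var: loop_index
      register: result_change

    # Keystore password change: wired up but disabled (see FIXME); the merge
    # key overrides only `password`, everything else comes from the anchor.
    - name: Create a Java key store for the given certificates (password changed, check mode)
      community.general.java_keystore:
        <<: *create_key_store_data_new_certs
        password: hunter2
      loop: *create_key_store_loop_new_certs
      loop_control:
        index_var: loop_index
      check_mode: true
      register: result_pw_change_check
      when: false  # FIXME: module currently crashes

    - name: Create a Java key store for the given certificates (password changed)
      community.general.java_keystore:
        <<: *create_key_store_data_new_certs
        password: hunter2
      loop: *create_key_store_loop_new_certs
      loop_control:
        index_var: loop_index
      register: result_pw_change
      when: false  # FIXME: module currently crashes

    - name: Validate results
      assert:
        that:
          - result is changed
          - result_check is changed
          - result_idem is not changed
          - result_idem_check is not changed
          - result_change is changed
          - result_change_check is changed
          # - result_pw_change is changed  # FIXME: module currently crashes
          # - result_pw_change_check is changed  # FIXME: module currently crashes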