[cloud] Allow IAM certificate secrets, body, chains to be strings (e.g. sourced from ansible-vault) (#24206)

* Allow cert and private PEM information to be passed in via string, e.g. when obtaining sensitive key details from ansible-vault at runtime

* Allow cert chain body to be passed as a string

* Ensure the new options are set in parameters

* Dont publish the private key in logs

* Set the version_added documentation

* Update documentation inline with review

* Removes file based certificates in favour of string only as suggested in feature review

* Documentation changes as suggested by review
Chris Atkinson 2017-06-09 16:32:22 +01:00 committed by Ryan Brown
parent b376bde4d7
commit 62fa2019c6


@ -30,63 +30,46 @@ options:
description:
- Name of certificate to add, update or remove.
required: true
aliases: []
new_name:
description:
- When present, this will update the name of the cert with the value passed here.
required: false
aliases: []
new_path:
description:
- When present, this will update the path of the cert with the value passed here.
required: false
aliases: []
state:
description:
- Whether to create, delete certificate. When present is specified it will attempt to make an update if new_path or new_name is specified.
required: true
default: null
choices: [ "present", "absent" ]
aliases: []
path:
description:
- When creating or updating, specify the desired path of the certificate
required: false
default: "/"
aliases: []
cert_chain:
description:
- The path to the CA certificate chain in PEM encoded format.
- The CA certificate chain in PEM encoded format.
- Note that prior to 2.4, this parameter expected a path to a file. Since 2.4 this is now accomplished using a lookup plugin. See examples for detail
required: false
default: null
aliases: []
cert:
description:
- The path to the certificate body in PEM encoded format.
- The certificate body in PEM encoded format.
- Note that prior to 2.4, this parameter expected a path to a file. Since 2.4 this is now accomplished using a lookup plugin. See examples for detail
required: false
aliases: []
key:
description:
- The path to the private key of the certificate in PEM encoded format.
- The key of the certificate in PEM encoded format.
- Note that prior to 2.4, this parameter expected a path to a file. Since 2.4 this is now accomplished using a lookup plugin. See examples for detail
dup_ok:
description:
- By default the module will not upload a certificate that is already uploaded into AWS. If set to True, it will upload the certificate as
long as the name is unique.
required: false
default: False
aliases: []
aws_secret_key:
description:
- AWS secret key. If not set then the value of the AWS_SECRET_KEY environment variable is used.
required: false
default: null
aliases: [ 'ec2_secret_key', 'secret_key' ]
aws_access_key:
description:
- AWS access key. If not set then the value of the AWS_ACCESS_KEY environment variable is used.
required: false
default: null
aliases: [ 'ec2_access_key', 'access_key' ]
requirements: [ "boto" ]
@ -97,16 +80,22 @@ extends_documentation_fragment:
'''
EXAMPLES = '''
# Basic server certificate upload
tasks:
- name: Upload Certificate
iam_cert:
# Basic server certificate upload from local file
- iam_cert:
name: very_ssl
state: present
cert: somecert.pem
key: privcertkey
cert_chain: myverytrustedchain
cert: "{{ lookup('file', 'path/to/cert') }}"
key: "{{ lookup('file', 'path/to/key') }}"
cert_chain: "{{ lookup('file', 'path/to/certchain') }}"
# Server certificate upload using key string
- iam_cert:
name: very_ssl
state: present
path: "/a/cert/path/"
cert: body_of_somecert
key: vault_body_of_privcertkey
cert_chain: body_of_myverytrustedchain
'''
import json
import sys
@ -235,9 +224,9 @@ def main():
state=dict(
default=None, required=True, choices=['present', 'absent']),
name=dict(default=None, required=False),
cert=dict(default=None, required=False, type='path'),
key=dict(default=None, required=False, type='path'),
cert_chain=dict(default=None, required=False, type='path'),
cert=dict(default=None, required=False),
key=dict(default=None, required=False, no_log=True),
cert_chain=dict(default=None, required=False),
new_name=dict(default=None, required=False),
path=dict(default='/', required=False),
new_path=dict(default=None, required=False),
@ -271,10 +260,12 @@ def main():
cert_chain = module.params.get('cert_chain')
dup_ok = module.params.get('dup_ok')
if state == 'present':
cert = open(module.params.get('cert'), 'r').read().rstrip()
key = open(module.params.get('key'), 'r').read().rstrip()
if cert_chain is not None:
cert_chain = open(module.params.get('cert_chain'), 'r').read()
if module.params.get('cert') is not None:
cert = module.params.get('cert')
if module.params.get('key') is not None:
key = module.params.get('key')
if module.params.get('cert_chain') is not None:
cert_chain = module.params.get('cert_chain')
else:
key=cert=chain=None
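Review bot: The new `present` branch accepts any string for `cert`, `key` and `cert_chain` now that `type='path'` is gone, so a playbook still passing a filename (the pre-2.4 contract) sends that literal path to AWS and only fails at the API call with an error that says nothing about the format change; a cheap PEM sanity check that names the option but never echoes the value (so the private key cannot land in the failure output) would make that an actionable error. The three `if module.params.get(...) is not None` guards and the `cert_chain` reassignment are no-ops — `params.get()` already yields `None` for an unset option and `cert_chain` was read three lines above — so they can collapse to plain assignments. The old code applied `.rstrip()` to `cert` and `key`; vault-sourced strings commonly end in a newline, so if that strip mattered for the upload it should be kept on the new path rather than dropped. The `else` branch's `key=cert=chain=None` is unchanged context but `chain` looks like a pre-existing typo for `cert_chain`, worth fixing in passing since this branch now owns those assignments; the function continues past the hunk.

```python
    if state == 'present':
        # These options were file paths until 2.4; a value without a PEM header is
        # almost certainly a path from an old playbook. Do not include the value
        # in the message: 'key' is the private key.
        for opt in ('cert', 'key', 'cert_chain'):
            val = module.params.get(opt)
            if val is not None and '-----BEGIN' not in val:
                module.fail_json(msg="%s must be PEM content, not a file path; "
                                     "since 2.4 pass lookup('file', ...) or a vaulted string" % opt)
        cert = module.params.get('cert')
        key = module.params.get('key')
        cert_chain = module.params.get('cert_chain')
        # keep the trailing-whitespace strip the file-based code applied to cert/key
        if cert is not None:
            cert = cert.rstrip()
        if key is not None:
            key = key.rstrip()
    # … unchanged: else branch …
```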