Skip to content
Snippets Groups Projects
Commit af4e8432 authored by Rafael Guterres Jeffman's avatar Rafael Guterres Jeffman
Browse files

New vault management module. 

There is a new vault management module placed in the plugins folder:

  plugins/modules/ipavault.py

The vault module allows to ensure presence and absence of vaults, manage
members and owner of the vault, and archive data in the vault.

Here is the documentation for the module:

    README-vault.md

New example playbooks have been added:

    playbooks/vault/data-archive-in-asymmetric-vault.yml
    playbooks/vault/data-archive-in-symmetric-vault.yml
    playbooks/vault/ensure-asymetric-vault-is-absent.yml
    playbooks/vault/ensure-asymetric-vault-is-present.yml
    playbooks/vault/ensure-service-vault-is-absent.yml
    playbooks/vault/ensure-service-vault-is-present.yml
    playbooks/vault/ensure-shared-vault-is-absent.yml
    playbooks/vault/ensure-shared-vault-is-present.yml
    playbooks/vault/ensure-standard-vault-is-absent.yml
    playbooks/vault/ensure-standard-vault-is-present.yml
    playbooks/vault/ensure-symetric-vault-is-absent.yml
    playbooks/vault/ensure-symetric-vault-is-present.yml
    playbooks/vault/ensure-vault-is-present-with-members.yml
    playbooks/vault/ensure-vault-member-group-is-absent.yml
    playbooks/vault/ensure-vault-member-group-is-present.yml
    playbooks/vault/ensure-vault-member-user-is-absent.yml
    playbooks/vault/ensure-vault-member-user-is-present.yml
    playbooks/vault/ensure-vault-owner-is-absent.yml
    playbooks/vault/ensure-vault-owner-is-present.yml

New tests added for the module:

    tests/vault/test_vault.yml
parent 1dd2b54e
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 447 additions and 0 deletions
README-vault.md 0 → 100644
+ 203
0
View file @ af4e8432
Vault module
===================
Description
-----------
The vault module allows to ensure presence and absence of vault and members of vaults.
The vault module is as compatible as possible to the Ansible upstream `ipa_vault` module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults.
Features
--------
* Vault management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipavault module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
* KRA service must be enabled
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure vault is present:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
vault_password: MyVaultPassword123
description: A standard private vault.
```
Example playbook to make sure that a vault and its members are present:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
users: user01
```
`action` controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set `action` to `member`.
Example playbook to make sure that a vault member is present in vault:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
users: user01
action: member
```
Example playbook to make sure that a vault owner is absent in vault:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
owner: user01
action: member
state: absent
```
Example playbook to make sure vault data is present in a symmetric vault:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
vault_password: MyVaultPassword123
vault_data: >
Data archived.
More data archived.
action: member
```
Example playbook to make sure vault data is absent in a symmetric vault:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
vault_password: MyVaultPassword123
action: member
state: absent
```
Example playbook to make sure vault is absent:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
state: absent
```
Variables
=========
ipavault
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of vault name strings. | yes
`description` | The vault description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`vault_public_key` \| `ipavaultpublickey` | Vault public key. | no
`vault_salt` \| `ipavaultsalt` | Vault salt. | no
`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
`service` | Any service can own one or more service vaults. | no
`user` | Any user can own one or more user vaults. | no
`shared` | Vault is shared. Default to false. (bool) | no
`users` | Users that are members of the vault. | no
`groups` | Groups that are member of the vault. | no
`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
`action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
Notes
=====
ipavault uses a client context to execute, and it might affect execution time.
Authors
=======
Rafael Jeffman
README.md
+ 2
0
View file @ af4e8432
......@@ -23,6 +23,7 @@ Features
* Modules for sudorule management
* Modules for topology management
* Modules for user management
* Modules for vault management
Supported FreeIPA Versions
--------------------------
......@@ -416,3 +417,4 @@ Modules in plugin/modules
* [ipatopologysegment](README-topology.md)
* [ipatopologysuffix](README-topology.md)
* [ipauser](README-user.md)
* [ipavault](README-vault.md)
playbooks/vault/data-archive-in-asymmetric-vault.yml 0 → 100644
+ 13
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: asymvault
username: user01
vault_data: The world of π is half rounded.
action: member
playbooks/vault/data-archive-in-symmetric-vault.yml 0 → 100644
+ 14
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
vault_password: MyVaultPassword123
vault_data: The world of π is half rounded.
action: member
playbooks/vault/ensure-asymetric-vault-is-absent.yml 0 → 100644
+ 12
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: asymvault
username: admin
state: absent
playbooks/vault/ensure-asymetric-vault-is-present.yml 0 → 100644
+ 13
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: asymvault
username: admin
vault_public_key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlVbFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=
vault_type: asymmetric
playbooks/vault/ensure-service-vault-is-absent.yml 0 → 100644
+ 12
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: svcvault
service: "HTTP/{{ groups.ipaserver[0] }}"
state: absent
playbooks/vault/ensure-service-vault-is-present.yml 0 → 100644
+ 13
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: svcvault
service: "HTTP/{{ groups.ipaserver[0] }}"
ipavaultpassword: MyVaultPassword123
state: present
playbooks/vault/ensure-shared-vault-is-absent.yml 0 → 100644
+ 12
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: sharedvault
shared: True
state: absent
playbooks/vault/ensure-shared-vault-is-present.yml 0 → 100644
+ 13
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: sharedvault
shared: True
ipavaultpassword: MyVaultPassword123
state: present
playbooks/vault/ensure-standard-vault-is-absent.yml 0 → 100644
+ 12
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: stdvault
username: admin
state: absent
playbooks/vault/ensure-standard-vault-is-present.yml 0 → 100644
+ 13
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: stdvault
vault_type: standard
username: admin
description: A standard private vault.
playbooks/vault/ensure-symetric-vault-is-absent.yml 0 → 100644
+ 12
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
state: absent
playbooks/vault/ensure-symetric-vault-is-present.yml 0 → 100644
+ 13
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
vault_password: MyVaultPassword123
vault_type: symmetric
playbooks/vault/ensure-vault-is-present-with-members.yml 0 → 100644
+ 17
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: stdvault
vault_type: standard
username: admin
users:
- user01
- user02
groups:
- ipausers
playbooks/vault/ensure-vault-member-group-is-absent.yml 0 → 100644
+ 14
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: keychain
username: admin
state: absent
action: member
groups: ipausers
playbooks/vault/ensure-vault-member-group-is-present.yml 0 → 100644
+ 14
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: keychain
username: admin
state: present
action: member
groups: ipausers
playbooks/vault/ensure-vault-member-user-is-absent.yml 0 → 100644
+ 16
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: keychain
username: admin
state: absent
action: member
users:
- user01
- user02
playbooks/vault/ensure-vault-member-user-is-present.yml 0 → 100644
+ 14
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: keychain
username: admin
state: present
action: member
users: user1
playbooks/vault/ensure-vault-owner-is-absent.yml 0 → 100644
+ 15
0
View file @ af4e8432
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
- ipavault:
ipaadmin_password: MyPassword123
name: symvault
username: admin
owners: user01
ownergroups: ipausers
action: member
state: absent
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment