hashivault_pki_tidy – Hashicorp Vault PKI Tidy

New in version 4.5.0.

Synopsis

  • This endpoint retrieves one of a selection of certificates.

Requirements

The below requirements are needed on the host that executes this module.

  • hvac>=0.10.1

  • ansible>=2.0.0

  • requests

Parameters

Each parameter is listed with its type (where given), its choices/defaults and a comment.

authtype
    Choices: token, userpass, github, ldap, approle
    Default: "token or environment variable `VAULT_AUTHTYPE`"
    Authentication type.

aws_header
    Default: "to environment variable `VAULT_AWS_HEADER`"
    X-Vault-AWS-IAM-Server-ID header value to prevent replay attacks.

ca_cert
    Default: "to environment variable `VAULT_CACERT`"
    Path to a PEM-encoded CA cert file used to verify the Vault server TLS certificate.

ca_path
    Default: "to environment variable `VAULT_CAPATH`"
    Path to a directory of PEM-encoded CA cert files used to verify the Vault server TLS certificate. If ca_cert is specified, its value takes precedence.

client_cert
    Default: "to environment variable `VAULT_CLIENT_CERT`"
    Path to a PEM-encoded client certificate for TLS authentication to the Vault server.

client_key
    Default: "to environment variable `VAULT_CLIENT_KEY`"
    Path to an unencrypted PEM-encoded private key matching the client certificate.

config (dictionary)
    Collection of properties for the pki tidy endpoint. Ref. https://www.vaultproject.io/api-docs/secret/pki#tidy
    Sub-options:

    safety_buffer (string)
        Default: "72h"
        Specifies a duration used as a safety buffer to ensure certificates are not expunged prematurely; for example, this can keep certificates from being removed from the CRL that, due to clock skew, might still be considered valid on other hosts. For a certificate to be expunged, the current time (according to the local clock) must be after the certificate's expiration time plus the duration of safety_buffer.

    tidy_cert_store (boolean)
        Choices: no (default), yes
        Specifies whether to tidy up the certificate store.

    tidy_revoked_certs (boolean)
        Choices: no (default), yes
        Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed.

login_mount_point
    Default: "value of authtype or environment variable `VAULT_LOGIN_MOUNT_POINT`"
    Authentication mount point.

mount_point
    Default: "pki"
    Location where the secrets engine is mounted, also known as path.

namespace
    Default: "to environment variable VAULT_NAMESPACE"
    Namespace for Vault.

password
    Default: "to environment variable `VAULT_PASSWORD`"
    Password to log in to Vault.

token
    Default: "to environment variable `VAULT_TOKEN`"
    Token for Vault.

url
    Default: "to environment variable `VAULT_ADDR`"
    URL for Vault.

username
    Default: "to environment variable `VAULT_USER`"
    Username to log in to Vault.

verify
    Default: "to environment variable `VAULT_SKIP_VERIFY`"
    If set, do not verify the presented TLS certificate before communicating with the Vault server. Setting this variable is not recommended except during testing.

Examples

---
- hosts: localhost
  tasks:
    - hashivault_pki_tidy:
        # tidy settings are sub-options of the `config` dictionary (see Parameters)
        config:
          safety_buffer: 96h
          tidy_revoked_certs: true
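To make the safety_buffer rule and the two tidy switches concrete, here is an added Python example (not part of the module or its documentation) that simulates which certificates a tidy run would expunge from a constructed inventory; the record layout and the plan_tidy helper are assumptions of the example, not hvac or Vault APIs.

```python
from datetime import datetime, timedelta, timezone
import re

# Vault accepts Go-style duration strings such as "72h", "96h", "1h30m" or "90s".
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Parse a Go-style duration string ("72h", "1h30m") into a timedelta."""
    if not re.fullmatch(r"(\d+[hms])+", text):
        raise ValueError("unsupported duration: %r" % text)
    parts = re.findall(r"(\d+)([hms])", text)
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u] for n, u in parts))

def expunge_eligible(not_after, now, safety_buffer="72h"):
    """Rule from the safety_buffer description: a certificate may be expunged only
    once now (local clock) is later than its expiry plus the safety buffer."""
    return now > not_after + parse_duration(safety_buffer)

def plan_tidy(certs, now, config):
    """Simulate which serials a tidy run would drop from storage and from the CRL.
    certs:  constructed records {"serial": str, "not_after": datetime, "revoked": bool}
    config: the module's `config` dictionary, with the parameter table's defaults."""
    buf = config.get("safety_buffer", "72h")
    storage, crl = [], []
    for cert in certs:
        if not expunge_eligible(cert["not_after"], now, buf):
            continue  # still inside the buffer: kept even though it may be expired
        if cert["revoked"]:
            if config.get("tidy_revoked_certs", False):
                crl.append(cert["serial"])      # leaves the CRL ...
                storage.append(cert["serial"])  # ... and storage
        elif config.get("tidy_cert_store", False):
            storage.append(cert["serial"])
    return {"storage": storage, "crl": crl, "crl_rotated": bool(crl)}

# Constructed sample inventory, relative to a fixed "now" (assumed values).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"serial": "aa", "not_after": NOW - timedelta(hours=48), "revoked": False},   # expired, inside 72h
    {"serial": "bb", "not_after": NOW - timedelta(hours=100), "revoked": False},  # expired, past buffer
    {"serial": "cc", "not_after": NOW - timedelta(hours=100), "revoked": True},   # revoked and expired
    {"serial": "dd", "not_after": NOW + timedelta(days=30), "revoked": True},     # revoked, still valid
]

if __name__ == "__main__":
    print(plan_tidy(SAMPLE_CERTS, NOW, {"tidy_revoked_certs": True}))
```

With the default 72h buffer, the certificate that expired 48 hours ago survives the run; shrinking the buffer to 24h removes it, which is the clock-skew trade-off the safety_buffer comment describes.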

Status

Authors

  • UNKNOWN
