hashivault_pki_tidy – Hashicorp Vault PKI Tidy¶
New in version 4.5.0.
Requirements¶
The below requirements are needed on the host that executes this module.
hvac>=0.10.1
ansible>=2.0.0
requests
Parameters¶
| Parameter | Choices/Defaults | Comments | |
|---|---|---|---|
|
authtype
-
|
"token or environment variable `VAULT_AUTHTYPE`"
|
authentication type
|
|
|
aws_header
-
|
Default: "to environment variable `VAULT_AWS_HEADER`"
|
X-Vault-AWS-IAM-Server-ID Header value to prevent replay attacks.
|
|
|
ca_cert
-
|
Default: "to environment variable `VAULT_CACERT`"
|
Path to a PEM-encoded CA cert file to use to verify the Vault server TLS certificate
|
|
|
ca_path
-
|
Default: "to environment variable `VAULT_CAPATH`"
|
Path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate. If ca_cert is specified, its value will take precedence
|
|
|
client_cert
-
|
Default: "to environment variable `VAULT_CLIENT_CERT`"
|
Path to a PEM-encoded client certificate for TLS authentication to the Vault server
|
|
|
client_key
-
|
Default: "to environment variable `VAULT_CLIENT_KEY`"
|
Path to an unencrypted PEM-encoded private key matching the client certificate
|
|
|
config
dictionary
|
Collection of properties for pki tidy endpoint. Ref. https://www.vaultproject.io/api-docs/secret/pki#tidy
|
||
|
safety_buffer
string
|
Default: "72h"
|
Specifies A duration used as a safety buffer to ensure certificates are not expunged prematurely;
as an example, this can keep certificates from being removed from the CRL that, due to clock skew, might still be considered valid on other hosts.
For a certificate to be expunged, the time must be after the expiration time of the certificate (according to the local clock) plus the duration of safety_buffer.
|
|
|
tidy_cert_store
boolean
|
|
Specifies whether to tidy up the certificate store.
|
|
|
tidy_revoked_certs
boolean
|
|
Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage.
The CRL will be rotated if this causes any values to be removed.
|
|
|
login_mount_point
-
|
Default: "value of authtype or environment varialbe `VAULT_LOGIN_MOUNT_POINT`"
|
authentication mount point
|
|
|
mount_point
-
|
Default: "pki"
|
location where secrets engine is mounted. also known as path
|
|
|
namespace
-
|
Default: "to environment variable VAULT_NAMESPACE"
|
namespace for vault
|
|
|
password
-
|
Default: "to environment variable `VAULT_PASSWORD`"
|
password to login to vault.
|
|
|
token
-
|
Default: "to environment variable `VAULT_TOKEN`"
|
token for vault
|
|
|
url
-
|
Default: "to environment variable `VAULT_ADDR`"
|
url for vault
|
|
|
username
-
|
Default: "to environment variable `VAULT_USER`"
|
username to login to vault.
|
|
|
verify
-
|
Default: "to environment variable `VAULT_SKIP_VERIFY`"
|
If set, do not verify presented TLS certificate before communicating with Vault server. Setting this variable is not recommended except during testing
|
|
Examples¶
---
- hosts: localhost
tasks:
- hashivault_pki_tidy:
safety_buffer: 96h
tidy_revoked_certs: true
Status¶
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]
Authors¶
UNKNOWN
Hint
If you notice any issues in this documentation, you can edit this document to improve it.