Add missing hashivault_pki_role options
dezeroku committed Jun 27, 2024
1 parent a4c9ab6 commit 114dfc1
Showing 1 changed file with 55 additions and 1 deletion.
56 changes: 55 additions & 1 deletion ansible/modules/hashivault/hashivault_pki_role.py
@@ -98,6 +98,12 @@
description:
- Allows names specified in `allowed_domains` to contain glob patterns (e.g. `ftp*.example.com`)
- Clients will be allowed to request certificates with names matching the glob patterns.
allow_wildcard_certificates:
type: bool
default: true
description:
- Allows the issuance of certificates with RFC 6125 wildcards in the CN field.
- When set to false, this prevents wildcards from being issued even if they would've been allowed by an option above.
allow_any_name:
type: bool
default: false
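Review bot: the second description line of `allow_wildcard_certificates` says wildcards would otherwise be "allowed by an option above" without naming it; since the only neighbouring setting that can permit them is the glob-pattern option whose description opens this hunk (globs in `allowed_domains`), name that option explicitly, and write "would have" rather than "would've" to match the register of the surrounding docstring.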
@@ -126,6 +132,12 @@
- Values can contain glob patterns (e.g. `spiffe://hostname/*`).
- Although this parameter could take a string with comma-delimited items, it's highly advised to
not do so as it would break idempotency.
allowed_uri_sans_template:
type: bool
default: false
description:
- When set, allowed_uri_sans may contain templates, as with ACL Path Templating.
- Non-templated domains are also still permitted.
allowed_other_sans:
type: list
description:
@@ -137,6 +149,14 @@
`(bool)` Specifies if certificates are flagged for server use.
- Although this parameter could take a string with comma-delimited items, it's highly advised to
not do so as it would break idempotency.
allowed_serial_numbers:
type: list
default: ""
description:
- If set, an array of allowed serial numbers to be requested during certificate issuance.
- These values support shell-style globbing.
- When empty, custom-specified serial numbers will be forbidden.
- It is strongly recommended to allow Vault to generate random serial numbers instead.
server_flag:
type: bool
default: true
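Review bot: `allowed_serial_numbers` is declared `type: list` but given `default: ""`, which is a string and will be inconsistent with the list type when the module compares desired and current state; use `default: []` as the other list-typed options in this file do (for example `key_usage`, whose default is a list literal), and keep the "When empty, custom-specified serial numbers will be forbidden" sentence, which already describes the empty-list case.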
@@ -167,10 +187,25 @@
keys of either type and with any bit size (subject to > 1024 bits for RSA keys).
key_bits:
type: int
default: 2048
default: 0
description:
- Specifies the number of bits to use for the generated keys.
- Allowed values are 0 (universal default);
- with key_type=rsa, allowed values are: 2048 (default), 3072, 4096 or 8192;
- with key_type=ec, allowed values are: 224, 256 (default), 384, or 521;
- ignored with key_type=ed25519 or in signing operations when key_type=any.
signature_bits:
type: int
default: 0
description:
- Specifies the number of bits to use for the generated keys
- This will need to be changed for `ec` keys, e.g., 224 or 521.
use_pss:
type: bool
default: false
description:
- Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used.
- Ignored for ECDSA/Ed25519 issuers.
key_usage:
type: list
default: ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]
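Review bot: the `signature_bits` description is a copy of the `key_bits` wording ("Specifies the number of bits to use for the generated keys", plus the `ec` 224/521 advice that matches the key_bits ec values listed just above it), so it documents key size rather than the signature. Reword it to say what the option actually controls (the bit length of the signature algorithm, with 0 meaning the Vault default) and state which key types it applies to, as `use_pss` does with its "Ignored for ECDSA/Ed25519 issuers" line; also add the missing full stop to the first description line. Separately, dropping `default: 2048` for `key_bits` in favour of 0 changes the value the module sends when the caller omits the option, so confirm the key_type-dependent defaults in the new description (2048 for rsa, 256 for ec) are what the server applies for 0, and call that out in the commit message.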
@@ -296,6 +331,25 @@
default: "30s"
description:
- Specifies the duration by which to backdate the NotBefore property.
not_after:
type: string
description:
- Set the Not After field of the certificate with specified date value.
- The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ.
- Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
cn_validations:
type: list
default: ["email", "hostname"]
description:
- Validations to run on the Common Name field of the certificate.
allowed_user_ids:
type: string
default: ""
description:
- Comma separated, globbing list of User ID Subject components to allow on requests.
- By default, no user IDs are allowed.
- Use the bare wildcard * value to allow any value.
- See also the user_ids request parameter.
extends_documentation_fragment:
- hashivault
'''
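Review bot: `allowed_user_ids` is declared `type: string` and documented as "Comma separated, globbing list", which contradicts the guidance repeated elsewhere in this docstring (under `allowed_uri_sans` and `allowed_other_sans`) that comma-delimited strings "would break idempotency"; declare it `type: list` with `default: []` like those options so desired and current state compare as lists. Also, this commit touches only the DOCUMENTATION string ("1 changed file with 55 additions and 1 deletion", all hunks above the closing `'''`), so the new options will be documented but not accepted until the module's argument spec and the request body sent to Vault are extended to match; that change should accompany these docs or be referenced from the commit message.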