diff --git a/ansible/modules/hashivault/hashivault_pki_role.py b/ansible/modules/hashivault/hashivault_pki_role.py index cfbb1881..eb369aee 100755 --- a/ansible/modules/hashivault/hashivault_pki_role.py +++ b/ansible/modules/hashivault/hashivault_pki_role.py @@ -98,6 +98,12 @@ description: - Allows names specified in `allowed_domains` to contain glob patterns (e.g. `ftp*.example.com`) - Clients will be allowed to request certificates with names matching the glob patterns. + allow_wildcard_certificates: + type: bool + default: true + description: + - Allows the issuance of certificates with RFC 6125 wildcards in the CN field. + - When set to false, this prevents wildcards from being issued even if they would've been allowed by an option above. allow_any_name: type: bool default: false @@ -126,6 +132,12 @@ - Values can contain glob patterns (e.g. `spiffe://hostname/*`). - Although this parameter could take a string with comma-delimited items, it's highly advised to not do so as it would break idempotency. + allowed_uri_sans_template: + type: bool + default: false + description: + - When set, allowed_uri_sans may contain templates, as with ACL Path Templating. + - Non-templated domains are also still permitted. allowed_other_sans: type: list description: @@ -137,6 +149,14 @@ `(bool)` Specifies if certificates are flagged for server use. - Although this parameter could take a string with comma-delimited items, it's highly advised to not do so as it would break idempotency. + allowed_serial_numbers: + type: list + default: "" + description: + - If set, an array of allowed serial numbers to be requested during certificate issuance. + - These values support shell-style globbing. + - When empty, custom-specified serial numbers will be forbidden. + - It is strongly recommended to allow Vault to generate random serial numbers instead. server_flag: type: bool default: true 
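Review bot: `allow_wildcard_certificates` is documented with `default: true`, so a role created by this module issues wildcard certificates unless the playbook opts out, and the two bullets do not say that operators who want name-exact issuance must set it to false themselves. Suggested extra bullet under its description: `- Defaults to true, so wildcard issuance must be disabled explicitly for roles that should only issue certificates for fully qualified names.` The documented default also has to agree with the module's argument_spec, which is outside this hunk and not visible here.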
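Review bot: `allowed_serial_numbers` is declared `type: list` but carries `default: ""`, a string, so the declared type and the default disagree and the module documentation sanity checks will flag it. Use `default: []` or drop the default line entirely, as the neighbouring `type: list` option `allowed_other_sans` does; either form matches the bullet stating that an empty value forbids custom serial numbers, which is the safe default.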
@@ -167,10 +187,25 @@ keys of either type and with any bit size (subject to > 1024 bits for RSA keys). key_bits: type: int - default: 2048 + default: 0 + description: + - Specifies the number of bits to use for the generated keys. + - Allowed values are 0 (universal default); + - with key_type=rsa, allowed values are: 2048 (default), 3072, 4096 or 8192; + - with key_type=ec, allowed values are: 224, 256 (default), 384, or 521; + - ignored with key_type=ed25519 or in signing operations when key_type=any. + signature_bits: + type: int + default: 0 description: - Specifies the number of bits to use for the generated keys - This will need to be changed for `ec` keys, e.g., 224 or 521. + use_pss: + type: bool + default: false + description: + - Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. + - Ignored for ECDSA/Ed25519 issuers. key_usage: type: list default: ["DigitalSignature", "KeyAgreement", "KeyEncipherment"] @@ -296,6 +331,25 @@ default: "30s" description: - Specifies the duration by which to backdate the NotBefore property. + not_after: + type: string + description: + - Set the Not After field of the certificate with specified date value. + - The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. + - Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z. + cn_validations: + type: list + default: ["email", "hostname"] + description: + - Validations to run on the Common Name field of the certificate. + allowed_user_ids: + type: string + default: "" + description: + - Comma separated, globbing list of User ID Subject components to allow on requests. + - By default, no user IDs are allowed. + - Use the bare wildcard * value to allow any value. + - See also the user_ids request parameter. extends_documentation_fragment: - hashivault '''
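Review bot: the two context bullets kept after the new `signature_bits:` entry (`Specifies the number of bits to use for the generated keys` and `This will need to be changed for \`ec\` keys, e.g., 224 or 521`) now describe the wrong option: they are the old `key_bits` text, whose content the new `key_bits` bullets already cover, and under `signature_bits` they are misleading. Replace them with a description of the signature parameter, e.g. `- Specifies the bit length of the signature hash (for example 256, 384 or 512); 0 selects Vault's default for the key type.` The change of the `key_bits` default from 2048 to 0 must also be mirrored in the argument_spec, which lies outside this hunk, or the documented default will not match what the module sends.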
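Review bot: `allowed_user_ids` is documented as a comma-separated `string`, while the same DOCUMENTATION block (the `allowed_uri_sans` and `allowed_other_sans` hunks above) advises against comma-delimited strings because they break idempotency; declaring it `type: list` and joining the items when the value is sent to Vault would keep the module consistent. Separately, `type: string` on both `not_after` and `allowed_user_ids` is not an Ansible argument type — the sanity checks expect `str` — so change both to `type: str` unless the rest of this file already uses `string` and is known to pass. The argument_spec and request-building code these entries correspond to are outside this hunk.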