-
Notifications
You must be signed in to change notification settings - Fork 157
/
hashivault_pki_tidy.py
executable file
·95 lines (83 loc) · 3.14 KB
/
hashivault_pki_tidy.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
#!/usr/bin/python
# -*- coding: utf-8 -*-
from ansible.module_utils.hashivault import hashivault_auth_client
from ansible.module_utils.hashivault import hashivault_argspec
from ansible.module_utils.hashivault import hashivault_init
from ansible.module_utils.hashivault import hashiwrapper
ANSIBLE_METADATA = {'status': ['preview'], 'supported_by': 'community', 'version': '1.1'}
DOCUMENTATION = r'''
---
module: hashivault_pki_tidy
version_added: "4.5.0"
short_description: Hashicorp Vault PKI Tidy
description:
- This endpoint retrieves one of a selection of certificates.
options:
mount_point:
default: pki
description:
- location where secrets engine is mounted. also known as path
config:
type: dict
description:
- Collection of properties for pki tidy endpoint. Ref.
U(https://www.vaultproject.io/api-docs/secret/pki#tidy)
suboptions:
tidy_cert_store:
type: bool
default: false
description:
- Specifies whether to tidy up the certificate store.
tidy_revoked_certs:
type: bool
default: false
description:
- Set to true to expire all revoked and expired certificates, removing them both from the CRL and
from storage.
- The CRL will be rotated if this causes any values to be removed.
safety_buffer:
type: str
default: 72h
description:
- Specifies A duration used as a safety buffer to ensure certificates are not expunged prematurely;
- as an example, this can keep certificates from being removed from the CRL that, due to clock skew,
might still be considered valid on other hosts.
- For a certificate to be expunged, the time must be after the expiration time of the certificate
(according to the local clock) plus the duration of safety_buffer.
extends_documentation_fragment:
- hashivault
'''
EXAMPLES = r'''
---
- hosts: localhost
tasks:
- hashivault_pki_tidy:
safety_buffer: 96h
tidy_revoked_certs: true
'''
def main():
argspec = hashivault_argspec()
argspec['config'] = dict(required=False, type='dict', default={})
argspec['mount_point'] = dict(required=False, type='str', default='pki')
module = hashivault_init(argspec)
result = hashivault_pki_tidy(module)
if result.get('failed'):
module.fail_json(**result)
else:
module.exit_json(**result)
@hashiwrapper
def hashivault_pki_tidy(module):
params = module.params
client = hashivault_auth_client(params)
config = params.get('config')
mount_point = params.get('mount_point').strip('/')
result = {"changed": False, "rc": 0}
try:
client.secrets.pki.tidy(extra_params=config, mount_point=mount_point)
except Exception as e:
result['rc'] = 1
result['failed'] = True
result['msg'] = u"Exception: " + str(e)
return result
if __name__ == '__main__':
main()