diff --git a/plugins/modules/azure_rm_keyvaultkey.py b/plugins/modules/azure_rm_keyvaultkey.py index 8fcc0bbd7..1e5754db6 100644 --- a/plugins/modules/azure_rm_keyvaultkey.py +++ b/plugins/modules/azure_rm_keyvaultkey.py @@ -24,6 +24,28 @@ description: - Name of the keyvault key. required: true + key_type: + description: + - The type of key to create. For valid values, see JsonWebKeyType. Possible values include EC, EC-HSM, RSA, RSA-HSM, oct + default: 'RSA' + key_size: + description: + - The key size in bits. For example 2048, 3072, or 4096 for RSA. + key_attributes: + description: + - The attributes of a key managed by the key vault service. + suboptions: + enabled: + description: bool + not_before: + description: + - not valid before date in UTC ISO format without the Z at the end + expires: + description: + - not valid after date in UTC ISO format without the Z at the end + curve: + description: + - Elliptic curve name. For valid values, see JsonWebKeyCurveName. Possible values include P-256, P-384, P-521, P-256K. byok_file: description: - BYOK file. @@ -86,12 +108,19 @@ from azure.keyvault.models import KeyAttributes, JsonWebKey from azure.common.credentials import ServicePrincipalCredentials, get_cli_profile from azure.keyvault.models.key_vault_error import KeyVaultErrorException + from datetime import datetime from msrestazure.azure_active_directory import MSIAuthentication from OpenSSL import crypto except ImportError: # This is handled in azure_rm_common pass +key_addribute_spec = dict( + enabled=dict(type='bool', required=False), + not_before=dict(type='str', no_log=True, required=False), + expires=dict(type='str', no_log=True, required=False) +) + class AzureRMKeyVaultKey(AzureRMModuleBase): ''' Module that creates or deletes keys in Azure KeyVault ''' 
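Review bot: The new `key_attributes` suboption docs in the first hunk disagree with the code and the tests: `not_before` and `expires` are described as "without the Z at the end", while the new `create_key` body strips a trailing `Z` and the integration test passes `'2032-12-01T00:00:00Z'`. `enabled: description: bool` puts a type where prose belongs, and none of the new options declare `type` (`key_size` is an `int`, `enabled` a `bool`) or `choices` for the values the text already enumerates. I would describe `enabled` as "Whether the key is enabled" with `type: bool`, describe the two dates as "date in UTC ISO 8601 format (a trailing Z is accepted)" with `type: str`, and list `choices` for `key_type` and `curve` so the documentation and the arg spec stay in step.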
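Review bot: `not_before` and `expires` in the new `key_addribute_spec` are marked `no_log=True`, but they are validity dates, not secrets; Ansible masks every occurrence of a no_log value in the module's output, so these timestamps would be redacted from results and logs exactly where an operator needs them to diagnose a key that is not yet valid or already expired. The same applies to `key_attributes=dict(type='dict', no_log=True, options=key_addribute_spec)` in the `__init__` arg-spec hunk. I would drop `no_log=True` from the two date entries and from `key_attributes`, and rename the spec to `key_attribute_spec` (typo). `from datetime import datetime` is standard library and need not sit inside the `try`/`except ImportError` that guards the Azure SDK imports; placing it above that block keeps the stdlib import unconditional.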
@@ -101,6 +130,10 @@ def __init__(self): self.module_arg_spec = dict( key_name=dict(type='str', required=True), keyvault_uri=dict(type='str', no_log=True, required=True), + key_type=dict(type='str', default='RSA'), + key_size=dict(type='int'), + key_attributes=dict(type='dict', no_log=True, options=key_addribute_spec), + curve=dict(type='str'), pem_file=dict(type='str'), pem_password=dict(type='str', no_log=True), byok_file=dict(type='str'), @@ -114,6 +147,10 @@ def __init__(self): self.key_name = None self.keyvault_uri = None + self.key_type = None + self.key_size = None + self.key_attributes = None + self.curve = None self.pem_file = None self.pem_password = None self.state = None @@ -159,7 +196,8 @@ def exec_module(self, **kwargs): # Create key if self.state == 'present' and changed: - results['key_id'] = self.create_key(self.key_name, self.tags) + results['key_id'] = self.create_key(self.key_name, self.key_type, self.key_size, self.key_attributes, + self.curve, self.tags) self.results['state'] = results self.results['state']['status'] = 'Created' # Delete key 
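Review bot: `key_type` and `curve` accept any string in the new arg spec, so a typo such as `RSA_HSM` or `P256` is only caught by the Key Vault service, which answers with a generic error after credentials have already been exchanged; the DOCUMENTATION block enumerates the accepted values, so the arg spec can enforce them up front: `key_type=dict(type='str', default='RSA', choices=['EC', 'EC-HSM', 'RSA', 'RSA-HSM', 'oct']),` and `curve=dict(type='str', choices=['P-256', 'P-384', 'P-521', 'P-256K']),`. The `create_key` call in the `exec_module` hunk now passes six positional arguments; passing the new ones by keyword (`key_type=self.key_type, key_size=self.key_size, ...`) makes the call order-independent. `__init__` and `exec_module` both continue outside these hunks.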
@@ -223,9 +261,22 @@ def get_key(self, name, version=''): key_id = KeyVaultId.parse_key_id(key_bundle.key.kid) return key_id.id - def create_key(self, name, tags, kty='RSA'): + def create_key(self, name, key_type, key_size, key_attributes, curve, tags): ''' Creates a key ''' - key_bundle = self.client.create_key(vault_base_url=self.keyvault_uri, key_name=name, kty=kty, tags=tags) + + if key_attributes is not None: + k_enabled = key_attributes.get('enabled', True) + k_not_before = key_attributes.get('not_before', None) + k_expires = key_attributes.get('expires', None) + if k_not_before: + k_not_before = datetime.fromisoformat(k_not_before.replace('Z', '+00:00')) + if k_expires: + k_expires = datetime.fromisoformat(k_expires.replace('Z', '+00:00')) + + key_attributes = KeyAttributes(k_enabled, k_not_before, k_expires) + + key_bundle = self.client.create_key(vault_base_url=self.keyvault_uri, key_name=name, kty=key_type, key_size=key_size, + key_attributes=key_attributes, curve=curve, tags=tags) key_id = KeyVaultId.parse_key_id(key_bundle.key.kid) return key_id.id diff --git a/tests/integration/targets/azure_rm_keyvaultkey/tasks/main.yml b/tests/integration/targets/azure_rm_keyvaultkey/tasks/main.yml index 4db30c58f..1d09f9e6d 100644 --- a/tests/integration/targets/azure_rm_keyvaultkey/tasks/main.yml +++ b/tests/integration/targets/azure_rm_keyvaultkey/tasks/main.yml 
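Review bot: A malformed `not_before` or `expires` string makes `datetime.fromisoformat` in the new `create_key` body raise `ValueError`, which escapes as a traceback instead of a module failure with a usable message; both parses should be guarded and routed through `self.fail`. `key_attributes.get('enabled', True)` presumably never yields its `True` default either, because Ansible fills an omitted suboption with `None` when `options` are declared, so `KeyAttributes` is built with `enabled=None` — confirm whether the service then treats the key as enabled. `datetime.fromisoformat` exists only on Python 3.7+; if this module still claims Python 2.7 support, the first dated attribute will fail with `AttributeError`. The `self.client.create_key` call and key-id parsing below are unchanged by the proposal.
```python
    def create_key(self, name, key_type, key_size, key_attributes, curve, tags):
        ''' Creates a key '''
        if key_attributes is not None:
            k_enabled = key_attributes.get('enabled', True)
            k_not_before = self._parse_attribute_date('not_before', key_attributes.get('not_before'))
            k_expires = self._parse_attribute_date('expires', key_attributes.get('expires'))
            key_attributes = KeyAttributes(k_enabled, k_not_before, k_expires)
        # … unchanged: self.client.create_key call and key id parsing …

    def _parse_attribute_date(self, field, value):
        ''' Parse an ISO 8601 key attribute date, failing the module on malformed input '''
        if not value:
            return None
        try:
            return datetime.fromisoformat(value.replace('Z', '+00:00'))
        except ValueError as exc:
            self.fail("Invalid key_attributes.{0} value '{1}': {2}".format(field, value, exc))
```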
@@ -74,6 +74,108 @@ key_name: testkey register: output +- name: create a kevyault key of type EC + block: + - azure_rm_keyvaultkey: + keyvault_uri: https://vault{{ rpfx }}.vault.azure.net + key_name: testkeyEC + key_type: EC + tags: + testing: test + delete: on-exit + register: output + - assert: + that: output.changed + rescue: + - azure_rm_keyvaultkey: + keyvault_uri: https://vault{{ rpfx }}.vault.azure.net + state: absent + key_name: testkeyEC + +- name: delete a kevyault key of type EC + azure_rm_keyvaultkey: + keyvault_uri: https://vault{{ rpfx }}.vault.azure.net + state: absent + key_name: testkeyEC + register: output + +- name: create a kevyault key of size 4096 + block: + - azure_rm_keyvaultkey: + keyvault_uri: https://vault{{ rpfx }}.vault.azure.net + key_name: testkey4096 + key_size: 4096 + tags: + testing: test + delete: on-exit + register: output + - assert: + that: output.changed + rescue: + - azure_rm_keyvaultkey: + keyvault_uri: https://vault{{ rpfx }}.vault.azure.net + state: absent + key_name: testkey4096 + +- name: delete a kevyault key of size 4096 + azure_rm_keyvaultkey: + keyvault_uri: https://vault{{ rpfx }}.vault.azure.net + state: absent + key_name: testkey4096 + register: output + +- name: create a kevyault key with P-521 curve + block: + - azure_rm_keyvaultkey: + keyvault_uri: https://vault{{ rpfx }}.vault.azure.net + key_name: testkeycurve + curve: P-521 + tags: + testing: test + delete: on-exit + register: output + - assert: + that: output.changed + rescue: + - azure_rm_keyvaultkey: + keyvault_uri: https://vault{{ rpfx }}.vault.azure.net + state: absent + key_name: testkeycurve + +- name: delete a kevyault key with P-521 curve + azure_rm_keyvaultkey: + keyvault_uri: https://vault{{ rpfx }}.vault.azure.net + state: absent + key_name: testkeycurve + register: output + +- name: create a kevyault key with attributes + block: + - azure_rm_keyvaultkey: + keyvault_uri: https://vault{{ rpfx }}.vault.azure.net + key_name: testkeyattribute + 
key_attributes: + enabled: true + not_before: '2032-12-01T00:00:00Z' + tags: + testing: test + delete: on-exit + register: output + - assert: + that: output.changed + rescue: + - azure_rm_keyvaultkey: + keyvault_uri: https://vault{{ rpfx }}.vault.azure.net + state: absent + key_name: testkeyattributes + +- name: delete a kevyault key with attributes + azure_rm_keyvaultkey: + keyvault_uri: https://vault{{ rpfx }}.vault.azure.net + state: absent + key_name: testkeyattribute + register: output + - assert: that: output.changed
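Review bot: The rescue branch of the "create a kevyault key with attributes" block deletes `testkeyattributes`, but the key created and later deleted is `testkeyattribute`, so on a failed assert the cleanup targets a key that does not exist and the real one is left in the vault; change the rescue `key_name` to `testkeyattribute`. The "create a kevyault key with P-521 curve" task passes `curve: P-521` without `key_type: EC`, so the module sends the curve together with the default `RSA` type — presumably the service ignores it, which means the test never exercises an EC key on that curve; add `key_type: EC` to that task. "kevyault" in the new task names is a typo for "keyvault".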