dellemc.enterprise_sonic.sonic_pki module – Manages PKI attributes of Enterprise Sonic

Note

This module is part of the dellemc.enterprise_sonic collection (version 2.5.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install dellemc.enterprise_sonic.

To use it in a playbook, specify: dellemc.enterprise_sonic.sonic_pki.

New in dellemc.enterprise_sonic 2.3.0

Synopsis
Parameters
Notes
Examples
Return Values

Synopsis

Manages PKI attributes of Enterprise Sonic

Note

This module has a corresponding action plugin.

Parameters

Parameter	Comments
config dictionary	The provided configuration
security_profiles list / elements=dictionary	Application Security Profiles
cdp_list list / elements=string	Global list of CDP’s
certificate_name string	Host Certificate Name
key_usage_check boolean	Require key usage is enforced Choices: `false` `true`
ocsp_responder_list list / elements=string	Global list of OCSP responders
peer_name_check boolean	Require peer name is verified Choices: `false` `true`
profile_name string / required	Profile Name
revocation_check boolean	Require certificate revocation check succeeds Choices: `false` `true`
trust_store string	Name of associated trust_store
trust_stores list / elements=dictionary	Store of CA Certificates
ca_name list / elements=string	List of CA certificates in the trust store.
name string / required	The name of the Trust Store
state string	The state of the configuration after module completion. Choices: `"merged"` ← (default) `"deleted"` `"replaced"` `"overridden"`

Notes

Note

Tested against Dell Enterprise SONiC 4.1.0

Examples

# Using "merged" state for initial config
#
# Before state:
# -------------
#
# sonic# show running-configuration | grep crypto
# sonic#
#
- name: PKI Config Test
  hosts: datacenter
  gather_facts: false
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: "Initial Config"
      sonic_pki:
        config:
          security_profiles:
            - profile_name: rest
              ocsp_responder_list:
                - http://example.com/ocspa
                - http://example.com/ocspb
              certificate_name: host
              trust_store: default-ts
          trust_stores:
            - name: default-ts
              ca_name:
                - CA2
        state: merged

# After state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb

# Using "deleted" state to remove configuration
#
# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocsp
#
- name: PKI Delete Test
  hosts: datacenter
  gather_facts: true
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: Remove trust_store from security-profile
      sonic_pki:
        config:
          security_profiles:
            - profile_name: rest
              trust_store: default-ts
        state: deleted
# After state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocsp

# Using "overridden" state

# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb
#
- name: PKI Overridden Test
  hosts: datacenter
  gather_facts: false
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: "Overridden Config"
      sonic_pki:
        config:
          security_profiles:
            - profile_name: telemetry
              ocsp_responder_list:
                - http://example.com/ocspb
              revocation_check: true
              trust_store: telemetry-ts
              certificate_name: host
          trust_stores:
            - name: telemetry-ts
              ca_name: CA
        state: overridden
# After state:
# -----------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store telemetry-ts ca-cert CA
# crypto security-profile telemetry revocation_check true
# crypto security-profile trust_store telemetry telemetry-ts
# crypto security-profile certificate telemetry host
# crypto security-profile ocsp-list telemetry http://example.com/ocspb

# Using "replaced" state to update config

# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb
#
- name: PKI Replace Test
  hosts: datacenter
  gather_facts: false
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: "Replace Config"
      sonic_pki:
        config:
          security_profiles:
            - profile_name: rest
              ocsp_responder_list:
                - http://example.com/ocsp
              revocation_check: false
              trust_store: default-ts
              certificate_name: host
        state: replaced
# After state:
# -----------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocsp

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
after dictionary	The resulting configuration module invocation. Returned: when changed Sample: `"The configuration returned will always be in the same format as the parameters above.\n"`
before dictionary	The configuration prior to the module invocation. Returned: always Sample: `"The configuration returned will always be in the same format as the parameters above.\n"`
commands list / elements=string	The set of commands pushed to the remote device. Returned: always Sample: `["command 1", "command 2", "command 3"]`

Authors

Eric Seifert (@seiferteric)

Collection links

© 2012–2018 Michael DeHaan
© 2018–2024 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/dellemc/enterprise_sonic/sonic_pki_module.html