dellemc.enterprise_sonic.sonic_pki module – Manages PKI attributes of Enterprise Sonic
Note
This module is part of the dellemc.enterprise_sonic collection (version 2.5.1).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install dellemc.enterprise_sonic.
To use it in a playbook, specify: dellemc.enterprise_sonic.sonic_pki.
New in dellemc.enterprise_sonic 2.3.0
Synopsis
Manages PKI attributes of Enterprise Sonic
Note
This module has a corresponding action plugin.
Parameters
Parameter |
Comments |
|---|---|
The provided configuration |
|
Application Security Profiles |
|
Global list of CDP’s |
|
Host Certificate Name |
|
Require key usage is enforced Choices:
|
|
Global list of OCSP responders |
|
Require peer name is verified Choices:
|
|
Profile Name |
|
Require certificate revocation check succeeds Choices:
|
|
Name of associated trust_store |
|
Store of CA Certificates |
|
List of CA certificates in the trust store. |
|
The name of the Trust Store |
|
The state of the configuration after module completion. Choices:
|
Notes
Note
Tested against Dell Enterprise SONiC 4.1.0
Examples
# Using "merged" state for initial config
#
# Before state:
# -------------
#
# sonic# show running-configuration | grep crypto
# sonic#
#
- name: PKI Config Test
hosts: datacenter
gather_facts: false
connection: httpapi
collections:
- dellemc.enterprise_sonic
tasks:
- name: "Initial Config"
sonic_pki:
config:
security_profiles:
- profile_name: rest
ocsp_responder_list:
- http://example.com/ocspa
- http://example.com/ocspb
certificate_name: host
trust_store: default-ts
trust_stores:
- name: default-ts
ca_name:
- CA2
state: merged
# After state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb
# Using "deleted" state to remove configuration
#
# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocsp
#
- name: PKI Delete Test
hosts: datacenter
gather_facts: true
connection: httpapi
collections:
- dellemc.enterprise_sonic
tasks:
- name: Remove trust_store from security-profile
sonic_pki:
config:
security_profiles:
- profile_name: rest
trust_store: default-ts
state: deleted
# After state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocsp
# Using "overridden" state
# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb
#
- name: PKI Overridden Test
hosts: datacenter
gather_facts: false
connection: httpapi
collections:
- dellemc.enterprise_sonic
tasks:
- name: "Overridden Config"
sonic_pki:
config:
security_profiles:
- profile_name: telemetry
ocsp_responder_list:
- http://example.com/ocspb
revocation_check: true
trust_store: telemetry-ts
certificate_name: host
trust_stores:
- name: telemetry-ts
ca_name: CA
state: overridden
# After state:
# -----------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store telemetry-ts ca-cert CA
# crypto security-profile telemetry revocation_check true
# crypto security-profile trust_store telemetry telemetry-ts
# crypto security-profile certificate telemetry host
# crypto security-profile ocsp-list telemetry http://example.com/ocspb
# Using "replaced" state to update config
# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb
#
- name: PKI Replace Test
hosts: datacenter
gather_facts: false
connection: httpapi
collections:
- dellemc.enterprise_sonic
tasks:
- name: "Replace Config"
sonic_pki:
config:
security_profiles:
- profile_name: rest
ocsp_responder_list:
- http://example.com/ocsp
revocation_check: false
trust_store: default-ts
certificate_name: host
state: replaced
# After state:
# -----------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocsp
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
The resulting configuration module invocation. Returned: when changed Sample: |
|
The configuration prior to the module invocation. Returned: always Sample: |
|
The set of commands pushed to the remote device. Returned: always Sample: |