dellemc.enterprise_sonic.sonic_pki module – Manages PKI attributes of Enterprise Sonic

Note

This module is part of the dellemc.enterprise_sonic collection (version 2.5.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install dellemc.enterprise_sonic.

To use it in a playbook, specify: dellemc.enterprise_sonic.sonic_pki.

New in dellemc.enterprise_sonic 2.3.0

Synopsis

  • Manages PKI attributes of Enterprise Sonic

Note

This module has a corresponding action plugin.

Parameters

Parameter

Comments

config

dictionary

The provided configuration

security_profiles

list / elements=dictionary

Application Security Profiles

cdp_list

list / elements=string

Global list of CDP’s

certificate_name

string

Host Certificate Name

key_usage_check

boolean

Require key usage is enforced

Choices:

  • false

  • true

ocsp_responder_list

list / elements=string

Global list of OCSP responders

peer_name_check

boolean

Require peer name is verified

Choices:

  • false

  • true

profile_name

string / required

Profile Name

revocation_check

boolean

Require certificate revocation check succeeds

Choices:

  • false

  • true

trust_store

string

Name of associated trust_store

trust_stores

list / elements=dictionary

Store of CA Certificates

ca_name

list / elements=string

List of CA certificates in the trust store.

name

string / required

The name of the Trust Store

state

string

The state of the configuration after module completion.

Choices:

  • "merged" ← (default)

  • "deleted"

  • "replaced"

  • "overridden"

Notes

Note

  • Tested against Dell Enterprise SONiC 4.1.0

Examples

# Using "merged" state for initial config
#
# Before state:
# -------------
#
# sonic# show running-configuration | grep crypto
# sonic#
#
- name: PKI Config Test
  hosts: datacenter
  gather_facts: false
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: "Initial Config"
      sonic_pki:
        config:
          security_profiles:
            - profile_name: rest
              ocsp_responder_list:
                - http://example.com/ocspa
                - http://example.com/ocspb
              certificate_name: host
              trust_store: default-ts
          trust_stores:
            - name: default-ts
              ca_name:
                - CA2
        state: merged

# After state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb

# Using "deleted" state to remove configuration
#
# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocsp
#
- name: PKI Delete Test
  hosts: datacenter
  gather_facts: true
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: Remove trust_store from security-profile
      sonic_pki:
        config:
          security_profiles:
            - profile_name: rest
              trust_store: default-ts
        state: deleted
# After state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocsp

# Using "overridden" state

# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb
#
- name: PKI Overridden Test
  hosts: datacenter
  gather_facts: false
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: "Overridden Config"
      sonic_pki:
        config:
          security_profiles:
            - profile_name: telemetry
              ocsp_responder_list:
                - http://example.com/ocspb
              revocation_check: true
              trust_store: telemetry-ts
              certificate_name: host
          trust_stores:
            - name: telemetry-ts
              ca_name: CA
        state: overridden
# After state:
# -----------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store telemetry-ts ca-cert CA
# crypto security-profile telemetry revocation_check true
# crypto security-profile trust_store telemetry telemetry-ts
# crypto security-profile certificate telemetry host
# crypto security-profile ocsp-list telemetry http://example.com/ocspb

# Using "replaced" state to update config

# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb
#
- name: PKI Replace Test
  hosts: datacenter
  gather_facts: false
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: "Replace Config"
      sonic_pki:
        config:
          security_profiles:
            - profile_name: rest
              ocsp_responder_list:
                - http://example.com/ocsp
              revocation_check: false
              trust_store: default-ts
              certificate_name: host
        state: replaced
# After state:
# -----------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocsp

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

after

dictionary

The resulting configuration module invocation.

Returned: when changed

Sample: "The configuration returned will always be in the same format as the parameters above.\n"

before

dictionary

The configuration prior to the module invocation.

Returned: always

Sample: "The configuration returned will always be in the same format as the parameters above.\n"

commands

list / elements=string

The set of commands pushed to the remote device.

Returned: always

Sample: ["command 1", "command 2", "command 3"]

Authors

  • Eric Seifert (@seiferteric)