Variablise parameters for pki generation

k-s-dean · k-s-dean · commit 9937ae5a0290 · 2022-11-29T17:04:04.000Z
diff --git a/roles/vault_pki/README.md b/roles/vault_pki/README.md
@@ -13,27 +13,34 @@ Role variables
 --------------
 
 * Vault Create Root
-    * `vault_pki_root_create`: Wether to create a RootCA certificate or not (default: `true`)
+    * `vault_pki_root_create`: whether to create a RootCA certificate or not (default: `true`)
     * Mandatory if `vault_pki_root_create` equals `true`
         * `vault_pki_root_ca_name`: The name of the RootCA to create (string)
         * `vault_pki_root_ca_common_name`: The common name of the RootCA (default: vault_pki_root_ca_name)
-    * `vault_pki_write_root_ca_to_file`: Wether to write the root CA certificate to a file for importing into a systems trust store (default: `false`)
-
+    * `vault_pki_write_root_ca_to_file`: whether to write the root CA certificate to a file for importing into a systems trust store (default: `false`)
+    * `vault_pki_root_default_lease_ttl`: The default time in hours before expiry of the root CA certificate (default: "43830h")
+    * `vault_pki_root_max_lease_ttl`: The max time in hours that is allowed before expiry of the root CA certificate (default: "43830h")
+    * `vault_pki_root_ttl`: The time in hours before the root CA certificate expires (default: "43830h")
+    * `vault_pki_root_key_bits`: The key bits for the root RSA private key (default: "4096")
+---
 * Vault Create Intermediate
-    * `vault_pki_intermediate_create`: Wether to create an intermediate CA or not (default: `true`)
-    * `vault_pki_intermediate_import`: Wether to import a pre-existing intermediate pem bundle (default: `false`)
-    * `vault_pki_intermediate_export`: Wether to export the generated intermediate pem bundle (default: `false`)
-
+    * `vault_pki_intermediate_create`: whether to create an intermediate CA or not (default: `true`)
+    * `vault_pki_intermediate_import`: whether to import a pre-existing intermediate pem bundle (default: `false`)
+    * `vault_pki_intermediate_export`: whether to export the generated intermediate pem bundle (default: `false`)
         * Mandatory if `vault_pki_intermediate_create` equals `true`
             * `vault_pki_intermediate_ca_name`: The name of the Intermediate CA to create
             * `vault_pki_intermediate_ca_common_name`:  The common name of the RootCA (default: `vault_pki_intermediate_ca_name`)
         * Mandatory if `vault_pki_intermediate_import`: equals `true`
             * `vault_pki_intermediate_ca_bundle`: Concatenated certificate, intermediate and private key
+    * `vault_pki_intermediate_default_lease_ttl`: The default time in hours before expiry of the intermediate CA certificate (default: "43830h")
+    * `vault_pki_intermediate_max_lease_ttl`: The max time in hours that is allowed before expiry of the intermediate CA certificate (default: "43830h")
+    * `vault_pki_intermediate_ttl`: The time in hours before the intermediate CA certificate expires (default: "43830h")
+    * `vault_pki_intermediate_key_bits`: The key bits for the intermediate RSA private key (default: "4096")
     * `vault_pki_intermediate_roles`: Certificate Roles to create for the intermediate CA. List of Dicts containing `{name: <role_name>, config: { <pki_option>: <value> ...}`
-
+---
 * Certificate Output
     * `vault_pki_generate_certificates`: whether to generate leaf certificates or not (default: `false`)
     * `vault_pki_write_certificates_host:` The host on which certificates will be written to. (default: "localhost")
     * `vault_pki_certificates_directory`: directory to output certificate files to.
-    * `vault_pki_write_certificates`: wether to write generated certificates to a file or not (default: `false`)
+    * `vault_pki_write_certificates`: whether to write generated certificates to a file or not (default: `false`)
     * `vault_pki_certificate_subject`: The certificate subject parameters e.g. `ttl` `ip_sans`. List of Dicts containing `{role: <name of Certificate role>, common_name: <common name of certificate>, extra_params: {ttl: <value>, alt_sans: <value>, ip_sans: <value> }}`
diff --git a/roles/vault_pki/defaults/main.yml b/roles/vault_pki/defaults/main.yml
@@ -3,13 +3,22 @@ vault_pki_root_create: true
 vault_pki_root_ca_name: ""
 vault_pki_root_ca_common_name: "{{ vault_pki_root_ca_name }}"
 vault_pki_write_root_ca_to_file: false
+vault_pki_root_default_lease_ttl: "43830h"
+vault_pki_root_max_lease_ttl: "43830h"
+vault_pki_root_ttl: "43830h"
+vault_pki_root_key_bits: 4096
+
 
 vault_pki_intermediate_create: true
 vault_pki_intermediate_import: false
 vault_pki_intermediate_export: false
 vault_pki_intermediate_ca_name: ""
 vault_pki_intermediate_ca_common_name: "{{ vault_pki_intermediate_ca_name }}"
 vault_pki_intermediate_ca_bundle: ""
+vault_pki_intermediate_default_lease_ttl: "43830h"
+vault_pki_intermediate_max_lease_ttl: "43830h"
+vault_pki_intermediate_ttl: "43830h"
+vault_pki_intermediate_key_bits: 4096
 
 vault_pki_intermediate_roles: {}
 
diff --git a/roles/vault_pki/tasks/intermediate.yml b/roles/vault_pki/tasks/intermediate.yml
@@ -6,6 +6,9 @@
     name: "{{ vault_pki_intermediate_ca_name }}"
     description: "{{ vault_pki_intermediate_ca_name }} CA"
     backend: "pki"
+    config:
+      default_lease_ttl: "{{ vault_pki_intermediate_default_lease_ttl }}"
+      max_lease_ttl: "{{ vault_pki_intermediate_max_lease_ttl }}"
 
 - name: "Generate Intermediate CA cert, key and sign CSR"
   block:
@@ -18,9 +21,8 @@
         common_name: "{{ vault_pki_intermediate_ca_common_name }}"
         kind: "intermediate"
         config:
-          key_bits: 4096
-          max_lease_ttl: "43830h"
-          default_lease_ttl: "43830h"
+          ttl: "{{ vault_pki_intermediate_ttl }}"
+          key_bits: "{{ vault_pki_intermediate_key_bits }}"
       register: intermediate_ca_csr
 
     - name: "Sign Intermediate CSR"
diff --git a/roles/vault_pki/tasks/root.yml b/roles/vault_pki/tasks/root.yml
@@ -7,8 +7,8 @@
     description: "{{ vault_pki_root_ca_name }} CA"
     backend: "pki"
     config:
-      default_lease_ttl: "43830h"
-      max_lease_ttl: "43830h"
+      default_lease_ttl: "{{ vault_pki_root_default_lease_ttl }}"
+      max_lease_ttl: "{{ vault_pki_root_max_lease_ttl }}"
 
 - name: "Generate Vault Root CA cert and key"
   hashivault_pki_ca:
@@ -19,8 +19,8 @@
     common_name: "{{ vault_pki_root_ca_common_name }}"
     kind: "root"
     config:
-      key_bits: 4096
-      ttl: "43830h"
+      key_bits: "{{ vault_pki_root_key_bits }}"
+      ttl: "{{ vault_pki_root_ttl }}"
   register: root_ca_data
 
 - name: "Write out Root CA to file"
