We uploaded an IAM cert to AWS, and now need to update the certificate
(the contents). On the theory that a lot of this stuff is idempotent, I
thought this task, which we used to upload it in the first place, would
work to update it as well:
- name: configure IAM certificates
  iam_cert:
    name: "{{ item }}"
    state: present
    cert: "{{ iam_cert[item]['certfile'] }}"
    key: "{{ iam_cert[item]['keyfile'] }}"
    cert_chain: "{{ iam_cert[item]['chainfile'] }}"
  with_items: "{{ iam_cert_names }}"
We've got a dict iam_cert in inventory, like this:
iam_cert:
  myserver1:
    certfile: "/path/to/myserver1.crt"
    chainfile: "/path/to/myca.crt"
    keyfile: "/path/to/myserver1.key"
(and so on for myserver2 etc)
So this works fine for adding a new cert, but if we put a new cert in
/path/to/myserver.crt, it fails, saying:
failed: [localhost] (item=myserver1) => {"changed": false, "failed": true,
"item": "myserver1", "msg": "A cert with the name myserver1 already exists and
has a different certificate body associated with it. Certificates cannot have
the same name"}
https://docs.ansible.com/ansible/iam_cert_module.html has 'new_path',
which says "When present, this will update the path of the cert with the
value passed here.", but it doesn't say what this is supposed to be -- a
Boolean? a path to the new cert file on disk? Perhaps the same sort of
thing as the 'path' option, which says "When creating or updating, specify
the desired path of the certificate", but we're not using that, we're
using 'cert', which says "The path to the certificate body in PEM encoded
format." What's "the path of the certificate", and is it different from
"the path to the certificate body"? There's only one example, and it
doesn't use either 'path' or 'new_path'.
Anyone know how this is supposed to work?
-Josh ([email protected])
(apologies for the automatic corporate disclaimer that follows)
This email is intended for the person(s) to whom it is addressed and may
contain information that is PRIVILEGED or CONFIDENTIAL. Any unauthorized use,
distribution, copying, or disclosure by any person other than the addressee(s)
is strictly prohibited. If you have received this email in error, please notify
the sender immediately by return email and delete the message and any
attachments from your system.
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/22815.9930.657303.909353%40gargle.gargle.HOWL.
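Added example, not from the original post or from the Ansible project: the
error above is IAM's behaviour, not the module's. An IAM server certificate's
body is immutable; the UpdateServerCertificate call behind 'new_name' and
'new_path' can only rename the cert or move it to a different IAM path
(the '/' or '/cloudfront/' namespace, not a file on disk). Replacing the
contents therefore means uploading the new body under a new name, pointing
the ELB or CloudFront distribution at that name, and removing the old one.
The playbook below does that with the Ansible 2.x iam_cert module; the
variables iam_cert_version and iam_cert_previous_version, the cert file
paths and the myserver1 name are assumptions for this example.

```yaml
# Added example (not from the original post): rotating an IAM server
# certificate body with the Ansible 2.x iam_cert module. The body cannot be
# changed in place, so each rotation gets a versioned IAM name.
- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    iam_cert_version: "2017-03"            # bump on every rotation (assumed)
    iam_cert_previous_version: "2016-03"   # leave undefined on the first upload (assumed)
    iam_cert_names:
      - myserver1
    iam_cert:
      myserver1:
        certfile: "/path/to/myserver1.crt"
        chainfile: "/path/to/myca.crt"
        keyfile: "/path/to/myserver1.key"
  tasks:
    - name: upload the new certificate body under a fresh IAM name
      iam_cert:
        name: "{{ item }}-{{ iam_cert_version }}"
        state: present
        cert: "{{ iam_cert[item]['certfile'] }}"
        key: "{{ iam_cert[item]['keyfile'] }}"
        cert_chain: "{{ iam_cert[item]['chainfile'] }}"
        # 'path' is the IAM namespace of the cert (default "/"); CloudFront
        # requires "/cloudfront/". It is not the file on disk.
        path: /
      with_items: "{{ iam_cert_names }}"

    # Repoint the load balancer / CloudFront distribution at
    # "{{ item }}-{{ iam_cert_version }}" here, before deleting the old name.

    - name: remove the certificate from the previous rotation
      iam_cert:
        name: "{{ item }}-{{ iam_cert_previous_version }}"
        state: absent
      with_items: "{{ iam_cert_names }}"
      when: iam_cert_previous_version is defined
```

Two caveats from the module's behaviour: uploading the same body under a
second name is refused unless dup_ok is set, so a re-run with an unchanged
file and a bumped version needs 'dup_ok: yes'; and IAM does not stop you
deleting a certificate that a load balancer still references, so do the
delete only after the consumer has been switched over.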