Venafi / ansible-collection-venafi

Ansible collection for managing machine identities (certificates and keys) using Venafi
Apache License 2.0

Support for Contacts #24

Open klewan opened 2 years ago

klewan commented 2 years ago

BUSINESS PROBLEM Our internal rules for TPP require us to use the Contacts property while requesting a certificate. Would it be possible to add a Contacts parameter to the venafi_certificate Ansible module and use it in the /vedsdk/Certificates/Request endpoint?

CURRENT ALTERNATIVES None

rvelaVenafi commented 2 years ago

Hello @klewan,

Could you help us better understand your use case? Which version of TPP are you using?

Also, when you say Contacts do you mean the Contact structure, like the following?

{
  "Prefix": "string",
  "PrefixedName": "string",
  "PrefixedUniversal": "string",
  "Name": "string",
  "FullName": "string",
  "Universal": "string",
  "IsGroup": true,
  "Type": 0,
  "Disabled": true
}

The best practice on TPP for contacts is to assign them by policy instead of by object (Certificate, etc.), this way the objects created under that policy all inherit the contact.

Would this option address your issue?

klewan commented 2 years ago

Hi,

Thanks for your support. I'm referring to the Contacts property we may set through the /vedsdk/Certificates/Request POST call. Unfortunately, in our case we cannot use the one assigned to the policy, since we have one policy and certificates are requested by different teams. Each team is responsible for their own certificates' life cycle and, therefore, we need contact persons to be assigned to the certificates directly.

tr1ck3r commented 2 years ago

Thank you for explaining more about your use case @klewan. One of the objectives we have for our open source integrations is to help make it easy for customers to follow the best practices for our products. As @rvelaVenafi said, the best practice for TPP is to assign contacts (and permissions) for certificates by policy such that any certificate under the folder has the same "owners". So the way we intend to support your use case is by extending our Certificate Policy Management feature to allow owners to be specified as part of the policy specification, and we'll do so in such a way that owners are specified by user/group name instead of by unfriendly UUIDs.

When we designed our Certificate Policy Management feature we also understood the challenge you described with creating folders for each team in order to follow our best practices. The good news is that you can still have your users' certificates in a single parent folder because our Certificate Policy Management feature will automatically create any missing folder structure in the zone you specify. Each team will get their own folder containing the certificates that they own, and once we've implemented the enhancement to assign owners by policy those will be set on their folder.