Split tasks

defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 # defaults file for generate-tls-certs
-
+generate_tls_certs: true
 # Do not put trailing slash "/"
 cert_dir: ./certs
 generate_ca_cert: false

tasks/generate-ca-cert.yaml

@@ -0,0 +1,15 @@
+---
+  - name: Generate CA private key
+    local_action:
+      module: openssl_privatekey
+      path: "{{cert_dir}}/{{tls_ca_key}}"
+      size: "{{tls_ca_key_size}}"
+    run_once: true
+
+  - name: Generate self-signed cert for CA
+    local_action:
+      module: >
+        shell openssl req -x509 -new -days {{tls_ca_valid_days}} -sha256 -nodes -key {{cert_dir}}/{{tls_ca_key}} -out {{cert_dir}}/{{tls_ca_cert}}
+        -subj "{% if tls_ca_country is defined%}/C={{tls_ca_country}}{% endif %}{% if tls_ca_state is defined%}/ST={{tls_ca_state}}{% endif %}{% if tls_ca_locality is defined %}/L={{tls_ca_locality}}{% endif %}{% if tls_ca_organization is defined %}/O={{tls_ca_organization}}{% endif %}{% if tls_ca_organizationalunit is defined %}/OU={{tls_ca_organizationalunit}}{% endif %}/CN={{tls_ca_commonname}}{% if tls_ca_email is defined %}/emailAddress={{tls_ca_email}}{% endif %}"
+    ignore_errors: true
+    run_once: true

tasks/generate-client-cert.yaml

@@ -0,0 +1,36 @@
+---
+
+  - name: Generate client private key
+    local_action:
+      module: openssl_privatekey
+      path: "{{cert_dir}}/{{tls_client_key}}"
+      size: "{{tls_client_key_size}}"
+    run_once: true
+    when: generate_client_cert
+
+  - name: Generate CSR and key for client cert
+    local_action:
+      module: >
+        shell openssl req -newkey rsa:{{tls_client_key_size}} -nodes -subj "/CN={{tls_client_commonname}}"
+        -keyout "{{cert_dir}}/{{tls_client_key}}" -out "{{cert_dir}}/{{tls_client_csr}}"
+    ignore_errors: true
+    run_once: true
+    when: generate_client_cert
+
+  - name: Add required extension for client authentication
+    local_action:
+      module: >
+        shell echo extendedKeyUsage = clientAuth >> {{cert_dir}}/{{tls_client_extfile}}
+    ignore_errors: true
+    run_once: true
+    when: generate_client_cert
+
+  # @AB TODO: using OpenSSL CA serial file does not always generate unique serial when running playbook against multiple hosts
+  - name: Sign client cert request with CA
+    local_action:
+      module: >
+        shell openssl x509 -req -sha256 -days {{tls_client_valid_days}} -CA {{cert_dir}}/{{tls_ca_cert}} -CAkey {{cert_dir}}/{{tls_ca_key}}
+        -set_serial {{ 999999999 | random }} -in {{cert_dir}}/{{tls_client_csr}} -out {{cert_dir}}/{{tls_client_cert}} -extfile {{cert_dir}}/{{tls_client_extfile}}
+    ignore_errors: true
+    run_once: true
+    when: generate_client_cert

tasks/generate-server-cert.yaml

@@ -0,0 +1,28 @@
+---
+  # Generate server cert
+  - name: Create CSR for server cert
+    local_action:
+      module: >
+        shell openssl req -newkey rsa:{{tls_server_key_size}} -nodes -subj "/CN={{inventory_hostname}}"
+        -keyout "{{cert_dir}}/{{inventory_hostname_short}}.key" -out "{{cert_dir}}/{{inventory_hostname_short}}.csr"
+    ignore_errors: true
+    when: generate_server_cert
+
+  - name: Generate certificate extensions file
+    local_action:
+      module: template
+      src: templates/server-cert-extfile.cnf.j2
+      dest: "{{cert_dir}}/{{inventory_hostname_short}}-extfile.cnf"
+    when:
+      - generate_server_cert
+      - tls_server_enable_san
+
+  - name: Sign server cert request by CA
+    local_action:
+      module: >
+        shell openssl x509 -req -sha256 -days {{tls_server_valid_days}}
+        -CA "{{cert_dir}}/{{tls_ca_cert}}" -CAkey "{{cert_dir}}/{{tls_ca_key}}" -set_serial {{ 999999999 | random }}
+        -in "{{cert_dir}}/{{inventory_hostname_short}}.csr" -out "{{cert_dir}}/{{inventory_hostname_short}}.pem"
+        {% if tls_server_enable_san %}-extfile "{{cert_dir}}/{{inventory_hostname_short}}-extfile.cnf"{% endif %}
+    ignore_errors: true
+    when: generate_server_cert

tasks/main.yml

@@ -1,82 +1,20 @@
 ---
 # tasks file for generate-tls-certs
 
-  - name: Generate CA private key
-    local_action:
-      module: openssl_privatekey
-      path: "{{cert_dir}}/{{tls_ca_key}}"
-      size: "{{tls_ca_key_size}}"
-    run_once: true
-    when: generate_ca_cert
+  - name: Generate CA cert
+    import_tasks: generate-ca-cert.yaml
+    when: 
+      - generate_tls_certs
+      - generate_ca_cert|bool
 
-  - name: Generate self-signed cert for CA
-    local_action:
-      module: >
-        shell openssl req -x509 -new -days {{tls_ca_valid_days}} -sha256 -nodes -key {{cert_dir}}/{{tls_ca_key}} -out {{cert_dir}}/{{tls_ca_cert}}
-        -subj "{% if tls_ca_country is defined%}/C={{tls_ca_country}}{% endif %}{% if tls_ca_state is defined%}/ST={{tls_ca_state}}{% endif %}{% if tls_ca_locality is defined %}/L={{tls_ca_locality}}{% endif %}{% if tls_ca_organization is defined %}/O={{tls_ca_organization}}{% endif %}{% if tls_ca_organizationalunit is defined %}/OU={{tls_ca_organizationalunit}}{% endif %}/CN={{tls_ca_commonname}}{% if tls_ca_email is defined %}/emailAddress={{tls_ca_email}}{% endif %}"
-    ignore_errors: true
-    run_once: true
-    when: generate_ca_cert
+  - name: Generate client cert
+    import_tasks: generate-client-cert.yaml
+    when: 
+      - generate_tls_certs
+      - generate_client_cert|bool
 
-  - name: Generate client private key
-    local_action:
-      module: openssl_privatekey
-      path: "{{cert_dir}}/{{tls_client_key}}"
-      size: "{{tls_client_key_size}}"
-    run_once: true
-    when: generate_client_cert
-
-  - name: Generate CSR and key for client cert
-    local_action:
-      module: >
-        shell openssl req -newkey rsa:{{tls_client_key_size}} -nodes -subj "/CN={{tls_client_commonname}}"
-        -keyout "{{cert_dir}}/{{tls_client_key}}" -out "{{cert_dir}}/{{tls_client_csr}}"
-    ignore_errors: true
-    run_once: true
-    when: generate_client_cert
-
-  - name: Add required extension for client authentication
-    local_action:
-      module: >
-        shell echo extendedKeyUsage = clientAuth >> {{cert_dir}}/{{tls_client_extfile}}
-    ignore_errors: true
-    run_once: true
-    when: generate_client_cert
-
-  # @AB TODO: using OpenSSL CA serial file does not always generate unique serial when running playbook against multiple hosts
-  - name: Sign client cert request with CA
-    local_action:
-      module: >
-        shell openssl x509 -req -sha256 -days {{tls_client_valid_days}} -CA {{cert_dir}}/{{tls_ca_cert}} -CAkey {{cert_dir}}/{{tls_ca_key}}
-        -set_serial {{ 999999999 | random }} -in {{cert_dir}}/{{tls_client_csr}} -out {{cert_dir}}/{{tls_client_cert}} -extfile {{cert_dir}}/{{tls_client_extfile}}
-    ignore_errors: true
-    run_once: true
-    when: generate_client_cert
-
-  # Generate server cert
-  - name: Create CSR for server cert
-    local_action:
-      module: >
-        shell openssl req -newkey rsa:{{tls_server_key_size}} -nodes -subj "/CN={{inventory_hostname}}"
-        -keyout "{{cert_dir}}/{{inventory_hostname_short}}.key" -out "{{cert_dir}}/{{inventory_hostname_short}}.csr"
-    ignore_errors: true
-    when: generate_server_cert
-
-  - name: Generate certificate extensions file
-    local_action:
-      module: template
-      src: templates/server-cert-extfile.cnf.j2
-      dest: "{{cert_dir}}/{{inventory_hostname_short}}-extfile.cnf"
-    when:
-      - generate_server_cert
-      - tls_server_enable_san
-
-  - name: Sign server cert request by CA
-    local_action:
-      module: >
-        shell openssl x509 -req -sha256 -days {{tls_server_valid_days}}
-        -CA "{{cert_dir}}/{{tls_ca_cert}}" -CAkey "{{cert_dir}}/{{tls_ca_key}}" -set_serial {{ 999999999 | random }}
-        -in "{{cert_dir}}/{{inventory_hostname_short}}.csr" -out "{{cert_dir}}/{{inventory_hostname_short}}.pem"
-        {% if tls_server_enable_san %}-extfile "{{cert_dir}}/{{inventory_hostname_short}}-extfile.cnf"{% endif %}
-    ignore_errors: true
-    when: generate_server_cert
+  - name: Generate server cert
+    import_tasks: generate-server-cert.yaml
+    when: 
+      - generate_tls_certs
+      - generate_server_cert|bool