Added 'ignore_timestamps' parameter

changelogs/fragments/381_openssh_cert_add_ignore_timestamps.yml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - openssh_cert - added 'ignore_timestamps' parameter so it can be used semi-idempotent with relative timestamps in valid_to/valid_from (https://github.com/ansible-collections/community.crypto/issues/379).

plugins/modules/openssh_cert.py

@@ -111,15 +111,17 @@
             - "The point in time the certificate is valid from. Time can be specified either as relative time or as absolute timestamp.
                Time will always be interpreted as UTC. Valid formats are: C([+-]timespec | YYYY-MM-DD | YYYY-MM-DDTHH:MM:SS | YYYY-MM-DD HH:MM:SS | always)
                where timespec can be an integer + C([w | d | h | m | s]) (for example C(+32w1d2h)).
-               Note that if using relative time this module is NOT idempotent."
+               Note that if using relative time this module is NOT idempotent. To ignore this value during comparison with an existing certificate set 
+               I(ignore_timestamps=true)."
             - Required if I(state) is C(present).
         type: str
     valid_to:
         description:
             - "The point in time the certificate is valid to. Time can be specified either as relative time or as absolute timestamp.
                Time will always be interpreted as UTC. Valid formats are: C([+-]timespec | YYYY-MM-DD | YYYY-MM-DDTHH:MM:SS | YYYY-MM-DD HH:MM:SS | forever)
                where timespec can be an integer + C([w | d | h | m | s]) (for example C(+32w1d2h)).
-               Note that if using relative time this module is NOT idempotent."
+               Note that if using relative time this module is NOT idempotent. To ignore this value during comparison with an existing certificate set 
+               I(ignore_timestamps=true)."
             - Required if I(state) is C(present).
         type: str
     valid_at:
@@ -128,6 +130,13 @@
                Time will always be interpreted as UTC. Mainly to be used with relative timespec for I(valid_from) and / or I(valid_to).
                Note that if using relative time this module is NOT idempotent."
         type: str
+    ignore_timestamps:
+        description:
+            - "Whether the I(valid_from) and I(valid_to) timestamps should be ignored for idempotency checks."
+            - "However, the values will still be applied to a new certificate if it meets any other necessary conditions for generation/regeneration."
+        type: bool
+        default: false
+        version_added: 2.2.0
     principals:
         description:
             - "Certificates may be limited to be valid for a set of principal (user/host) names.
@@ -192,6 +201,7 @@
     valid_from: +0s
     valid_to: +32w
     valid_at: +2w
+    ignore_timestamps: true
 
 - name: Generate an OpenSSH host certificate that is valid forever and only for example.com and examplehost
   community.crypto.openssh_cert:
@@ -296,6 +306,7 @@ def __init__(self, module):
         self.type = self.module.params['type']
         self.use_agent = self.module.params['use_agent']
         self.valid_at = self.module.params['valid_at']
+        self.ignore_timestamps = self.module.params['ignore_timestamps']
 
         self._check_if_base_dir(self.path)
 
@@ -403,6 +414,9 @@ def _compare_time_parameters(self):
         except ValueError as e:
             return self.module.fail_json(msg=to_native(e))
 
+        if self.ignore_timestamps:
+            return original_time_parameters.within_range(self.valid_at)
+
         return all([
             original_time_parameters == self.time_parameters,
             original_time_parameters.within_range(self.valid_at)
@@ -537,6 +551,7 @@ def main():
             valid_at=dict(type='str'),
             valid_from=dict(type='str'),
             valid_to=dict(type='str'),
+            ignore_timestamps=dict(type='bool', default=False),
         ),
         supports_check_mode=True,
         add_file_common_args=True,

tests/integration/targets/openssh_cert/tests/options_idempotency.yml

@@ -86,6 +86,57 @@
     regenerate: full_idempotence
   register: default_options
 
+- name: Generate cert with relative timestamp
+  openssh_cert:
+    type: user
+    path: "{{ certificate_path }}"
+    public_key: "{{ public_key }}"
+    signing_key: "{{ signing_key }}"
+    valid_from: +0s
+    valid_to: +32w
+    valid_at: +2w
+    regenerate: full_idempotence
+  register: relative_timestamp
+
+- name: Generate cert with ignore_timestamp true
+  openssh_cert:
+    type: user
+    path: "{{ certificate_path }}"
+    public_key: "{{ public_key }}"
+    signing_key: "{{ signing_key }}"
+    valid_from: +0s
+    valid_to: +32w
+    valid_at: +2w
+    ignore_timestamps: true
+    regenerate: full_idempotence
+  register: relative_timestamp_true
+
+- name: Generate cert with ignore_timestamp false
+  openssh_cert:
+    type: user
+    path: "{{ certificate_path }}"
+    public_key: "{{ public_key }}"
+    signing_key: "{{ signing_key }}"
+    valid_from: +0s
+    valid_to: +32w
+    valid_at: +2w
+    ignore_timestamps: false
+    regenerate: full_idempotence
+  register: relative_timestamp_false
+
+- name: Generate cert with ignore_timestamp true
+  openssh_cert:
+    type: user
+    path: "{{ certificate_path }}"
+    public_key: "{{ public_key }}"
+    signing_key: "{{ signing_key }}"
+    valid_from: +0s
+    valid_to: +32w
+    valid_at: +50w
+    ignore_timestamps: true
+    regenerate: full_idempotence
+  register: relative_timestamp_invalid_at
+
 - name: Assert options results
   assert:
     that:
@@ -95,6 +146,10 @@
       - explicit_extension_after is not changed
       - explicit_extension_and_directive is changed
       - default_options is not changed
+      - relative_timestamp is changed
+      - relative_timestamp_true is not changed
+      - relative_timestamp_false is changed
+      - relative_timestamp_invalid_at is changed
 
 - name: Remove certificate
   openssh_cert: