heat_template_version: wallaby

description: >
  Barbican API PKCS#11 crypto backend configured with Puppet

parameters:
  # Required default parameters
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  BarbicanPkcs11CryptoLibraryPath:
    description: Path to vendor PKCS11 library
    type: string
    default: ''
  BarbicanPkcs11CryptoLogin:
    description: Password (PIN) to login to PKCS#11 session
    type: string
    hidden: true
    default: ''
  BarbicanPkcs11CryptoMKEKLabel:
    description: Label for Master KEK
    type: string
    default: ''
  BarbicanPkcs11CryptoMKEKLength:
    description: Length of Master KEK in bytes
    type: string
    default: '256'
  BarbicanPkcs11CryptoHMACLabel:
    description: Label for the HMAC key
    type: string
    default: ''
  BarbicanPkcs11CryptoSlotId:
    description: Slot Id for the PKCS#11 token to be used
    type: string
    default: '0'
  BarbicanPkcs11CryptoTokenSerialNumber:
    description: Serial number for PKCS#11 token to be used
    type: string
    default: ''
  BarbicanPkcs11CryptoTokenLabel:
    description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
    type: string
    default: ''
  BarbicanPkcs11CryptoTokenLabels:
    description: List of comma separated labels for the tokens to be used.
                 This is typically a single label, but some devices may require
                 more than one label for Load Balancing and High Availability
                 configurations.
    type: string
    default: ''
  BarbicanPkcs11CryptoEncryptionMechanism:
    description: Cryptoki Mechanism used for encryption
    type: string
    default: 'CKM_AES_CBC'
  BarbicanPkcs11CryptoHMACKeyType:
    description: Cryptoki Key Type for Master HMAC key
    type: string
    default: 'CKK_AES'
  BarbicanPkcs11CryptoHMACKeygenMechanism:
    description: Cryptoki Mechanism used to generate Master HMAC Key
    type: string
    default: 'CKM_AES_KEY_GEN'
  BarbicanPkcs11CryptoAESGCMGenerateIV:
    description: Generate IVs for CKM_AES_GCM encryption mechanism
    type: boolean
    default: true
  BarbicanPkcs11AlwaysSetCkaSensitive:
    description: Always set CKA_SENSITIVE=CK_TRUE
    type: boolean
    default: true
  BarbicanPkcs11CryptoOsLockingOk:
    description: Set CKF_OS_LOCKING_OK flag when initializing the client
                 library.
    type: boolean
    default: false
  BarbicanPkcs11CryptoGlobalDefault:
    description: Whether this plugin is the global default plugin
    type: boolean
    default: false

outputs:
  role_data:
    description: Role data for the Barbican PKCS#11 backend.
    value:
      service_name: barbican_backend_pkcs11_crypto
      config_settings:
        barbican::plugins::p11_crypto::p11_crypto_plugin_library_path: {get_param: BarbicanPkcs11CryptoLibraryPath}
        barbican::plugins::p11_crypto::p11_crypto_plugin_login: {get_param: BarbicanPkcs11CryptoLogin}
        barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label: {get_param: BarbicanPkcs11CryptoMKEKLabel}
        barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
        barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
        barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
        barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
        barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
        barbican::plugins::p11_crypto::p11_crypto_plugin_token_labels: {get_param: BarbicanPkcs11CryptoTokenLabels}
        barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
        barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
        barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
        barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
        barbican::plugins::p11_crypto::p11_crypto_plugin_always_set_cka_sensitive: {get_param: BarbicanPkcs11AlwaysSetCkaSensitive}
        barbican::plugins::p11_crypto::p11_crypto_plugin_os_locking_ok: {get_param: BarbicanPkcs11CryptoOsLockingOk}
        barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}