diff --git a/.travis.yml b/.travis.yml
@@ -12,7 +12,7 @@ before_install:
   - gem update bundler
   - gem --version
   - bundle -v
-  - 'if [ -n "$encrypted_f942601034d6_key" -a -n "$encrypted_f942601034d6_iv" ]; then openssl aes-256-cbc -K $encrypted_f942601034d6_key -iv $encrypted_f942601034d6_iv -in tests/secrets.tar.enc -out tests/secrets.tar -d; cd tests && tar xvf secrets.tar ; fi'
+  - 'if [ -n "$encrypted_f942601034d6_key" -a -n "$encrypted_f942601034d6_iv" ]; then openssl aes-256-cbc -K $encrypted_f942601034d6_key -iv $encrypted_f942601034d6_iv -in tests/secrets.tar.enc -out tests/secrets.tar -d; cd tests && tar xvf secrets.tar ; cd - ; fi'
 sudo: false
 
 stages:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Changelog
 
+## [v3.12.0](https://github.com/sensu/sensu-puppet/tree/v3.12.0) (2019-11-24)
+
+[Full Changelog](https://github.com/sensu/sensu-puppet/compare/v3.11.0...v3.12.0)
+
+### Added
+
+- Improve name validations to match Sensu Go [\#1173](https://github.com/sensu/sensu-puppet/pull/1173) ([treydock](https://github.com/treydock))
+- Add bolt task to manage API keys [\#1171](https://github.com/sensu/sensu-puppet/pull/1171) ([treydock](https://github.com/treydock))
+
+### Fixed
+
+- Add lint plugin [\#1177](https://github.com/sensu/sensu-puppet/pull/1177) ([ghoneycutt](https://github.com/ghoneycutt))
+- Update steps to release software [\#1172](https://github.com/sensu/sensu-puppet/pull/1172) ([ghoneycutt](https://github.com/ghoneycutt))
+
 ## [v3.11.0](https://github.com/sensu/sensu-puppet/tree/v3.11.0) (2019-11-12)
 
 [Full Changelog](https://github.com/sensu/sensu-puppet/compare/v3.10.0...v3.11.0)
@@ -11,7 +25,7 @@
 - \(ci\) Use correct Ruby version 2.5.7 for latest Puppet 6 tests [\#1165](https://github.com/sensu/sensu-puppet/pull/1165) ([ghoneycutt](https://github.com/ghoneycutt))
 - Additional bolt tasks [\#1162](https://github.com/sensu/sensu-puppet/pull/1162) ([treydock](https://github.com/treydock))
 
-### UNCATEGORIZED PRS; GO LABEL THEM
+### Fixed
 
 - Document sensu\_asset deprecations [\#1170](https://github.com/sensu/sensu-puppet/pull/1170) ([treydock](https://github.com/treydock))
 
@@ -106,6 +120,7 @@
 ### Added
 
 - Add headers property to sensu\_assets [\#1119](https://github.com/sensu/sensu-puppet/pull/1119) ([treydock](https://github.com/treydock))
+- Add ability to run acceptance tests against Sensu-Go CI builds [\#1115](https://github.com/sensu/sensu-puppet/pull/1115) ([treydock](https://github.com/treydock))
 - Support listing sensuctl resources using chunk-size [\#1114](https://github.com/sensu/sensu-puppet/pull/1114) ([treydock](https://github.com/treydock))
 
 ### Fixed
@@ -133,7 +148,6 @@
 
 ### Added
 
-- Add ability to run acceptance tests against Sensu-Go CI builds [\#1115](https://github.com/sensu/sensu-puppet/pull/1115) ([treydock](https://github.com/treydock))
 - Support Sensu Go 5.6 [\#1105](https://github.com/sensu/sensu-puppet/pull/1105) ([treydock](https://github.com/treydock))
 
 ## [v3.1.0](https://github.com/sensu/sensu-puppet/tree/v3.1.0) (2019-04-19)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -37,11 +37,10 @@ versions supported Sensu Classic which can be found at
 
 The `master` branch is for development against Sensu Go v5.
 
-To generate the CHANGELOG.md run the following.
-
-
 # Release process
 
 1. Update version in `metadata.json`
 1. Run Rake task to release module: `bundle exec rake release`
-1. Push to master with tags: `git push --tags`
+1. Tag the release, such as `git tag -a 'v3.11.0' -m 'v3.11.0'`
+1. Push release to upstream master: `git push upstream master`
+1. Push tags upstream master: `git push upstream --tags`
diff --git a/Gemfile b/Gemfile
@@ -26,6 +26,7 @@ group :development, :unit_tests do
   gem 'puppet-lint-resource_reference_syntax',            :require => false
   gem 'puppet-lint-spaceship_operator_without_tag-check', :require => false
   gem 'puppet-lint-trailing_comma-check',                 :require => false
+  gem 'puppet-lint-trailing_newline-check',               :require => false
   gem 'puppet-lint-undef_in_function-check',              :require => false
   gem 'puppet-lint-unquoted_string-check',                :require => false
   gem 'puppet-lint-variable_contains_upcase',             :require => false

diff --git a/README.md b/README.md
@@ -649,6 +649,12 @@ The following Bolt tasks are provided by this Module:
 
 Example: `bolt task run sensu::agent_event name=bolttest status=1 output=test --nodes sensu_agent`
 
+**sensu::apikey**: Manage Sensu Go API keys
+
+Example: `bolt task run sensu::apikey action=create username=foobar --nodes sensu_backend`
+Example: `bolt task run sensu::apikey action=list --nodes sensu_backend`
+Example: `bolt task run sensu::apikey action=delete key=replace-with-uuid-key --nodes sensu_backend`
+
 **sensu::assets\_outdated**: Retreive outdated Sensu Go assets
 
 Example: `bolt task run sensu::assets_outdated --nodes sensu_backend`

diff --git a/REFERENCE.md b/REFERENCE.md
@@ -58,6 +58,7 @@ _Private Classes_
 **Tasks**
 
 * [`agent_event`](#agent_event): Create a Sensu Go agent event via the agent API
+* [`apikey`](#apikey): Manage Sensu Go API keys
 * [`assets_outdated`](#assets_outdated): Retreive outdated Sensu Go assets
 * [`check_execute`](#check_execute): Execute a Sensu Go check
 * [`event`](#event): Manage Sensu Go events
@@ -3086,6 +3087,32 @@ Data type: `Optional[Integer]`
 
 The agent API port, defaults to 3031
 
+### apikey
+
+Manage Sensu Go API keys
+
+**Supports noop?** false
+
+#### Parameters
+
+##### `action`
+
+Data type: `Enum[create,list,delete]`
+
+The action to perform
+
+##### `username`
+
+Data type: `Optional[String[1]]`
+
+The username for the API key. Required for action=create
+
+##### `key`
+
+Data type: `Optional[String[1]]`
+
+The API key. Required for action=delete
+
 ### assets_outdated
 
 Retreive outdated Sensu Go assets

diff --git a/lib/puppet/type/sensu_ad_auth.rb b/lib/puppet/type/sensu_ad_auth.rb
@@ -50,7 +50,7 @@
   newparam(:name, :namevar => true) do
     desc "The name of the AD auth."
     validate do |value|
-      unless value =~ /^[\w\.\-]+$/
+      unless value =~ PuppetX::Sensu::Type.name_regex
         raise ArgumentError, "sensu_ad_auth name invalid"
       end
     end

diff --git a/lib/puppet/type/sensu_asset.rb b/lib/puppet/type/sensu_asset.rb
@@ -76,7 +76,8 @@
   newparam(:resource_name, :namevar => true) do
     desc "The name of the asset."
     validate do |value|
-      unless value =~ /^[\w\.\-\/]+$/
+      # Must only contain lower case letters, numbers, underscores, periods, hyphens and colons
+      unless value =~ %r{^[a-z0-9\/\_\.\-\:]+$}
         raise ArgumentError, "sensu_asset name invalid"
       end
     end

diff --git a/lib/puppet/type/sensu_check.rb b/lib/puppet/type/sensu_check.rb
@@ -64,7 +64,7 @@
   newparam(:resource_name, :namevar => true) do
     desc "The name of the check."
     validate do |value|
-      unless value =~ /^[\w\.\-]+$/
+      unless value =~ PuppetX::Sensu::Type.name_regex
         raise ArgumentError, "sensu_check name invalid"
       end
     end

diff --git a/lib/puppet/type/sensu_cluster_role.rb b/lib/puppet/type/sensu_cluster_role.rb
@@ -27,6 +27,11 @@
 
   newparam(:name, :namevar => true) do
     desc "The name of the role."
+    validate do |value|
+      unless value =~ PuppetX::Sensu::Type.name_regex
+        raise ArgumentError, "sensu_cluster_role name invalid"
+      end
+    end
   end
 
   newproperty(:rules, :array_matching => :all, :parent => PuppetX::Sensu::ArrayOfHashesProperty) do

diff --git a/lib/puppet/type/sensu_cluster_role_binding.rb b/lib/puppet/type/sensu_cluster_role_binding.rb
@@ -41,6 +41,11 @@
 
   newparam(:name, :namevar => true) do
     desc "The name of the role binding."
+    validate do |value|
+      unless value =~ PuppetX::Sensu::Type.name_regex
+        raise ArgumentError, "sensu_cluster_role_binding name invalid"
+      end
+    end
   end
 
   newproperty(:role_ref, :parent => PuppetX::Sensu::HashProperty) do

diff --git a/lib/puppet/type/sensu_config.rb b/lib/puppet/type/sensu_config.rb
@@ -34,7 +34,7 @@
   newparam(:name, :namevar => true) do
     desc "The name of the config."
     validate do |value|
-      unless value =~ /^[\w\.\-\_]+$/
+      unless value =~ PuppetX::Sensu::Type.name_regex
         raise ArgumentError, "sensu_config name invalid"
       end
     end

diff --git a/lib/puppet/type/sensu_entity.rb b/lib/puppet/type/sensu_entity.rb
@@ -43,7 +43,7 @@
   newparam(:resource_name, :namevar => true) do
     desc "The name of the entity."
     validate do |value|
-      unless value =~ /^[\w\.\-]+$/
+      unless value =~ PuppetX::Sensu::Type.name_regex
         raise ArgumentError, "sensu_entity name invalid"
       end
     end

diff --git a/lib/puppet/type/sensu_filter.rb b/lib/puppet/type/sensu_filter.rb
@@ -45,7 +45,7 @@
   newparam(:resource_name, :namevar => true) do
     desc "The name of the filter."
     validate do |value|
-      unless value =~ /^[\w\.\-]+$/
+      unless value =~ PuppetX::Sensu::Type.name_regex
         raise ArgumentError, "sensu_filter name invalid"
       end
     end

diff --git a/lib/puppet/type/sensu_handler.rb b/lib/puppet/type/sensu_handler.rb
@@ -48,7 +48,7 @@
   newparam(:resource_name, :namevar => true) do
     desc "The name of the handler."
     validate do |value|
-      unless value =~ /^[\w\.\-]+$/
+      unless value =~ PuppetX::Sensu::Type.name_regex
         raise ArgumentError, "sensu_handler name invalid"
       end
     end

diff --git a/lib/puppet/type/sensu_hook.rb b/lib/puppet/type/sensu_hook.rb
@@ -43,7 +43,7 @@
   newparam(:resource_name, :namevar => true) do
     desc "The name of the hook."
     validate do |value|
-      unless value =~ /^[\w\.\-]+$/
+      unless value =~ PuppetX::Sensu::Type.name_regex
         raise ArgumentError, "sensu_hook name invalid"
       end
     end

diff --git a/lib/puppet/type/sensu_ldap_auth.rb b/lib/puppet/type/sensu_ldap_auth.rb
@@ -50,7 +50,7 @@
   newparam(:name, :namevar => true) do
     desc "The name of the LDAP auth."
     validate do |value|
-      unless value =~ /^[\w\.\-]+$/
+      unless value =~ PuppetX::Sensu::Type.name_regex
         raise ArgumentError, "sensu_ldap_auth name invalid"
       end
     end

diff --git a/lib/puppet/type/sensu_mutator.rb b/lib/puppet/type/sensu_mutator.rb
@@ -43,7 +43,7 @@
   newparam(:resource_name, :namevar => true) do
     desc "The name of the mutator."
     validate do |value|
-      unless value =~ /^[\w\.\-]+$/
+      unless value =~ PuppetX::Sensu::Type.name_regex
         raise ArgumentError, "sensu_mutator name invalid"
       end
     end

diff --git a/lib/puppet/type/sensu_namespace.rb b/lib/puppet/type/sensu_namespace.rb
@@ -26,7 +26,7 @@
   newparam(:name, :namevar => true) do
     desc "The name of the namespace."
     validate do |value|
-      unless value =~ /^[\w\.\-]+$/
+      unless value =~ PuppetX::Sensu::Type.name_regex
         raise ArgumentError, "sensu_namespace name invalid"
       end
     end

diff --git a/lib/puppet/type/sensu_oidc_auth.rb b/lib/puppet/type/sensu_oidc_auth.rb
@@ -37,7 +37,7 @@
   newparam(:name, :namevar => true) do
     desc "The name of the AD auth."
     validate do |value|
-      unless value =~ /^[\w\.\-]+$/
+      unless value =~ PuppetX::Sensu::Type.name_regex
         raise ArgumentError, "sensu_ad_auth name invalid"
       end
     end

diff --git a/lib/puppet/type/sensu_role.rb b/lib/puppet/type/sensu_role.rb
@@ -43,7 +43,7 @@
   newparam(:resource_name, :namevar => true) do
     desc "The name of the role."
     validate do |value|
-      unless value =~ /^[\w\.\-]+$/
+      unless value =~ PuppetX::Sensu::Type.name_regex
         raise ArgumentError, "sensu_role name invalid"
       end
     end

diff --git a/lib/puppet/type/sensu_role_binding.rb b/lib/puppet/type/sensu_role_binding.rb
@@ -59,7 +59,7 @@
   newparam(:resource_name, :namevar => true) do
     desc "The name of the role binding."
     validate do |value|
-      unless value =~ /^[\w\.\-]+$/
+      unless value =~ PuppetX::Sensu::Type.name_regex
         raise ArgumentError, "sensu_role_binding name invalid"
       end
     end

diff --git a/lib/puppet/type/sensu_user.rb b/lib/puppet/type/sensu_user.rb
@@ -44,7 +44,8 @@
   newparam(:name, :namevar => true) do
     desc "The name of the user."
     validate do |value|
-      unless value =~ /^[\w\.\-]+$/
+      # Match only upper case letters, lowercase letters, numbers, underscores, periods and hyphens
+      unless value =~ %r{^[\w.\-]+$}
         raise ArgumentError, "sensu_user name invalid"
       end
     end

diff --git a/lib/puppet_x/sensu/type.rb b/lib/puppet_x/sensu/type.rb
@@ -1,6 +1,10 @@
 module PuppetX
   module Sensu
     module Type
+      def self.name_regex
+        # Match only upper case letters, lowercase letters, numbers, underscores, periods, hyphens, and colons
+        %r{^[\w.\-:]+$}
+      end
 
       def add_autorequires(namespace=true, require_configure=true)
         autorequire(:package) do

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "sensu-sensu",
-  "version": "3.11.0",
+  "version": "3.12.0",
   "author": "sensu",
   "summary": "A module to install the Sensu monitoring framework",
   "license": "MIT",

diff --git a/spec/acceptance/sensu_bolt_tasks_spec.rb b/spec/acceptance/sensu_bolt_tasks_spec.rb
@@ -213,6 +213,48 @@ class { '::sensu::agent':
   end
 end
 
+describe 'sensu apikey task', if: RSpec.configuration.sensu_full do
+  backend = hosts_as('sensu_backend')[0]
+  context 'setup' do
+    it 'should work without errors' do
+      apply_manifest_on(backend, 'include ::sensu::backend', :catch_failures => true)
+    end
+  end
+
+  context 'create' do
+    it 'should work without errors' do
+      on backend, 'bolt task run sensu::apikey action=create username=admin --nodes sensu_backend'
+    end
+
+    it 'should have created api key' do
+      on backend, 'sensuctl api-key list --format json' do
+        data = JSON.parse(stdout)
+        key = data.select { |k| k["username"] == "admin" }[0]
+        expect(key).not_to be_nil
+      end
+    end
+  end
+
+  context 'list' do
+    describe command('bolt task run sensu::apikey action=list --nodes sensu_backend'), :node => backend do
+      its(:exit_status) { should eq 0 }
+    end
+  end
+
+  context 'delete' do
+    it 'should remove without errors' do
+      key = nil
+      # Get key
+      on backend, 'sensuctl api-key list --format json' do
+        data = JSON.parse(stdout)
+        apikey = data.select { |k| k["username"] == "admin" }[0]
+        key = apikey["metadata"]["name"]
+      end
+      on backend, "bolt task run sensu::apikey action=delete key=#{key} --nodes sensu_backend"
+    end
+  end
+end
+
 describe 'sensu agent_event task', if: RSpec.configuration.sensu_full do
   backend = hosts_as('sensu_backend')[0]
   agent = hosts_as('sensu_agent')[0]

diff --git a/spec/shared_examples/types.rb b/spec/shared_examples/types.rb
@@ -1,5 +1,34 @@
 require 'spec_helper'
 
+RSpec.shared_examples 'name_regex' do
+  let(:params) { default_params }
+  let(:resource) { described_class.new(params) }
+
+  invalid_names = [
+    'foo!'
+  ]
+  valid_names = [
+    'foo',
+    'foo:',
+    'foo-',
+    'foo_',
+    'foo.example.com',
+  ]
+
+  invalid_names.each do |name|
+    it "does not allow invalid name #{name}" do
+      params[:name] = name
+      expect { resource }.to raise_error(/name/)
+    end
+  end
+  valid_names.each do |name|
+    it "does allow valid name #{name}" do
+      params[:name] = name
+      expect { resource }.not_to raise_error
+    end
+  end
+end
+
 RSpec.shared_examples 'autorequires' do |namespace, configure|
   namespace = true if namespace.nil?
   configure = true if configure.nil?