diff --git a/manifests/config.pp b/manifests/config.pp index 0f8cf5da1..b23ed7a77 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -197,10 +197,14 @@ # Add secrets to keystore if $elasticsearch::secrets != undef { + # unwrap Secrets of Datatype Sensitive + $secrets = $elasticsearch::secrets.reduce( {}) |Hash $memo, Array $value| { + $memo + { $value[0] => if $value[1] =~ Sensitive { $value[1].unwrap } else { $value[1] } } + } elasticsearch_keystore { 'elasticsearch_secrets': configdir => $elasticsearch::configdir, purge => $elasticsearch::purge_secrets, - settings => $elasticsearch::secrets, + settings => $secrets, notify => $elasticsearch::_notify_service, } } diff --git a/manifests/index.pp b/manifests/index.pp index 1d8b07e66..8eb1d3069 100644 --- a/manifests/index.pp +++ b/manifests/index.pp 
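Review bot: The `reduce` block unwraps every `Sensitive` value, and `settings => $secrets` then hands the keystore secrets to `elasticsearch_keystore` as plain strings. They are therefore stored unredacted in the compiled catalog and can surface in change reports, unless the type marks `settings` as sensitive itself, which this hunk does not show. Puppet does not automatically handle `Sensitive` values nested inside a hash, so the unwrap is understandable, but the result can be wrapped again as a whole: `settings => Sensitive($secrets),`. Puppet should then unwrap it for the provider while keeping the attribute redacted; confirm this against the type's `settings` property before relying on it.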
@@ -43,18 +43,24 @@ # @author Tyler Langlois # define elasticsearch::index ( - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Hash $settings = {}, - Boolean $validate_tls = $elasticsearch::validate_tls, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Hash $settings = {}, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + $api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + es_instance_conn_validator { "${name}-index-conn-validator": server => $api_host, port => $api_port, 
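Review bot: `$api_basic_auth_password_unsensitive` strips the `Sensitive` wrapper before the value reaches the `password =>` attribute changed in the next hunk, so a password supplied as `Sensitive` still ends up as cleartext in the catalog and wherever the catalog is cached or reported. Because this is a top-level resource attribute, the wrapper can likely be passed through unchanged, `password => $api_basic_auth_password,`, letting Puppet unwrap it for the provider and redact it in logs; that is worth verifying against the providers. The same five-line unwrap is repeated in `license.pp`, `pipeline.pp`, `snapshot_repository.pp` and `template.pp`, so the point applies there as well. If the unwrap has to stay, a single module function would keep it in one place. The body of `elasticsearch::index` continues outside this hunk.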
@@ -68,7 +74,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls, diff --git a/manifests/init.pp b/manifests/init.pp index 55fc4e0f1..2a8234765 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -325,7 +325,7 @@ # class elasticsearch ( Enum['absent', 'present'] $ensure, - Optional[String] $api_basic_auth_password, + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password, Optional[String] $api_basic_auth_username, Optional[String] $api_ca_file, Optional[String] $api_ca_path, diff --git a/manifests/license.pp b/manifests/license.pp index 866b85775..1a032447f 100644 --- a/manifests/license.pp +++ b/manifests/license.pp 
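Review bot: Widening `$api_basic_auth_password` to `Optional[Variant[String, Sensitive[String]]]` changes what every `$elasticsearch::api_basic_auth_password` default can carry, and only the five manifests patched in this commit are visibly adapted. Any other class or defined type in the module that still declares the parameter as `Optional[String]`, or interpolates it into a string or template, would fail type checking or render the redaction placeholder instead of the password. None are visible here, so this needs a search of the module. The parameter documentation above the class, outside this hunk, should also state that `Sensitive[String]` is accepted and is the preferred form.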
@@ -42,18 +42,24 @@ # @author Tyler Langlois # class elasticsearch::license ( - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Variant[String, Hash] $content = $elasticsearch::license, - Boolean $validate_tls = $elasticsearch::validate_tls, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Variant[String, Hash] $content = $elasticsearch::license, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + $api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + if $content =~ String { $_content = parsejson($content) } else { 
@@ -80,7 +86,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls, diff --git a/manifests/pipeline.pp b/manifests/pipeline.pp index 64a3c72c7..655e003ea 100644 --- a/manifests/pipeline.pp +++ b/manifests/pipeline.pp 
@@ -45,18 +45,24 @@ # @author Tyler Langlois # define elasticsearch::pipeline ( - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Hash $content = {}, - Boolean $validate_tls = $elasticsearch::validate_tls, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Hash $content = {}, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + $api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + es_instance_conn_validator { "${name}-ingest-pipeline": server => $api_host, port => $api_port, 
@@ -70,7 +76,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls, diff --git a/manifests/snapshot_repository.pp b/manifests/snapshot_repository.pp index cf0e2e0a8..a246a7cc9 100644 --- a/manifests/snapshot_repository.pp +++ b/manifests/snapshot_repository.pp 
@@ -60,23 +60,29 @@ # @author Tyler Langlois # define elasticsearch::snapshot_repository ( - String $location, - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Boolean $compress = true, - Optional[String] $chunk_size = undef, - Optional[String] $max_restore_rate = undef, - Optional[String] $max_snapshot_rate = undef, - Optional[String] $repository_type = undef, - Boolean $validate_tls = $elasticsearch::validate_tls, + String $location, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Boolean $compress = true, + Optional[String] $chunk_size = undef, + Optional[String] $max_restore_rate = undef, + Optional[String] $max_snapshot_rate = undef, + Optional[String] $repository_type = undef, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + 
$api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + es_instance_conn_validator { "${name}-snapshot": server => $api_host, port => $api_port, @@ -95,7 +101,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls, diff --git a/manifests/template.pp b/manifests/template.pp index 3f1e07232..ef615c685 100644 --- a/manifests/template.pp +++ b/manifests/template.pp 
@@ -53,19 +53,25 @@ # @author Tyler Langlois # define elasticsearch::template ( - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Optional[Variant[String, Hash]] $content = undef, - Optional[String] $source = undef, - Boolean $validate_tls = $elasticsearch::validate_tls, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Optional[Variant[String, Hash]] $content = undef, + Optional[String] $source = undef, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + $api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + if $content =~ String { $_content = parsejson($content) } else { 
@@ -92,7 +98,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls,