diff --git a/REFERENCE.md b/REFERENCE.md
index 3ec71e53..0c486baa 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -199,7 +199,7 @@ This is a destructive parameter and should be used with care.
##### `api_basic_auth_password`
-Data type: `Optional[String]`
+Data type: `Optional[Variant[String, Sensitive[String]]]`
Defines the default REST basic auth password for API authentication.
@@ -854,7 +854,7 @@ Default value: `'present'`
##### `api_basic_auth_password`
-Data type: `Optional[String]`
+Data type: `Optional[Variant[String, Sensitive[String]]]`
HTTP basic auth password to use when communicating over the Elasticsearch
API.
@@ -1255,7 +1255,7 @@ Default value: `'present'`
##### `api_basic_auth_password`
-Data type: `Optional[String]`
+Data type: `Optional[Variant[String, Sensitive[String]]]`
HTTP basic auth password to use when communicating over the Elasticsearch
API.
@@ -1510,7 +1510,7 @@ Default value: `{}`
##### `api_basic_auth_password`
-Data type: `Optional[String]`
+Data type: `Optional[Variant[String, Sensitive[String]]]`
HTTP basic auth password to use when communicating over the Elasticsearch
API.
@@ -1976,7 +1976,7 @@ Default value: `'present'`
##### `api_basic_auth_password`
-Data type: `Optional[String]`
+Data type: `Optional[Variant[String, Sensitive[String]]]`
HTTP basic auth password to use when communicating over the Elasticsearch
API.
@@ -2134,7 +2134,7 @@ Default value: `'present'`
##### `api_basic_auth_password`
-Data type: `Optional[String]`
+Data type: `Optional[Variant[String, Sensitive[String]]]`
HTTP basic auth password to use when communicating over the Elasticsearch
API.
diff --git a/manifests/config.pp b/manifests/config.pp
index 9aeb2cb1..070a6312 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -226,10 +226,14 @@
# Add secrets to keystore
if $elasticsearch::secrets != undef {
+ # unwrap Secrets of Datatype Sensitive
+ $secrets = $elasticsearch::secrets.reduce({}) |Hash $memo, Array $value| {
+ $memo + { $value[0] => if $value[1] =~ Sensitive { $value[1].unwrap } else { $value[1] } }
+ }
elasticsearch_keystore { 'elasticsearch_secrets':
configdir => $elasticsearch::configdir,
purge => $elasticsearch::purge_secrets,
- settings => $elasticsearch::secrets,
+ settings => $secrets,
notify => $elasticsearch::_notify_service,
}
}
diff --git a/manifests/index.pp b/manifests/index.pp
index 1d8b07e6..8eb1d306 100644
--- a/manifests/index.pp
+++ b/manifests/index.pp
@@ -43,18 +43,24 @@
# @author Tyler Langlois
#
define elasticsearch::index (
- Enum['absent', 'present'] $ensure = 'present',
- Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
- Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
- Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file,
- Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path,
- String $api_host = $elasticsearch::api_host,
- Integer[0, 65535] $api_port = $elasticsearch::api_port,
- Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol,
- Integer $api_timeout = $elasticsearch::api_timeout,
- Hash $settings = {},
- Boolean $validate_tls = $elasticsearch::validate_tls,
+ Enum['absent', 'present'] $ensure = 'present',
+ Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
+ Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
+ Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file,
+ Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path,
+ String $api_host = $elasticsearch::api_host,
+ Integer[0, 65535] $api_port = $elasticsearch::api_port,
+ Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol,
+ Integer $api_timeout = $elasticsearch::api_timeout,
+ Hash $settings = {},
+ Boolean $validate_tls = $elasticsearch::validate_tls,
) {
+ $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive {
+ $api_basic_auth_password.unwrap
+ } else {
+ $api_basic_auth_password
+ }
+
es_instance_conn_validator { "${name}-index-conn-validator":
server => $api_host,
port => $api_port,
@@ -68,7 +74,7 @@
port => $api_port,
timeout => $api_timeout,
username => $api_basic_auth_username,
- password => $api_basic_auth_password,
+ password => $api_basic_auth_password_unsensitive,
ca_file => $api_ca_file,
ca_path => $api_ca_path,
validate_tls => $validate_tls,
diff --git a/manifests/init.pp b/manifests/init.pp
index e97ad121..cde73ce7 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -349,7 +349,7 @@
#
class elasticsearch (
Enum['absent', 'present'] $ensure,
- Optional[String] $api_basic_auth_password,
+ Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password,
Optional[String] $api_basic_auth_username,
Optional[String] $api_ca_file,
Optional[String] $api_ca_path,
diff --git a/manifests/license.pp b/manifests/license.pp
index 866b8577..1a032447 100644
--- a/manifests/license.pp
+++ b/manifests/license.pp
@@ -42,18 +42,24 @@
# @author Tyler Langlois
#
class elasticsearch::license (
- Enum['absent', 'present'] $ensure = 'present',
- Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
- Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
- Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file,
- Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path,
- String $api_host = $elasticsearch::api_host,
- Integer[0, 65535] $api_port = $elasticsearch::api_port,
- Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol,
- Integer $api_timeout = $elasticsearch::api_timeout,
- Variant[String, Hash] $content = $elasticsearch::license,
- Boolean $validate_tls = $elasticsearch::validate_tls,
+ Enum['absent', 'present'] $ensure = 'present',
+ Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
+ Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
+ Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file,
+ Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path,
+ String $api_host = $elasticsearch::api_host,
+ Integer[0, 65535] $api_port = $elasticsearch::api_port,
+ Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol,
+ Integer $api_timeout = $elasticsearch::api_timeout,
+ Variant[String, Hash] $content = $elasticsearch::license,
+ Boolean $validate_tls = $elasticsearch::validate_tls,
) {
+ $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive {
+ $api_basic_auth_password.unwrap
+ } else {
+ $api_basic_auth_password
+ }
+
if $content =~ String {
$_content = parsejson($content)
} else {
@@ -80,7 +86,7 @@
port => $api_port,
timeout => $api_timeout,
username => $api_basic_auth_username,
- password => $api_basic_auth_password,
+ password => $api_basic_auth_password_unsensitive,
ca_file => $api_ca_file,
ca_path => $api_ca_path,
validate_tls => $validate_tls,
diff --git a/manifests/pipeline.pp b/manifests/pipeline.pp
index 64a3c72c..655e003e 100644
--- a/manifests/pipeline.pp
+++ b/manifests/pipeline.pp
@@ -45,18 +45,24 @@
# @author Tyler Langlois
#
define elasticsearch::pipeline (
- Enum['absent', 'present'] $ensure = 'present',
- Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
- Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
- Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file,
- Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path,
- String $api_host = $elasticsearch::api_host,
- Integer[0, 65535] $api_port = $elasticsearch::api_port,
- Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol,
- Integer $api_timeout = $elasticsearch::api_timeout,
- Hash $content = {},
- Boolean $validate_tls = $elasticsearch::validate_tls,
+ Enum['absent', 'present'] $ensure = 'present',
+ Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
+ Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
+ Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file,
+ Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path,
+ String $api_host = $elasticsearch::api_host,
+ Integer[0, 65535] $api_port = $elasticsearch::api_port,
+ Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol,
+ Integer $api_timeout = $elasticsearch::api_timeout,
+ Hash $content = {},
+ Boolean $validate_tls = $elasticsearch::validate_tls,
) {
+ $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive {
+ $api_basic_auth_password.unwrap
+ } else {
+ $api_basic_auth_password
+ }
+
es_instance_conn_validator { "${name}-ingest-pipeline":
server => $api_host,
port => $api_port,
@@ -70,7 +76,7 @@
port => $api_port,
timeout => $api_timeout,
username => $api_basic_auth_username,
- password => $api_basic_auth_password,
+ password => $api_basic_auth_password_unsensitive,
ca_file => $api_ca_file,
ca_path => $api_ca_path,
validate_tls => $validate_tls,
diff --git a/manifests/snapshot_repository.pp b/manifests/snapshot_repository.pp
index cf0e2e0a..a246a7cc 100644
--- a/manifests/snapshot_repository.pp
+++ b/manifests/snapshot_repository.pp
@@ -60,23 +60,29 @@
# @author Tyler Langlois
#
define elasticsearch::snapshot_repository (
- String $location,
- Enum['absent', 'present'] $ensure = 'present',
- Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
- Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
- Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file,
- Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path,
- String $api_host = $elasticsearch::api_host,
- Integer[0, 65535] $api_port = $elasticsearch::api_port,
- Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol,
- Integer $api_timeout = $elasticsearch::api_timeout,
- Boolean $compress = true,
- Optional[String] $chunk_size = undef,
- Optional[String] $max_restore_rate = undef,
- Optional[String] $max_snapshot_rate = undef,
- Optional[String] $repository_type = undef,
- Boolean $validate_tls = $elasticsearch::validate_tls,
+ String $location,
+ Enum['absent', 'present'] $ensure = 'present',
+ Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
+ Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
+ Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file,
+ Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path,
+ String $api_host = $elasticsearch::api_host,
+ Integer[0, 65535] $api_port = $elasticsearch::api_port,
+ Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol,
+ Integer $api_timeout = $elasticsearch::api_timeout,
+ Boolean $compress = true,
+ Optional[String] $chunk_size = undef,
+ Optional[String] $max_restore_rate = undef,
+ Optional[String] $max_snapshot_rate = undef,
+ Optional[String] $repository_type = undef,
+ Boolean $validate_tls = $elasticsearch::validate_tls,
) {
+ $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive {
+ $api_basic_auth_password.unwrap
+ } else {
+ $api_basic_auth_password
+ }
+
es_instance_conn_validator { "${name}-snapshot":
server => $api_host,
port => $api_port,
@@ -95,7 +101,7 @@
port => $api_port,
timeout => $api_timeout,
username => $api_basic_auth_username,
- password => $api_basic_auth_password,
+ password => $api_basic_auth_password_unsensitive,
ca_file => $api_ca_file,
ca_path => $api_ca_path,
validate_tls => $validate_tls,
diff --git a/manifests/template.pp b/manifests/template.pp
index 3f1e0723..ef615c68 100644
--- a/manifests/template.pp
+++ b/manifests/template.pp
@@ -53,19 +53,25 @@
# @author Tyler Langlois
#
define elasticsearch::template (
- Enum['absent', 'present'] $ensure = 'present',
- Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
- Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
- Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file,
- Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path,
- String $api_host = $elasticsearch::api_host,
- Integer[0, 65535] $api_port = $elasticsearch::api_port,
- Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol,
- Integer $api_timeout = $elasticsearch::api_timeout,
- Optional[Variant[String, Hash]] $content = undef,
- Optional[String] $source = undef,
- Boolean $validate_tls = $elasticsearch::validate_tls,
+ Enum['absent', 'present'] $ensure = 'present',
+ Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
+ Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
+ Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file,
+ Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path,
+ String $api_host = $elasticsearch::api_host,
+ Integer[0, 65535] $api_port = $elasticsearch::api_port,
+ Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol,
+ Integer $api_timeout = $elasticsearch::api_timeout,
+ Optional[Variant[String, Hash]] $content = undef,
+ Optional[String] $source = undef,
+ Boolean $validate_tls = $elasticsearch::validate_tls,
) {
+ $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive {
+ $api_basic_auth_password.unwrap
+ } else {
+ $api_basic_auth_password
+ }
+
if $content =~ String {
$_content = parsejson($content)
} else {
@@ -92,7 +98,7 @@
port => $api_port,
timeout => $api_timeout,
username => $api_basic_auth_username,
- password => $api_basic_auth_password,
+ password => $api_basic_auth_password_unsensitive,
ca_file => $api_ca_file,
ca_path => $api_ca_path,
validate_tls => $validate_tls,