Accept Puppet-Datatype Sensitive

cocker-cc · cocker-cc · commit c4628ea8a7ce · 2023-06-19T14:09:30.000+02:00
- let the Hash containing the Secrets for the Keystore accept Secrets of Datatype Sensitive
- fix a 15-Months-old Typo-Bug
- let api_basic_auth_password also be of Type Sensitive
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -221,10 +221,14 @@
 
     # Add secrets to keystore
     if $elasticsearch::secrets != undef {
+      # unwrap Secrets of Datatype Sensitive
+      $secrets = $elasticsearch::secrets.reduce( {}) |Hash $memo, Array $value| {
+        $memo + { $value[0] => if $value[1] =~ Sensitive { $value[1].unwrap } else { $value[1] } }
+      }
       elasticsearch_keystore { 'elasticsearch_secrets':
         configdir => $elasticsearch::configdir,
         purge     => $elasticsearch::purge_secrets,
-        settings  => $elasticsearch::secrets,
+        settings  => $secrets,
         notify    => $elasticsearch::_notify_service,
       }
     }
diff --git a/manifests/index.pp b/manifests/index.pp
@@ -43,18 +43,24 @@
 # @author Tyler Langlois <tyler.langlois@elastic.co>
 #
 define elasticsearch::index (
-  Enum['absent', 'present']      $ensure                  = 'present',
-  Optional[String]               $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
-  Optional[String]               $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
-  Optional[Stdlib::Absolutepath] $api_ca_file             = $elasticsearch::api_ca_file,
-  Optional[Stdlib::Absolutepath] $api_ca_path             = $elasticsearch::api_ca_path,
-  String                         $api_host                = $elasticsearch::api_host,
-  Integer[0, 65535]              $api_port                = $elasticsearch::api_port,
-  Enum['http', 'https']          $api_protocol            = $elasticsearch::api_protocol,
-  Integer                        $api_timeout             = $elasticsearch::api_timeout,
-  Hash                           $settings                = {},
-  Boolean                        $validate_tls            = $elasticsearch::validate_tls,
+  Enum['absent', 'present']                    $ensure                  = 'present',
+  Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
+  Optional[String]                             $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
+  Optional[Stdlib::Absolutepath]               $api_ca_file             = $elasticsearch::api_ca_file,
+  Optional[Stdlib::Absolutepath]               $api_ca_path             = $elasticsearch::api_ca_path,
+  String                                       $api_host                = $elasticsearch::api_host,
+  Integer[0, 65535]                            $api_port                = $elasticsearch::api_port,
+  Enum['http', 'https']                        $api_protocol            = $elasticsearch::api_protocol,
+  Integer                                      $api_timeout             = $elasticsearch::api_timeout,
+  Hash                                         $settings                = {},
+  Boolean                                      $validate_tls            = $elasticsearch::validate_tls,
 ) {
+  $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive {
+    $api_basic_auth_password.unwrap
+  } else {
+    $api_basic_auth_password
+  }
+
   es_instance_conn_validator { "${name}-index-conn-validator":
     server  => $api_host,
     port    => $api_port,
@@ -68,7 +74,7 @@
     port         => $api_port,
     timeout      => $api_timeout,
     username     => $api_basic_auth_username,
-    password     => $api_basic_auth_password,
+    password     => $api_basic_auth_password_unsensitive,
     ca_file      => $api_ca_file,
     ca_path      => $api_ca_path,
     validate_tls => $validate_tls,
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -349,7 +349,7 @@
 #
 class elasticsearch (
   Enum['absent', 'present']                       $ensure,
-  Optional[String]                                $api_basic_auth_password,
+  Optional[Variant[String, Sensitive[String]]]    $api_basic_auth_password,
   Optional[String]                                $api_basic_auth_username,
   Optional[String]                                $api_ca_file,
   Optional[String]                                $api_ca_path,
diff --git a/manifests/license.pp b/manifests/license.pp
@@ -42,18 +42,24 @@
 # @author Tyler Langlois <tyler.langlois@elastic.co>
 #
 class elasticsearch::license (
-  Enum['absent', 'present']      $ensure                  = 'present',
-  Optional[String]               $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
-  Optional[String]               $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
-  Optional[Stdlib::Absolutepath] $api_ca_file             = $elasticsearch::api_ca_file,
-  Optional[Stdlib::Absolutepath] $api_ca_path             = $elasticsearch::api_ca_path,
-  String                         $api_host                = $elasticsearch::api_host,
-  Integer[0, 65535]              $api_port                = $elasticsearch::api_port,
-  Enum['http', 'https']          $api_protocol            = $elasticsearch::api_protocol,
-  Integer                        $api_timeout             = $elasticsearch::api_timeout,
-  Variant[String, Hash]          $content                 = $elasticsearch::license,
-  Boolean                        $validate_tls            = $elasticsearch::validate_tls,
+  Enum['absent', 'present']                    $ensure                  = 'present',
+  Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
+  Optional[String]                             $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
+  Optional[Stdlib::Absolutepath]               $api_ca_file             = $elasticsearch::api_ca_file,
+  Optional[Stdlib::Absolutepath]               $api_ca_path             = $elasticsearch::api_ca_path,
+  String                                       $api_host                = $elasticsearch::api_host,
+  Integer[0, 65535]                            $api_port                = $elasticsearch::api_port,
+  Enum['http', 'https']                        $api_protocol            = $elasticsearch::api_protocol,
+  Integer                                      $api_timeout             = $elasticsearch::api_timeout,
+  Variant[String, Hash]                        $content                 = $elasticsearch::license,
+  Boolean                                      $validate_tls            = $elasticsearch::validate_tls,
 ) {
+  $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive {
+    $api_basic_auth_password.unwrap
+  } else {
+    $api_basic_auth_password
+  }
+
   if $content =~ String {
     $_content = parsejson($content)
   } else {
@@ -80,7 +86,7 @@
     port         => $api_port,
     timeout      => $api_timeout,
     username     => $api_basic_auth_username,
-    password     => $api_basic_auth_password,
+    password     => $api_basic_auth_password_unsensitive,
     ca_file      => $api_ca_file,
     ca_path      => $api_ca_path,
     validate_tls => $validate_tls,
diff --git a/manifests/pipeline.pp b/manifests/pipeline.pp
@@ -45,18 +45,24 @@
 # @author Tyler Langlois <tyler.langlois@elastic.co>
 #
 define elasticsearch::pipeline (
-  Enum['absent', 'present']      $ensure                  = 'present',
-  Optional[String]               $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
-  Optional[String]               $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
-  Optional[Stdlib::Absolutepath] $api_ca_file             = $elasticsearch::api_ca_file,
-  Optional[Stdlib::Absolutepath] $api_ca_path             = $elasticsearch::api_ca_path,
-  String                         $api_host                = $elasticsearch::api_host,
-  Integer[0, 65535]              $api_port                = $elasticsearch::api_port,
-  Enum['http', 'https']          $api_protocol            = $elasticsearch::api_protocol,
-  Integer                        $api_timeout             = $elasticsearch::api_timeout,
-  Hash                           $content                 = {},
-  Boolean                        $validate_tls            = $elasticsearch::validate_tls,
+  Enum['absent', 'present']                    $ensure                  = 'present',
+  Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
+  Optional[String]                             $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
+  Optional[Stdlib::Absolutepath]               $api_ca_file             = $elasticsearch::api_ca_file,
+  Optional[Stdlib::Absolutepath]               $api_ca_path             = $elasticsearch::api_ca_path,
+  String                                       $api_host                = $elasticsearch::api_host,
+  Integer[0, 65535]                            $api_port                = $elasticsearch::api_port,
+  Enum['http', 'https']                        $api_protocol            = $elasticsearch::api_protocol,
+  Integer                                      $api_timeout             = $elasticsearch::api_timeout,
+  Hash                                         $content                 = {},
+  Boolean                                      $validate_tls            = $elasticsearch::validate_tls,
 ) {
+  $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive {
+    $api_basic_auth_password.unwrap
+  } else {
+    $api_basic_auth_password
+  }
+
   es_instance_conn_validator { "${name}-ingest-pipeline":
     server  => $api_host,
     port    => $api_port,
@@ -70,7 +76,7 @@
     port         => $api_port,
     timeout      => $api_timeout,
     username     => $api_basic_auth_username,
-    password     => $api_basic_auth_password,
+    password     => $api_basic_auth_password_unsensitive,
     ca_file      => $api_ca_file,
     ca_path      => $api_ca_path,
     validate_tls => $validate_tls,
diff --git a/manifests/snapshot_repository.pp b/manifests/snapshot_repository.pp
@@ -60,23 +60,29 @@
 # @author Tyler Langlois <tyler.langlois@elastic.co>
 #
 define elasticsearch::snapshot_repository (
-  String                          $location,
-  Enum['absent', 'present']       $ensure                  = 'present',
-  Optional[String]                $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
-  Optional[String]                $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
-  Optional[Stdlib::Absolutepath]  $api_ca_file             = $elasticsearch::api_ca_file,
-  Optional[Stdlib::Absolutepath]  $api_ca_path             = $elasticsearch::api_ca_path,
-  String                          $api_host                = $elasticsearch::api_host,
-  Integer[0, 65535]               $api_port                = $elasticsearch::api_port,
-  Enum['http', 'https']           $api_protocol            = $elasticsearch::api_protocol,
-  Integer                         $api_timeout             = $elasticsearch::api_timeout,
-  Boolean                         $compress                = true,
-  Optional[String]                $chunk_size              = undef,
-  Optional[String]                $max_restore_rate        = undef,
-  Optional[String]                $max_snapshot_rate       = undef,
-  Optional[String]                $repository_type         = undef,
-  Boolean                         $validate_tls            = $elasticsearch::validate_tls,
+  String                                       $location,
+  Enum['absent', 'present']                    $ensure                  = 'present',
+  Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
+  Optional[String]                             $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
+  Optional[Stdlib::Absolutepath]               $api_ca_file             = $elasticsearch::api_ca_file,
+  Optional[Stdlib::Absolutepath]               $api_ca_path             = $elasticsearch::api_ca_path,
+  String                                       $api_host                = $elasticsearch::api_host,
+  Integer[0, 65535]                            $api_port                = $elasticsearch::api_port,
+  Enum['http', 'https']                        $api_protocol            = $elasticsearch::api_protocol,
+  Integer                                      $api_timeout             = $elasticsearch::api_timeout,
+  Boolean                                      $compress                = true,
+  Optional[String]                             $chunk_size              = undef,
+  Optional[String]                             $max_restore_rate        = undef,
+  Optional[String]                             $max_snapshot_rate       = undef,
+  Optional[String]                             $repository_type         = undef,
+  Boolean                                      $validate_tls            = $elasticsearch::validate_tls,
 ) {
+  $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive {
+    $api_basic_auth_password.unwrap
+  } else {
+    $api_basic_auth_password
+  }
+
   es_instance_conn_validator { "${name}-snapshot":
     server  => $api_host,
     port    => $api_port,
@@ -95,7 +101,7 @@
     port              => $api_port,
     timeout           => $api_timeout,
     username          => $api_basic_auth_username,
-    password          => $api_basic_auth_password,
+    password          => $api_basic_auth_password_unsensitive,
     ca_file           => $api_ca_file,
     ca_path           => $api_ca_path,
     validate_tls      => $validate_tls,
diff --git a/manifests/template.pp b/manifests/template.pp
@@ -53,19 +53,25 @@
 # @author Tyler Langlois <tyler.langlois@elastic.co>
 #
 define elasticsearch::template (
-  Enum['absent', 'present']       $ensure                  = 'present',
-  Optional[String]                $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
-  Optional[String]                $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
-  Optional[Stdlib::Absolutepath]  $api_ca_file             = $elasticsearch::api_ca_file,
-  Optional[Stdlib::Absolutepath]  $api_ca_path             = $elasticsearch::api_ca_path,
-  String                          $api_host                = $elasticsearch::api_host,
-  Integer[0, 65535]               $api_port                = $elasticsearch::api_port,
-  Enum['http', 'https']           $api_protocol            = $elasticsearch::api_protocol,
-  Integer                         $api_timeout             = $elasticsearch::api_timeout,
-  Optional[Variant[String, Hash]] $content                 = undef,
-  Optional[String]                $source                  = undef,
-  Boolean                         $validate_tls            = $elasticsearch::validate_tls,
+  Enum['absent', 'present']                    $ensure                  = 'present',
+  Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password,
+  Optional[String]                             $api_basic_auth_username = $elasticsearch::api_basic_auth_username,
+  Optional[Stdlib::Absolutepath]               $api_ca_file             = $elasticsearch::api_ca_file,
+  Optional[Stdlib::Absolutepath]               $api_ca_path             = $elasticsearch::api_ca_path,
+  String                                       $api_host                = $elasticsearch::api_host,
+  Integer[0, 65535]                            $api_port                = $elasticsearch::api_port,
+  Enum['http', 'https']                        $api_protocol            = $elasticsearch::api_protocol,
+  Integer                                      $api_timeout             = $elasticsearch::api_timeout,
+  Optional[Variant[String, Hash]]              $content                 = undef,
+  Optional[String]                             $source                  = undef,
+  Boolean                                      $validate_tls            = $elasticsearch::validate_tls,
 ) {
+  $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive {
+    $api_basic_auth_password.unwrap
+  } else {
+    $api_basic_auth_password
+  }
+
   if $content =~ String {
     $_content = parsejson($content)
   } else {
@@ -92,7 +98,7 @@
     port         => $api_port,
     timeout      => $api_timeout,
     username     => $api_basic_auth_username,
-    password     => $api_basic_auth_password,
+    password     => $api_basic_auth_password_unsensitive,
     ca_file      => $api_ca_file,
     ca_path      => $api_ca_path,
     validate_tls => $validate_tls,

Original file line number	Diff line number	Diff line change
`@@ -349,7 +349,7 @@`
`349`	`349`	`#`
`350`	`350`	`class elasticsearch (`
`351`	`351`	`Enum['absent', 'present'] $ensure,`
`352`		`- Optional[String] $api_basic_auth_password,`
	`352`	`+ Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password,`
`353`	`353`	`Optional[String] $api_basic_auth_username,`
`354`	`354`	`Optional[String] $api_ca_file,`
`355`	`355`	`Optional[String] $api_ca_path,`