Puppet Function: vault_hiera_hash

Defined in:
lib/puppet/functions/vault_hiera_hash.rb
Function type:
Ruby 4.x API

Overview

vault_hiera_hash(Hash $options, Puppet::LookupContext $context) ⇒ Hash

Custom hiera back-end for Hashicorp Vault key/value secrets engines v1 and v2

Parameters:

  • options (Hash)

    uri, ca_trust, token_file, auth_path, version, timeout, fail_hard

  • context (Puppet::LookupContext)

Options Hash (options):

  • :uri (String)

    Required. The complete URL to the API endpoint for Hashicorp Vault key/value secrets.

  • :ca_trust (String)

    Optional path to a trusted CA certificate chain file. Will try system defaults for RedHat/Debian if not set.

  • :token_file (String)

    The path to a file that contains a Vault token. When not defined it will try PKI auth with Puppet cert.

  • :auth_path (String)

    Optional. The Vault path for the “cert” authentication type used with Puppet certificates.

  • :version (String)

    The Vault key/value secrets engine will always use ‘v1’ unless set to ‘v2’ here.

  • :timeout (Integer)

    Optional value for tuning HTTP timeouts. Default is 5 seconds.

  • :fail_hard (Boolean)

    Optional. Raise an exception on errors when true, or return an empty hash when false. Default: false.

Returns:

  • (Hash)

    All key/value pairs from the given Vault path will be returned to hiera
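An added hiera.yaml example (not from the module's own documentation) that wires this function in as a Hiera 5 data_hash backend; the Vault host, KV mount and secret path, CA bundle path and the `puppet-pki` auth mount are assumed placeholders:

```yaml
# hiera.yaml (Hiera 5), constructed example: Vault KV v2 as the first data source.
version: 5
defaults:
  datadir: data
  data_hash: yaml_data

hierarchy:
  - name: "Secrets from HashiCorp Vault"
    data_hash: vault_hiera_hash
    # Hiera hands a level's 'uri' to the backend as options['uri'], which is the
    # key the function checks for. KV v2 API paths carry a 'data' segment after
    # the mount; host, mount and path below are placeholders.
    uri: https://vault.example.com:8200/v1/secret/data/puppet/common
    options:
      version: v2                                # backend defaults to v1
      ca_trust: /etc/pki/tls/certs/vault-ca.pem  # assumed path to the Vault CA chain
      # No token_file is set, so the backend falls back to Vault 'cert' auth
      # with the Puppet certificate, against the assumed auth mount 'puppet-pki'.
      auth_path: puppet-pki
      timeout: 5
      # Keep the backend's default: errors and missing data yield an empty hash
      # and the lookup continues down the hierarchy instead of failing the
      # catalog compile. Set true only where a missing secret must abort the run.
      fail_hard: false

  - name: "Per-node data"
    path: "nodes/%{trusted.certname}.yaml"

  - name: "Common data"
    path: "common.yaml"
```

Every key/value pair stored at that Vault path becomes a Hiera key, so `lookup('db_password')` resolves the `db_password` field of the secret, and a key absent from the secret falls through to the YAML levels below.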

# File 'lib/puppet/functions/vault_hiera_hash.rb', line 4

Puppet::Functions.create_function(:vault_hiera_hash) do
  # @param options uri, ca_trust, token_file, auth_path, version, timeout, fail_hard
  # @option options [String] :uri        Required. The complete URL to the API endpoint for Hashicorp Vault key/value secrets.
  # @option options [String] :ca_trust   Optional path to a trusted CA certificate chain file.  Will try system defaults for RedHat/Debian if not set.
  # @option options [String] :token_file The path to a file that contains a Vault token. When not defined it will try PKI auth with Puppet cert.
  # @option options [String] :auth_path  Optional. The Vault path for the "cert" authentication type used with Puppet certificates.
  # @option options [String] :version    The Vault key/value secrets engine will always use 'v1' unless set to 'v2' here.
  # @option options [Integer] :timeout   Optional value for tuning HTTP timeouts. Default is 5 seconds.
  # @option options [Boolean] :fail_hard Optional. Raise an exception on errors when true, or return an empty hash when false. Default: false.
  # @return [Hash] All key/value pairs from the given Vault path will be returned to hiera
  dispatch :vault_hiera_hash do
    param 'Hash', :options
    param 'Puppet::LookupContext', :context
  end

  require "#{File.dirname(__FILE__)}/../../puppet_x/vault_secrets/vaultsession.rb"

  def vault_hiera_hash(options, context)
    # Hiera passes a hierarchy level's 'uri' (or each entry of its 'uris') to the
    # backend as options['uri'], so that is the only key that needs checking here.
    err_message = "The vault_hiera_hash function requires one of 'uri' or 'uris'"
    raise Puppet::DataBinding::LookupError, err_message unless options.key?('uri')

    Puppet.debug "Using Vault URL: #{options['uri']}"

    connection = {}

    # Hiera lookups, by default, should not fail hard when data is not found;
    # an explicit 'fail_hard' in the options overrides this below.
    connection['fail_hard'] = false

    options.each do |key, value|
      connection[key] = value
    end

    # A token file takes precedence over certificate authentication
    if options.key?('token_file')
      token = File.read(options['token_file']).strip
      connection['token'] = token
    end

    # Use the Vault class for the lookup
    data = VaultSession.new(connection).get

    # Check the type first so a nil or non-Hash response cannot raise NoMethodError
    context.not_found if !data.is_a?(Hash) || data.empty?
    context.cache_all(data)
    data
  end
end