Puppet Plan: vault_secrets::approle_agent

Defined in:
plans/approle_agent.pp

Overview

Configures a Vault agent service on the targets for use with an existing Vault AppRole.

Parameters:

  • action (Enum['install', 'remove']) (defaults to: 'install')

    Install or remove the specified Vault agent service

  • application (String)

    Used as a component of resource names. The Vault agent sink is: "/run/vault-$owner/$application.token"

  • vault_addr (String)

    The URL of the Vault service.

  • role_id (Sensitive)

    A Sensitive-wrapped String: the RoleID of the Vault AppRole.

  • secret_id (Sensitive)

    A Sensitive-wrapped String: the SecretID of the Vault AppRole.

  • owner (String)

    The user name that will own the Vault agent sink file.

  • install_vault (Boolean) (defaults to: true)

    Install Vault using the "hashi_stack::repo" class. Set parameters for "hashi_stack::repo" in Hiera to customize the installation.

  • targets (TargetSpec)


# File 'plans/approle_agent.pp', line 11

plan vault_secrets::approle_agent (
  TargetSpec $targets,
  String $application,
  String $vault_addr,
  Sensitive $role_id,
  Sensitive $secret_id,
  String $owner,
  Enum['install', 'remove'] $action = 'install',
  Boolean $install_vault            = true,
) {
  # Collect facts on targets
  run_plan('facts', 'targets' => $targets)

  $results = apply($targets, '_catch_errors' => true) {
    # Would rather have an 'ensure' parameter for the plan, but it does not work
    $ensure = $action ? {
      'remove' => 'absent',
      default  => 'present',
    }
    Vault_secrets::Approle_agent { $application:
      ensure        => $ensure,
      vault_addr    => $vault_addr,
      role_id       => $role_id.unwrap,
      secret_id     => $secret_id.unwrap,
      owner         => $owner,
      install_vault => $install_vault,
    }
  }

  $results.each |$result| {
    if $result.ok {
      $result.report['logs'].each |$log| {
        out::message("${log['source']}: ${log['message']}")
      }
      out::message("Target summary: ${result.target}, ${result.message}")
    } else {
      out::message("${result.error} - ${result.message}")
    }
  }
}
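The plan above expects the RoleID and SecretID as Sensitive values, so the usual way to run it is from a wrapper plan (or the Bolt CLI, which wraps Sensitive-typed parameters automatically) rather than pasting the credentials inline. The following wrapper plan is an added example, not part of the vault_secrets module or this page: the plan name profile::vault_agent_rollout, the parameter defaults, the secrets directory layout and the Linux stat check are all assumptions. It reads the AppRole credentials from files on the Bolt controller so they never appear in argv or shell history, wraps them in Sensitive so Bolt redacts them from output, calls the plan, and then verifies the sink file the Overview describes.

```puppet
# Hypothetical wrapper plan (added example, not part of the vault_secrets module).
# Assumes the RoleID and SecretID were placed in files on the Bolt controller
# under $secrets_dir, named <application>.role_id and <application>.secret_id.
plan profile::vault_agent_rollout (
  TargetSpec $targets,
  String     $application = 'payments-api',                 # constructed sample value
  String     $owner       = 'payments',                     # constructed sample value
  String     $vault_addr  = 'https://vault.example.com:8200', # constructed sample value
  String     $secrets_dir = '/etc/bolt/approle',            # assumed layout
) {
  # file::read is a Bolt function that reads a file on the controller.
  # Wrapping in Sensitive keeps the values out of plan output and logs.
  $role_id   = Sensitive(file::read("${secrets_dir}/${application}.role_id").strip)
  $secret_id = Sensitive(file::read("${secrets_dir}/${application}.secret_id").strip)

  # Call the plan documented above; the Sensitive values are unwrapped
  # only inside the apply() block that manages the agent.
  run_plan('vault_secrets::approle_agent',
    'targets'     => $targets,
    'application' => $application,
    'vault_addr'  => $vault_addr,
    'role_id'     => $role_id,
    'secret_id'   => $secret_id,
    'owner'       => $owner,
    'action'      => 'install',
  )

  # Post-check on Linux targets: the sink described in the Overview should
  # exist, be owned by $owner and not be world-readable. GNU stat is assumed.
  $sink = "/run/vault-${owner}/${application}.token"
  return run_command("stat -c '%U %a' '${sink}'", $targets, '_catch_errors' => true)
}
```

Run it with `bolt plan run profile::vault_agent_rollout --targets <host>`; the returned ResultSet carries the owner and mode of each target's sink, which is the value to check before pointing an application at the token file. To remove the agent again, pass `'action' => 'remove'` in the run_plan call, which the plan maps to `ensure => absent` on the defined type.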