
Commit 8ea844a

Use Sensitive for Secrets
To avoid revealing secrets, accept the Sensitive data type. Render templates as Sensitive content if the secrets were given as Sensitive.
1 parent 5db0077 commit 8ea844a


13 files changed

+56
-34
lines changed


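--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -539,7 +539,7 @@ Default value: `$zabbix::params::server_api_user`
 
 ##### <a name="-zabbix--zabbix_api_pass"></a>`zabbix_api_pass`
 
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 
 Password of the user which connects to the api. Default: zabbix
 
@@ -653,7 +653,7 @@ Default value: `$zabbix::params::server_database_user`
 
 ##### <a name="-zabbix--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 
 Database password. ignored for sqlite.
 
@@ -2290,7 +2290,7 @@ Default value: `$zabbix::params::server_database_user`
 
 ##### <a name="-zabbix--database--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 
 The password of the database_user.
 
@@ -2898,7 +2898,7 @@ Default value: `$zabbix::params::proxy_database_user`
 
 ##### <a name="-zabbix--proxy--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 
 Database password. ignored for sqlite.
 
@@ -3860,7 +3860,7 @@ API username.
 
 ##### <a name="-zabbix--resources--web--zabbix_pass"></a>`zabbix_pass`
 
-Data type: `String[1]`
+Data type: `Variant[Sensitive[String[1]], String[1]]`
 
 API password.
 
@@ -4269,7 +4269,7 @@ Default value: `$zabbix::params::server_database_user`
 
 ##### <a name="-zabbix--server--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 
 Database password. ignored for sqlite.
 
@@ -5254,7 +5254,7 @@ Default value: `$zabbix::params::server_api_user`
 
 ##### <a name="-zabbix--web--zabbix_api_pass"></a>`zabbix_api_pass`
 
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 
 Password of the user which connects to the api. Default: zabbix
 
@@ -5312,7 +5312,7 @@ Default value: `$zabbix::params::server_database_user`
 
 ##### <a name="-zabbix--web--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 
 Database password. ignored for sqlite.
 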

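--- a/manifests/database.pp
+++ b/manifests/database.pp
@@ -76,7 +76,7 @@
 $database_schema_path = $zabbix::params::database_schema_path,
 $database_name = $zabbix::params::server_database_name,
 $database_user = $zabbix::params::server_database_user,
-$database_password = $zabbix::params::server_database_password,
+Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
 $database_host = $zabbix::params::server_database_host,
 $database_host_ip = $zabbix::params::server_database_host_ip,
 $database_charset = $zabbix::params::server_database_charset,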

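--- a/manifests/database/mysql.pp
+++ b/manifests/database/mysql.pp
@@ -16,13 +16,15 @@
 $database_schema_path = '',
 $database_name = '',
 $database_user = '',
-$database_password = '',
+Variant[Sensitive[String], String] $database_password = '',
 $database_host = '',
 Optional[Stdlib::Port::Unprivileged] $database_port = undef,
 $database_path = $zabbix::params::database_path,
 ) inherits zabbix::params {
 assert_private()
 
+$database_password_unsensitive = $database_password.unwrap
+
 if ($database_schema_path == false) or ($database_schema_path == '') {
 if versioncmp($zabbix_version, '6.0') >= 0 {
 $schema_path = '/usr/share/zabbix-sql-scripts/mysql/'
@@ -43,14 +45,14 @@
 case $zabbix_type {
 'proxy': {
 $zabbix_proxy_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? {
-true => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done",
-false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done"
+true => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done",
+false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done"
 }
 }
 default: {
 $zabbix_server_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? {
-true => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done",
-false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done"
+true => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done",
+false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done"
 }
 }
 }
@@ -59,7 +61,11 @@
 case $zabbix_type {
 'proxy' : {
 exec { 'zabbix_proxy_create.sql':
-command => $zabbix_proxy_create_sql,
+command => if $database_password =~ Sensitive {
+Sensitive($zabbix_proxy_create_sql)
+} else {
+$zabbix_proxy_create_sql
+},
 path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
 unless => 'test -f /etc/zabbix/.schema.done',
 provider => 'shell',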
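Review bot: Only the 'proxy' exec in the last hunk wraps its command in Sensitive; the default-branch exec that runs `$zabbix_server_create_sql` lies outside the hunk and, going by this section's 12-added/6-removed count, appears unchanged, so on a server install the unwrapped password built in the second hunk would still be serialized in plaintext into the catalog and into any failed-exec output. Independently of the Sensitive wrapping, `-p'${database_password_unsensitive}'` places the password on the mysql command line, where every local user can read it via `ps` or `/proc/*/cmdline` for the duration of the schema import, and a password containing a single quote breaks the shell quoting of the whole command. Consider handing the secret to mysql out of band — a mode-0600 option file written by a `file` resource with `content => Sensitive(...)` and passed via `--defaults-extra-file` — and, since the command always embeds the database password, wrapping unconditionally with `command => Sensitive($zabbix_proxy_create_sql),` on both execs rather than gating on the input type.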
@@ -59,7 +61,11 @@
5961
case $zabbix_type {
6062
'proxy' : {
6163
exec { 'zabbix_proxy_create.sql':
62-
command => $zabbix_proxy_create_sql,
64+
command => if $database_password =~ Sensitive {
65+
Sensitive($zabbix_proxy_create_sql)
66+
} else {
67+
$zabbix_proxy_create_sql
68+
},
6369
path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
6470
unless => 'test -f /etc/zabbix/.schema.done',
6571
provider => 'shell',

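--- a/manifests/database/postgresql.pp
+++ b/manifests/database/postgresql.pp
@@ -16,13 +16,16 @@
 $database_schema_path = '',
 $database_name = '',
 $database_user = '',
-$database_password = '',
+Variant[Sensitive[String], String] $database_password = '',
 $database_host = '',
 Stdlib::Port::Unprivileged $database_port = 5432,
 $database_path = $zabbix::params::database_path,
 ) inherits zabbix::params {
 assert_private()
 
+# TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+$database_password_unsensitive = $database_password.unwrap
+
 if $database_schema_path != false and $database_schema_path != '' {
 $schema_path = $database_schema_path
 } elsif versioncmp($zabbix_version, '6.0') >= 0 {
@@ -56,7 +59,7 @@
 "PGHOST=${database_host}",
 "PGPORT=${database_port}",
 "PGUSER=${database_user}",
-"PGPASSWORD=${database_password}",
+"PGPASSWORD=${database_password_unsensitive}",
 "PGDATABASE=${database_name}",
 ]
 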
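Review bot: `"PGPASSWORD=${database_password_unsensitive}"` in the second hunk puts the unwrapped password into a plain array and nothing in this file re-wraps it, so when a Sensitive password is supplied it is still serialized in plaintext into the catalog and into whatever exec consumes this array (the consumer is outside the hunk) — the opposite of what mysql.pp does for its command. Consider dropping PGPASSWORD from the environment and instead writing a mode-0600 `.pgpass` via a `file` resource with `content => Sensitive(...)`, which keeps the secret out of the catalog regardless of how the input was typed. The `# TODO: use EPP instead of ERB` comment added in the first hunk does not fit this file, where the unwrapped value feeds an environment array rather than a template; suggest `# TODO: the exec environment below is not Sensitive, so the unwrapped password still reaches the catalog` instead.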

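--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -251,7 +251,7 @@
 Optional[Stdlib::Absolutepath] $ldap_clientkey = $zabbix::params::ldap_clientkey,
 Optional[Enum['never', 'allow', 'try', 'demand', 'hard']] $ldap_reqcert = $zabbix::params::ldap_reqcert,
 $zabbix_api_user = $zabbix::params::server_api_user,
-$zabbix_api_pass = $zabbix::params::server_api_pass,
+Variant[Sensitive[String], String] $zabbix_api_pass = $zabbix::params::server_api_pass,
 Optional[Array[Stdlib::Host,1]] $zabbix_api_access = $zabbix::params::server_api_access,
 $listenport = $zabbix::params::server_listenport,
 $sourceip = $zabbix::params::server_sourceip,
@@ -265,7 +265,7 @@
 $database_schema = $zabbix::params::server_database_schema,
 Boolean $database_double_ieee754 = $zabbix::params::server_database_double_ieee754,
 $database_user = $zabbix::params::server_database_user,
-$database_password = $zabbix::params::server_database_password,
+Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
 $database_socket = $zabbix::params::server_database_socket,
 $database_port = $zabbix::params::server_database_port,
 $database_charset = $zabbix::params::server_database_charset,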

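--- a/manifests/proxy.pp
+++ b/manifests/proxy.pp
@@ -222,7 +222,7 @@
 $database_name = $zabbix::params::proxy_database_name,
 $database_schema = $zabbix::params::proxy_database_schema,
 $database_user = $zabbix::params::proxy_database_user,
-$database_password = $zabbix::params::proxy_database_password,
+Variant[Sensitive[String], String] $database_password = $zabbix::params::proxy_database_password,
 $database_socket = $zabbix::params::proxy_database_socket,
 $database_port = $zabbix::params::proxy_database_port,
 $database_charset = $zabbix::params::server_database_charset,
@@ -306,6 +306,9 @@
 Boolean $manage_selinux = $zabbix::params::manage_selinux,
 Optional[Stdlib::Absolutepath] $socketdir = $zabbix::params::proxy_socketdir,
 ) inherits zabbix::params {
+# TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+$database_password_unsensitive = $database_password.unwrap
+
 # check osfamily, Arch is currently not supported for web
 if $facts['os']['family'] == 'Archlinux' {
 fail('Archlinux is currently not supported for zabbix::proxy ')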
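Review bot: The unwrap added in the second hunk is not matched by any re-wrapping in this file: the section's entire change is the 4 added / 1 removed lines visible here, so the file resource that renders the proxy configuration from ERB with `$database_password_unsensitive` (outside the hunk) still receives plain-string content. A Sensitive password therefore ends up in the catalog and in `show_diff`/report output exactly as a plain one did, which is what the commit message says is being prevented. Suggest mirroring web.pp on that file resource with `content => Sensitive(template(...))` — unconditionally, since the config always contains the password — and replacing the TODO with a comment that states the contract, e.g. `# Unwrapped for ERB only; the rendered config must be re-wrapped as Sensitive where it is written`.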

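--- a/manifests/resources/web.pp
+++ b/manifests/resources/web.pp
@@ -6,7 +6,7 @@
 class zabbix::resources::web (
 String[1] $zabbix_url,
 String[1] $zabbix_user,
-String[1] $zabbix_pass,
+Variant[Sensitive[String[1]], String[1]] $zabbix_pass,
 Boolean $apache_use_ssl,
 ) {
 file { '/etc/zabbix/api.conf':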
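Review bot: Accepting a Sensitive `$zabbix_pass` changes nothing about how `/etc/zabbix/api.conf` is written: the `file` resource that starts on the hunk's last line continues outside the hunk, and with a possibly-Sensitive input its `content` should be wrapped so the API password is not serialized into the catalog, e.g. `content => Sensitive(epp('zabbix/api.conf.epp', { ... })),`. Note also that passing a Sensitive value as an EPP parameter does not unwrap it; if the template body interpolates `$zabbix_pass` directly, the rendered file will carry Puppet's redacted placeholder rather than the password — the template body is not in this diff, so please confirm. A short comment on the parameter would make the contract explicit: `# May be Sensitive; the template must unwrap it and the file content is re-wrapped below`.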

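--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -195,7 +195,7 @@
 $database_name = $zabbix::params::server_database_name,
 $database_schema = $zabbix::params::server_database_schema,
 $database_user = $zabbix::params::server_database_user,
-$database_password = $zabbix::params::server_database_password,
+Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
 $database_socket = $zabbix::params::server_database_socket,
 Optional[Stdlib::Port::Unprivileged] $database_port = $zabbix::params::server_database_port,
 Optional[Enum['required', 'verify_ca', 'verify_full']] $database_tlsconnect = $zabbix::params::server_database_tlsconnect,
@@ -281,6 +281,9 @@
 Optional[String[1]] $hanodename = $zabbix::params::server_hanodename,
 Optional[String[1]] $nodeaddress = $zabbix::params::server_nodeaddress,
 ) inherits zabbix::params {
+# TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+$database_password_unsensitive = $database_password.unwrap
+
 # zabbix server 5.2, 5.4 and 6.0 is not supported on RHEL 7.
 # https://www.zabbix.com/documentation/current/manual/installation/install_from_packages/rhel_centos
 if $facts['os']['family'] == 'RedHat' and versioncmp($zabbix_version, '5.2') >= 0 {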
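Review bot: `$database_password_unsensitive` is unwrapped in the second hunk, but unlike web.pp nothing in server.pp re-wraps the rendered server configuration: this section's whole change is the 4 added / 1 removed lines shown, so the file resource that feeds this variable into the ERB template (outside the hunk) still gets plain-string content and a Sensitive password lands in the catalog, reports and `show_diff` output as before. The class body continues well past the hunk, so this is inferred from the section's line count rather than seen. Suggest applying the same treatment as web.pp on that file resource, `content => Sensitive(template(...))`, unconditionally since the server config always contains the password, and documenting why the plain variable exists: `# Unwrapped only because ERB cannot interpolate Sensitive; never pass this to a resource unwrapped`.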

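--- a/manifests/web.pp
+++ b/manifests/web.pp
@@ -114,14 +114,14 @@
 Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport = $zabbix::params::apache_listenport,
 Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport_ssl = $zabbix::params::apache_listenport_ssl,
 $zabbix_api_user = $zabbix::params::server_api_user,
-$zabbix_api_pass = $zabbix::params::server_api_pass,
+Variant[Sensitive[String], String] $zabbix_api_pass = $zabbix::params::server_api_pass,
 Optional[Array[Stdlib::Host,1]] $zabbix_api_access = $zabbix::params::server_api_access,
 $database_host = $zabbix::params::server_database_host,
 $database_name = $zabbix::params::server_database_name,
 $database_schema = $zabbix::params::server_database_schema,
 Boolean $database_double_ieee754 = $zabbix::params::server_database_double_ieee754,
 $database_user = $zabbix::params::server_database_user,
-$database_password = $zabbix::params::server_database_password,
+Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
 $database_socket = $zabbix::params::server_database_socket,
 $database_port = $zabbix::params::server_database_port,
 $zabbix_server = $zabbix::params::zabbix_server,
@@ -146,6 +146,9 @@
 Boolean $manage_selinux = $zabbix::params::manage_selinux,
 Hash[String[1], Any] $apache_vhost_custom_params = {},
 ) inherits zabbix::params {
+# TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+$database_password_unsensitive = $database_password.unwrap
+
 # check osfamily, Arch is currently not supported for web
 if $facts['os']['family'] in ['Archlinux', 'Gentoo',] {
 fail("${facts['os']['family']} is currently not supported for zabbix::web")
@@ -262,7 +265,11 @@
 group => $web_config_group,
 mode => '0640',
 replace => true,
-content => template('zabbix/web/zabbix.conf.php.erb'),
+content => if $database_password =~ Sensitive {
+Sensitive(template('zabbix/web/zabbix.conf.php.erb'))
+} else {
+template('zabbix/web/zabbix.conf.php.erb')
+},
 }
 
 # For API to work on Zabbix 5.x zabbix.conf.php needs to be in the root folder.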
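Review bot: The `if $database_password =~ Sensitive` gate in the last hunk means that for every user who still passes a plain String, the rendered zabbix.conf.php — which contains the database password either way — keeps going into the catalog, reports and `show_diff` output in plaintext. Since the content is secret regardless of how the input was typed, `content => Sensitive(template('zabbix/web/zabbix.conf.php.erb')),` unconditionally is shorter, safer and drops the five-line conditional. Separately, `$zabbix_api_pass` is widened to Sensitive in the first hunk but is never unwrapped in this file; if any ERB rendered by this class interpolates it, the output would contain Puppet's redacted placeholder instead of the password — the consumers are outside the hunks, so please confirm where it flows.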

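--- a/templates/api.conf.epp
+++ b/templates/api.conf.epp
@@ -1,6 +1,6 @@
 <%- | String[1] $zabbix_url,
 String[1] $zabbix_user,
-String[1] $zabbix_pass,
+Variant[Sensitive[String[1]], String[1]] $zabbix_pass,
 Boolean $apache_use_ssl,
 | -%>
 # MANAGED BY PUPPET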
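Review bot: Widening the parameter type is only half of the job: an EPP template receives the Sensitive object as-is, so wherever the body (outside this hunk) interpolates `$zabbix_pass` it needs to unwrap it, otherwise the rendered api.conf carries Puppet's redacted placeholder rather than the password and the API login silently breaks. The manifests in this commit rely on `unwrap` accepting a non-Sensitive value too, which depends on the module's minimum Puppet version; if that floor is not already guaranteed, the form `<%= if $zabbix_pass =~ Sensitive { $zabbix_pass.unwrap } else { $zabbix_pass } %>` keeps both input types working. A header comment would make the contract visible to the next reader: `# $zabbix_pass may be Sensitive; unwrap only at the point of interpolation`.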
