feat: manage openbao audit devices

- manage openbao audit devices in the configuration file - enable audit and audit_raw logs - enable api access to creating audit devices - restart vault service when changing the configuration file
2025-11-20 19:48:37 +11:00 · 2025-11-20 19:48:37 +11:00 · 35935db963
commit 35935db963
parent a5b9850e82
2 changed files with 20 additions and 22 deletions
--- a/hieradata/roles/infra/storage/vault.yaml
+++ b/hieradata/roles/infra/storage/vault.yaml
@ -4,7 +4,21 @@ profiles::vault::server::members_lookup: true
 profiles::vault::server::data_dir: /data/vault
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
-profiles::vault::server::audit_log: /data/vault/audit.log
+profiles::vault::server::audit_devices:
+  - file:
+      audit_raw:
+        options:
+          path: audit_raw
+          type: file
+          file_path: /data/vault/audit_raw.log
+          log_raw: "true"
+  - file:
+      audit_file:
+        options:
+          path: audit_file
+          type: file
+          file_path: /data/vault/audit.log
+          log_raw: "false"
 vault::package_name: openbao
 vault::package_ensure: latest

--- a/site/profiles/manifests/vault/server.pp
+++ b/site/profiles/manifests/vault/server.pp
@ -15,7 +15,7 @@ class profiles::vault::server (
  Stdlib::Absolutepath $ssl_crt     = '/etc/pki/tls/vault/certificate.crt',
  Stdlib::Absolutepath $ssl_key     = '/etc/pki/tls/vault/private.key',
  Stdlib::Absolutepath $ssl_ca      = '/etc/pki/tls/certs/ca-bundle.crt',
-  Stdlib::Absolutepath $audit_log   = '/var/log/vault_audit.log',
+  Optional[Array[Hash]] $audit_devices = undef,
 ){

  # set a datacentre/cluster name
@ -64,18 +64,9 @@ class profiles::vault::server (
      },
      api_addr           => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
      extra_config       => {
-        cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
-        audit        => [
-          {
-            file => {
-              'audit-file' => {
-                options => {
-                  file_path => $audit_log,
-                }
-              }
-            }
-          }
-        ],
+        cluster_addr                    => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
+        audit                           => $audit_devices,
+        unsafe_allow_api_audit_creation => true,
      },
      listener           => [
        {
@ -97,18 +88,11 @@ class profiles::vault::server (
      ]
    }

-    # ensure the vault audit log exists
-    file { $audit_log:
-      ensure => 'file',
-      owner  => 'vault',
-      group  => 'vault',
-      mode   => '0600',
-    }

    service { 'vault':
      ensure    => true,
      enable    => true,
-      subscribe => [File[$ssl_crt], File[$ssl_key]],
+      subscribe => [File[$ssl_crt], File[$ssl_key], File['/etc/vault/config.json']],
    }

    # include classes to manage vault