From 669f0153aa39b070657724fb1d544b771459c98e Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Thu, 20 Nov 2025 19:48:37 +1100
Subject: [PATCH] feat: manage openbao audit devices

- manage openbao audit devices in the configuration file
- enable audit and audit_raw logs
---
 hieradata/roles/infra/storage/vault.yaml | 13 ++++++++++++-
 site/profiles/manifests/vault/server.pp  | 23 +++-------------------
 2 files changed, 15 insertions(+), 21 deletions(-)

diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml
index c7b0ff1..45ac99a 100644
--- a/hieradata/roles/infra/storage/vault.yaml
+++ b/hieradata/roles/infra/storage/vault.yaml
@@ -4,7 +4,18 @@ profiles::vault::server::members_lookup: true
 profiles::vault::server::data_dir: /data/vault
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
-profiles::vault::server::audit_log: /data/vault/audit.log
+profiles::vault::server::audit_devices:
+  - file:
+      audit-raw:
+        options:
+          file_path: /data/vault/audit_raw.log
+          log_raw: "true"
+          type: request
+  - file:
+      audit-file:
+        options:
+          file_path: /data/vault/audit.log
+          log_raw: "false"
 
 vault::package_name: openbao
 vault::package_ensure: latest
diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp
index e5dcf9c..32f2b53 100644
--- a/site/profiles/manifests/vault/server.pp
+++ b/site/profiles/manifests/vault/server.pp
@@ -15,7 +15,7 @@ class profiles::vault::server (
   Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
   Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
   Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
-  Stdlib::Absolutepath $audit_log = '/var/log/vault_audit.log',
+  Optional[Array[Hash]] $audit_devices = undef,
 ){
 
   # set a datacentre/cluster name
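Review bot: The `audit-raw` device sets `log_raw: "true"`, so /data/vault/audit_raw.log will hold unhashed tokens, client IPs and secret paths and, for any entry that is not a request, the secret values themselves; that file has to be protected like the storage backend, yet nothing in the hieradata says so. If `type: request` is intended to limit the raw device to request entries, confirm OpenBao's file backend actually honours that key — the options Vault's file audit device documents are `file_path`, `log_raw`, `hmac_accessor`, `mode`, `format` and `prefix`, and an unrecognised option may be silently ignored, leaving responses logged raw as well. Because the Puppet `file` resource that pinned 0600 on the audit log is removed elsewhere in this commit, set the mode explicitly on both devices with `mode: "0600"` instead of relying on the device default, and record the justification above the raw device, e.g. `# audit-raw: unhashed request log for incident triage - contains secrets, keep 0600 and off shared log shippers`.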
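Review bot: Removing `$audit_log` from the class signature turns any hieradata that still sets `profiles::vault::server::audit_log` into a catalog compile failure (`has no parameter named 'audit_log'`); only the storage role's hieradata is migrated in this commit, so other roles using this profile should be checked, or the old parameter kept for one cycle as `Optional[Stdlib::Absolutepath] $audit_log = undef, # deprecated: use $audit_devices`. The new `Optional[Array[Hash]]` type accepts any hash, so malformed hieradata is only caught when OpenBao refuses to start; since each entry is expected to be `{ <backend> => { <name> => { options => {...} } } }`, `Optional[Array[Hash[String, Hash[String, Hash]]]]` would reject it at compile time, and a one-line `# list of audit devices rendered into the OpenBao config; see hieradata for the shape` above the parameter would help the next reader. The class body continues outside the hunk.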
@@ -64,18 +64,8 @@ class profiles::vault::server (
     },
     api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
     extra_config => {
-      cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
-      audit => [
-        {
-          file => {
-            'audit-file' => {
-              options => {
-                file_path => $audit_log,
-              }
-            }
-          }
-      ],
+      cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
+      unsafe_allow_api_audit_creation => 'true',
     },
     listener => [
       {
@@ -97,13 +87,6 @@ class profiles::vault::server (
     ]
   }
 
-  # ensure the vault audit log exists
-  file { $audit_log:
-    ensure => 'file',
-    owner => 'vault',
-    group => 'vault',
-    mode => '0600',
-  }
 
   service { 'vault':
     ensure => true,
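Review bot: The new `$audit_devices` parameter is never handed to the `vault` class — this hunk deletes the hard-coded `audit` entry from `extra_config` and adds only `unsafe_allow_api_audit_creation => 'true'` in its place, so unless the wiring happens outside the diff the rendered config declares no audit device at all and the server runs unaudited. Render the devices from the parameter and drop the key when it is undef, e.g. `extra_config => delete_undef_values({ cluster_addr => "...", audit => $audit_devices, unsafe_allow_api_audit_creation => 'true' }),`, otherwise an undef parameter would emit `audit: null`. The `unsafe_` prefix suggests OpenBao treats re-enabling API-side audit management for config-declared devices as a weakening of the config-is-authoritative guarantee, so it deserves to be a class parameter defaulting to false with a comment such as `# allow operators to add audit devices via the API in addition to the config-managed ones`, and `'true'` is a string rather than a boolean, so confirm the config renderer (or OpenBao's parser) accepts that form before relying on it. The `class { 'vault': ... }` resource starts and ends outside the hunk.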
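Review bot: Dropping the `file { $audit_log: ... mode => '0600' }` resource leaves neither /data/vault/audit.log nor the raw /data/vault/audit_raw.log with Puppet-enforced ownership or permissions, and the raw file, if it is enabled as the hieradata in this commit does, contains unhashed secrets; if an operator or a log shipper ever loosens the mode, nothing on the host corrects it. Keep a managed resource derived from the new parameter — collect the `file_path` of each device's options into `$audit_paths` and declare `file { $audit_paths: ensure => 'file', owner => 'vault', group => 'vault', mode => '0600' }` — or at minimum leave a comment in place of the deleted block stating that file mode is delegated to each device's `mode` option, whose default is 0600 in Vault's file backend (confirm the same holds for OpenBao). The surrounding class continues outside the hunk.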