From 8f8a79c601acf8fcdbe0d86ab443183bb25b0cfd Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 3 May 2025 22:20:31 +1000
Subject: [PATCH] feat: ensure the vault audit_log exists - without this, vault will not take a leadership role
---
 site/profiles/manifests/vault/server.pp | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp
index 84398f4..d73a4a3 100644
--- a/site/profiles/manifests/vault/server.pp
+++ b/site/profiles/manifests/vault/server.pp
@@ -15,6 +15,7 @@ class profiles::vault::server (
 Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
 Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
 Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
+ Stdlib::Absolutepath $audit_log = '/var/log/vault_audit.log',
 ){
 # set a datacentre/cluster name
@@ -85,6 +86,14 @@ class profiles::vault::server (
 ]
 }
+ # ensure the vault audit log exists
+ file { $audit_log:
+ ensure => 'file',
+ owner => 'vault',
+ group => 'vault',
+ mode => '0600',
+ }
+
 service { 'vault':
 ensure => true,
 enable => true,
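Review bot: The new `$audit_log` parameter in the class signature is, within this patch, only consumed by the `file` resource in the second hunk; nothing visible ties it to the path the Vault file audit device actually writes to. If that device is enabled out of band with a fixed `file_path`, overriding the parameter would create an unused file while the real audit path stays unmanaged, and Vault could again stall when it cannot write its audit log. I would document the coupling next to the parameter, e.g. `# must match the file_path of the enabled file audit device`, or derive both from one value if the device is managed elsewhere in the profile. The class body continues outside the hunk, so this may already be handled there.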
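Review bot: The `file { $audit_log: }` resource declares no relationship to `Service['vault']`, so the guarantee described in the commit message rests on manifest ordering alone; adding `before => Service['vault'],` makes the dependency explicit and keeps it intact if the resources are later reordered. The resource also assumes the `vault` user and group already exist when it is applied, which is not visible in this hunk — if a package or user resource creates them, a `require` on it is worth adding. Mode `0600` owned by `vault` is suitably tight for an audit log, but the audited process can still rewrite its own file, so forwarding the log off-host is what preserves its evidentiary value. The `service` resource continues past the end of the hunk.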