feat: manage openbao audit devices

- manage openbao audit devices in the configuration file

hieradata/roles/infra/storage/vault.yaml

@@ -4,7 +4,11 @@ profiles::vault::server::members_lookup: true
 profiles::vault::server::data_dir: /data/vault
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
-profiles::vault::server::audit_log: /data/vault/audit.log
+profiles::vault::server::audit_devices:
+  - file:
+      audit-file:
+        options:
+          file_path: /data/vault/audit.log
 vault::package_name: openbao
 vault::package_ensure: latest
 

site/profiles/manifests/vault/server.pp

@@ -15,7 +15,7 @@ class profiles::vault::server (
   Stdlib::Absolutepath $ssl_crt     = '/etc/pki/tls/vault/certificate.crt',
   Stdlib::Absolutepath $ssl_key     = '/etc/pki/tls/vault/private.key',
   Stdlib::Absolutepath $ssl_ca      = '/etc/pki/tls/certs/ca-bundle.crt',
-  Stdlib::Absolutepath $audit_log   = '/var/log/vault_audit.log',
+  Optional[Array[Hash]] $audit_devices = undef,
 ){
 
   # set a datacentre/cluster name
@@ -65,18 +65,8 @@ class profiles::vault::server (
       api_addr           => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
       extra_config       => {
         cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
-        audit        => [
-          {
-            file => {
-              'audit-file' => {
-                options => {
-                  file_path => $audit_log,
-                }
-              }
-            }
-          }
-        ],
       },
+      audit              => $audit_devices,
       listener           => [
         {
           tcp => {
@@ -97,13 +87,6 @@ class profiles::vault::server (
       ]
     }
 
-    # ensure the vault audit log exists
-    file { $audit_log:
-      ensure => 'file',
-      owner  => 'vault',
-      group  => 'vault',
-      mode   => '0600',
-    }
 
     service { 'vault':
       ensure    => true,