feat: manage openbao audit devices

- manage openbao audit devices in the configuration file
- enable audit and audit_raw logs
- enable api access to creating audit devices
- restart vault service when changing the configuration file

hieradata/roles/infra/storage/vault.yaml

@@ -4,6 +4,21 @@ profiles::vault::server::members_lookup: true
 profiles::vault::server::data_dir: /data/vault
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
+profiles::vault::server::audit_devices:
+  - file:
+      audit_raw:
+        options:
+          path: audit_raw
+          type: file
+          file_path: /data/vault/audit_raw.log
+          log_raw: "true"
+  - file:
+      audit_file:
+        options:
+          path: audit_file
+          type: file
+          file_path: /data/vault/audit.log
+          log_raw: "false"
 vault::package_name: openbao
 vault::package_ensure: latest
 

site/profiles/manifests/vault/server.pp

@@ -15,7 +15,7 @@ class profiles::vault::server (
   Stdlib::Absolutepath $ssl_crt     = '/etc/pki/tls/vault/certificate.crt',
   Stdlib::Absolutepath $ssl_key     = '/etc/pki/tls/vault/private.key',
   Stdlib::Absolutepath $ssl_ca      = '/etc/pki/tls/certs/ca-bundle.crt',
-  Stdlib::Absolutepath $audit_log   = '/var/log/vault_audit.log',
+  Optional[Array[Hash]] $audit_devices = undef,
 ){
 
   # set a datacentre/cluster name
@@ -64,7 +64,9 @@ class profiles::vault::server (
       },
       api_addr           => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
       extra_config       => {
-        cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
+        cluster_addr                    => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
+        audit                           => $audit_devices,
+        unsafe_allow_api_audit_creation => true,
       },
       listener           => [
         {
@@ -86,18 +88,11 @@ class profiles::vault::server (
       ]
     }
 
-    # ensure the vault audit log exists
-    file { $audit_log:
-      ensure => 'file',
-      owner  => 'vault',
-      group  => 'vault',
-      mode   => '0600',
-    }
 
     service { 'vault':
       ensure    => true,
       enable    => true,
-      subscribe => [File[$ssl_crt], File[$ssl_key]],
+      subscribe => [File[$ssl_crt], File[$ssl_key], File['/etc/vault/config.json']],
     }
 
     # include classes to manage vault