unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity
3ce2ec3754
puppet-prod/site/profiles/manifests/vault/unseal.pp
Ben Vincent 7863d54275 feat: auto-unseal vault every hour 
- add cron job to run vault unsealing service hourly
2024-08-06 22:51:16 +10:00

48 lines
1.3 KiB
Puppet
Raw Blame History

# profiles::vault::unseal
class profiles::vault::unseal (
Array[String] $unseal_keys = lookup('vault::unseal_keys', Array[String], 'first', []),
Variant[
Stdlib::HTTPSUrl,
Stdlib::HTTPUrl
] $vault_address = 'http://127.0.0.1:8200',
){
# deploy the unseal keys file
file { '/etc/vault/unseal_keys':
ensure => file,
owner => 'root',
group => 'root',
mode => '0600',
content => Sensitive(template('profiles/vault/unseal_keys.erb')),
require => Class['vault'],
}
# deploy the unseal script
file { '/usr/local/bin/vault-unseal.sh':
ensure => file,
owner => 'root',
group => 'root',
mode => '0750',
content => template('profiles/vault/vault_unseal.sh.erb'),
}
# create systemd service unit
systemd::unit_file { 'vault-unseal.service':
content => template('profiles/vault/vault-unseal.service.erb'),
active => true,
enable => true,
require => File['/usr/local/bin/vault-unseal.sh'],
subscribe => [Service['vault'],File['/etc/vault/unseal_keys']],
}
# restart the vault-unseal service hourly to ensure vault is unsealled
cron { 'restart_vault_unseal':
ensure => 'present',
user => 'root',
command => '/bin/systemctl restart vault-unseal',
minute => fqdn_rand(60),
hour => '*',
require => Service['vault-unseal'],
}
}
Reference in New Issue View Git Blame Copy Permalink