├── .editorconfig ├── .envrc ├── .gitattributes ├── .github ├── CODEOWNERS ├── lock.yml └── workflows │ ├── ci.yml │ └── stale.yml ├── .gitignore ├── .markdownlint-cli2.yaml ├── .mdlrc ├── .overcommit.yml ├── .rubocop.yml ├── .vscode └── extensions.json ├── .yamllint ├── Berksfile ├── CHANGELOG.md ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── Dangerfile ├── LICENSE ├── README.md ├── TESTING.md ├── UPGRADING.md ├── chefignore ├── documentation ├── .gitkeep ├── hashicorp_vault_config.md ├── hashicorp_vault_config_auto_auth.md ├── hashicorp_vault_config_entropy.md ├── hashicorp_vault_config_global.md ├── hashicorp_vault_config_listener.md ├── hashicorp_vault_config_seal.md ├── hashicorp_vault_config_service_registration.md ├── hashicorp_vault_config_storage.md ├── hashicorp_vault_config_template.md ├── hashicorp_vault_install.md └── hashicorp_vault_service.md ├── kitchen.dokken.yml ├── kitchen.exec.yml ├── kitchen.global.yml ├── kitchen.yml ├── libraries ├── common.rb ├── helpers.rb ├── install.rb ├── resource.rb └── template.rb ├── metadata.rb ├── renovate.json ├── resources ├── config.rb ├── config_auto_auth.rb ├── config_entropy.rb ├── config_global.rb ├── config_listener.rb ├── config_seal.rb ├── config_service_registration.rb ├── config_storage.rb ├── config_template.rb ├── install.rb ├── partial │ ├── _config_hcl_base.rb │ ├── _config_hcl_item.rb │ └── _config_hcl_item_type.rb └── service.rb ├── spec ├── spec_helper.rb └── unit │ └── resources │ ├── config_auto_auth_spec.rb │ ├── config_entropy_spec.rb │ ├── config_listener_spec.rb │ ├── config_seal_spec.rb │ ├── config_service_registration_spec.rb │ ├── config_storage_spec.rb │ ├── config_template_spec.rb │ ├── install_spec.rb │ └── service_spec.rb ├── templates └── default │ └── vault │ ├── _hcl_item.erb │ ├── _hcl_items_contained.erb │ ├── _hcl_settings.erb │ └── hcl.erb └── test ├── cookbooks └── test │ ├── metadata.rb │ └── recipes │ ├── agent_hcl.rb │ ├── agent_json.rb │ ├── server_hcl.rb │ ├── 
server_hcl_ark.rb │ └── server_json.rb └── integration ├── agent_hcl └── default_spec.rb ├── agent_json └── default_spec.rb ├── server_hcl └── default_spec.rb ├── server_hcl_ark └── default_spec.rb └── server_json └── default_spec.rb /.editorconfig: -------------------------------------------------------------------------------- 1 | # https://EditorConfig.org 2 | 3 | # top-most EditorConfig file 4 | root=true 5 | 6 | # Unix-style newlines with a newline ending every file 7 | [*] 8 | end_of_line = lf 9 | insert_final_newline = true 10 | 11 | # 2 space indentation 12 | indent_style = space 13 | indent_size = 2 14 | 15 | # Avoid issues parsing cookbook files later 16 | charset = utf-8 17 | 18 | # Avoid cookstyle warnings 19 | trim_trailing_whitespace = true 20 | -------------------------------------------------------------------------------- /.envrc: -------------------------------------------------------------------------------- 1 | use chefworkstation 2 | export KITCHEN_GLOBAL_YAML=kitchen.global.yml 3 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto eol=lf 2 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @sous-chefs/maintainers 2 | -------------------------------------------------------------------------------- /.github/lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | daysUntilLock: 365 3 | exemptLabels: [] 4 | lockLabel: false 5 | lockComment: > 6 | This thread has been automatically locked since there has not been 7 | any recent activity after it was closed. Please open a new issue for 8 | related bugs. 
9 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: CI 2 | 3 | "on": 4 | pull_request: 5 | push: 6 | branches: [main] 7 | 8 | jobs: 9 | lint-unit: 10 | uses: sous-chefs/.github/.github/workflows/lint-unit.yml@3.1.1 11 | with: 12 | gems: "hcl-checker" 13 | 14 | integration: 15 | needs: lint-unit 16 | runs-on: ubuntu-latest 17 | strategy: 18 | matrix: 19 | os: 20 | - almalinux-8 21 | - amazonlinux-2 22 | - centos-7 23 | - centos-stream-8 24 | - debian-10 25 | - debian-11 26 | - fedora-latest 27 | - rockylinux-8 28 | - ubuntu-1804 29 | - ubuntu-2004 30 | suite: 31 | - server-json 32 | - server-hcl 33 | - server-hcl-ark 34 | - agent-json 35 | - agent-hcl 36 | fail-fast: false 37 | 38 | steps: 39 | - name: Check out code 40 | uses: actions/checkout@v4 41 | - name: Install Chef 42 | uses: actionshub/chef-install@3.0.0 43 | - name: Dokken 44 | uses: actionshub/test-kitchen@3.0.0 45 | env: 46 | CHEF_LICENSE: accept-no-persist 47 | KITCHEN_LOCAL_YAML: kitchen.dokken.yml 48 | with: 49 | suite: ${{ matrix.suite }} 50 | os: ${{ matrix.os }} 51 | -------------------------------------------------------------------------------- /.github/workflows/stale.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Mark stale issues and pull requests 3 | 4 | "on": 5 | schedule: [cron: "0 0 * * *"] 6 | 7 | jobs: 8 | stale: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/stale@v9 12 | with: 13 | repo-token: ${{ secrets.GITHUB_TOKEN }} 14 | close-issue-message: > 15 | Closing due to inactivity. 16 | If this is still an issue please reopen or open another issue. 17 | Alternatively drop by the #sous-chefs channel on the [Chef Community Slack](http://community-slack.chef.io/) and we'll be happy to help! 18 | Thanks, Sous-Chefs. 
19 | days-before-close: 7 20 | days-before-stale: 365 21 | stale-issue-message: > 22 | Marking stale due to inactivity. 23 | Remove stale label or comment or this will be closed in 7 days. 24 | Alternatively drop by the #sous-chefs channel on the [Chef Community Slack](http://community-slack.chef.io/) and we'll be happy to help! 25 | Thanks, Sous-Chefs. 26 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.rbc 2 | .config 3 | InstalledFiles 4 | pkg 5 | test/tmp 6 | test/version_tmp 7 | tmp 8 | _Store 9 | *~ 10 | *# 11 | .#* 12 | \#*# 13 | *.un~ 14 | *.tmp 15 | *.bk 16 | *.bkup 17 | 18 | # editor files 19 | .idea 20 | .*.sw[a-z] 21 | 22 | # ruby/bundler/rspec files 23 | .ruby-version 24 | .ruby-gemset 25 | .rvmrc 26 | Gemfile.lock 27 | .bundle 28 | *.gem 29 | coverage 30 | spec/reports 31 | 32 | # YARD / rdoc artifacts 33 | .yardoc 34 | _yardoc 35 | doc/ 36 | rdoc 37 | 38 | # chef infra stuff 39 | Berksfile.lock 40 | .kitchen 41 | kitchen.local.yml 42 | vendor/ 43 | .coverage/ 44 | .zero-knife.rb 45 | Policyfile.lock.json 46 | 47 | # vagrant stuff 48 | .vagrant/ 49 | .vagrant.d/ 50 | -------------------------------------------------------------------------------- /.markdownlint-cli2.yaml: -------------------------------------------------------------------------------- 1 | config: 2 | ul-indent: false # MD007 3 | line-length: false # MD013 4 | no-duplicate-heading: false # MD024 5 | reference-links-images: false # MD052 6 | ignores: 7 | - .github/copilot-instructions.md 8 | -------------------------------------------------------------------------------- /.mdlrc: -------------------------------------------------------------------------------- 1 | rules "~MD013", "~MD024", "~MD033", "~MD034" 2 | -------------------------------------------------------------------------------- /.overcommit.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | PreCommit: 3 | TrailingWhitespace: 4 | enabled: true 5 | YamlLint: 6 | enabled: true 7 | required_executable: "yamllint" 8 | ChefSpec: 9 | enabled: true 10 | required_executable: "chef" 11 | command: ["chef", "exec", "rspec"] 12 | Cookstyle: 13 | enabled: true 14 | required_executable: "cookstyle" 15 | command: ["cookstyle"] 16 | MarkdownLint: 17 | enabled: false 18 | required_executable: "npx" 19 | command: ["npx", "markdownlint-cli2", "'**/*.md'"] 20 | include: ["**/*.md"] 21 | 22 | CommitMsg: 23 | HardTabs: 24 | enabled: true 25 | -------------------------------------------------------------------------------- /.rubocop.yml: -------------------------------------------------------------------------------- 1 | AllCops: 2 | Exclude: 3 | - libraries/hcl-checker/**/* 4 | -------------------------------------------------------------------------------- /.vscode/extensions.json: -------------------------------------------------------------------------------- 1 | { 2 | "recommendations": [ 3 | "chef-software.chef", 4 | "rebornix.ruby", 5 | "editorconfig.editorconfig", 6 | "DavidAnson.vscode-markdownlint" 7 | ] 8 | } 9 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | extends: default 3 | rules: 4 | line-length: 5 | max: 256 6 | level: warning 7 | document-start: disable 8 | braces: 9 | forbid: false 10 | min-spaces-inside: 0 11 | max-spaces-inside: 1 12 | min-spaces-inside-empty: -1 13 | max-spaces-inside-empty: -1 14 | comments: 15 | min-spaces-from-content: 1 16 | -------------------------------------------------------------------------------- /Berksfile: -------------------------------------------------------------------------------- 1 | source 'https://supermarket.chef.io' 2 | 3 | metadata 4 | 5 | group :integration do 6 | cookbook 'test', 
path: './test/cookbooks/test' 7 | end 8 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Change Log 2 | 3 | All notable changes to this project will be documented in this file. 4 | 5 | ## Unreleased 6 | 7 | ## 6.3.20 - *2024-11-18* 8 | 9 | Standardise files with files in sous-chefs/repo-management 10 | 11 | Standardise files with files in sous-chefs/repo-management 12 | 13 | ## 6.3.19 - *2024-07-15* 14 | 15 | Standardise files with files in sous-chefs/repo-management 16 | 17 | Standardise files with files in sous-chefs/repo-management 18 | 19 | Standardise files with files in sous-chefs/repo-management 20 | 21 | ## 6.3.18 - *2024-05-02* 22 | 23 | ## 6.3.17 - *2024-05-02* 24 | 25 | ## 6.3.16 - *2023-10-03* 26 | 27 | ## 6.3.15 - *2023-09-04* 28 | 29 | ## 6.3.14 - *2023-09-04* 30 | 31 | ## 6.3.13 - *2023-05-16* 32 | 33 | ## 6.3.12 - *2023-05-03* 34 | 35 | ## 6.3.11 - *2023-04-07* 36 | 37 | Standardise files with files in sous-chefs/repo-management 38 | 39 | ## 6.3.10 - *2023-04-01* 40 | 41 | ## 6.3.9 - *2023-04-01* 42 | 43 | ## 6.3.8 - *2023-04-01* 44 | 45 | Standardise files with files in sous-chefs/repo-management 46 | 47 | ## 6.3.7 - *2023-03-20* 48 | 49 | Standardise files with files in sous-chefs/repo-management 50 | 51 | ## 6.3.6 - *2023-03-15* 52 | 53 | Standardise files with files in sous-chefs/repo-management 54 | 55 | ## 6.3.5 - *2023-03-02* 56 | 57 | Standardise files with files in sous-chefs/repo-management 58 | 59 | ## 6.3.4 - *2023-02-27* 60 | 61 | Standardise files with files in sous-chefs/repo-management 62 | 63 | ## 6.3.3 - *2023-02-23* 64 | 65 | Standardise files with files in sous-chefs/repo-management 66 | 67 | ## 6.3.2 - *2023-02-15* 68 | 69 | Standardise files with files in sous-chefs/repo-management 70 | 71 | Standardise files with files in sous-chefs/repo-management 72 | 73 | Standardise files with files in 
sous-chefs/repo-management 74 | 75 | ## 6.3.1 - *2022-02-08* 76 | 77 | - Remove delivery folder 78 | - Standardise files with files in sous-chefs/repo-management 79 | - Update tested platforms 80 | - Update Test Kitchen provisioner settings 81 | - Remove .delivery folder 82 | - Move to calling RSpec directly via a reusable workflow 83 | 84 | ## 6.3.0 - *2021-10-19* 85 | 86 | - Unify `:type` property as name_property in partial 87 | 88 | ## 6.2.0 - *2021-10-19* 89 | 90 | - Use `new_resource.name` as `type` part 2 91 | 92 | ## 6.1.0 - *2021-10-13* 93 | 94 | - Use `new_resource.name` as `type` 95 | 96 | ## 6.0.3 - *2021-08-30* 97 | 98 | - Standardise files with files in sous-chefs/repo-management 99 | 100 | ## 6.0.2 - *2021-06-18* 101 | 102 | - Un-vendor hcl-checker gem 103 | 104 | ## 6.0.1 - *2021-06-01* 105 | 106 | - Standardise files with files in sous-chefs/repo-management 107 | 108 | ## 6.0.0 - *2021-05-25* 109 | 110 | **Breaking changes, please see [UPGRADING.md](./UPGRADING.md).** 111 | 112 | - Chef 16 is now required 113 | - Resource partials now in use 114 | - Refactor all HCL resources to use `load_current_value` and `converge_if_changed` 115 | - Resource notifications now function as per the core resources 116 | - Changed values are displayed and can be reported upon 117 | - Server configuration items are written to indiviual files 118 | - Agent configuration is still accumulated as per previous versions 119 | - Refactor json configuration resource to use `load_current_value` and `converge_if_changed` 120 | 121 | ## 5.3.1 - *2021-05-11* 122 | 123 | ## 5.3.0 - *2021-03-26* 124 | 125 | - Refactor service action to use standard action and allow multiple actions - [@bmhughes](https://github.com/bmhughes) 126 | 127 | ## 5.2.0 - *2021-02-09* 128 | 129 | - Support ark installation for aarch64/i386/x86_64 architectures 130 | 131 | ## 5.1.0 - *2021-02-08* 132 | 133 | - Added ark installation method support for Amazon Linux 134 | 135 | ## 5.0.2 - *2021-02-03* 136 | 
137 | - Update metadata supported platforms 138 | 139 | ## 5.0.1 - *2021-01-20* 140 | 141 | - Update supporting files () 142 | 143 | ## 5.0.0 - *2021-01-20* 144 | 145 | **Breaking changes, please see [UPGRADING.md](./UPGRADING.md).** 146 | 147 | - Add service resource 148 | - Add package installation to install resource 149 | - HCL configuration support 150 | - Unify server and agent under common resources. 151 | - Add HCL server configuration resources. 152 | - HCL configuration file as accumulated template. 153 | - HCL support for agent configuration. 154 | 155 | - JSON configuration changes 156 | - Remove configuration properties and consolidate configuration in a `config` Hash property to allow new configuration items to be added without requiring a cookbook change. 157 | - Add base default configuration similar to vault defaults 158 | - Set sensitive by default 159 | 160 | ## 4.3.0 (2020-10-19) 161 | 162 | - Added 'unauthenticated_metrics_access' config option 163 | 164 | ## 4.2.0 (2020-08-11) 165 | 166 | - Created hashicorp_vault_agent_install resource 167 | - Created hashicorp_vault_agent_template resource 168 | - Created hashicorp_vault_agent_config resource 169 | - Updated hashicorp_vault_service resource to be configurable for vault agent and server 170 | - Set vault default version to 1.4.1 171 | 172 | ## 4.1.0 (2020-05-14) 173 | 174 | - resolved cookstyle error: resources/config.rb:211:66 convention: `Layout/TrailingWhitespace` 175 | - resolved cookstyle error: resources/config.rb:211:67 refactor: `ChefModernize/FoodcriticComments` 176 | - resolved cookstyle error: resources/config.rb:215:60 convention: `Layout/TrailingWhitespace` 177 | - resolved cookstyle error: resources/config.rb:215:61 refactor: `ChefModernize/FoodcriticComments` 178 | - Resource config now supports property `max_open_files` to tune LimitNOFILE in Systemd unit file. Value is 16384 by default. 
179 | 180 | ## v4.0.1 (2020-02-20) 181 | 182 | - Runtime directory of 0740 on the systemd 183 | - Telemetry configuration no longer recieves the correct configuration. 184 | 185 | ## v4.0.0 (2020-01-26) 186 | 187 | - Option to specify configuration as sensitive via property 188 | - Switched to GitHub Actions 189 | - Rewrote all resources to be custom resource sso there's no longer a dependency on poise 190 | 191 | ## v3.0.2 (2019-06-11) 192 | 193 | - Changes the function names for `config_prefix_path` and `data_path` 194 | 195 | ## v3.0.1 (2019-06-01) 196 | 197 | - added `x_forwarded_for_*` and `cluster_addr` config options 198 | - disabled unit tests as we cannot bundle install currently 199 | - upgrade to chef 13 minimum 200 | - migrate to circleci 2.0 testing 201 | - added option to set `plugin_directory` 202 | 203 | ## v3.0.0 (2018-12-09) 204 | 205 | - added options to set `seal` options, `ui`, and `disable_performance_standby` 206 | - updated tests to test new config options 207 | - added Circle CI tests 208 | - removed support for Ubuntu 12.04 as it's EOL-ed 209 | - added Ubuntu 18.04 tests 210 | 211 | ## v2.5.0 (2017-03-27) 212 | 213 | [Full Changelog](https://github.com/johnbellone/vault-cookbook/compare/v2.4.0...v2.5.0) 214 | 215 | - undefined method `cluster\_address' for VaultCookbook::Resource::VaultConfig [\#93](https://github.com/johnbellone/vault-cookbook/issues/93) 216 | - Service Logging [\#89](https://github.com/johnbellone/vault-cookbook/issues/89) 217 | - disable\_cache option [\#84](https://github.com/johnbellone/vault-cookbook/issues/84) 218 | - CentOS-\- kitchen tests fail w/ sudo issue [\#78](https://github.com/johnbellone/vault-cookbook/issues/78) 219 | - Vault archive download address should be configurable [\#74](https://github.com/johnbellone/vault-cookbook/issues/74) 220 | - Vault 0.5.3 -\> 0.6.0 is breaking. Cookbook major version should have been rev'd. 
[\#70](https://github.com/johnbellone/vault-cookbook/issues/70) 221 | - Initializing and unsealing [\#69](https://github.com/johnbellone/vault-cookbook/issues/69) 222 | - Added shasums for vault 0.6.4 and 0.6.5 [\#94](https://github.com/johnbellone/vault-cookbook/pull/94) ([onetwopunch](https://github.com/onetwopunch)) 223 | - Update test configuration, fix Travis builds [\#92](https://github.com/johnbellone/vault-cookbook/pull/92) ([legal90](https://github.com/legal90)) 224 | - fix typo in error message [\#90](https://github.com/johnbellone/vault-cookbook/pull/90) ([chrisminton](https://github.com/chrisminton)) 225 | - add additional ssl options to vault\_secret [\#88](https://github.com/johnbellone/vault-cookbook/pull/88) ([chrisminton](https://github.com/chrisminton)) 226 | - Vault 0.6.3 [\#87](https://github.com/johnbellone/vault-cookbook/pull/87) ([vijaybandari](https://github.com/vijaybandari)) 227 | - Fixes foodcritic, previous fix caused all checks to be ignored [\#86](https://github.com/johnbellone/vault-cookbook/pull/86) ([madeddie](https://github.com/madeddie)) 228 | - Add disable\_cache config option [\#85](https://github.com/johnbellone/vault-cookbook/pull/85) ([madeddie](https://github.com/madeddie)) 229 | - Add log-level support for service [\#82](https://github.com/johnbellone/vault-cookbook/pull/82) ([vijaybandari](https://github.com/vijaybandari)) 230 | - Update Changelog [\#81](https://github.com/johnbellone/vault-cookbook/pull/81) ([legal90](https://github.com/legal90)) 231 | - Enable passwordless sudo for tests [\#80](https://github.com/johnbellone/vault-cookbook/pull/80) ([legal90](https://github.com/legal90)) 232 | - Add 0.6.2 support [\#79](https://github.com/johnbellone/vault-cookbook/pull/79) ([Ginja](https://github.com/Ginja)) 233 | - Add cluster\_address for listener options [\#77](https://github.com/johnbellone/vault-cookbook/pull/77) ([freimer](https://github.com/freimer)) 234 | - Refactor integration tests and Travis CI configuration 
[\#75](https://github.com/johnbellone/vault-cookbook/pull/75) ([legal90](https://github.com/legal90)) 235 | - Fix init script syntax for compatibility with RHEL/CentOS 5 [\#73](https://github.com/johnbellone/vault-cookbook/pull/73) ([legal90](https://github.com/legal90)) 236 | - Add support of Vault 0.6.1 [\#71](https://github.com/johnbellone/vault-cookbook/pull/71) ([legal90](https://github.com/legal90)) 237 | - Create/Delete symbolic link to /usr/local/bin [\#68](https://github.com/johnbellone/vault-cookbook/pull/68) ([dpattmann](https://github.com/dpattmann)) 238 | - Add default recipe to kitchen run\_list [\#67](https://github.com/johnbellone/vault-cookbook/pull/67) ([dpattmann](https://github.com/dpattmann)) 239 | - Remove 'godep restore' for vault versions \> 0.5.0 [\#66](https://github.com/johnbellone/vault-cookbook/pull/66) ([dpattmann](https://github.com/dpattmann)) 240 | 241 | ## v2.4.0 (2016-06-24) 242 | 243 | [Full Changelog](https://github.com/johnbellone/vault-cookbook/compare/v2.3.0...v2.4.0) 244 | 245 | - Service doesn't come back after reboot because the default service directory is missing [\#55](https://github.com/johnbellone/vault-cookbook/issues/55) 246 | - Failing to run service as nonroot [\#54](https://github.com/johnbellone/vault-cookbook/issues/54) 247 | - Vault 0.6.0 [\#65](https://github.com/johnbellone/vault-cookbook/pull/65) ([axtl](https://github.com/axtl)) 248 | - Create work dir before service starts as it does not persist across restarts [\#64](https://github.com/johnbellone/vault-cookbook/pull/64) ([willejs](https://github.com/willejs)) 249 | - Liberate "build-essential" version constraint [\#63](https://github.com/johnbellone/vault-cookbook/pull/63) ([legal90](https://github.com/legal90)) 250 | - vault\_secret: Raise an exception if Vault read has failed [\#61](https://github.com/johnbellone/vault-cookbook/pull/61) ([legal90](https://github.com/legal90)) 251 | 252 | ## v2.3.0 (2016-06-09) 253 | 254 | [Full 
Changelog](https://github.com/johnbellone/vault-cookbook/compare/v2.2.0...v2.3.0) 255 | 256 | - What are bag\_name, bag\_item attributes used for? [\#58](https://github.com/johnbellone/vault-cookbook/issues/58) 257 | - Test against newer build-essential [\#57](https://github.com/johnbellone/vault-cookbook/issues/57) 258 | - Vault 0.5.3 update \(with test fixes, build-essential update\) [\#62](https://github.com/johnbellone/vault-cookbook/pull/62) ([axtl](https://github.com/axtl)) 259 | - Fix default value of "leases" attribute [\#60](https://github.com/johnbellone/vault-cookbook/pull/60) ([legal90](https://github.com/legal90)) 260 | - vault\_secret: Save lease ID to the nested attribute [\#56](https://github.com/johnbellone/vault-cookbook/pull/56) ([legal90](https://github.com/legal90)) 261 | 262 | ## v2.2.0 (2016-04-19) 263 | 264 | [Full Changelog](https://github.com/johnbellone/vault-cookbook/compare/v2.1.1...v2.2.0) 265 | 266 | - Specifying 'root' removes root login shell [\#53](https://github.com/johnbellone/vault-cookbook/issues/53) 267 | - Configure consul backend in hashicorp-vault \> 1.5.x [\#48](https://github.com/johnbellone/vault-cookbook/issues/48) 268 | - Prevent "vault" service to be restarted on update [\#52](https://github.com/johnbellone/vault-cookbook/pull/52) ([legal90](https://github.com/legal90)) 269 | - Use custom templates for "systemd" and "sysvinit" service providers [\#51](https://github.com/johnbellone/vault-cookbook/pull/51) ([legal90](https://github.com/legal90)) 270 | - Added a resource for reading secrets from Vault [\#49](https://github.com/johnbellone/vault-cookbook/pull/49) ([Ginja](https://github.com/Ginja)) 271 | 272 | ## v2.1.1 (2016-03-17) 273 | 274 | [Full Changelog](https://github.com/johnbellone/vault-cookbook/compare/v2.1.0...v2.1.1) 275 | 276 | - Fixed typo in vault\_config provider property [\#47](https://github.com/johnbellone/vault-cookbook/pull/47) ([Ginja](https://github.com/Ginja)) 277 | 278 | ## v2.1.0 (2016-03-17) 
279 | 280 | [Full Changelog](https://github.com/johnbellone/vault-cookbook/compare/v2.0.0...v2.1.0) 281 | 282 | - Getting warning message in Chef run [\#46](https://github.com/johnbellone/vault-cookbook/issues/46) 283 | - Fix binary installation for i386 architectures. [\#44](https://github.com/johnbellone/vault-cookbook/pull/44) ([johnbellone](https://github.com/johnbellone)) 284 | 285 | ## v2.0.0 (2016-03-04) 286 | 287 | [Full Changelog](https://github.com/johnbellone/vault-cookbook/compare/v1.5.1...v2.0.0) 288 | 289 | - etcd in not supported as backend secret storage [\#25](https://github.com/johnbellone/vault-cookbook/issues/25) 290 | - tls\_disable attribute only accepts strings [\#40](https://github.com/johnbellone/vault-cookbook/issues/40) 291 | - Error executing action `create` on resource 'vault\_config\[/home/vault/.vault.json\]' [\#39](https://github.com/johnbellone/vault-cookbook/issues/39) 292 | - undefined method `delete' for nil:NilClass [\#34](https://github.com/johnbellone/vault-cookbook/issues/34) 293 | - metadata updates [\#33](https://github.com/johnbellone/vault-cookbook/issues/33) 294 | - No method chef\_vault\_item [\#24](https://github.com/johnbellone/vault-cookbook/issues/24) 295 | - vault\_config.rb doesn't writes out telemetry section properly [\#6](https://github.com/johnbellone/vault-cookbook/issues/6) 296 | - Fixed Install Issues [\#42](https://github.com/johnbellone/vault-cookbook/pull/42) ([Ginja](https://github.com/Ginja)) 297 | - Coerce tls\_disable attribute to a string. 
[\#41](https://github.com/johnbellone/vault-cookbook/pull/41) ([CodeGnome](https://github.com/CodeGnome)) 298 | 299 | ## v1.5.1 (2016-02-18) 300 | 301 | [Full Changelog](https://github.com/johnbellone/vault-cookbook/compare/v1.5.0...v1.5.1) 302 | 303 | - Add support for Vault 0.5.0 [\#36](https://github.com/johnbellone/vault-cookbook/pull/36) ([legal90](https://github.com/legal90)) 304 | 305 | ## v1.5.0 (2016-02-03) 306 | 307 | [Full Changelog](https://github.com/johnbellone/vault-cookbook/compare/v1.4.0...v1.5.0) 308 | 309 | - \['vault'\]\['config'\]\['manage\_certificate'\] = false does not end up getting set on vault\_config resource [\#31](https://github.com/johnbellone/vault-cookbook/issues/31) 310 | - Vault 0.2.0 - Does not like tls\_disable entered as empty string [\#8](https://github.com/johnbellone/vault-cookbook/issues/8) 311 | - Multiple fixes [\#35](https://github.com/johnbellone/vault-cookbook/pull/35) ([sh9189](https://github.com/sh9189)) 312 | - Fix tls\_disable with vault 0.4.0 [\#30](https://github.com/johnbellone/vault-cookbook/pull/30) ([shaneramey](https://github.com/shaneramey)) 313 | - support vault 0.4.0 [\#28](https://github.com/johnbellone/vault-cookbook/pull/28) ([shaneramey](https://github.com/shaneramey)) 314 | - Modify attributes to support vault 0.3.1 [\#26](https://github.com/johnbellone/vault-cookbook/pull/26) ([NickLaMuro](https://github.com/NickLaMuro)) 315 | 316 | ## v1.4.0 (2015-09-28) 317 | 318 | [Full Changelog](https://github.com/johnbellone/vault-cookbook/compare/v1.3.1...v1.4.0) 319 | 320 | - Fails to start vault server on CentOS 7.1 [\#22](https://github.com/johnbellone/vault-cookbook/issues/22) 321 | - Add note into documentation about chef-vault coobook version [\#21](https://github.com/johnbellone/vault-cookbook/issues/21) 322 | - Spec test issue for vault\_config: Chef::Provider does not implement \#chef\_vault\_item [\#11](https://github.com/johnbellone/vault-cookbook/issues/11) 323 | - Move test data bag item to 
standard location [\#19](https://github.com/johnbellone/vault-cookbook/pull/19) ([jeffbyrnes](https://github.com/jeffbyrnes)) 324 | - Clean up spec tests & switch to using Rake [\#18](https://github.com/johnbellone/vault-cookbook/pull/18) ([jeffbyrnes](https://github.com/jeffbyrnes)) 325 | - Pin chef-vault to specific ref [\#16](https://github.com/johnbellone/vault-cookbook/pull/16) ([jeffbyrnes](https://github.com/jeffbyrnes)) 326 | - Update Serverspec assertions as per Rspec 3 [\#15](https://github.com/johnbellone/vault-cookbook/pull/15) ([jeffbyrnes](https://github.com/jeffbyrnes)) 327 | - Make the TLS certificate management optional [\#13](https://github.com/johnbellone/vault-cookbook/pull/13) ([jeffbyrnes](https://github.com/jeffbyrnes)) 328 | - Update tests for SSL cert/key to match attributes [\#12](https://github.com/johnbellone/vault-cookbook/pull/12) ([jeffbyrnes](https://github.com/jeffbyrnes)) 329 | 330 | ## v1.3.1 (2015-08-13) 331 | 332 | [Full Changelog](https://github.com/johnbellone/vault-cookbook/compare/v1.3.0...v1.3.1) 333 | 334 | ## v1.3.0 (2015-08-13) 335 | 336 | [Full Changelog](https://github.com/johnbellone/vault-cookbook/compare/v1.2.1...v1.3.0) 337 | 338 | ## v1.2.1 (2015-08-07) 339 | 340 | [Full Changelog](https://github.com/johnbellone/vault-cookbook/compare/v1.2.0...v1.2.1) 341 | 342 | ## v1.2.0 (2015-08-04) 343 | 344 | [Full Changelog](https://github.com/johnbellone/vault-cookbook/compare/v1.1.0...v1.2.0) 345 | 346 | - Vault service fails to start [\#5](https://github.com/johnbellone/vault-cookbook/issues/5) 347 | - Upgrading to Vault 0.2.0 [\#2](https://github.com/johnbellone/vault-cookbook/issues/2) 348 | - fixing default attributes based on HWRP [\#3](https://github.com/johnbellone/vault-cookbook/pull/3) ([zarry](https://github.com/zarry)) 349 | 350 | ## v1.1.0 (2015-06-16) 351 | 352 | [Full Changelog](https://github.com/johnbellone/vault-cookbook/compare/v1.0.1...v1.1.0) 353 | 354 | ## v1.0.1 (2015-06-15) 355 | 356 | [Full 
Changelog](https://github.com/johnbellone/vault-cookbook/compare/v1.0.0...v1.0.1) 357 | 358 | ## v1.0.0 (2015-06-12) 359 | 360 | \- -This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)-\- -This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)- 361 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Community Guidelines 2 | 3 | This project follows the Chef Community Guidelines 4 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | Please refer to 4 | [https://github.com/chef-cookbooks/community_cookbook_documentation/blob/main/CONTRIBUTING.MD](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/main/CONTRIBUTING.MD) 5 | -------------------------------------------------------------------------------- /Dangerfile: -------------------------------------------------------------------------------- 1 | # Reference: http://danger.systems/reference.html 2 | 3 | # A pull request summary is required. Add a description of the pull request purpose. 4 | # Changelog must be updated for each pull request that changes code. 5 | # Warnings will be issued for: 6 | # Pull request with more than 400 lines of code changed 7 | # Pull reqest that change more than 5 lines without test changes 8 | # Failures will be issued for: 9 | # Pull request without summary 10 | # Pull requests with code changes without changelog entry 11 | 12 | def code_changes? 13 | code = %w(libraries attributes recipes resources files templates) 14 | code.each do |location| 15 | return true unless git.modified_files.grep(/#{location}/).empty? 
16 | end 17 | false 18 | end 19 | 20 | def test_changes? 21 | tests = %w(spec test kitchen.yml kitchen.dokken.yml) 22 | tests.each do |location| 23 | return true unless git.modified_files.grep(/#{location}/).empty? 24 | end 25 | false 26 | end 27 | 28 | failure 'Please provide a summary of your Pull Request.' if github.pr_body.length < 10 29 | 30 | warn 'This is a big Pull Request.' if git.lines_of_code > 400 31 | 32 | warn 'This is a Table Flip.' if git.lines_of_code > 2000 33 | 34 | # Require a CHANGELOG entry for non-test changes. 35 | if !git.modified_files.include?('CHANGELOG.md') && code_changes? 36 | failure 'Please include a CHANGELOG entry.' 37 | end 38 | 39 | # Require Major Minor Patch version labels 40 | unless github.pr_labels.grep /minor|major|patch/i 41 | warn 'Please add a release label to this pull request' 42 | end 43 | 44 | # A sanity check for tests. 45 | if git.lines_of_code > 5 && code_changes? && !test_changes? 46 | warn 'This Pull Request is probably missing tests.' 47 | end 48 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. 
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2015-2018, Bloomberg Finance L.P. 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # hashicorp-vault cookbook 2 | 3 | [![Cookbook Version](https://img.shields.io/cookbook/v/hashicorp-vault.svg)](https://supermarket.chef.io/cookbooks/hashicorp-vault) 4 | [![CI State](https://github.com/sous-chefs/vault/workflows/ci/badge.svg)](https://github.com/sous-chefs/vault/actions?query=workflow%3Aci) 5 | [![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers) 6 | [![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors) 7 | [![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0) 8 | 9 | Install and configure Hashicorp Vault in server and agent mode. 10 | 11 | **Version 5.0.0 constitutes a major change and rewrite, please see [UPGRADING.md](./UPGRADING.md).** 12 | 13 | ## Maintainers 14 | 15 | This cookbook is maintained by the Sous Chefs. 
The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF). 16 | 17 | ## Platforms 18 | 19 | The following platforms have been certified with integration tests 20 | using Test Kitchen: 21 | 22 | - Debian/Ubuntu 23 | - RHEL/CentOS and derivatives 24 | - Fedora and derivatives 25 | 26 | ## Requirements 27 | 28 | - Chef 14+ 29 | - ark Community Cookbook () 30 | 31 | ## Usage 32 | 33 | It is recommended to create a project or organization specific [wrapper cookbook](https://www.chef.io/blog/2013/12/03/doing-wrapper-cookbooks-right/) and add the desired custom resources to the run list of a node. Depending on your environment, you may have multiple roles that use different recipes from this cookbook. Adjust any attributes as desired. 34 | 35 | Example of a basic server configuration using Hashicorp HCL for configuration 36 | 37 | ```ruby 38 | hashicorp_vault_install 'package' do 39 | action :upgrade 40 | end 41 | 42 | hashicorp_vault_config_global 'vault' do 43 | sensitive false 44 | telemetry( 45 | statsite_address: '127.0.0.1:8125', 46 | disable_hostname: true 47 | ) 48 | 49 | notifies :restart, 'hashicorp_vault_service[vault]', :delayed 50 | 51 | action :create 52 | end 53 | 54 | hashicorp_vault_config_listener 'tcp' do 55 | options( 56 | 'address' => '127.0.0.1:8200', 57 | 'cluster_address' => '127.0.0.1:8201', 58 | 'tls_cert_file' => '/opt/vault/tls/tls.crt', 59 | 'tls_key_file' => '/opt/vault/tls/tls.key', 60 | 'telemetry' => { 61 | 'unauthenticated_metrics_access' => false, 62 | } 63 | ) 64 | 65 | notifies :restart, 'hashicorp_vault_service[vault]', :delayed 66 | end 67 | 68 | hashicorp_vault_config_storage 'Test file storage' do 69 | type 'file' 70 | options( 71 | 'path' => '/opt/vault/data' 72 | ) 73 | 74 | 
notifies :restart, 'hashicorp_vault_service[vault]', :delayed 75 | end 76 | 77 | hashicorp_vault_service 'vault' do 78 | action %i(create enable start) 79 | end 80 | 81 | ``` 82 | 83 | ## External Documentation 84 | 85 | - 86 | - 87 | 88 | ## Resources 89 | 90 | - [hashicorp_vault_config_auto_auth](documentation/hashicorp_vault_config_auto_auth.md) 91 | - [hashicorp_vault_config_entropy](documentation/hashicorp_vault_config_entropy.md) 92 | - [hashicorp_vault_config_global](documentation/hashicorp_vault_config_global.md) 93 | - [hashicorp_vault_config_listener](documentation/hashicorp_vault_config_listener.md) 94 | - [hashicorp_vault_config_seal](documentation/hashicorp_vault_config_seal.md) 95 | - [hashicorp_vault_config_service_registration](documentation/hashicorp_vault_config_service_registration.md) 96 | - [hashicorp_vault_config_storage](documentation/hashicorp_vault_config_storage.md) 97 | - [hashicorp_vault_config_template](documentation/hashicorp_vault_config_template.md) 98 | - [hashicorp_vault_config](documentation/hashicorp_vault_config.md) 99 | - [hashicorp_vault_install](documentation/hashicorp_vault_install.md) 100 | - [hashicorp_vault_service](documentation/hashicorp_vault_service.md) 101 | 102 | ## Contributors 103 | 104 | This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false) 105 | 106 | ### Backers 107 | 108 | Thank you to all our backers! 109 | 110 | ![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40) 111 | 112 | ### Sponsors 113 | 114 | Support this project by becoming a sponsor. Your logo will show up here with a link to your website. 
115 | 116 | ![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100) 117 | ![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100) 118 | ![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100) 119 | ![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100) 120 | ![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100) 121 | ![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100) 122 | ![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100) 123 | ![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100) 124 | ![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100) 125 | ![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100) 126 | -------------------------------------------------------------------------------- /TESTING.md: -------------------------------------------------------------------------------- 1 | # Testing 2 | 3 | Please refer to [the community cookbook documentation on testing](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/main/TESTING.MD). 
4 | -------------------------------------------------------------------------------- /UPGRADING.md: -------------------------------------------------------------------------------- 1 | # Upgrading 2 | 3 | This document will give you help on upgrading major versions of hashicorp_vault 4 | 5 | ## 6.0.0 6 | 7 | Version 6.0.0 is a refactoring of the configuration resources to use `load_current_value` and `converge_if_changed` to support full resource notifications and reporting. 8 | 9 | Several breaking changes have been introduced to support this: 10 | 11 | ### Breaking Changes 12 | 13 | #### Resource 14 | 15 | - The `type` property is now required to be set to allow retrieval by `load_current_value` and will be used to generate the configuration template 16 | - The `vault_mode` property must be configured for HCL items that are used for both server and agent configuration 17 | - Default to :server for items that apply to both server and agent mode 18 | - Default to :agent for items that apply only to agent mode 19 | 20 | - Agent only configuration resources (auto_auth, template) now require identifying properties to be specified external to the `config` Hash 21 | - `auto_auth` 22 | - The `entry_type` property is added and must be set to either `:method` or `:sink` to identify which configuration sub-type to generate 23 | - The `path` property is set and merged into the config hash upon template generation (for `:sink` types **only**) 24 | - `template` - The `:destination` property is set and merged into the config hash upon template generation 25 | 26 | #### Configuration File Generation 27 | 28 | - Unless overridden, server mode configuration items are now generated as individual files within the vault configuration directory 29 | - Allow simple loading of the current value 30 | - Agent mode generates an accumulated template as per v5.0.0. 31 | 32 | ## 5.0.0 33 | 34 | Version 5.0.0 is a major rewrite of the cookbook to current standards. 
35 | 36 | - Remodel fully as a resource library cookbook. 37 | - Unified configuration resources: the same resources are used for both server and agent configuration. 38 | 39 | ### Removed 40 | 41 | - All attributes 42 | - Resource `hashicorp_vault_install_dist` 43 | - Resource `hashicorp_vault_agent_config` 44 | - Resource `hashicorp_vault_agent_install` 45 | - Resource `hashicorp_vault_agent_template` 46 | 47 | ### Added 48 | 49 | - HCL configuration support 50 | 51 | #### Configuration Resources - HCL 52 | 53 | - `hashicorp_vault_config_auto_auth` - [Documentation](./documentation/hashicorp_vault_config_auto_auth.md) 54 | - `hashicorp_vault_config_entropy` - [Documentation](./documentation/hashicorp_vault_config_entropy.md) 55 | - `hashicorp_vault_config_global` - [Documentation](./documentation/hashicorp_vault_config_global.md) 56 | - `hashicorp_vault_config_listener` - [Documentation](./documentation/hashicorp_vault_config_listener.md) 57 | - `hashicorp_vault_config_seal` - [Documentation](./documentation/hashicorp_vault_config_seal.md) 58 | - `hashicorp_vault_config_service_registration` - [Documentation](./documentation/hashicorp_vault_config_service_registration.md) 59 | - `hashicorp_vault_config_storage` - [Documentation](./documentation/hashicorp_vault_config_storage.md) 60 | - `hashicorp_vault_config_template` - [Documentation](./documentation/hashicorp_vault_config_template.md) 61 | 62 | #### Configuration - HCL 63 | 64 | - `hashicorp_vault_config_global` should always be used to add the base configuration settings for a vault configuration 65 | - The compilation and convergence of *any* of the `hashicorp_vault_config_*` resources will result in the instantiation of the accumulated template to create the HCL configuration file 66 | - Due to the above it is possible to create a configuration file with elements missing that are required for vault operation; see the vault documentation for details on which configuration items, and thus which resources, you 
will require. 67 | 68 | ### Changed 69 | 70 | #### Common 71 | 72 | - Custom resources have been rewritten in current style. 73 | - Vault configuration items that were previously represented as individual Chef resource properties have been moved to a single `options` Hash property. 74 | - Unified configuration resources - the same resources are used for both `server` and `agent` mode. 75 | 76 | #### Install 77 | 78 | - The `hashicorp_vault_install` resource is no longer an AIO resource and will *not* configure vault nor create the service. 79 | - Previous use of the install resource should be migrated to a wrapper recipe with install, configuration and service management implemented by the user. 80 | 81 | #### Configuration - JSON 82 | 83 | - The `hashicorp_vault_config` resource should be implemented for users who wish to continue using Vault with `json` configuration format. 84 | - All resource properties and values should be migrated to the `config` Hash property. 85 | 86 | #### Agent Configuration 87 | 88 | - Vault can be configured in `agent` mode with a `json` configuration by the use of `hashicorp_vault_config`, with the `config_file` property overridden if server and agent mode are to co-exist. 89 | - The vault agent service can be managed via `hashicorp_vault_service` with the `mode` property set to `:agent`. 90 | -------------------------------------------------------------------------------- /chefignore: -------------------------------------------------------------------------------- 1 | # Put files/directories that should be ignored in this file when uploading 2 | # to a Chef Infra Server or Supermarket. 3 | # Lines that start with '# ' are comments. 4 | 5 | # OS generated files # 6 | ###################### 7 | .DS_Store 8 | ehthumbs.db 9 | Icon? 
10 | nohup.out 11 | Thumbs.db 12 | .envrc 13 | 14 | # EDITORS # 15 | ########### 16 | .#* 17 | .project 18 | .settings 19 | *_flymake 20 | *_flymake.* 21 | *.bak 22 | *.sw[a-z] 23 | *.tmproj 24 | *~ 25 | \#* 26 | REVISION 27 | TAGS* 28 | tmtags 29 | .vscode 30 | .editorconfig 31 | 32 | ## COMPILED ## 33 | ############## 34 | *.class 35 | *.com 36 | *.dll 37 | *.exe 38 | *.o 39 | *.pyc 40 | *.so 41 | */rdoc/ 42 | a.out 43 | mkmf.log 44 | 45 | # Testing # 46 | ########### 47 | .circleci/* 48 | .codeclimate.yml 49 | .delivery/* 50 | .foodcritic 51 | .kitchen* 52 | .mdlrc 53 | .overcommit.yml 54 | .rspec 55 | .rubocop.yml 56 | .travis.yml 57 | .watchr 58 | .yamllint 59 | azure-pipelines.yml 60 | Dangerfile 61 | examples/* 62 | features/* 63 | Guardfile 64 | kitchen*.yml 65 | mlc_config.json 66 | Procfile 67 | Rakefile 68 | spec/* 69 | test/* 70 | 71 | # SCM # 72 | ####### 73 | .git 74 | .gitattributes 75 | .gitconfig 76 | .github/* 77 | .gitignore 78 | .gitkeep 79 | .gitmodules 80 | .svn 81 | */.bzr/* 82 | */.git 83 | */.hg/* 84 | */.svn/* 85 | 86 | # Berkshelf # 87 | ############# 88 | Berksfile 89 | Berksfile.lock 90 | cookbooks/* 91 | tmp 92 | 93 | # Bundler # 94 | ########### 95 | vendor/* 96 | Gemfile 97 | Gemfile.lock 98 | 99 | # Policyfile # 100 | ############## 101 | Policyfile.rb 102 | Policyfile.lock.json 103 | 104 | # Documentation # 105 | ############# 106 | CODE_OF_CONDUCT* 107 | CONTRIBUTING* 108 | documentation/* 109 | TESTING* 110 | UPGRADING* 111 | 112 | # Vagrant # 113 | ########### 114 | .vagrant 115 | Vagrantfile 116 | -------------------------------------------------------------------------------- /documentation/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sous-chefs/hashicorp-vault/159010dad2daf05f58e17fa542ea75bbd1f5a469/documentation/.gitkeep -------------------------------------------------------------------------------- /documentation/hashicorp_vault_config.md: 
-------------------------------------------------------------------------------- 1 | # hashicorp_vault_config 2 | 3 | [Back to resource list](../README.md#resources) 4 | 5 | Creates a vault server or agent template JSON configuration 6 | 7 | Introduced: v5.0.0 8 | 9 | ## Actions 10 | 11 | - `:create` 12 | - `:delete` 13 | 14 | ## Properties 15 | 16 | | Name | Type | Default | Description | 17 | | ---------------------- | ------------- | -------------------------------- | ------------------------------------------------------------------- | 18 | | `owner` | String | `vault` | Owner of the generated configuration file | 19 | | `group` | String | `vault` | Group of the generated configuration file | 20 | | `mode` | String | `'0640'` | Filemode of the generated configuration file | 21 | | `config_file` | String | `/etc/vault.d/vault.json` | Configuration file to generate | 22 | | `sensitive` | True, False | `true` | Set template to sensitive by default | 23 | | `config` | Hash | `{}` | Vault configuration | 24 | 25 | ## Examples 26 | 27 | ```ruby 28 | hashicorp_vault_config 'vault' do 29 | sensitive false 30 | config( 31 | 'api_addr' => 'https://127.0.0.1:8200', 32 | 'cluster_addr' => 'https://127.0.0.1:8201', 33 | 'cache_size' => 131072, 34 | 'default_lease_ttl' => '768h', 35 | 'default_max_request_duration' => '90s', 36 | 'disable_cache' => false, 37 | 'disable_clustering' => false, 38 | 'disable_mlock' => false, 39 | 'disable_performance_standby' => true, 40 | 'disable_sealwrap' => false, 41 | 'listener' => { 42 | 'tcp' => { 43 | 'address' => '127.0.0.1:8200', 44 | 'cluster_address' => '127.0.0.1:8201', 45 | 'tls_cert_file' => '/opt/vault/tls/tls.crt', 46 | 'tls_key_file' => '/opt/vault/tls/tls.key', 47 | 'telemetry' => { 48 | 'unauthenticated_metrics_access' => false, 49 | }, 50 | }, 51 | }, 52 | 'max_lease_ttl' => '768h', 53 | 'raw_storage_endpoint' => false, 54 | 'storage' => { 55 | 'file' => { 56 | 'path' => '/opt/vault/data', 57 | }, 58 | }, 59 | 'ui' => true 
60 | ) 61 | 62 | action :create 63 | end 64 | ``` 65 | 66 | ```ruby 67 | hashicorp_vault_config 'vault' do 68 | action :delete 69 | end 70 | ``` 71 | -------------------------------------------------------------------------------- /documentation/hashicorp_vault_config_auto_auth.md: -------------------------------------------------------------------------------- 1 | # hashicorp_vault_config_auto_auth 2 | 3 | [Back to resource list](../README.md#resources) 4 | 5 | Creates a vault agent automatic authentication HCL configuration stanza () 6 | 7 | Introduced: v5.0.0 8 | 9 | ## Actions 10 | 11 | - `:create` 12 | - `:delete` 13 | 14 | ## Properties 15 | 16 | | Name | Type | Default | Description | 17 | | ------------- | -------------- | ------------------------ | ------------------------------------------------------------------------- | 18 | | `owner` | String | `vault` | Owner of the generated configuration file | 19 | | `group` | String | `vault` | Group of the generated configuration file | 20 | | `mode` | String | `'0640'` | Filemode of the generated configuration file | 21 | | `config_file` | String | `/etc/vault.d/vault.hcl` | Configuration file to generate stanza in | 22 | | `cookbook` | String | `hashicorp-vault` | Cookbook to source configuration file template from | 23 | | `template` | String | `hcl.erb` | Template to use to generate the configuration file | 24 | | `sensitive` | True, False | `true` | Set template to sensitive by default | 25 | | `type` | String, Symbol | `nil` | Configuration stanza type | 26 | | `entry_type` | String, Symbol | `nil` | Configuration stanza sub-type (`:method` or `:sink`) | 27 | | `path` | String | `nil` | Path setting for `:sink` types, will be merged with options automatically | 28 | | `options` | Hash | `nil` | Options for the configuration stanza | 29 | 30 | ## Examples 31 | 32 | ### Automatic authentication method 33 | 34 | - 35 | 36 | ```ruby 37 | hashicorp_vault_config_auto_auth 'aws' do 38 | type 'method' 39 | options( 
40 | 'mount_path' => 'auth/aws-subaccount', 41 | 'config' => { 42 | 'type' => 'iam', 43 | 'role' => 'foobar', 44 | } 45 | ) 46 | end 47 | ``` 48 | 49 | ### Automatic authentication sink 50 | 51 | - 52 | 53 | ```ruby 54 | hashicorp_vault_config_auto_auth 'file' do 55 | type 'sink' 56 | options( 57 | 'config' => { 58 | 'path' => '/tmp/file-foo', 59 | } 60 | ) 61 | end 62 | ``` 63 | 64 | ```ruby 65 | hashicorp_vault_config_auto_auth 'file' do 66 | type 'sink' 67 | options( 68 | 'wrap_ttl' => '5m', 69 | 'aad_env_var' => 'TEST_AAD_ENV', 70 | 'dh_type' => 'curve25519', 71 | 'dh_path' => '/tmp/file-foo-dhpath2', 72 | 'config' => { 73 | 'path' => '/tmp/file-bar', 74 | } 75 | ) 76 | end 77 | ``` 78 | -------------------------------------------------------------------------------- /documentation/hashicorp_vault_config_entropy.md: -------------------------------------------------------------------------------- 1 | # hashicorp_vault_config_entropy 2 | 3 | [Back to resource list](../README.md#resources) 4 | 5 | Creates a vault server entropy augmentation HCL configuration stanza () 6 | 7 | Introduced: v5.0.0 8 | 9 | ## Actions 10 | 11 | - `:create` 12 | - `:delete` 13 | 14 | ## Properties 15 | 16 | | Name | Type | Default | Description | 17 | | ---------------------- | ------------- | -------------------------------- | ------------------------------------------------------------------- | 18 | | `owner` | String | `vault` | Owner of the generated configuration file | 19 | | `group` | String | `vault` | Group of the generated configuration file | 20 | | `mode` | String | `'0640'` | Filemode of the generated configuration file | 21 | | `config_file` | String | `/etc/vault.d/vault.hcl` | Configuration file to generate stanza in | 22 | | `cookbook` | String | `hashicorp-vault` | Cookbook to source configuration file template from | 23 | | `template` | String | `hcl.erb` | Template to use to generate the configuration file | 24 | | `sensitive` | True, False | `true` | Set template to 
sensitive by default | 25 | | `type` | String, Symbol| `new_resource.name` | Configuration stanza type | 26 | | `options` | Hash | `{}` | Options for the configuration stanza | 27 | 28 | ## Examples 29 | 30 | ```ruby 31 | hashicorp_vault_config_entropy 'seal' do 32 | options( 33 | 'mode' => 'augmentation' 34 | ) 35 | end 36 | ``` 37 | -------------------------------------------------------------------------------- /documentation/hashicorp_vault_config_global.md: -------------------------------------------------------------------------------- 1 | # hashicorp_vault_config_global 2 | 3 | [Back to resource list](../README.md#resources) 4 | 5 | Creates vault server and agent global, cache, sentinel, telemetry and vault configuration HCL configuration stanzas 6 | 7 | - () 8 | - () 9 | - () 10 | - () 11 | - () 12 | 13 | Introduced: v5.0.0 14 | 15 | ## Actions 16 | 17 | - `:create` 18 | - `:delete` 19 | 20 | ## Properties 21 | 22 | | Name | Type | Default | Description | 23 | | ---------------------- | ------------- | -------------------------------- | ------------------------------------------------------------------- | 24 | | `owner` | String | `vault` | Owner of the generated configuration file | 25 | | `group` | String | `vault` | Group of the generated configuration file | 26 | | `mode` | String | `'0640'` | Filemode of the generated configuration file | 27 | | `config_file` | String | `/etc/vault.d/vault.hcl` | Configuration file to generate stanza in | 28 | | `cookbook` | String | `hashicorp-vault` | Cookbook to source configuration file template from | 29 | | `template` | String | `hcl.erb` | Template to use to generate the configuration file | 30 | | `sensitive` | True, False | `true` | Set template to sensitive by default | 31 | | `global` | Hash | `default_vault_config_hcl` | Global configuration options | 32 | | `cache` | Hash | `{}` | Cache configuration options | 33 | | `sentinel` | Hash | `{}` | Sentinel configuration options | 34 | | `telemetry` | Hash | 
`{}` | Telemetry configuration options | 35 | | `vault` | Hash | `{}` | Vault configuration options | 36 | 37 | ## Examples 38 | 39 | ```ruby 40 | hashicorp_vault_config_global 'vault' do 41 | sensitive false 42 | telemetry( 43 | statsite_address: '127.0.0.1:8125', 44 | disable_hostname: true 45 | ) 46 | 47 | action :create 48 | end 49 | ``` 50 | -------------------------------------------------------------------------------- /documentation/hashicorp_vault_config_listener.md: -------------------------------------------------------------------------------- 1 | # hashicorp_vault_config_listener 2 | 3 | [Back to resource list](../README.md#resources) 4 | 5 | Creates a vault server listener HCL configuration stanza () 6 | 7 | Introduced: v5.0.0 8 | 9 | ## Actions 10 | 11 | - `:create` 12 | - `:delete` 13 | 14 | ## Properties 15 | 16 | | Name | Type | Default | Description | 17 | | ---------------------- | ------------- | -------------------------------- | ------------------------------------------------------------------- | 18 | | `owner` | String | `vault` | Owner of the generated configuration file | 19 | | `group` | String | `vault` | Group of the generated configuration file | 20 | | `mode` | String | `'0640'` | Filemode of the generated configuration file | 21 | | `config_file` | String | `/etc/vault.d/vault.hcl` | Configuration file to generate stanza in | 22 | | `cookbook` | String | `hashicorp-vault` | Cookbook to source configuration file template from | 23 | | `template` | String | `hcl.erb` | Template to use to generate the configuration file | 24 | | `sensitive` | True, False | `true` | Set template to sensitive by default | 25 | | `type` | String, Symbol| `new_resource.name` | Configuration stanza type | 26 | | `options` | Hash | `{}` | Options for the configuration stanza | 27 | 28 | ## Examples 29 | 30 | ```ruby 31 | hashicorp_vault_config_listener 'tcp' do 32 | options( 33 | 'address' => '127.0.0.1:8200', 34 | 'cluster_address' => '127.0.0.1:8201', 35 | 
'tls_cert_file' => '/opt/vault/tls/tls.crt', 36 | 'tls_key_file' => '/opt/vault/tls/tls.key', 37 | 'telemetry' => { 38 | 'unauthenticated_metrics_access' => false, 39 | } 40 | ) 41 | end 42 | ``` 43 | -------------------------------------------------------------------------------- /documentation/hashicorp_vault_config_seal.md: -------------------------------------------------------------------------------- 1 | # hashicorp_vault_config_seal 2 | 3 | [Back to resource list](../README.md#resources) 4 | 5 | Creates a vault server seal HCL configuration stanza () 6 | 7 | Introduced: v5.0.0 8 | 9 | ## Actions 10 | 11 | - `:create` 12 | - `:delete` 13 | 14 | ## Properties 15 | 16 | | Name | Type | Default | Description | 17 | | ---------------------- | ------------- | -------------------------------- | ------------------------------------------------------------------- | 18 | | `owner` | String | `vault` | Owner of the generated configuration file | 19 | | `group` | String | `vault` | Group of the generated configuration file | 20 | | `mode` | String | `'0640'` | Filemode of the generated configuration file | 21 | | `config_file` | String | `/etc/vault.d/vault.hcl` | Configuration file to generate stanza in | 22 | | `cookbook` | String | `hashicorp-vault` | Cookbook to source configuration file template from | 23 | | `template` | String | `hcl.erb` | Template to use to generate the configuration file | 24 | | `sensitive` | True, False | `true` | Set template to sensitive by default | 25 | | `type` | String, Symbol| `new_resource.name` | Configuration stanza type | 26 | | `options` | Hash | `{}` | Options for the configuration stanza | 27 | 28 | ## Examples 29 | 30 | ```ruby 31 | hashicorp_vault_config_seal 'awskms' do 32 | options( 33 | 'region' => 'us-east-1', 34 | 'access_key' => 'AKIAIOSFODNN7EXAMPLE', 35 | 'secret_key' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY', 36 | 'kms_key_id' => '19ec80b0-dfdd-4d97-8164-c6examplekey', 37 | 'endpoint' => 
'https://vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com' 38 | ) 39 | end 40 | ``` 41 | -------------------------------------------------------------------------------- /documentation/hashicorp_vault_config_service_registration.md: -------------------------------------------------------------------------------- 1 | # hashicorp_vault_config_service_registration 2 | 3 | [Back to resource list](../README.md#resources) 4 | 5 | Creates a vault server service registration HCL configuration stanza () 6 | 7 | Introduced: v5.0.0 8 | 9 | ## Actions 10 | 11 | - `:create` 12 | - `:delete` 13 | 14 | ## Properties 15 | 16 | | Name | Type | Default | Description | 17 | | ---------------------- | ------------- | -------------------------------- | ------------------------------------------------------------------- | 18 | | `owner` | String | `vault` | Owner of the generated configuration file | 19 | | `group` | String | `vault` | Group of the generated configuration file | 20 | | `mode` | String | `'0640'` | Filemode of the generated configuration file | 21 | | `config_file` | String | `/etc/vault.d/vault.hcl` | Configuration file to generate stanza in | 22 | | `cookbook` | String | `hashicorp-vault` | Cookbook to source configuration file template from | 23 | | `template` | String | `hcl.erb` | Template to use to generate the configuration file | 24 | | `sensitive` | True, False | `true` | Set template to sensitive by default | 25 | | `type` | String, Symbol| `new_resource.name` | Configuration stanza type | 26 | | `options` | Hash | `{}` | Options for the configuration stanza | 27 | 28 | ## Examples 29 | 30 | ```ruby 31 | hashicorp_vault_config_service_registration 'kubernetes' do 32 | options( 33 | 'namespace' => 'my-namespace', 34 | 'pod_name' => 'my-pod-name' 35 | ) 36 | end 37 | ``` 38 | -------------------------------------------------------------------------------- /documentation/hashicorp_vault_config_storage.md: 
-------------------------------------------------------------------------------- 1 | # hashicorp_vault_config_storage 2 | 3 | [Back to resource list](../README.md#resources) 4 | 5 | Creates a vault server storage HCL configuration stanza () 6 | 7 | Introduced: v5.0.0 8 | 9 | ## Actions 10 | 11 | - `:create` 12 | - `:delete` 13 | 14 | ## Properties 15 | 16 | | Name | Type | Default | Description | 17 | | ---------------------- | ------------- | -------------------------------- | ------------------------------------------------------------------- | 18 | | `owner` | String | `vault` | Owner of the generated configuration file | 19 | | `group` | String | `vault` | Group of the generated configuration file | 20 | | `mode` | String | `'0640'` | Filemode of the generated configuration file | 21 | | `config_file` | String | `/etc/vault.d/vault.hcl` | Configuration file to generate stanza in | 22 | | `cookbook` | String | `hashicorp-vault` | Cookbook to source configuration file template from | 23 | | `template` | String | `hcl.erb` | Template to use to generate the configuration file | 24 | | `sensitive` | True, False | `true` | Set template to sensitive by default | 25 | | `type` | String, Symbol| `new_resource.name` | Configuration stanza type | 26 | | `options` | Hash | `{}` | Options for the configuration stanza | 27 | 28 | ## Examples 29 | 30 | ```ruby 31 | hashicorp_vault_config_storage 'Test file storage' do 32 | type 'file' 33 | options( 34 | 'path' => '/opt/vault/data' 35 | ) 36 | end 37 | ``` 38 | -------------------------------------------------------------------------------- /documentation/hashicorp_vault_config_template.md: -------------------------------------------------------------------------------- 1 | # hashicorp_vault_config_template 2 | 3 | [Back to resource list](../README.md#resources) 4 | 5 | Creates a vault agent template HCL configuration stanza () 6 | 7 | Introduced: v5.0.0 8 | 9 | ## Actions 10 | 11 | - `:create` 12 | - `:delete` 13 | 14 | ## 
Properties 15 | 16 | | Name | Type | Default | Description | 17 | | ---------------------- | ------------- | -------------------------------- | ------------------------------------------------------------------- | 18 | | `owner` | String | `vault` | Owner of the generated configuration file | 19 | | `group` | String | `vault` | Group of the generated configuration file | 20 | | `mode` | String | `'0640'` | Filemode of the generated configuration file | 21 | | `config_file` | String | `/etc/vault.d/vault.hcl` | Configuration file to generate stanza in | 22 | | `cookbook` | String | `hashicorp-vault` | Cookbook to source configuration file template from | 23 | | `template` | String | `hcl.erb` | Template to use to generate the configuration file | 24 | | `sensitive` | True, False | `true` | Set template to sensitive by default | 25 | | `type` | String, Symbol| `new_resource.name` | Configuration stanza type | 26 | | `options` | Hash | `{}` | Options for the configuration stanza | 27 | 28 | ## Examples 29 | 30 | ```ruby 31 | hashicorp_vault_config_template '/etc/vault/server.key' do 32 | options( 33 | 'source' => '/etc/vault/server.key.ctmpl', 34 | 'destination' => '/etc/vault/server.key' 35 | ) 36 | end 37 | 38 | hashicorp_vault_config_template '/etc/vault/server.crt' do 39 | options( 40 | 'source' => '/etc/vault/server.crt.ctmpl', 41 | 'destination' => '/etc/vault/server.crt' 42 | ) 43 | end 44 | ``` 45 | -------------------------------------------------------------------------------- /documentation/hashicorp_vault_install.md: -------------------------------------------------------------------------------- 1 | # hashicorp_vault_install 2 | 3 | [Back to resource list](../README.md#resources) 4 | 5 | Installs vault from repository and package or via the [ark](https://supermarket.chef.io/cookbooks/ark) cookbook. 
6 | 7 | Introduced: v5.0.0 8 | 9 | ## Actions 10 | 11 | - `:install` 12 | - `:upgrade` 13 | - `:remove` 14 | 15 | ## Properties 16 | 17 | | Name | Type | Default | Description | 18 | | ---------------------- | ------------- | -------------------------------- | ------------------------------------------------------------------- | 19 | | `user` | String | `vault` | Vault run-as user | 20 | | `group` | String | `vault` | Vault run-as group | 21 | | `install_method` | String, Symbol| `:repository` | Installation method to use | 22 | | `packages` | String, Array | `[ 'vault' ]` | Packages to install for the `:repository` installation method | 23 | | `test_repo` | True, False | `false` | Enable the hashicorp-test repository | 24 | | `version` | String | `nil` | Version to install (required for the `:ark` installation method) | 25 | | `url` | String | `vault_source(version)` | URL to fetch the vault archive from for the `:ark` installation method | 26 | | `checksum` | Hash | `nil` | Expected checksum of the vault archive for the `:ark` installation method | 27 | 28 | ## Examples 29 | 30 | ```ruby 31 | hashicorp_vault_install 'package' do 32 | action :upgrade 33 | end 34 | ``` 35 | -------------------------------------------------------------------------------- /documentation/hashicorp_vault_service.md: -------------------------------------------------------------------------------- 1 | # hashicorp_vault_service 2 | 3 | [Back to resource list](../README.md#resources) 4 | 5 | Creates a vault server or agent template JSON configuration 6 | 7 | Introduced: v5.0.0 8 | 9 | ## Actions 10 | 11 | - `:create` 12 | - `:delete` 13 | - `:start` 14 | - `:stop` 15 | - `:restart` 16 | - `:reload` 17 | - `:enable` 18 | - `:disable` 19 | 20 | ## Properties 21 | 22 | | Name | Type | Default | Description | 23 | | ---------------------- | ------------- | -------------------------------- | ------------------------------------------------------------------- | 24 | | `service_name` | String | `vault` | Vault service
name | 25 | | `config_type` | Symbol, String| `:hcl` | Vault configuration type | 26 | | `systemd_unit_content` | String, Hash | `default_vault_unit_content` | Vault service systemd unit file content | 27 | | `user` | String | `vault` | Vault run-as user | 28 | | `group` | String | `vault` | Vault run-as group | 29 | | `config_file` | String | `/etc/vault.d/vault.(hcl\|json)` | Configuration file | 30 | | `mode` | Symbol, String| `:server` | Vault service operation type | 31 | 32 | ## Examples 33 | 34 | ### HCL Server 35 | 36 | ```ruby 37 | hashicorp_vault_service 'vault' do 38 | action %i(create enable start) 39 | end 40 | ``` 41 | 42 | ### JSON Server 43 | 44 | ```ruby 45 | hashicorp_vault_service 'vault' do 46 | config_type :json 47 | action %i(create enable start) 48 | end 49 | ``` 50 | 51 | ### HCL Agent 52 | 53 | ```ruby 54 | hashicorp_vault_service 'vault-agent' do 55 | mode :agent 56 | 57 | action %i(create enable start) 58 | end 59 | ``` 60 | -------------------------------------------------------------------------------- /kitchen.dokken.yml: -------------------------------------------------------------------------------- 1 | driver: 2 | name: dokken 3 | privileged: true 4 | chef_version: <%= ENV['CHEF_VERSION'] || 'current' %> 5 | 6 | transport: { name: dokken } 7 | provisioner: { name: dokken } 8 | 9 | platforms: 10 | - name: almalinux-8 11 | driver: 12 | image: dokken/almalinux-8 13 | pid_one_command: /usr/lib/systemd/systemd 14 | 15 | - name: almalinux-9 16 | driver: 17 | image: dokken/almalinux-9 18 | pid_one_command: /usr/lib/systemd/systemd 19 | 20 | - name: almalinux-10 21 | driver: 22 | image: dokken/almalinux-10 23 | pid_one_command: /usr/lib/systemd/systemd 24 | 25 | - name: amazonlinux-2023 26 | driver: 27 | image: dokken/amazonlinux-2023 28 | pid_one_command: /usr/lib/systemd/systemd 29 | 30 | - name: centos-stream-9 31 | driver: 32 | image: dokken/centos-stream-9 33 | pid_one_command: /usr/lib/systemd/systemd 34 | 35 | - name: 
centos-stream-10 36 | driver: 37 | image: dokken/centos-stream-10 38 | pid_one_command: /usr/lib/systemd/systemd 39 | 40 | - name: debian-11 41 | driver: 42 | image: dokken/debian-11 43 | pid_one_command: /bin/systemd 44 | 45 | - name: debian-12 46 | driver: 47 | image: dokken/debian-12 48 | pid_one_command: /bin/systemd 49 | 50 | - name: fedora-latest 51 | driver: 52 | image: dokken/fedora-latest 53 | pid_one_command: /usr/lib/systemd/systemd 54 | 55 | - name: opensuse-leap-15 56 | driver: 57 | image: dokken/opensuse-leap-15 58 | pid_one_command: /usr/lib/systemd/systemd 59 | 60 | - name: oraclelinux-8 61 | driver: 62 | image: dokken/oraclelinux-8 63 | pid_one_command: /usr/lib/systemd/systemd 64 | 65 | - name: oraclelinux-9 66 | driver: 67 | image: dokken/oraclelinux-9 68 | pid_one_command: /usr/lib/systemd/systemd 69 | 70 | - name: rockylinux-8 71 | driver: 72 | image: dokken/rockylinux-8 73 | pid_one_command: /usr/lib/systemd/systemd 74 | 75 | - name: rockylinux-9 76 | driver: 77 | image: dokken/rockylinux-9 78 | pid_one_command: /usr/lib/systemd/systemd 79 | 80 | - name: ubuntu-20.04 81 | driver: 82 | image: dokken/ubuntu-20.04 83 | pid_one_command: /bin/systemd 84 | 85 | - name: ubuntu-22.04 86 | driver: 87 | image: dokken/ubuntu-22.04 88 | pid_one_command: /bin/systemd 89 | 90 | - name: ubuntu-24.04 91 | driver: 92 | image: dokken/ubuntu-24.04 93 | pid_one_command: /bin/systemd 94 | -------------------------------------------------------------------------------- /kitchen.exec.yml: -------------------------------------------------------------------------------- 1 | --- 2 | driver: { name: exec } 3 | transport: { name: exec } 4 | 5 | platforms: 6 | - name: macos-latest 7 | - name: windows-latest 8 | -------------------------------------------------------------------------------- /kitchen.global.yml: -------------------------------------------------------------------------------- 1 | --- 2 | provisioner: 3 | name: chef_infra 4 | product_name: chef 5 | 
product_version: <%= ENV['CHEF_VERSION'] || 'latest' %> 6 | channel: stable 7 | install_strategy: once 8 | chef_license: accept 9 | enforce_idempotency: <%= ENV['ENFORCE_IDEMPOTENCY'] || true %> 10 | multiple_converge: <%= ENV['MULTIPLE_CONVERGE'] || 2 %> 11 | deprecations_as_errors: true 12 | log_level: <%= ENV['CHEF_LOG_LEVEL'] || 'auto' %> 13 | 14 | verifier: 15 | name: inspec 16 | 17 | platforms: 18 | - name: almalinux-8 19 | - name: almalinux-9 20 | - name: amazonlinux-2023 21 | - name: centos-stream-9 22 | - name: debian-11 23 | - name: debian-12 24 | - name: fedora-latest 25 | - name: opensuse-leap-15 26 | - name: oraclelinux-8 27 | - name: oraclelinux-9 28 | - name: rockylinux-8 29 | - name: rockylinux-9 30 | - name: ubuntu-20.04 31 | - name: ubuntu-22.04 32 | - name: ubuntu-24.04 33 | -------------------------------------------------------------------------------- /kitchen.yml: -------------------------------------------------------------------------------- 1 | --- 2 | driver: 3 | name: vagrant 4 | 5 | provisioner: 6 | name: chef_infra 7 | product_name: <%= ENV['CHEF_PRODUCT_NAME'] || 'chef' %> 8 | product_version: <%= ENV['CHEF_VERSION'] || 'latest' %> 9 | chef_license: accept-no-persist 10 | enforce_idempotency: true 11 | multiple_converge: 2 12 | deprecations_as_errors: true 13 | log_level: <%= ENV['CHEF_LOG_LEVEL'] || 'auto' %> 14 | 15 | verifier: 16 | name: inspec 17 | 18 | platforms: 19 | - name: almalinux-8 20 | - name: amazonlinux-2 21 | - name: centos-7 22 | - name: centos-stream-8 23 | - name: debian-10 24 | - name: debian-11 25 | - name: fedora-latest 26 | - name: opensuse-leap-15 27 | - name: rockylinux-8 28 | - name: ubuntu-18.04 29 | - name: ubuntu-20.04 30 | 31 | suites: 32 | - name: server_json 33 | run_list: 34 | - recipe[test::server_json] 35 | - name: server_hcl 36 | run_list: 37 | - recipe[test::server_hcl] 38 | - name: server_hcl_ark 39 | run_list: 40 | - recipe[test::server_hcl_ark] 41 | - name: agent_json 42 | run_list: 43 | - 
recipe[test::agent_json] 44 | - name: agent_hcl 45 | run_list: 46 | - recipe[test::agent_hcl] 47 | -------------------------------------------------------------------------------- /libraries/common.rb: -------------------------------------------------------------------------------- 1 | module Vault 2 | module Cookbook 3 | module CommonHelpers 4 | def nil_or_empty?(v) 5 | v.nil? || (v.respond_to?(:empty?) && v.empty?) 6 | end 7 | 8 | def array_wrap(obj) 9 | return obj if obj.is_a?(Array) 10 | 11 | [obj] 12 | end 13 | 14 | private 15 | 16 | # Hash compact implementation for empties as well as nils 17 | def compact_hash(hash) 18 | return unless hash.is_a?(Hash) 19 | 20 | hash.delete_if { |_, v| v.nil? || (v.respond_to?(:empty?) && v.empty?) } 21 | end 22 | end 23 | end 24 | end 25 | -------------------------------------------------------------------------------- /libraries/helpers.rb: -------------------------------------------------------------------------------- 1 | module Vault 2 | module Cookbook 3 | module Helpers 4 | def default_vault_user 5 | 'vault' 6 | end 7 | 8 | def default_vault_group 9 | 'vault' 10 | end 11 | 12 | def default_vault_packages 13 | %w(vault) 14 | end 15 | 16 | def default_vault_config_dir 17 | '/etc/vault.d' 18 | end 19 | 20 | def default_vault_config_file(config_type) 21 | case config_type 22 | when :hcl 23 | vault_mode.eql?(:server) ? "#{config_dir}/#{vault_hcl_file_prefix}_#{name.gsub(' ', '_').downcase}.hcl" : '/etc/vault.d/vault.hcl' 24 | when :json 25 | '/etc/vault.d/vault.json' 26 | else 27 | raise ArgumentError, "default_vault_config_file: Invalid configuration type #{config_type}." 
28 | end 29 | end 30 | 31 | def default_vault_config_json 32 | { 33 | 'api_addr' => 'https://127.0.0.1:8200', 34 | 'cluster_addr' => 'https://127.0.0.1:8201', 35 | 'cache_size' => 131072, 36 | 'default_lease_ttl' => '768h', 37 | 'default_max_request_duration' => '90s', 38 | 'disable_cache' => false, 39 | 'disable_clustering' => false, 40 | 'disable_mlock' => false, 41 | 'disable_performance_standby' => true, 42 | 'disable_sealwrap' => false, 43 | 'listener' => { 44 | 'tcp' => { 45 | 'address' => '127.0.0.1:8200', 46 | 'cluster_address' => '127.0.0.1:8201', 47 | 'tls_cert_file' => '/opt/vault/tls/tls.crt', 48 | 'tls_key_file' => '/opt/vault/tls/tls.key', 49 | 'telemetry' => { 50 | 'unauthenticated_metrics_access' => false, 51 | }, 52 | }, 53 | }, 54 | 'max_lease_ttl' => '768h', 55 | 'raw_storage_endpoint' => false, 56 | 'storage' => { 57 | 'file' => { 58 | 'path' => '/opt/vault/data', 59 | }, 60 | }, 61 | 'ui' => true, 62 | } 63 | end 64 | 65 | def default_vault_config_hcl(section) 66 | case section 67 | when :global 68 | { 69 | 'api_addr' => 'https://127.0.0.1:8200', 70 | 'cluster_addr' => 'https://127.0.0.1:8201', 71 | 'cache_size' => 131072, 72 | 'default_lease_ttl' => '768h', 73 | 'default_max_request_duration' => '90s', 74 | 'disable_cache' => false, 75 | 'disable_clustering' => false, 76 | 'disable_mlock' => false, 77 | 'disable_performance_standby' => true, 78 | 'disable_sealwrap' => false, 79 | 'max_lease_ttl' => '768h', 80 | 'raw_storage_endpoint' => false, 81 | 'ui' => true, 82 | } 83 | else 84 | {} 85 | end 86 | end 87 | 88 | def default_vault_service_name 89 | vault_mode.eql?(:server) ? 
'vault' : 'vault-agent' 90 | end 91 | 92 | def default_vault_unit_content 93 | unit_content = { 94 | 'Unit' => { 95 | 'After' => [ 96 | 'network-online.target', 97 | ], 98 | 'Description' => 'HashiCorp Vault - A tool for managing secrets', 99 | 'Documentation' => 'https://www.vaultproject.io/docs/', 100 | 'Requires' => 'network-online.target', 101 | 'StartLimitIntervalSec' => 60, 102 | 'StartLimitBurst' => 3, 103 | }, 104 | 'Service' => { 105 | 'Type' => 'exec', 106 | 'User' => user, 107 | 'Group' => group, 108 | 'ProtectSystem' => 'full', 109 | 'ProtectHome' => 'read-only', 110 | 'PrivateTmp' => 'yes', 111 | 'PrivateDevices' => 'yes', 112 | 'SecureBits' => 'keep-caps', 113 | 'AmbientCapabilities' => 'CAP_IPC_LOCK', 114 | 'CapabilityBoundingSet' => 'CAP_SYSLOG CAP_IPC_LOCK', 115 | 'NoNewPrivileges' => 'yes', 116 | 'ExecStart' => "#{vault_binary_path} #{vault_mode.to_s} -config=#{vault_mode.eql?(:server) ? config_dir : config_file}", 117 | 'ExecReload' => '/bin/kill --signal HUP $MAINPID', 118 | 'KillMode' => 'process', 119 | 'KillSignal' => 'SIGINT', 120 | 'Restart' => 'on-failure', 121 | 'RestartSec' => 5, 122 | 'TimeoutStopSec' => 30, 123 | 'StartLimitInterval' => 60, 124 | 'StartLimitBurst' => 3, 125 | 'LimitNOFILE' => 65536, 126 | 'LimitMEMLOCK' => 'infinity', 127 | }, 128 | 'Install' => { 129 | 'WantedBy' => 'multi-user.target', 130 | }, 131 | } 132 | 133 | case vault_mode 134 | when :server 135 | unit_content['Unit']['ConditionPathIsDirectory'] = [ config_dir ] 136 | when :agent 137 | unit_content['Unit']['ConditionFileNotEmpty'] = [ config_file ] 138 | end 139 | unit_content['Unit'] = unit_content['Unit'].sort.to_h 140 | 141 | unit_content 142 | end 143 | end 144 | end 145 | end 146 | -------------------------------------------------------------------------------- /libraries/install.rb: -------------------------------------------------------------------------------- 1 | module Vault 2 | module Cookbook 3 | module InstallHelpers 4 | def vault_source(version) 
5 | platform = case node['platform_family'] 6 | when 'debian', 'rhel', 'suse', 'fedora', 'amazon' 7 | 'linux' 8 | when 'windows' 9 | 'windows' 10 | when 'mac_os_x' 11 | 'darwin' 12 | else 13 | raise ArgumentError, "vault_source: Unsupported platform family #{node['platform_family']}" 14 | end 15 | 16 | arch = case node['kernel']['machine'] 17 | when 'aarch64' 18 | 'arm64' 19 | when 'i386' 20 | '386' 21 | else 22 | 'amd64' 23 | end 24 | 25 | "https://releases.hashicorp.com/vault/#{version}/vault_#{version}_#{platform}_#{arch}.zip" 26 | end 27 | 28 | def vault_supporting_packages 29 | pkg = %w(unzip rsync) 30 | pkg.push('libcap2-bin') if platform_family?('debian') 31 | 32 | pkg 33 | end 34 | 35 | def vault_repo_platform 36 | case node['platform_family'] 37 | when 'rhel' 38 | 'RHEL' 39 | when 'fedora' 40 | 'fedora' 41 | when 'amazon' 42 | 'AmazonLinux' 43 | when 'debian' 44 | require 'mixlib/shellout' 45 | 46 | lsb_command = Mixlib::ShellOut.new('lsb_release -cs') 47 | lsb_command.run_command 48 | lsb_command.error! 49 | 50 | lsb_command.stdout.delete("\n") 51 | else 52 | raise ArgumentError, "vault_repo_platform: Unsupported platform family #{node['platform_family']}" 53 | end 54 | end 55 | end 56 | end 57 | end 58 | -------------------------------------------------------------------------------- /libraries/resource.rb: -------------------------------------------------------------------------------- 1 | require 'hcl/checker' 2 | 3 | module Vault 4 | module Cookbook 5 | module ResourceHelpers 6 | include Vault::Cookbook::CommonHelpers 7 | 8 | VAULT_GLOBAL_PROPERTIES = %i(global cache sentinel telemetry vault).freeze 9 | 10 | def vault_hcl_file_prefix 11 | "config_#{vault_hcl_config_type}" 12 | end 13 | 14 | def vault_hcl_config_type 15 | rn = defined?(new_resource) ? 
new_resource.resource_name : resource_name 16 | rn.to_s.gsub('hashicorp_vault_config_', '').to_sym 17 | end 18 | 19 | def vault_hcl_resource_template_add(type = vault_hcl_config_type, value = vault_hcl_resource_data) 20 | with_run_context(:root) do 21 | edit_resource(:file, '/etc/vault.d/vault.hcl').action(:delete) if new_resource.vault_mode.eql?(:server) && ::File.exist?('/etc/vault.d/vault.hcl') 22 | edit_resource(:directory, new_resource.config_dir) do |new_resource| 23 | owner new_resource.owner 24 | group new_resource.group 25 | mode '0750' 26 | 27 | recursive true 28 | 29 | action :create 30 | end 31 | 32 | edit_resource(:template, new_resource.config_file) do |new_resource| 33 | cookbook new_resource.cookbook 34 | source new_resource.template 35 | 36 | owner new_resource.owner 37 | group new_resource.group 38 | mode new_resource.mode 39 | sensitive new_resource.sensitive 40 | 41 | helpers(Vault::Cookbook::TemplateHelpers) 42 | 43 | if VAULT_GLOBAL_PROPERTIES.include?(type) 44 | variables[type] = value 45 | else 46 | variables[type] ||= [] 47 | variables[type].push(value) unless variables[type].include?(value) 48 | end 49 | 50 | case new_resource.vault_mode 51 | when :server 52 | action :create 53 | when :agent 54 | action :nothing 55 | delayed_action :create 56 | else 57 | raise "vault_hcl_resource_template: Invalid vault_mode #{new_resource.vault_mode}" 58 | end 59 | end 60 | end 61 | end 62 | 63 | def vault_hcl_resource_template_remove(type = vault_hcl_config_type, value = vault_hcl_resource_data) 64 | edit_resource(:template, new_resource.config_file).variables[type].delete(value) 65 | end 66 | 67 | def vault_hcl_resource_template?(type = vault_hcl_config_type, value = vault_hcl_resource_data) 68 | edit_resource(:template, new_resource.config_file).variables[type].include?(value) 69 | end 70 | 71 | def vault_hcl_config_current_load(config_file, config_type = nil) 72 | return {} unless vault_hcl_config_current_valid?(config_file) 73 | 74 | hclconf = 
HCL::Checker.parse(File.read(config_file)).transform_keys!(&:to_sym) 75 | hclconf[:global] = hclconf.filter { |_, v| !v.is_a?(Hash) && !v.is_a?(Array) } 76 | hclconf.filter! { |_, v| v.is_a?(Hash) || v.is_a?(Array) } 77 | hclconf = compact_hash(hclconf) 78 | 79 | return hclconf.fetch(config_type, {}) if config_type 80 | hclconf 81 | end 82 | 83 | private 84 | 85 | def vault_hcl_config_current_valid?(config_file) 86 | HCL::Checker.valid?(File.read(config_file)) 87 | rescue Errno::ENOENT 88 | false 89 | end 90 | 91 | def vault_hcl_resource_data 92 | case vault_hcl_config_type 93 | when :auto_auth 94 | resource_data = { 95 | name: new_resource.type, 96 | options: new_resource.options, 97 | type: new_resource.entry_type, 98 | } 99 | 100 | if new_resource.entry_type.eql?(:sink) 101 | resource_data[:options]['config'] ||= {} 102 | resource_data[:options]['config']['path'] = new_resource.path 103 | end 104 | 105 | resource_data 106 | when :template 107 | { 108 | description: new_resource.description, 109 | item_type: vault_hcl_config_type, 110 | options: new_resource.options.merge('destination' => new_resource.destination), 111 | } 112 | else 113 | { 114 | description: new_resource.description, 115 | item_type: vault_hcl_config_type, 116 | options: new_resource.options, 117 | name: new_resource.type, 118 | } 119 | end 120 | end 121 | end 122 | end 123 | end 124 | -------------------------------------------------------------------------------- /libraries/template.rb: -------------------------------------------------------------------------------- 1 | module Vault 2 | module Cookbook 3 | module TemplateHelpers 4 | include Vault::Cookbook::CommonHelpers 5 | 6 | VAULT_HCL_CONFIG_CONTAINED = %i(auto_auth).freeze 7 | VAULT_HCL_CONFIGURATION_ITEMS = %i(@global @auto_auth @cache @entropy @listener @seal @sentinel @service_registration @storage @telemetry @template @vault).freeze 8 | VAULT_HCL_CONFIG_BLOCK = %w(autopilot retry_join replication telemetry).freeze 9 | 10 | def 
vault_hcl_key(key) 11 | VAULT_HCL_CONFIG_BLOCK.include?(key) ? key : "#{key} =" 12 | end 13 | 14 | def vault_hcl_value(value) 15 | case value 16 | when TrueClass, FalseClass, Array 17 | value.to_s 18 | when String 19 | "\"#{value}\"" 20 | when Integer 21 | value 22 | else 23 | raise ArgumentError, "vault_hcl_value: Unsupported variable type #{value.class}. Value: #{value}." 24 | end 25 | end 26 | 27 | def template_render_hcl(type, items) 28 | hcl = [] 29 | 30 | case items 31 | when Array 32 | if VAULT_HCL_CONFIG_CONTAINED.include?(type.to_sym) 33 | hcl.push(render('vault/_hcl_items_contained.erb', cookbook: 'hashicorp-vault', variables: { container: type, items: items })) 34 | else 35 | items.each do |conf_item| 36 | hcl.push( 37 | render( 38 | 'vault/_hcl_item.erb', 39 | cookbook: 'hashicorp-vault', 40 | variables: { type: conf_item[:item_type], name: conf_item[:name], description: conf_item[:description], properties: conf_item[:options] } 41 | ) 42 | ) 43 | end 44 | end 45 | when Hash 46 | if type.eql?('global') 47 | hcl.push(render('vault/_hcl_settings.erb', cookbook: 'hashicorp-vault', variables: { properties: items })) 48 | else 49 | hcl.push(render('vault/_hcl_item.erb', cookbook: 'hashicorp-vault', variables: { type: type, properties: items })) 50 | end 51 | else 52 | raise ArgumentError, "Expected Array or Hash, got #{items.class}" 53 | end 54 | 55 | hcl.join("\n") 56 | end 57 | 58 | private 59 | 60 | def template_partial_indent(output, level, spaces = 2) 61 | raise ArgumentError, 'Spaces must be greater than 0' unless spaces > 0 62 | 63 | output.split("\n").each { |l| l.prepend(' ' * (level * spaces)) }.join("\n") 64 | end 65 | end 66 | end 67 | end 68 | -------------------------------------------------------------------------------- /metadata.rb: -------------------------------------------------------------------------------- 1 | name 'hashicorp-vault' 2 | maintainer 'Sous Chefs' 3 | maintainer_email 'help@sous-chefs.org' 4 | license 'Apache-2.0' 5 | 
description 'Application cookbook for installing and configuring Vault.' 6 | issues_url 'https://github.com/sous-chefs/vault/issues' 7 | source_url 'https://github.com/sous-chefs/vault' 8 | chef_version '>= 16' 9 | version '6.3.20' 10 | 11 | supports 'amazon' 12 | supports 'debian' 13 | supports 'centos' 14 | supports 'redhat' 15 | supports 'opensuseleap' 16 | supports 'suse' 17 | supports 'ubuntu' 18 | 19 | depends 'ark', '~> 6.0' 20 | 21 | gem 'hcl-checker', '~> 1.6' 22 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": ["config:base"], 4 | "packageRules": [ 5 | { 6 | "groupName": "Actions", 7 | "matchUpdateTypes": ["minor", "patch", "pin"], 8 | "automerge": true, 9 | "addLabels": ["Release: Patch", "Skip: Announcements"] 10 | }, 11 | { 12 | "groupName": "Actions", 13 | "matchUpdateTypes": ["major"], 14 | "automerge": false, 15 | "addLabels": ["Release: Patch", "Skip: Announcements"] 16 | } 17 | ] 18 | } 19 | -------------------------------------------------------------------------------- /resources/config.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook:: hashicorp-vault 3 | # Resource:: config 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
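#

unified_mode true

include Vault::Cookbook::Helpers

deprecated_property_alias 'config_location', 'config_file', 'The config_location property was renamed config_file in the 5.0 release of this cookbook. Please update your cookbooks to use the new property name.'

property :owner, String,
         default: lazy { default_vault_user },
         description: 'Set to override default vault user. Defaults to vault.'

property :group, String,
         default: lazy { default_vault_group },
         description: 'Set to override default vault group. Defaults to vault.'

# The rendered JSON is passed through the `sensitive` flag below, so treat the
# file as potentially secret-bearing; tighten the mode via this property if the
# group should not be able to read it.
property :mode, String,
         default: '0640',
         description: 'Set to override default vault config file mode. Defaults to 0640.'

property :config_file, String,
         default: lazy { default_vault_config_file(:json) },
         description: 'Set to override vault configuration file. Defaults to /etc/vault.d/vault.json',
         desired_state: false

property :cookbook, String,
         default: 'hashicorp-vault',
         description: 'Template source cookbook for the HCL configuration type.',
         desired_state: false

property :template, String,
         default: 'vault/hcl.erb',
         description: 'Template source file for the HCL configuration type.',
         desired_state: false

property :sensitive, [true, false],
         default: true,
         description: 'Ensure that sensitive resource data is not output by Chef Infra Client.',
         desired_state: false

property :config, Hash,
         default: lazy { default_vault_config_json },
         description: 'Vault server configuration as a ruby Hash.'

action_class do
  include Vault::Cookbook::Helpers
  include Vault::Cookbook::ResourceHelpers
end

# Load the on-disk JSON document together with the file's ownership and mode,
# so that converge_if_changed compares every desired-state property (owner,
# group, mode, config) against reality. The HCL resources in this cookbook
# load owner/group/mode the same way via ::Etc and ::File.stat.
load_current_value do |new_resource|
  current_value_does_not_exist! unless ::File.exist?(new_resource.config_file)

  stat = ::File.stat(new_resource.config_file)
  owner ::Etc.getpwuid(stat.uid).name
  group ::Etc.getgrgid(stat.gid).name
  mode stat.mode.to_s(8)[-4..-1]

  require 'json'
  config JSON.parse(::File.read(new_resource.config_file))
end

action :create do
  # NOTE(review): the HCL path removed here is hard-coded rather than derived
  # from config_file; presumably so only one configuration source remains.
  edit_resource(:file, '/etc/vault.d/vault.hcl') { action(:delete) } if ::File.exist?('/etc/vault.d/vault.hcl')

  converge_if_changed do
    # Installed immediately (compile_time) so the `require 'deepsort'` below
    # succeeds within this same action.
    chef_gem 'deepsort' do
      compile_time true
    end

    directory ::File.dirname(new_resource.config_file) do
      owner new_resource.owner
      group new_resource.group
      mode '0750'

      action :create
    end

    require 'json'
    require 'deepsort'

    file new_resource.config_file do
      # Keys are stringified and deep-sorted so the rendered document is stable
      # across runs regardless of Hash insertion order.
      content JSON.pretty_generate(new_resource.config.map { |key, val| [key.to_s, val] }.to_h.deep_sort).concat("\n")

      owner new_resource.owner
      group new_resource.group
      # Was a literal '0640', which silently ignored the `mode` property.
      mode new_resource.mode

      sensitive new_resource.sensitive

      action :create
    end
  end
end

action :delete do
  edit_resource(:file, new_resource.config_file) { action(:delete) }
end
-------------------------------------------------------------------------------- /resources/config_auto_auth.rb: --------------------------------------------------------------------------------
#
# Cookbook:: hashicorp-vault
# Resource:: config_auto_auth
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.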
16 | # 17 | 18 | unified_mode true 19 | 20 | %w(base item item_type).each { |t| use "partial/_config_hcl_#{t}" } 21 | 22 | property :entry_type, [String, Symbol], 23 | equal_to: %i(method sink), 24 | coerce: proc { |p| p.to_sym }, 25 | required: true, 26 | identity: true, 27 | description: 'Vault auto_auth configuration element entry type' 28 | 29 | property :path, String, 30 | identity: true, 31 | description: 'File path for sink configuration' 32 | 33 | property :vault_mode, [String, Symbol], 34 | coerce: proc { |p| p.to_sym }, 35 | equal_to: [:agent], 36 | default: :agent, 37 | desired_state: false, 38 | description: 'Vault service operation mode. Defaults to agent.' 39 | 40 | load_current_value do |new_resource| 41 | case entry_type 42 | when :method 43 | option_data = vault_hcl_config_current_load(new_resource.config_file, vault_hcl_config_type).dig(new_resource.entry_type.to_s, new_resource.type) 44 | 45 | current_value_does_not_exist! if nil_or_empty?(option_data) 46 | 47 | options option_data 48 | when :sink 49 | option_data = vault_hcl_config_current_load(new_resource.config_file, vault_hcl_config_type).fetch(new_resource.entry_type.to_s, []) 50 | option_data = array_wrap(option_data).filter { |s| s.dig(type, 'config', 'path').eql?(path) } 51 | 52 | current_value_does_not_exist! if nil_or_empty?(option_data) 53 | raise Chef::Exceptions::InvalidResourceReference, 54 | "Filter matched #{option_data.count} auto_auth #{new_resource.entry_type} configuration items but only should match one." 
if option_data.count > 1 55 | 56 | option_data = option_data.first&.fetch(type) 57 | option_data['config']&.delete('path') 58 | 59 | options compact_hash(option_data) 60 | end 61 | 62 | if ::File.exist?(new_resource.config_file) 63 | owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name 64 | group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name 65 | mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1] 66 | end 67 | end 68 | 69 | action :create do 70 | raise Chef::Exceptions::ValidationFailed, 'The path property is required for sink entries' if new_resource.entry_type.eql?(:sink) && !property_is_set?(:path) 71 | 72 | converge_if_changed { vault_hcl_resource_template_add } 73 | 74 | # We have to do this twice as the agent config file is accumulated and converge_if_changed won't always fire 75 | vault_hcl_resource_template_add if new_resource.vault_mode.eql?(:agent) 76 | end 77 | 78 | action :delete do 79 | raise Chef::Exceptions::ValidationFailed, 'The path property is required for sink entries' if new_resource.entry_type.eql?(:sink) && !property_is_set?(:path) 80 | 81 | converge_by('Remove configuration from accumulator template') { vault_hcl_resource_template_remove } if vault_hcl_resource_template? 82 | end 83 | -------------------------------------------------------------------------------- /resources/config_entropy.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook:: hashicorp-vault 3 | # Resource:: config_entropy 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | unified_mode true 19 | 20 | %w(base item item_type).each { |t| use "partial/_config_hcl_#{t}" } 21 | 22 | load_current_value do |new_resource| 23 | current_value_does_not_exist! unless ::File.exist?(new_resource.config_file) 24 | 25 | if ::File.exist?(new_resource.config_file) 26 | owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name 27 | group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name 28 | mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1] 29 | end 30 | 31 | options vault_hcl_config_current_load(new_resource.config_file).dig(vault_hcl_config_type, new_resource.type) 32 | end 33 | 34 | action :create do 35 | converge_if_changed { vault_hcl_resource_template_add } 36 | end 37 | 38 | action :delete do 39 | edit_resource(:file, new_resource.config_file) { action(:delete) } if ::File.exist?(new_resource.config_file) 40 | end 41 | -------------------------------------------------------------------------------- /resources/config_global.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook:: hashicorp-vault 3 | # Resource:: config_global 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | unified_mode true 19 | 20 | include Vault::Cookbook::Helpers 21 | include Vault::Cookbook::ResourceHelpers 22 | 23 | use 'partial/_config_hcl_base' 24 | 25 | property :global, Hash, 26 | default: lazy { default_vault_config_hcl(:global) }, 27 | coerce: proc { |p| p.transform_keys(&:to_s) }, 28 | description: 'Vault global configuration.' 29 | 30 | property :cache, Hash, 31 | default: lazy { default_vault_config_hcl(:cache) }, 32 | coerce: proc { |p| p.transform_keys(&:to_s) }, 33 | description: 'Vault global cache configuration.' 34 | 35 | property :sentinel, Hash, 36 | default: lazy { default_vault_config_hcl(:sentinel) }, 37 | coerce: proc { |p| p.transform_keys(&:to_s) }, 38 | description: 'Vault global sentinel configuration.' 39 | 40 | property :telemetry, Hash, 41 | default: lazy { default_vault_config_hcl(:telemetry) }, 42 | coerce: proc { |p| p.transform_keys(&:to_s) }, 43 | description: 'Vault global telemetry configuration.' 44 | 45 | property :vault, Hash, 46 | default: lazy { default_vault_config_hcl(:vault) }, 47 | coerce: proc { |p| p.transform_keys(&:to_s) }, 48 | description: 'Vault agent global vault configuration.' 49 | 50 | load_current_value do |new_resource| 51 | current_value_does_not_exist! 
unless ::File.exist?(new_resource.config_file) 52 | 53 | if ::File.exist?(new_resource.config_file) 54 | owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name 55 | group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name 56 | mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1] 57 | end 58 | 59 | Vault::Cookbook::ResourceHelpers::VAULT_GLOBAL_PROPERTIES.each { |property| send(property, vault_hcl_config_current_load(new_resource.config_file).fetch(property, {})) } 60 | end 61 | 62 | action :create do 63 | converge_if_changed do 64 | Vault::Cookbook::ResourceHelpers::VAULT_GLOBAL_PROPERTIES.each { |property| vault_hcl_resource_template_add(property, new_resource.send(property)) } 65 | end 66 | 67 | # We have to do this twice as the agent config file is accumulated and converge_if_changed won't always fire 68 | if new_resource.vault_mode.eql?(:agent) 69 | Vault::Cookbook::ResourceHelpers::VAULT_GLOBAL_PROPERTIES.each { |property| vault_hcl_resource_template_add(property, new_resource.send(property)) } 70 | end 71 | end 72 | 73 | action :delete do 74 | edit_resource(:file, new_resource.config_file) { action(:delete) } if ::File.exist?(new_resource.config_file) 75 | end 76 | -------------------------------------------------------------------------------- /resources/config_listener.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook:: hashicorp-vault 3 | # Resource:: config_listener 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | unified_mode true 19 | 20 | %w(base item item_type).each { |t| use "partial/_config_hcl_#{t}" } 21 | 22 | load_current_value do |new_resource| 23 | case vault_mode 24 | when :server 25 | current_value_does_not_exist! unless ::File.exist?(new_resource.config_file) 26 | 27 | options vault_hcl_config_current_load(config_file).dig(vault_hcl_config_type, new_resource.type) 28 | when :agent 29 | option_data = array_wrap(vault_hcl_config_current_load(new_resource.config_file, vault_hcl_config_type)).select { |l| l.keys.first.eql?(new_resource.type) } 30 | 31 | current_value_does_not_exist! if nil_or_empty?(option_data) 32 | raise Chef::Exceptions::InvalidResourceReference, 33 | "Filter matched #{option_data.count} listener configuration items but only should match one." if option_data.count > 1 34 | 35 | options option_data.first&.fetch(type) 36 | end 37 | 38 | if ::File.exist?(new_resource.config_file) 39 | owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name 40 | group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name 41 | mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1] 42 | end 43 | end 44 | 45 | action :create do 46 | converge_if_changed { vault_hcl_resource_template_add } 47 | 48 | # We have to do this twice as the agent config file is accumulated and converge_if_changed won't always fire 49 | vault_hcl_resource_template_add if new_resource.vault_mode.eql?(:agent) 50 | end 51 | 52 | action :delete do 53 | case vault_mode 54 | when :server 55 | edit_resource(:file, new_resource.config_file) { action(:delete) } if ::File.exist?(new_resource.config_file) 56 | when :agent 57 | converge_by('Remove configuration from accumulator template') { vault_hcl_resource_template_remove } if vault_hcl_resource_template? 
58 | end 59 | end 60 | -------------------------------------------------------------------------------- /resources/config_seal.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook:: hashicorp-vault 3 | # Resource:: config_seal 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | unified_mode true 19 | 20 | %w(base item item_type).each { |t| use "partial/_config_hcl_#{t}" } 21 | 22 | load_current_value do |new_resource| 23 | current_value_does_not_exist! 
unless ::File.exist?(new_resource.config_file) 24 | 25 | if ::File.exist?(new_resource.config_file) 26 | owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name 27 | group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name 28 | mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1] 29 | end 30 | 31 | options vault_hcl_config_current_load(config_file).dig(vault_hcl_config_type, new_resource.type) 32 | end 33 | 34 | action :create do 35 | converge_if_changed { vault_hcl_resource_template_add } 36 | end 37 | 38 | action :delete do 39 | edit_resource(:file, new_resource.config_file) { action(:delete) } if ::File.exist?(new_resource.config_file) 40 | end 41 | -------------------------------------------------------------------------------- /resources/config_service_registration.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook:: hashicorp-vault 3 | # Resource:: service_registration 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | unified_mode true 19 | 20 | %w(base item item_type).each { |t| use "partial/_config_hcl_#{t}" } 21 | 22 | load_current_value do |new_resource| 23 | current_value_does_not_exist! 
unless ::File.exist?(new_resource.config_file) 24 | 25 | if ::File.exist?(new_resource.config_file) 26 | owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name 27 | group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name 28 | mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1] 29 | end 30 | 31 | options vault_hcl_config_current_load(config_file).dig(vault_hcl_config_type, new_resource.type) 32 | end 33 | 34 | action :create do 35 | converge_if_changed { vault_hcl_resource_template_add } 36 | end 37 | 38 | action :delete do 39 | edit_resource(:file, new_resource.config_file) { action(:delete) } if ::File.exist?(new_resource.config_file) 40 | end 41 | -------------------------------------------------------------------------------- /resources/config_storage.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook:: hashicorp-vault 3 | # Resource:: config_storage 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | unified_mode true 19 | 20 | %w(base item item_type).each { |t| use "partial/_config_hcl_#{t}" } 21 | 22 | load_current_value do |new_resource| 23 | current_value_does_not_exist! 
unless ::File.exist?(new_resource.config_file) 24 | 25 | if ::File.exist?(new_resource.config_file) 26 | owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name 27 | group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name 28 | mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1] 29 | end 30 | 31 | options vault_hcl_config_current_load(config_file).dig(vault_hcl_config_type, new_resource.type) 32 | end 33 | 34 | action :create do 35 | converge_if_changed { vault_hcl_resource_template_add } 36 | end 37 | 38 | action :delete do 39 | edit_resource(:file, new_resource.config_file) { action(:delete) } if ::File.exist?(new_resource.config_file) 40 | end 41 | -------------------------------------------------------------------------------- /resources/config_template.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook:: hashicorp-vault 3 | # Resource:: config_template 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | unified_mode true 19 | 20 | %w(base item).each { |t| use "partial/_config_hcl_#{t}" } 21 | 22 | property :destination, String, 23 | coerce: proc { |p| p.to_s }, 24 | name_property: true, 25 | description: 'Vault template destination file.' 
26 | 27 | property :vault_mode, [String, Symbol], 28 | coerce: proc { |p| p.to_sym }, 29 | equal_to: [:agent], 30 | default: :agent, 31 | desired_state: false, 32 | description: 'Vault service operation mode. Defaults to agent.' 33 | 34 | load_current_value do |new_resource| 35 | option_data = vault_hcl_config_current_load(new_resource.config_file).fetch(vault_hcl_config_type, []).select { |t| t['destination'].eql?(new_resource.destination) } 36 | 37 | current_value_does_not_exist! if nil_or_empty?(option_data) 38 | raise Chef::Exceptions::InvalidResourceReference, 39 | "Filter matched #{option_data.count} template configuration items but only should match one." if option_data.count > 1 40 | 41 | options option_data.first.filter { |k, _| !k.eql?('destination') } 42 | 43 | if ::File.exist?(new_resource.config_file) 44 | owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name 45 | group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name 46 | mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1] 47 | end 48 | end 49 | 50 | action :create do 51 | raise 'The template resource can only be used in agent mode' unless new_resource.vault_mode.eql?(:agent) 52 | 53 | converge_if_changed { vault_hcl_resource_template_add } 54 | 55 | # We have to do this twice as the agent config file is accumulated and converge_if_changed won't always fire 56 | vault_hcl_resource_template_add if new_resource.vault_mode.eql?(:agent) 57 | end 58 | 59 | action :delete do 60 | converge_by('Remove configuration from accumulator template') { vault_hcl_resource_template_remove } if vault_hcl_resource_template? 
61 | end 62 | -------------------------------------------------------------------------------- /resources/install.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook:: hashicorp-vault 3 | # Resource:: install 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | unified_mode true 19 | 20 | include Vault::Cookbook::Helpers 21 | include Vault::Cookbook::InstallHelpers 22 | 23 | property :user, String, 24 | default: lazy { default_vault_user }, 25 | description: 'Set to override default vault user. Defaults to vault.' 26 | 27 | property :group, String, 28 | default: lazy { default_vault_group }, 29 | description: 'Set to override default vault group. Defaults to vault.' 30 | 31 | property :install_method, [String, Symbol], 32 | default: :repository, 33 | equal_to: [:repository, :ark], 34 | description: 'Set the method to install vault. Default to repo.' 35 | 36 | property :packages, [String, Array], 37 | coerce: proc { |p| p.is_a?(Array) ? p : [ p ] }, 38 | default: lazy { default_vault_packages }, 39 | description: 'Vault packages to install.' 40 | 41 | property :test_repo, [true, false], 42 | default: false, 43 | description: 'Enable hashicorp-testing repository' 44 | 45 | property :version, String, 46 | description: 'Set to specify the version of Vault to install.' 
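
property :url, String,
         default: lazy { vault_source(version) },
         description: 'Set to specify the source path to the zip file. Defaults to Vault public download site.'

# On the :ark path this checksum is the only integrity check applied to the
# downloaded archive; the :repository path relies on repository GPG signing.
property :checksum, String,
         description: 'Set to specify the SHA256 checksum for the installation zip package.'

action_class do
  include Vault::Cookbook::InstallHelpers

  # Create or remove the HashiCorp package repositories for the node's
  # platform family. resource_action is the calling action (:install,
  # :upgrade or :remove); only :remove maps to repository removal.
  def do_repository_action(resource_action)
    repo_action = resource_action.eql?(:remove) ? :remove : :create

    case node['platform_family']
    when 'rhel', 'fedora', 'amazon'
      yum_repository 'hashicorp' do
        description 'Hashicorp Stable - $basearch'
        baseurl "https://rpm.releases.hashicorp.com/#{vault_repo_platform}/$releasever/$basearch/stable"
        enabled true
        gpgcheck true
        gpgkey 'https://rpm.releases.hashicorp.com/gpg'

        action repo_action
      end

      # Only enabled when test_repo is set; signature checking stays on.
      yum_repository 'hashicorp-test' do
        description 'Hashicorp Test - $basearch'
        baseurl "https://rpm.releases.hashicorp.com/#{vault_repo_platform}/$releasever/$basearch/test"
        enabled new_resource.test_repo
        gpgcheck true
        gpgkey 'https://rpm.releases.hashicorp.com/gpg'

        action repo_action
      end
    when 'debian'
      apt_repository 'hashicorp' do
        uri 'https://apt.releases.hashicorp.com'
        distribution vault_repo_platform
        components ['main']
        arch 'amd64'
        key 'https://apt.releases.hashicorp.com/gpg'
        action resource_action.eql?(:remove) ? :remove : :add
      end
    else
      # The case above switches on platform_family, so report that value. The
      # previous message interpolated a bare `platform`, which does not appear
      # to be defined in this scope and would have raised NameError instead.
      raise "Vault repository installation is unsupported for platform family: #{node['platform_family']}"
    end
  end

  # Install, upgrade or remove the Vault package(s); on change, install shell
  # autocompletion for the account running Chef Infra Client.
  def do_package_action(resource_action)
    package 'vault' do
      package_name new_resource.packages
      version new_resource.version

      notifies :run, 'execute[vault -autocomplete-install]', :immediately
      action resource_action
    end

    # Runs as the chef-client user (normally root) and edits that user's ~/.bashrc.
    execute 'vault -autocomplete-install' do
      action :nothing
      only_if { ::File.exist?("#{Dir.home}/.bashrc") }
    end
  end
end

action :install do
  case new_resource.install_method
  when :repository
    do_repository_action(action)
    do_package_action(action)
  when :ark
    raise ArgumentError, 'ARK installation method requires version to be set' if new_resource.version.nil?

    group new_resource.group do
      comment 'Hashicorp Vault'
      system true

      action :create
    end

    # Dedicated system account with no login shell for running the service.
    user new_resource.user do
      comment 'Hashicorp Vault'
      group new_resource.group
      shell '/bin/false'
      system true

      action :create
    end

    package 'vault supporting packages' do
      package_name vault_supporting_packages

      action :install
    end

    ark 'vault' do
      url new_resource.url
      version new_resource.version
      checksum new_resource.checksum
      prefix_root '/opt/vault'
      has_binaries ['vault']
      prefix_bin '/usr/local/bin'
      strip_components 0

      action :install
    end

    # Grants cap_ipc_lock to the resolved binary (presumably so vault can lock
    # memory without running as root); `setcap -v` in the guard makes this
    # idempotent.
    execute 'setcap cap_ipc_lock' do
      command 'setcap cap_ipc_lock=+ep $(readlink -f /usr/local/bin/vault)'
      not_if 'setcap -v cap_ipc_lock+ep $(readlink -f /usr/local/bin/vault)'

      action :run
    end
  end
end

action :upgrade do
  case new_resource.install_method
  when :repository
    do_repository_action(action)
    do_package_action(action)
  when :ark
    raise ArgumentError, 'Update action is not supported for :ark install method.'
  end
end

action :remove do
  case new_resource.install_method
  when :repository
    do_repository_action(action)
    do_package_action(action)
  when :ark
    link '/usr/local/bin/vault' do
      action :delete
    end

    directory "/opt/vault/vault-#{new_resource.version}" do
      recursive true

      action :delete
    end

    edit_resource(:user, new_resource.user).action(:delete)
    # Was edit_resource(:group, new_resource.user): the group resource declared
    # in :install is keyed by new_resource.group, so that lookup never matched.
    edit_resource(:group, new_resource.group).action(:delete)
  end
end
-------------------------------------------------------------------------------- /resources/partial/_config_hcl_base.rb: --------------------------------------------------------------------------------
#
# Cookbook:: hashicorp-vault
# Resource:: _config_hcl_base
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

unified_mode true

include Vault::Cookbook::Helpers
include Vault::Cookbook::ResourceHelpers

property :owner, String,
         default: lazy { default_vault_user },
         description: 'Set to override default vault user. Defaults to vault.'

property :group, String,
         default: lazy { default_vault_group },
         description: 'Set to override default vault group. Defaults to vault.'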
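
# HCL config files rendered from these resources are marked `sensitive`
# below; the documented default now matches the actual default ('0640').
property :mode, String,
         default: '0640',
         description: 'Set to override default vault config file mode. Defaults to 0640.'

property :config_dir, String,
         default: lazy { default_vault_config_dir },
         desired_state: false,
         description: 'Set to override vault configuration directory.'

property :config_file, String,
         default: lazy { default_vault_config_file(:hcl) },
         desired_state: false,
         description: 'Set to override vault configuration file. Defaults to /etc/vault.d/{CONFIG_TYPE}_{name}.hcl'

property :cookbook, String,
         default: 'hashicorp-vault',
         desired_state: false,
         description: 'Template source cookbook for the HCL configuration type.'

property :template, String,
         default: 'vault/hcl.erb',
         desired_state: false,
         description: 'Template source file for the HCL configuration type.'

property :sensitive, [true, false],
         default: true,
         desired_state: false,
         description: 'Ensure that sensitive resource data is not output by Chef Infra Client.'

property :vault_mode, [String, Symbol],
         coerce: proc { |p| p.to_sym },
         equal_to: [:server, :agent],
         default: :server,
         desired_state: false,
         description: 'Vault service operation mode. Defaults to server.'

action_class do
  include Vault::Cookbook::Helpers
  include Vault::Cookbook::ResourceHelpers
end
-------------------------------------------------------------------------------- /resources/partial/_config_hcl_item.rb: --------------------------------------------------------------------------------
#
# Cookbook:: hashicorp-vault
# Resource:: _config_hcl_item
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.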
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | include Vault::Cookbook::Helpers 19 | 20 | property :options, Hash, 21 | default: lazy { default_vault_config_hcl(vault_hcl_config_type) }, 22 | description: 'Vault server configuration element configuration.' 23 | 24 | property :description, String, 25 | desired_state: false, 26 | description: 'Unparsed description to add to the configuration file.' 27 | -------------------------------------------------------------------------------- /resources/partial/_config_hcl_item_type.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook:: hashicorp-vault 3 | # Resource:: _config_hcl_item_type 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | property :type, [String, Symbol], 19 | coerce: proc { |p| p.to_s }, 20 | name_property: true, 21 | identity: true, 22 | required: true, 23 | description: 'Vault server configuration element type.' 
24 | -------------------------------------------------------------------------------- /resources/service.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook:: hashicorp-vault 3 | # Resource:: service 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | unified_mode true 19 | 20 | include Vault::Cookbook::Helpers 21 | include Vault::Cookbook::ResourceHelpers 22 | 23 | property :service_name, String, 24 | coerce: proc { |p| "#{p}.service" }, 25 | default: lazy { default_vault_service_name }, 26 | description: 'Set to override service name. Defaults to vault.' 27 | 28 | property :config_type, [Symbol, String], 29 | coerce: proc { |p| p.to_sym }, 30 | equal_to: [:hcl, :json], 31 | default: :hcl, 32 | description: 'Vault configuration type used. Defaults to HCL.' 33 | 34 | property :systemd_unit_content, [String, Hash], 35 | default: lazy { default_vault_unit_content }, 36 | description: 'Override the systemd unit file contents' 37 | 38 | property :vault_binary_path, String, 39 | default: '/usr/bin/vault', 40 | description: 'Path to the vault binary on disk.' 41 | 42 | property :user, String, 43 | default: lazy { default_vault_user }, 44 | description: 'Set to override default vault user. Defaults to vault.' 45 | 46 | property :group, String, 47 | default: lazy { default_vault_group }, 48 | description: 'Set to override default vault group. Defaults to vault.' 
49 | 50 | property :config_file, String, 51 | default: lazy { default_vault_config_file(:hcl) }, 52 | description: 'Set to override vault configuration file. Defaults to /etc/vault.d/vault.hcl' 53 | 54 | property :config_dir, String, 55 | default: lazy { default_vault_config_dir }, 56 | description: 'Set to override vault configuration directory.' 57 | 58 | property :vault_mode, [String, Symbol], 59 | coerce: proc { |p| p.to_sym }, 60 | equal_to: [:server, :agent], 61 | default: :server, 62 | description: 'Vault service operation mode. Defaults to server.' 63 | 64 | action_class do 65 | def do_service_action(resource_action) 66 | declare_resource(:service, new_resource.service_name.delete_suffix('.service')) do 67 | supports status: true, restart: true, reload: true 68 | 69 | action resource_action 70 | end 71 | end 72 | end 73 | 74 | action :create do 75 | systemd_unit new_resource.service_name do 76 | content new_resource.systemd_unit_content 77 | triggers_reload true 78 | 79 | action :create 80 | end 81 | end 82 | 83 | action :delete do 84 | do_service_action(:stop) 85 | 86 | systemd_unit new_resource.name do 87 | triggers_reload true 88 | 89 | action :delete 90 | end 91 | end 92 | 93 | %i(start stop restart reload enable disable).each do |action_type| 94 | send(:action, action_type) { do_service_action(action) } 95 | end 96 | -------------------------------------------------------------------------------- /spec/spec_helper.rb: -------------------------------------------------------------------------------- 1 | require 'chefspec' 2 | require 'chefspec/berkshelf' 3 | 4 | RSpec.configure do |config| 5 | config.color = true # Use color in STDOUT 6 | config.formatter = :documentation # Use the specified formatter 7 | config.log_level = :error # Avoid deprecation notice SPAM 8 | end 9 | -------------------------------------------------------------------------------- /spec/unit/resources/config_auto_auth_spec.rb: 
-------------------------------------------------------------------------------- 1 | require 'spec_helper' 2 | 3 | describe 'hashicorp_vault_config_auto_auth' do 4 | step_into :hashicorp_vault_config_auto_auth 5 | platform 'centos' 6 | 7 | context 'create a method auto auth HCL configuration' do 8 | recipe do 9 | hashicorp_vault_config_auto_auth 'aws' do 10 | entry_type :method 11 | type 'aws' 12 | options( 13 | 'mount_path' => 'auth/aws-subaccount', 14 | 'config' => { 15 | 'type' => 'iam', 16 | 'role' => 'foobar', 17 | } 18 | ) 19 | end 20 | end 21 | 22 | it 'Creates the configuration file correctly' do 23 | is_expected.to render_file('/etc/vault.d/vault.hcl') 24 | .with_content(/# auto_auth/) 25 | .with_content(%r{ mount_path = "auth\/aws-subaccount"}) 26 | .with_content(/ type = "iam"/) 27 | end 28 | end 29 | 30 | context 'create a sink auto auth HCL configuration' do 31 | recipe do 32 | hashicorp_vault_config_auto_auth 'file' do 33 | entry_type :sink 34 | type 'file' 35 | path '/tmp/file-bar' 36 | options( 37 | 'wrap_ttl' => '5m', 38 | 'aad_env_var' => 'TEST_AAD_ENV', 39 | 'dh_type' => 'curve25519', 40 | 'dh_path' => '/tmp/file-foo-dhpath2' 41 | ) 42 | end 43 | end 44 | 45 | it 'Creates the configuration file correctly' do 46 | is_expected.to render_file('/etc/vault.d/vault.hcl') 47 | .with_content(/# auto_auth/) 48 | .with_content(/ dh_type = "curve25519"/) 49 | .with_content(%r{ path = "\/tmp\/file-bar"}) 50 | end 51 | end 52 | 53 | context 'create a combined method auto auth HCL configuration' do 54 | recipe do 55 | hashicorp_vault_config_auto_auth 'aws_test' do 56 | entry_type :method 57 | type 'aws' 58 | options( 59 | 'mount_path' => 'auth/aws-subaccount', 60 | 'config' => { 61 | 'type' => 'iam', 62 | 'role' => 'foobar', 63 | } 64 | ) 65 | end 66 | 67 | hashicorp_vault_config_auto_auth 'aws_test' do 68 | entry_type :sink 69 | type 'file' 70 | path '/tmp/file-bar' 71 | options( 72 | 'wrap_ttl' => '5m', 73 | 'aad_env_var' => 'TEST_AAD_ENV', 74 | 'dh_type' => 
'curve25519', 75 | 'dh_path' => '/tmp/file-foo-dhpath2' 76 | ) 77 | end 78 | end 79 | 80 | it 'Creates the configuration file correctly' do 81 | is_expected.to render_file('/etc/vault.d/vault.hcl') 82 | .with_content(/# auto_auth/) 83 | .with_content(/method "aws"/) 84 | .with_content(%r{ mount_path = "auth\/aws-subaccount"}) 85 | .with_content(/ type = "iam"/) 86 | .with_content(/sink "file"/) 87 | .with_content(/ dh_type = "curve25519"/) 88 | .with_content(%r{ path = "\/tmp\/file-bar"}) 89 | end 90 | end 91 | end 92 | -------------------------------------------------------------------------------- /spec/unit/resources/config_entropy_spec.rb: -------------------------------------------------------------------------------- 1 | require 'spec_helper' 2 | 3 | describe 'hashicorp_vault_config_entropy' do 4 | step_into :hashicorp_vault_config_entropy 5 | platform 'centos' 6 | 7 | context 'create entropy HCL configuration' do 8 | recipe do 9 | hashicorp_vault_config_entropy 'seal' do 10 | type 'seal' 11 | options( 12 | 'mode' => 'augmentation' 13 | ) 14 | end 15 | end 16 | 17 | it 'Creates the configuration file correctly' do 18 | is_expected.to render_file('/etc/vault.d/config_entropy_seal.hcl') 19 | .with_content(/# entropy/) 20 | .with_content(/entropy "seal" {/) 21 | .with_content(/ mode = "augmentation"/) 22 | end 23 | end 24 | end 25 | -------------------------------------------------------------------------------- /spec/unit/resources/config_listener_spec.rb: -------------------------------------------------------------------------------- 1 | require 'spec_helper' 2 | 3 | describe 'hashicorp_vault_config_listener' do 4 | step_into :hashicorp_vault_config_listener 5 | platform 'centos' 6 | 7 | context 'create server listener HCL configuration' do 8 | recipe do 9 | hashicorp_vault_config_listener 'tcp' do 10 | type 'tcp' 11 | options( 12 | 'address' => '127.0.0.1:8200', 13 | 'cluster_address' => '127.0.0.1:8201', 14 | 'tls_cert_file' => '/opt/vault/tls/tls.crt', 15 
| 'tls_key_file' => '/opt/vault/tls/tls.key', 16 | 'telemetry' => { 17 | 'unauthenticated_metrics_access' => false, 18 | } 19 | ) 20 | end 21 | end 22 | 23 | it 'Creates the configuration file correctly' do 24 | is_expected.to render_file('/etc/vault.d/config_listener_tcp.hcl') 25 | .with_content(/# listener/) 26 | .with_content(/listener "tcp" {/) 27 | .with_content(/ cluster_address = "127.0.0.1:8201"/) 28 | .with_content(/ unauthenticated_metrics_access = false/) 29 | end 30 | end 31 | 32 | context 'create agent tcp listener HCL configuration' do 33 | recipe do 34 | hashicorp_vault_config_listener 'tcp' do 35 | vault_mode :agent 36 | type 'tcp' 37 | options( 38 | 'address' => '127.0.0.1:8200', 39 | 'tls_disable' => true 40 | ) 41 | end 42 | end 43 | 44 | it 'Creates the configuration file correctly' do 45 | is_expected.to render_file('/etc/vault.d/vault.hcl') 46 | .with_content(/# listener/) 47 | .with_content(/listener "tcp" {/) 48 | .with_content(/ address = "127.0.0.1:8200"/) 49 | .with_content(/ tls_disable = true/) 50 | end 51 | end 52 | 53 | context 'create agent unix listener HCL configuration' do 54 | recipe do 55 | hashicorp_vault_config_listener 'unix' do 56 | vault_mode :agent 57 | type 'unix' 58 | options( 59 | 'address' => '/tmp/vault_agent_unix.sock', 60 | 'tls_disable' => false 61 | ) 62 | end 63 | end 64 | 65 | it 'Creates the configuration file correctly' do 66 | is_expected.to render_file('/etc/vault.d/vault.hcl') 67 | .with_content(/# listener/) 68 | .with_content(/listener "unix" {/) 69 | .with_content(%r{ address = "\/tmp\/vault_agent_unix.sock"}) 70 | .with_content(/ tls_disable = false/) 71 | end 72 | end 73 | end 74 | -------------------------------------------------------------------------------- /spec/unit/resources/config_seal_spec.rb: -------------------------------------------------------------------------------- 1 | require 'spec_helper' 2 | 3 | describe 'hashicorp_vault_config_seal' do 4 | step_into :hashicorp_vault_config_seal 5 | 
platform 'centos' 6 | 7 | context 'create seal HCL configuration' do 8 | recipe do 9 | hashicorp_vault_config_seal 'awskms' do 10 | options( 11 | 'region' => 'us-east-1', 12 | 'access_key' => 'AKIAIOSFODNN7EXAMPLE', 13 | 'secret_key' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY', 14 | 'kms_key_id' => '19ec80b0-dfdd-4d97-8164-c6examplekey', 15 | 'endpoint' => 'https://vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com' 16 | ) 17 | end 18 | end 19 | 20 | it 'Creates the configuration file correctly' do 21 | is_expected.to render_file('/etc/vault.d/config_seal_awskms.hcl') 22 | .with_content(/# seal/) 23 | .with_content(/seal "awskms" {/) 24 | .with_content(/ region = "us-east-1"/) 25 | .with_content(%r{ endpoint = "https:\/\/vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com"}) 26 | end 27 | end 28 | end 29 | -------------------------------------------------------------------------------- /spec/unit/resources/config_service_registration_spec.rb: -------------------------------------------------------------------------------- 1 | require 'spec_helper' 2 | 3 | describe 'hashicorp_vault_config_service_registration' do 4 | step_into :hashicorp_vault_config_service_registration 5 | platform 'centos' 6 | 7 | context 'create service registration HCL configuration' do 8 | recipe do 9 | hashicorp_vault_config_service_registration 'kubernetes' do 10 | type 'kubernetes' 11 | options( 12 | 'namespace' => 'my-namespace', 13 | 'pod_name' => 'my-pod-name' 14 | ) 15 | end 16 | end 17 | 18 | it 'Creates the configuration file correctly' do 19 | is_expected.to render_file('/etc/vault.d/config_service_registration_kubernetes.hcl') 20 | .with_content(/# service_registration/) 21 | .with_content(/service_registration "kubernetes" {/) 22 | .with_content(/ namespace = "my-namespace"/) 23 | .with_content(/ pod_name = "my-pod-name"/) 24 | end 25 | end 26 | end 27 | -------------------------------------------------------------------------------- 
/spec/unit/resources/config_storage_spec.rb: -------------------------------------------------------------------------------- 1 | require 'spec_helper' 2 | 3 | describe 'hashicorp_vault_config_storage' do 4 | step_into :hashicorp_vault_config_storage 5 | platform 'centos' 6 | 7 | context 'create file storage HCL configuration' do 8 | recipe do 9 | hashicorp_vault_config_storage 'file test' do 10 | type 'file' 11 | options( 12 | 'path' => '/opt/vault/data' 13 | ) 14 | end 15 | end 16 | 17 | it 'Creates the configuration file correctly' do 18 | is_expected.to render_file('/etc/vault.d/config_storage_file_test.hcl') 19 | .with_content(/# storage/) 20 | .with_content(/storage "file" {/) 21 | .with_content(%r{ path = "\/opt\/vault\/data"}) 22 | end 23 | end 24 | 25 | context 'create inmem storage HCL configuration' do 26 | recipe do 27 | hashicorp_vault_config_storage 'inmem test' do 28 | type 'inmem' 29 | end 30 | end 31 | 32 | it 'Creates the configuration file correctly' do 33 | is_expected.to render_file('/etc/vault.d/config_storage_inmem_test.hcl') 34 | .with_content(/# storage/) 35 | .with_content(/storage "inmem" {/) 36 | end 37 | end 38 | end 39 | -------------------------------------------------------------------------------- /spec/unit/resources/config_template_spec.rb: -------------------------------------------------------------------------------- 1 | require 'spec_helper' 2 | 3 | describe 'hashicorp_vault_config_template' do 4 | step_into :hashicorp_vault_config_template 5 | platform 'centos' 6 | 7 | context 'create service registration HCL configuration' do 8 | recipe do 9 | hashicorp_vault_config_template '/etc/vault/server.key' do 10 | options( 11 | 'source' => '/etc/vault/server.key.ctmpl', 12 | 'destination' => '/etc/vault/server.key' 13 | ) 14 | end 15 | 16 | hashicorp_vault_config_template '/etc/vault/server.crt' do 17 | options( 18 | 'source' => '/etc/vault/server.crt.ctmpl', 19 | 'destination' => '/etc/vault/server.crt' 20 | ) 21 | end 22 | end 23 
| 24 | it 'Creates the configuration file correctly' do 25 | is_expected.to render_file('/etc/vault.d/vault.hcl') 26 | .with_content(/# template/) 27 | .with_content(/template {/) 28 | .with_content(%r{ source = "/etc/vault/server.crt.ctmpl"}) 29 | .with_content(%r{ destination = "/etc/vault/server.crt"}) 30 | 31 | is_expected.to render_file('/etc/vault.d/vault.hcl') 32 | .with_content(/# template/) 33 | .with_content(/template {/) 34 | .with_content(%r{ source = "/etc/vault/server.key.ctmpl"}) 35 | .with_content(%r{ destination = "/etc/vault/server.key"}) 36 | end 37 | end 38 | end 39 | -------------------------------------------------------------------------------- /spec/unit/resources/install_spec.rb: -------------------------------------------------------------------------------- 1 | require 'spec_helper' 2 | 3 | describe 'hashicorp_vault_install' do 4 | step_into :hashicorp_vault_install 5 | platform 'centos' 6 | 7 | context 'install vault' do 8 | recipe do 9 | hashicorp_vault_install 'package' 10 | end 11 | 12 | describe 'creates repo and installs vault' do 13 | it { is_expected.to create_yum_repository('hashicorp') } 14 | it { is_expected.to create_yum_repository('hashicorp-test') } 15 | it { is_expected.to install_package('vault') } 16 | end 17 | end 18 | end 19 | -------------------------------------------------------------------------------- /spec/unit/resources/service_spec.rb: -------------------------------------------------------------------------------- 1 | require 'spec_helper' 2 | 3 | describe 'hashicorp_vault_service' do 4 | step_into :hashicorp_vault_service 5 | platform 'centos' 6 | 7 | context 'create a vault service and verify service is created properly' do 8 | recipe do 9 | hashicorp_vault_service 'vault' do 10 | action %i(create enable start) 11 | end 12 | end 13 | 14 | describe 'creates systemd unit file' do 15 | it { is_expected.to create_systemd_unit('vault.service') } 16 | end 17 | 18 | describe 'enables and starts service' do 19 | it { 
is_expected.to enable_service('vault') } 20 | it { is_expected.to start_service('vault') } 21 | end 22 | end 23 | end 24 | -------------------------------------------------------------------------------- /templates/default/vault/_hcl_item.erb: -------------------------------------------------------------------------------- 1 | <% unless nil_or_empty?(@description) %> 2 | # <%= @description %> 3 | <% end %> 4 | <%= @type %><% unless nil_or_empty?(@name) -%> <%= vault_hcl_value(@name) %><% end -%> { 5 | <%= template_partial_indent(render('vault/_hcl_settings.erb', cookbook: 'hashicorp-vault', variables: { properties: @properties }), 1) %> 6 | } 7 | -------------------------------------------------------------------------------- /templates/default/vault/_hcl_items_contained.erb: -------------------------------------------------------------------------------- 1 | <%= @container %><% unless nil_or_empty?(@containername) -%> <%= vault_hcl_value(@containername) %><% end -%> { 2 | <% @items.each_with_index do |conf_item, index| -%> 3 | <%= template_partial_indent(render('vault/_hcl_item.erb', cookbook: 'hashicorp-vault', variables: { type: conf_item[:type], name: conf_item[:name], properties: conf_item[:options] }), 1) %> 4 | <% if index < (@items.count - 1) %> 5 | 6 | <% end -%> 7 | <% end -%> 8 | } 9 | -------------------------------------------------------------------------------- /templates/default/vault/_hcl_settings.erb: -------------------------------------------------------------------------------- 1 | <% @properties.filter { |_, v| !(v.is_a?(Array) || v.is_a?(Hash)) }.sort.each do |key, value| -%> 2 | <%= vault_hcl_key(key.to_s) %> <%= vault_hcl_value(value) %> 3 | <% end -%> 4 | <% unless @properties.filter { |_, v| v.is_a?(Array) || v.is_a?(Hash) }.empty? 
-%> 5 | 6 | <% @properties.sort.each_with_index do |(key, value), index| -%> 7 | <% if value.is_a?(Array) -%> 8 | <% value.each do |val| %> 9 | <%= vault_hcl_key(key.to_s) %> { 10 | <%= template_partial_indent(render('vault/_hcl_settings.erb', cookbook: 'hashicorp-vault', variables: { properties: val }), 1) %> 11 | } 12 | <% if index < (@properties.count - 1) %> 13 | 14 | <% end -%> 15 | <% end -%> 16 | <% elsif value.is_a?(Hash) -%> 17 | <%= vault_hcl_key(key.to_s) %> { 18 | <%= template_partial_indent(render('vault/_hcl_settings.erb', cookbook: 'hashicorp-vault', variables: { properties: value }), 1) %> 19 | } 20 | <% if index < (@properties.count - 1) %> 21 | 22 | <% end -%> 23 | <% end -%> 24 | <% end -%> 25 | <% end -%> 26 | -------------------------------------------------------------------------------- /templates/default/vault/hcl.erb: -------------------------------------------------------------------------------- 1 | # 2 | # Generated by Chef for <%= node['fqdn'] %> 3 | # Do NOT modify this file by hand, changes will be overwritten. 
4 | # 5 | 6 | <% Vault::Cookbook::TemplateHelpers::VAULT_HCL_CONFIGURATION_ITEMS.each do |conf_type| -%> 7 | <% next if nil_or_empty?(instance_variable_get(conf_type)) -%> 8 | # <%= conf_type.to_s.delete('@') %> 9 | <%= template_render_hcl(conf_type.to_s.delete('@'), instance_variable_get(conf_type)) %> 10 | <% end -%> 11 | -------------------------------------------------------------------------------- /test/cookbooks/test/metadata.rb: -------------------------------------------------------------------------------- 1 | name 'test' 2 | maintainer 'Sous Chefs' 3 | maintainer_email 'help@sous-chefs.org' 4 | license 'Apache-2.0' 5 | description 'Installs/Configures test' 6 | version '0.1.0' 7 | 8 | depends 'hashicorp-vault' 9 | -------------------------------------------------------------------------------- /test/cookbooks/test/recipes/agent_hcl.rb: -------------------------------------------------------------------------------- 1 | hashicorp_vault_install 'package' do 2 | action :upgrade 3 | end 4 | 5 | hashicorp_vault_config_global 'vault' do 6 | vault_mode :agent 7 | global( 8 | 'log_level' => 'info' 9 | ) 10 | cache( 11 | 'use_auto_auth_token' => true 12 | ) 13 | vault( 14 | 'address' => 'https://127.0.0.1:8200' 15 | ) 16 | 17 | sensitive false 18 | notifies :restart, 'hashicorp_vault_service[vault-agent]', :delayed 19 | end 20 | 21 | hashicorp_vault_config_auto_auth 'method_approle' do 22 | entry_type :method 23 | type 'approle' 24 | options( 25 | 'config' => { 26 | 'role_id_file_path' => '/etc/vault/role_id', 27 | 'secret_id_file_path' => '/etc/vault/role_secret', 28 | } 29 | ) 30 | sensitive false 31 | end 32 | 33 | hashicorp_vault_config_auto_auth 'sink_file_1' do 34 | entry_type :sink 35 | type 'file' 36 | path '/tmp/file-foo' 37 | sensitive false 38 | end 39 | 40 | hashicorp_vault_config_auto_auth 'sink_file_2' do 41 | entry_type 'sink' 42 | type 'file' 43 | path '/tmp/file-bar' 44 | options( 45 | 'wrap_ttl' => '5m', 46 | 'aad_env_var' => 'TEST_AAD_ENV', 47 
| 'dh_type' => 'curve25519', 48 | 'dh_path' => '/tmp/file-foo-dhpath2' 49 | ) 50 | sensitive false 51 | end 52 | 53 | hashicorp_vault_config_listener 'unix' do 54 | vault_mode :agent 55 | options( 56 | 'address' => '/tmp/vault_agent_unix.sock', 57 | 'tls_disable' => true 58 | ) 59 | sensitive false 60 | end 61 | 62 | hashicorp_vault_config_listener 'tcp' do 63 | vault_mode :agent 64 | type 'tcp' 65 | options( 66 | 'address' => '127.0.0.1:8100', 67 | 'tls_disable' => true 68 | ) 69 | sensitive false 70 | end 71 | 72 | %w(crt key).each { |f| file "/etc/vault.d/server.#{f}.ctmpl" } 73 | 74 | hashicorp_vault_config_template '/etc/vault.d/server.key' do 75 | options( 76 | 'source' => '/etc/vault.d/server.key.ctmpl' 77 | ) 78 | sensitive false 79 | end 80 | 81 | hashicorp_vault_config_template '/etc/vault.d/server.crt' do 82 | options( 83 | 'source' => '/etc/vault.d/server.crt.ctmpl' 84 | ) 85 | sensitive false 86 | end 87 | 88 | hashicorp_vault_service 'vault-agent' do 89 | vault_mode :agent 90 | action %i(create enable start) 91 | end 92 | -------------------------------------------------------------------------------- /test/cookbooks/test/recipes/agent_json.rb: -------------------------------------------------------------------------------- 1 | hashicorp_vault_install 'package' do 2 | action :upgrade 3 | end 4 | 5 | hashicorp_vault_config 'vault' do 6 | config_file '/etc/vault.d/vault-agent.json' 7 | config( 8 | 'log_level' => 'info', 9 | 'vault' => { 10 | 'address' => 'https://127.0.0.1:8200', 11 | }, 12 | 'auto_auth' => { 13 | 'method' => [ 14 | { 15 | 'type' => 'approle', 16 | 'config' => { 17 | 'role_id_file_path' => '/etc/vault/role_id', 18 | 'secret_id_file_path' => '/etc/vault/role_secret', 19 | }, 20 | }, 21 | ], 22 | 'sinks' => [ 23 | { 24 | 'sink' => { 25 | 'type' => 'file', 26 | 'config' => { 27 | 'path' => '/tmp/file-sink', 28 | }, 29 | }, 30 | }, 31 | ], 32 | }, 33 | 'cache' => { 34 | 'use_auto_auth_token' => true, 35 | }, 36 | 'listener' => { 37 | 'unix' 
=> { 38 | 'address' => '/tmp/vault_agent_unix.sock', 39 | 'tls_disable' => true, 40 | }, 41 | 'tcp' => { 42 | 'address' => '127.0.0.1:8100', 43 | 'tls_disable' => true, 44 | }, 45 | }, 46 | 'template' => [ 47 | { 48 | 'source' => '/etc/vault.d/server.crt.ctmpl', 49 | 'destination' => '/etc/vault.d/server.crt', 50 | }, 51 | { 52 | 'source' => '/etc/vault.d/server.key.ctmpl', 53 | 'destination' => '/etc/vault.d/server.key', 54 | }, 55 | ] 56 | ) 57 | 58 | sensitive false 59 | end 60 | 61 | %w(crt key).each { |f| file "/etc/vault.d/server.#{f}.ctmpl" } 62 | 63 | hashicorp_vault_service 'vault' do 64 | config_file '/etc/vault.d/vault-agent.json' 65 | vault_mode :agent 66 | 67 | action %i(create enable start) 68 | 69 | subscribes :restart, 'template[/etc/vault.d/vault-agent.json]', :delayed 70 | end 71 | -------------------------------------------------------------------------------- /test/cookbooks/test/recipes/server_hcl.rb: -------------------------------------------------------------------------------- 1 | hashicorp_vault_install 'package' do 2 | action :upgrade 3 | end 4 | 5 | hashicorp_vault_config_global 'vault' do 6 | sensitive false 7 | telemetry( 8 | statsite_address: '127.0.0.1:8125', 9 | disable_hostname: true 10 | ) 11 | notifies :restart, 'hashicorp_vault_service[vault]', :delayed 12 | action :create 13 | end 14 | 15 | hashicorp_vault_config_listener 'tcp' do 16 | sensitive false 17 | type 'tcp' 18 | description 'Test TCP listener' 19 | options( 20 | 'address' => '127.0.0.1:8200', 21 | 'cluster_address' => '127.0.0.1:8201', 22 | 'tls_cert_file' => '/opt/vault/tls/tls.crt', 23 | 'tls_key_file' => '/opt/vault/tls/tls.key', 24 | 'telemetry' => { 25 | 'unauthenticated_metrics_access' => false, 26 | } 27 | ) 28 | notifies :restart, 'hashicorp_vault_service[vault]', :delayed 29 | end 30 | 31 | hashicorp_vault_config_storage 'file' do 32 | sensitive false 33 | options( 34 | 'path' => '/opt/vault/data' 35 | ) 36 | description 'Test file storage' 37 | notifies 
:restart, 'hashicorp_vault_service[vault]', :delayed 38 | end 39 | 40 | hashicorp_vault_config_storage 'raft' do 41 | config_dir '/etc/vault.test.d' 42 | sensitive false 43 | options( 44 | 'path' => '/opt/vault/data', 45 | 'retry_join' => [ 46 | { 47 | 'leader_api_addr' => 'http://127.0.0.2:8200', 48 | 'leader_ca_cert_file' => '/path/to/ca1', 49 | 'leader_client_cert_file' => '/path/to/client/cert1', 50 | 'leader_client_key_file' => 'path/to/client/key1', 51 | }, 52 | { 53 | 'leader_api_addr' => 'http://127.0.0.3:8200', 54 | 'leader_ca_cert_file' => '/path/to/ca2', 55 | 'leader_client_cert_file' => '/path/to/client/cert2', 56 | 'leader_client_key_file' => 'path/to/client/key2', 57 | }, 58 | { 59 | 'leader_api_addr' => 'http://127.0.0.4:8200', 60 | 'leader_ca_cert_file' => '/path/to/ca3', 61 | 'leader_client_cert_file' => '/path/to/client/cert3', 62 | 'leader_client_key_file' => 'path/to/client/key3', 63 | }, 64 | { 65 | 'auto_join' => 'provider=aws region=eu-west-1 tag_key=vault tag_value=... access_key_id=... 
secret_access_key=...', 66 | }, 67 | ], 68 | 'autopilot' => { 69 | 'cleanup_dead_servers' => 'true', 70 | 'last_contact_threshold' => '200ms', 71 | 'last_contact_failure_threshold' => '10m', 72 | 'max_trailing_logs' => 250, 73 | 'min_quorum' => 5, 74 | 'server_stabilization_time' => '10s', 75 | } 76 | ) 77 | description 'Test raft storage' 78 | notifies :restart, 'hashicorp_vault_service[vault]', :delayed 79 | end 80 | 81 | hashicorp_vault_service 'vault' do 82 | action %i(create enable start) 83 | end 84 | -------------------------------------------------------------------------------- /test/cookbooks/test/recipes/server_hcl_ark.rb: -------------------------------------------------------------------------------- 1 | hashicorp_vault_install 'package' do 2 | install_method :ark 3 | version '1.6.1' 4 | action :install 5 | end 6 | 7 | directory '/opt/vault/tls' do 8 | owner 'vault' 9 | group 'vault' 10 | mode '0750' 11 | recursive true 12 | 13 | action :create 14 | end 15 | 16 | openssl_x509_certificate '/opt/vault/tls/tls.crt' do 17 | common_name 'Vault Testing' 18 | expire 7 19 | subject_alt_name ['IP:127.0.0.1', 'DNS:localhost.localdomain'] 20 | end 21 | 22 | hashicorp_vault_config_global 'vault' do 23 | sensitive false 24 | telemetry( 25 | statsite_address: '127.0.0.1:8125', 26 | disable_hostname: true 27 | ) 28 | 29 | action :create 30 | end 31 | 32 | hashicorp_vault_config_listener 'tcp' do 33 | type 'tcp' 34 | description 'Test TCP listener' 35 | options( 36 | 'address' => '127.0.0.1:8200', 37 | 'cluster_address' => '127.0.0.1:8201', 38 | 'tls_cert_file' => '/opt/vault/tls/tls.crt', 39 | 'tls_key_file' => '/opt/vault/tls/tls.key', 40 | 'telemetry' => { 41 | 'unauthenticated_metrics_access' => false, 42 | } 43 | ) 44 | end 45 | 46 | hashicorp_vault_config_storage 'Test file storage' do 47 | type 'file' 48 | description 'Test file storage' 49 | options( 50 | 'path' => '/opt/vault/data' 51 | ) 52 | end 53 | 54 | hashicorp_vault_service 'vault' do 55 | 
vault_binary_path '/usr/local/bin/vault' 56 | action %i(create enable start) 57 | subscribes :restart, 'template[/etc/vault.d/vault.hcl]', :delayed 58 | end 59 | -------------------------------------------------------------------------------- /test/cookbooks/test/recipes/server_json.rb: -------------------------------------------------------------------------------- 1 | hashicorp_vault_install 'package' do 2 | action :upgrade 3 | end 4 | 5 | hashicorp_vault_config 'vault' do 6 | sensitive false 7 | 8 | action :create 9 | end 10 | 11 | hashicorp_vault_service 'vault' do 12 | config_type :json 13 | action %i(create enable start) 14 | subscribes :restart, 'template[/etc/vault.d/vault.json]', :delayed 15 | end 16 | -------------------------------------------------------------------------------- /test/integration/agent_hcl/default_spec.rb: -------------------------------------------------------------------------------- 1 | describe package('vault') do 2 | it { should be_installed } 3 | end 4 | 5 | describe group('vault') do 6 | it { should exist } 7 | end 8 | 9 | describe user('vault') do 10 | it { should exist } 11 | end 12 | 13 | describe file('/etc/vault.d/vault.hcl') do 14 | it { should be_file } 15 | its('owner') { should eq 'vault' } 16 | its('group') { should eq 'vault' } 17 | its('mode') { should cmp '0640' } 18 | its('content') { should match /log_level = \"info\"/ } 19 | its('content') { should match /use_auto_auth_token = true/ } 20 | end 21 | 22 | describe file('/etc/systemd/system/vault-agent.service') do 23 | it { should be_file } 24 | its('content') { should match %r{ConditionFileNotEmpty=\/etc\/vault.d\/vault.hcl} } 25 | its('content') { should match %r{ExecStart=\/usr\/bin\/vault agent -config=\/etc\/vault.d\/vault.hcl} } 26 | end 27 | 28 | describe service('vault-agent') do 29 | it { should be_installed } 30 | it { should be_enabled } 31 | it { should be_running } 32 | end 33 | 
-------------------------------------------------------------------------------- /test/integration/agent_json/default_spec.rb: -------------------------------------------------------------------------------- 1 | describe package('vault') do 2 | it { should be_installed } 3 | end 4 | 5 | describe group('vault') do 6 | it { should exist } 7 | end 8 | 9 | describe user('vault') do 10 | it { should exist } 11 | end 12 | 13 | describe file('/etc/vault.d/vault-agent.json') do 14 | it { should be_file } 15 | its('owner') { should eq 'vault' } 16 | its('group') { should eq 'vault' } 17 | its('mode') { should cmp '0640' } 18 | end 19 | 20 | describe file('/etc/systemd/system/vault-agent.service') do 21 | it { should be_file } 22 | end 23 | 24 | describe service('vault-agent') do 25 | it { should be_installed } 26 | it { should be_enabled } 27 | it { should be_running } 28 | end 29 | 30 | describe json('/etc/vault.d/vault-agent.json') do 31 | its(%w(listener tcp address)) { should eq '127.0.0.1:8100' } 32 | its(%w(cache use_auto_auth_token)) { should eq true } 33 | end 34 | -------------------------------------------------------------------------------- /test/integration/server_hcl/default_spec.rb: -------------------------------------------------------------------------------- 1 | describe package('vault') do 2 | it { should be_installed } 3 | end 4 | 5 | describe group('vault') do 6 | it { should exist } 7 | end 8 | 9 | describe user('vault') do 10 | it { should exist } 11 | end 12 | 13 | describe file('/etc/vault.d/vault.hcl') do 14 | it { should_not exist } 15 | end 16 | 17 | describe file('/etc/vault.d/config_global_vault.hcl') do 18 | it { should be_file } 19 | its('owner') { should eq 'vault' } 20 | its('group') { should eq 'vault' } 21 | its('mode') { should cmp '0640' } 22 | its('content') { should match /ui = true/ } 23 | its('content') { should match /disable_performance_standby = true/ } 24 | end 25 | 26 | describe file('/etc/vault.d/config_listener_tcp.hcl') do 
27 | it { should be_file } 28 | its('owner') { should eq 'vault' } 29 | its('group') { should eq 'vault' } 30 | its('mode') { should cmp '0640' } 31 | its('content') { should match /# Test TCP listener/ } 32 | its('content') { should match /listener "tcp" {/ } 33 | its('content') { should match /address = "127.0.0.1:8200"/ } 34 | its('content') { should match /unauthenticated_metrics_access = false/ } 35 | end 36 | 37 | describe file('/etc/vault.d/config_storage_file.hcl') do 38 | it { should be_file } 39 | its('owner') { should eq 'vault' } 40 | its('group') { should eq 'vault' } 41 | its('mode') { should cmp '0640' } 42 | its('content') { should match /# Test file storage/ } 43 | its('content') { should match /storage "file" {/ } 44 | its('content') { should match %r{path = "/opt/vault/data"} } 45 | end 46 | 47 | describe file('/etc/vault.test.d/config_storage_raft.hcl') do 48 | it { should be_file } 49 | its('owner') { should eq 'vault' } 50 | its('group') { should eq 'vault' } 51 | its('mode') { should cmp '0640' } 52 | its('content') { should match /# Test raft storage/ } 53 | its('content') { should match /storage "raft" {/ } 54 | its('content') { should match /retry_join {/ } 55 | its('content') { should match %r{ leader_api_addr = "http://127.0.0.2:8200"} } 56 | its('content') { should match /autopilot {/ } 57 | its('content') { should match ' cleanup_dead_servers = "true"' } 58 | end 59 | 60 | describe file('/etc/systemd/system/vault.service') do 61 | it { should be_file } 62 | its('content') { should match %r{ConditionPathIsDirectory=\/etc\/vault.d} } 63 | its('content') { should match %r{ExecStart=\/usr\/bin\/vault server -config=\/etc\/vault.d} } 64 | end 65 | 66 | describe service('vault') do 67 | it { should be_installed } 68 | it { should be_enabled } 69 | it { should be_running } 70 | end 71 | -------------------------------------------------------------------------------- /test/integration/server_hcl_ark/default_spec.rb: 
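# --------------------------------------------------------------------------
# /test/integration/server_hcl_ark/default_spec.rb
# --------------------------------------------------------------------------
# InSpec verification for a Vault server installed as an archive (versioned
# binary under /opt plus a symlink on PATH) and configured via per-section
# HCL files.
#
# Content checks use `include` (literal substring) instead of `match` with a
# regex: the original patterns left `.` unescaped, so the address check would
# also have accepted "127x0x0x1:8200".

describe file('/opt/vault/vault-1.6.1/vault') do
  it { should be_file }
  it { should be_executable }
end

# NOTE(review): owner and mode of the binary and symlink are not asserted here.
describe file('/usr/local/bin/vault') do
  it { should be_symlink }
  it { should be_file }
  it { should_not be_directory }
  it { should be_executable }
end

describe group('vault') do
  it { should exist }
end

describe user('vault') do
  it { should exist }
end

# No monolithic config file: the configuration is rendered as the separate
# per-section files asserted below.
describe file('/etc/vault.d/vault.hcl') do
  it { should_not exist }
end

describe file('/etc/vault.d/config_global_vault.hcl') do
  it { should be_file }
  its('owner') { should eq 'vault' }
  its('group') { should eq 'vault' }
  its('mode') { should cmp '0640' }
  its('content') { should include 'ui = true' }
  its('content') { should include 'disable_performance_standby = true' }
end

describe file('/etc/vault.d/config_listener_tcp.hcl') do
  it { should be_file }
  its('owner') { should eq 'vault' }
  its('group') { should eq 'vault' }
  its('mode') { should cmp '0640' }
  its('content') { should include '# Test TCP listener' }
  its('content') { should include 'listener "tcp" {' }
  its('content') { should include 'address = "127.0.0.1:8200"' }
  # The listener must not serve metrics without authentication.
  its('content') { should include 'unauthenticated_metrics_access = false' }
end

describe file('/etc/vault.d/config_storage_test_file_storage.hcl') do
  it { should be_file }
  its('owner') { should eq 'vault' }
  its('group') { should eq 'vault' }
  its('mode') { should cmp '0640' }
  its('content') { should include '# Test file storage' }
  its('content') { should include 'storage "file" {' }
  its('content') { should include 'path = "/opt/vault/data"' }
end

describe file('/etc/systemd/system/vault.service') do
  it { should be_file }
end

describe service('vault') do
  it { should be_installed }
  it { should be_enabled }
  it { should be_running }
end

# --------------------------------------------------------------------------
# /test/integration/server_json/default_spec.rb
# --------------------------------------------------------------------------
# InSpec verification for a Vault server installed from a package and
# configured via a single JSON file.

describe package('vault') do
  it { should be_installed }
end

describe group('vault') do
  it { should exist }
end

describe user('vault') do
  it { should exist }
end

# The server config is restricted to the service account: owned by vault:vault
# and not world-readable (0640).
describe file('/etc/vault.d/vault.json') do
  it { should be_file }
  its('owner') { should eq 'vault' }
  its('group') { should eq 'vault' }
  its('mode') { should cmp '0640' }
end

describe file('/etc/systemd/system/vault.service') do
  it { should be_file }
end

describe service('vault') do
  it { should be_installed }
  it { should be_enabled }
  it { should be_running }
end

describe json('/etc/vault.d/vault.json') do
  # Kept as `be_in [true]` rather than `eq true` — presumably to tolerate an
  # array-wrapped value from the json resource; confirm before tightening.
  its('ui') { should be_in [true] }
  its('disable_performance_standby') { should be_in [true] }
end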