I'm attempting to implement encrypted values in yaml in Hiera 5 to inject passwords securely into Puppet (enterprise) 5.3 via automatic lookup. There's excellent guidance from the Puppet blog and PUP-7284 on the necessary setup.
However, I can't seem to get lookup_options correct to ensure conversion to a Sensitive type (to match the class parameters).
Asserting with the puppet lookup command fails with:
[user@rhel7 ~]$ puppet lookup my_module::db_pass --environment test --type Sensitive[String]
Error: Could not run: Found value has wrong type, expects a Sensitive value, got String
It also appears the lookup_options are being found and they look sensible:
[user@rhel7 ~]$ puppet lookup my_module::db_pass --environment test --explain-options
Hierarchy entry "Passwords"
Path "/etc/puppetlabs/code/environments/test/modules/my_module/data/secrets.eyaml"
Original path: "secrets.eyaml"
Found key: "lookup_options" value: {
"^my_module::.*pass$" => {
"convert_to" => "Sensitive"
}
}
Decryption works just fine (unfortunately to cleartext -- not sure if that's expected?)
[user@rhel7 ~]$ puppet lookup my_module::db_pass --environment test
Found key: "my_module::db_pass" value: "password_is_taco"
The setup is as follows:
[user@rhel7 /etc/puppetlabs/puppet/environment/test/modules/my_module]$ cat hiera.eyaml
---
version: 5
defaults:
data_hash: yaml_data
datadir: data
hierarchy:
- name: "Passwords"
lookup_key: eyaml_lookup_key
paths:
- "secrets.eyaml"
options:
pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"
[user@rhel7 /etc/puppetlabs/puppet/environment/test/modules/my_module]$ cat ./data/secrets.eyaml
---
lookup_options:
'^my_module::.*pass$':
convert_to: "Sensitive"
my_module::db_pass: >
ENC[PKCS7,MIIBqQYJKoZ...snip]
I've also been unsuccessful with different regexes and/or just using keys directly:
lookup_options:
my_module::db_pass:
convert_to: "Sensitive"
Apologies in advance for any minor copy-paste issues with obfuscated code :)
lookup_optionsfrom data to config. I think it is valid to place hiera config inside the data, but it would probably be easier to start with placing it within theeyamlhierarchy level. As a side note, when I do something like this, I normally just acquiesce to Puppet's desire to lookup encrypted passwords as aString, and then recast to aSensitiveprior to any reporting/output. This might also be a bug in theeyamlbackend. - Matt Schuchardlookup_options, it is the appropriate place for the lookup options. These describe properties of the data, not of the data source(s). Moreover, as far as I can tell from the docs, thelookup_optionsare not recognized in the main config in Hiera 5. - John Bollingerdata_hash: yaml_datafrom thedefaultssection of your config. It is possible that having that among the defaults (and not overridden for your eyaml hierarchy) is confusing Hiera into using the regular yaml backend where you want it to use eyaml. If you have other hierarchy levels where you want to use the yaml back end then add thedata_hashkey to the config of each one. This is the approach demonstrated in the eyaml backend's own docs, though I'm uncertain whether it is actually required. - John Bollingerlookup_optionsis parsed happens when module is loaded (prob cached for later) is log line ~800) whereas the auto param lookup for thedb_passkey happens much later, around ~1100. I wouldn't have guessed that, based on the implementation notes in PUP-7675. - cbrwflo