diff --git a/REFERENCE.md b/REFERENCE.md
index 92e260d75..8a1fb71f7 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -539,7 +539,7 @@ Default value: `$zabbix::params::server_api_user`
##### `zabbix_api_pass`
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
Password of the user which connects to the api. Default: zabbix
@@ -653,7 +653,7 @@ Default value: `$zabbix::params::server_database_user`
##### `database_password`
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
Database password. ignored for sqlite.
@@ -1860,7 +1860,16 @@ Default value: `$zabbix::params::agent_timeout`
##### `tlsaccept`
-Data type: `Optional[Variant[Array[Enum['unencrypted','psk','cert']],Enum['unencrypted','psk','cert']]]`
+Data type:
+
+```puppet
+Optional[
+ Variant[
+ Array[Enum['unencrypted','psk','cert']],
+ Enum['unencrypted','psk','cert']
+ ]
+ ]
+```
What incoming connections to accept from Zabbix server. Used for a passive proxy, ignored on an active proxy.
@@ -2290,7 +2299,7 @@ Default value: `$zabbix::params::server_database_user`
##### `database_password`
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
The password of the database_user.
@@ -2898,7 +2907,7 @@ Default value: `$zabbix::params::proxy_database_user`
##### `database_password`
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
Database password. ignored for sqlite.
@@ -3279,7 +3288,16 @@ Default value: `$zabbix::params::proxy_timeout`
##### `tlsaccept`
-Data type: `Optional[Variant[Array[Enum['unencrypted','psk','cert']],Enum['unencrypted','psk','cert']]]`
+Data type:
+
+```puppet
+Optional[
+ Variant[
+ Array[Enum['unencrypted', 'psk', 'cert']],
+ Enum['unencrypted', 'psk', 'cert']
+ ]
+ ]
+```
What incoming connections to accept from Zabbix server. Used for a passive proxy, ignored on an active proxy.
@@ -3860,7 +3878,7 @@ API username.
##### `zabbix_pass`
-Data type: `String[1]`
+Data type: `Variant[Sensitive[String[1]], String[1]]`
API password.
@@ -4269,7 +4287,7 @@ Default value: `$zabbix::params::server_database_user`
##### `database_password`
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
Database password. ignored for sqlite.
@@ -5254,7 +5272,7 @@ Default value: `$zabbix::params::server_api_user`
##### `zabbix_api_pass`
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
Password of the user which connects to the api. Default: zabbix
@@ -5312,7 +5330,7 @@ Default value: `$zabbix::params::server_database_user`
##### `database_password`
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
Database password. ignored for sqlite.
diff --git a/manifests/agent.pp b/manifests/agent.pp
index 9db33a8ea..b8c20d30c 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -147,88 +147,93 @@
#
# @author Werner Dijkerman ikben@werner-dijkerman.nl
class zabbix::agent (
- $zabbix_version = $zabbix::params::zabbix_version,
- $zabbix_package_state = $zabbix::params::zabbix_package_state,
- $zabbix_package_agent = $zabbix::params::zabbix_package_agent,
- Optional[String[1]] $zabbix_package_provider = $zabbix::params::zabbix_package_provider,
- Optional[Stdlib::Windowspath] $zabbix_package_source = undef,
- Boolean $manage_choco = $zabbix::params::manage_choco,
- Boolean $manage_firewall = $zabbix::params::manage_firewall,
- Boolean $manage_repo = $zabbix::params::manage_repo,
- Boolean $manage_resources = $zabbix::params::manage_resources,
- $monitored_by_proxy = $zabbix::params::monitored_by_proxy,
- $agent_use_ip = $zabbix::params::agent_use_ip,
- Variant[String[1],Array[String[1]]] $zbx_groups = $zabbix::params::agent_zbx_groups,
- $zbx_group_create = $zabbix::params::agent_zbx_group_create,
- $zbx_templates = $zabbix::params::agent_zbx_templates,
- Array[Hash] $zbx_macros = [],
- Integer[1,4] $zbx_interface_type = 1,
- Variant[Array, Hash] $zbx_interface_details = [],
- $agent_configfile_path = $zabbix::params::agent_configfile_path,
- $pidfile = $zabbix::params::agent_pidfile,
- $servicename = $zabbix::params::agent_servicename,
- Enum['console', 'file', 'system'] $logtype = $zabbix::params::agent_logtype,
- Optional[Stdlib::Absolutepath] $logfile = $zabbix::params::agent_logfile,
- $logfilesize = $zabbix::params::agent_logfilesize,
- $debuglevel = $zabbix::params::agent_debuglevel,
- $sourceip = $zabbix::params::agent_sourceip,
- Optional[String[1]] $allowkey = $zabbix::params::agent_allowkey,
- Optional[String[1]] $denykey = $zabbix::params::agent_denykey,
- $enableremotecommands = $zabbix::params::agent_enableremotecommands,
- $logremotecommands = $zabbix::params::agent_logremotecommands,
- $server = $zabbix::params::agent_server,
- $listenport = $zabbix::params::agent_listenport,
- $listenip = $zabbix::params::agent_listenip,
- $startagents = $zabbix::params::agent_startagents,
- $serveractive = $zabbix::params::agent_serveractive,
- Stdlib::Ensure::Service $service_ensure = $zabbix::params::agent_service_ensure,
- Boolean $service_enable = $zabbix::params::agent_service_enable,
- $hostname = $zabbix::params::agent_hostname,
- $hostnameitem = $zabbix::params::agent_hostnameitem,
- $hostmetadata = $zabbix::params::agent_hostmetadata,
- $hostmetadataitem = $zabbix::params::agent_hostmetadataitem,
- Optional[Stdlib::Fqdn] $hostinterface = $zabbix::params::agent_hostinterface,
- Optional[Stdlib::Fqdn] $hostinterfaceitem = $zabbix::params::agent_hostinterfaceitem,
- $refreshactivechecks = $zabbix::params::agent_refreshactivechecks,
- $buffersend = $zabbix::params::agent_buffersend,
- $buffersize = $zabbix::params::agent_buffersize,
- $maxlinespersecond = $zabbix::params::agent_maxlinespersecond,
- Optional[Array] $zabbix_alias = $zabbix::params::agent_zabbix_alias,
- $timeout = $zabbix::params::agent_timeout,
- $allowroot = $zabbix::params::agent_allowroot,
- Optional[String[1]] $zabbix_user = $zabbix::params::agent_zabbix_user,
- $include_dir = $zabbix::params::agent_include,
- $include_dir_purge = $zabbix::params::agent_include_purge,
- $unsafeuserparameters = $zabbix::params::agent_unsafeuserparameters,
- $userparameter = $zabbix::params::agent_userparameter,
- Optional[String[1]] $loadmodulepath = $zabbix::params::agent_loadmodulepath,
- $loadmodule = $zabbix::params::agent_loadmodule,
- Optional[Variant[Array[Enum['unencrypted','psk','cert']],Enum['unencrypted','psk','cert']]] $tlsaccept = $zabbix::params::agent_tlsaccept,
- $tlscafile = $zabbix::params::agent_tlscafile,
- $tlscertfile = $zabbix::params::agent_tlscertfile,
- Optional[String[1]] $tlscertissuer = undef,
- Optional[String[1]] $tlscertsubject = undef,
- Optional[String[1]] $tlscipherall = $zabbix::params::agent_tlscipherall,
- Optional[String[1]] $tlscipherall13 = $zabbix::params::agent_tlscipherall13,
- Optional[String[1]] $tlsciphercert = $zabbix::params::agent_tlsciphercert,
- Optional[String[1]] $tlsciphercert13 = $zabbix::params::agent_tlsciphercert13,
- Optional[String[1]] $tlscipherpsk = $zabbix::params::agent_tlscipherpsk,
- Optional[String[1]] $tlscipherpsk13 = $zabbix::params::agent_tlscipherpsk13,
+ $zabbix_version = $zabbix::params::zabbix_version,
+ $zabbix_package_state = $zabbix::params::zabbix_package_state,
+ $zabbix_package_agent = $zabbix::params::zabbix_package_agent,
+ Optional[String[1]] $zabbix_package_provider = $zabbix::params::zabbix_package_provider,
+ Optional[Stdlib::Windowspath] $zabbix_package_source = undef,
+ Boolean $manage_choco = $zabbix::params::manage_choco,
+ Boolean $manage_firewall = $zabbix::params::manage_firewall,
+ Boolean $manage_repo = $zabbix::params::manage_repo,
+ Boolean $manage_resources = $zabbix::params::manage_resources,
+ $monitored_by_proxy = $zabbix::params::monitored_by_proxy,
+ $agent_use_ip = $zabbix::params::agent_use_ip,
+ Variant[String[1],Array[String[1]]] $zbx_groups = $zabbix::params::agent_zbx_groups,
+ $zbx_group_create = $zabbix::params::agent_zbx_group_create,
+ $zbx_templates = $zabbix::params::agent_zbx_templates,
+ Array[Hash] $zbx_macros = [],
+ Integer[1,4] $zbx_interface_type = 1,
+ Variant[Array, Hash] $zbx_interface_details = [],
+ $agent_configfile_path = $zabbix::params::agent_configfile_path,
+ $pidfile = $zabbix::params::agent_pidfile,
+ $servicename = $zabbix::params::agent_servicename,
+ Enum['console', 'file', 'system'] $logtype = $zabbix::params::agent_logtype,
+ Optional[Stdlib::Absolutepath] $logfile = $zabbix::params::agent_logfile,
+ $logfilesize = $zabbix::params::agent_logfilesize,
+ $debuglevel = $zabbix::params::agent_debuglevel,
+ $sourceip = $zabbix::params::agent_sourceip,
+ Optional[String[1]] $allowkey = $zabbix::params::agent_allowkey,
+ Optional[String[1]] $denykey = $zabbix::params::agent_denykey,
+ $enableremotecommands = $zabbix::params::agent_enableremotecommands,
+ $logremotecommands = $zabbix::params::agent_logremotecommands,
+ $server = $zabbix::params::agent_server,
+ $listenport = $zabbix::params::agent_listenport,
+ $listenip = $zabbix::params::agent_listenip,
+ $startagents = $zabbix::params::agent_startagents,
+ $serveractive = $zabbix::params::agent_serveractive,
+ Stdlib::Ensure::Service $service_ensure = $zabbix::params::agent_service_ensure,
+ Boolean $service_enable = $zabbix::params::agent_service_enable,
+ $hostname = $zabbix::params::agent_hostname,
+ $hostnameitem = $zabbix::params::agent_hostnameitem,
+ $hostmetadata = $zabbix::params::agent_hostmetadata,
+ $hostmetadataitem = $zabbix::params::agent_hostmetadataitem,
+ Optional[Stdlib::Fqdn] $hostinterface = $zabbix::params::agent_hostinterface,
+ Optional[Stdlib::Fqdn] $hostinterfaceitem = $zabbix::params::agent_hostinterfaceitem,
+ $refreshactivechecks = $zabbix::params::agent_refreshactivechecks,
+ $buffersend = $zabbix::params::agent_buffersend,
+ $buffersize = $zabbix::params::agent_buffersize,
+ $maxlinespersecond = $zabbix::params::agent_maxlinespersecond,
+ Optional[Array] $zabbix_alias = $zabbix::params::agent_zabbix_alias,
+ $timeout = $zabbix::params::agent_timeout,
+ $allowroot = $zabbix::params::agent_allowroot,
+ Optional[String[1]] $zabbix_user = $zabbix::params::agent_zabbix_user,
+ $include_dir = $zabbix::params::agent_include,
+ $include_dir_purge = $zabbix::params::agent_include_purge,
+ $unsafeuserparameters = $zabbix::params::agent_unsafeuserparameters,
+ $userparameter = $zabbix::params::agent_userparameter,
+ Optional[String[1]] $loadmodulepath = $zabbix::params::agent_loadmodulepath,
+ $loadmodule = $zabbix::params::agent_loadmodule,
+ Optional[
+ Variant[
+ Array[Enum['unencrypted','psk','cert']],
+ Enum['unencrypted','psk','cert']
+ ]
+ ] $tlsaccept = $zabbix::params::agent_tlsaccept,
+ $tlscafile = $zabbix::params::agent_tlscafile,
+ $tlscertfile = $zabbix::params::agent_tlscertfile,
+ Optional[String[1]] $tlscertissuer = undef,
+ Optional[String[1]] $tlscertsubject = undef,
+ Optional[String[1]] $tlscipherall = $zabbix::params::agent_tlscipherall,
+ Optional[String[1]] $tlscipherall13 = $zabbix::params::agent_tlscipherall13,
+ Optional[String[1]] $tlsciphercert = $zabbix::params::agent_tlsciphercert,
+ Optional[String[1]] $tlsciphercert13 = $zabbix::params::agent_tlsciphercert13,
+ Optional[String[1]] $tlscipherpsk = $zabbix::params::agent_tlscipherpsk,
+ Optional[String[1]] $tlscipherpsk13 = $zabbix::params::agent_tlscipherpsk13,
Optional[Enum['unencrypted','psk','cert']] $tlsconnect = $zabbix::params::agent_tlsconnect,
- $tlscrlfile = $zabbix::params::agent_tlscrlfile,
- $tlskeyfile = $zabbix::params::agent_tlskeyfile,
- $tlspskfile = $zabbix::params::agent_tlspskfile,
- $tlspskidentity = $zabbix::params::agent_tlspskidentity,
- $tlsservercertissuer = $zabbix::params::agent_tlsservercertissuer,
- $tlsservercertsubject = $zabbix::params::agent_tlsservercertsubject,
- Optional[String[1]] $agent_config_owner = $zabbix::params::agent_config_owner,
- Optional[String[1]] $agent_config_group = $zabbix::params::agent_config_group,
- Boolean $manage_selinux = $zabbix::params::manage_selinux,
- Array[String] $selinux_require = $zabbix::params::selinux_require,
- Hash[String, Array] $selinux_rules = $zabbix::params::selinux_rules,
- String $additional_service_params = $zabbix::params::additional_service_params,
- String $service_type = $zabbix::params::service_type,
- Boolean $manage_startup_script = $zabbix::params::manage_startup_script,
+ $tlscrlfile = $zabbix::params::agent_tlscrlfile,
+ $tlskeyfile = $zabbix::params::agent_tlskeyfile,
+ $tlspskfile = $zabbix::params::agent_tlspskfile,
+ $tlspskidentity = $zabbix::params::agent_tlspskidentity,
+ $tlsservercertissuer = $zabbix::params::agent_tlsservercertissuer,
+ $tlsservercertsubject = $zabbix::params::agent_tlsservercertsubject,
+ Optional[String[1]] $agent_config_owner = $zabbix::params::agent_config_owner,
+ Optional[String[1]] $agent_config_group = $zabbix::params::agent_config_group,
+ Boolean $manage_selinux = $zabbix::params::manage_selinux,
+ Array[String] $selinux_require = $zabbix::params::selinux_require,
+ Hash[String, Array] $selinux_rules = $zabbix::params::selinux_rules,
+ String $additional_service_params = $zabbix::params::additional_service_params,
+ String $service_type = $zabbix::params::service_type,
+ Boolean $manage_startup_script = $zabbix::params::manage_startup_script,
) inherits zabbix::params {
$agent2 = $zabbix_package_agent == 'zabbix-agent2'
diff --git a/manifests/database.pp b/manifests/database.pp
index c78f266ee..bcd4c3308 100644
--- a/manifests/database.pp
+++ b/manifests/database.pp
@@ -64,24 +64,24 @@
# the zabbix_server and zabbix_web parameter.
# @author Werner Dijkerman ikben@werner-dijkerman.nl
class zabbix::database (
- $zabbix_type = 'server',
- $zabbix_web = $zabbix::params::zabbix_web,
- $zabbix_web_ip = $zabbix::params::zabbix_web_ip,
- $zabbix_server = $zabbix::params::zabbix_server,
- $zabbix_server_ip = $zabbix::params::zabbix_server_ip,
- $zabbix_proxy = $zabbix::params::zabbix_proxy,
- $zabbix_proxy_ip = $zabbix::params::zabbix_proxy_ip,
- $manage_database = $zabbix::params::manage_database,
- Zabbix::Databases $database_type = $zabbix::params::database_type,
- $database_schema_path = $zabbix::params::database_schema_path,
- $database_name = $zabbix::params::server_database_name,
- $database_user = $zabbix::params::server_database_user,
- $database_password = $zabbix::params::server_database_password,
- $database_host = $zabbix::params::server_database_host,
- $database_host_ip = $zabbix::params::server_database_host_ip,
- $database_charset = $zabbix::params::server_database_charset,
- $database_collate = $zabbix::params::server_database_collate,
- Optional[String[1]] $database_tablespace = $zabbix::params::server_database_tablespace,
+ $zabbix_type = 'server',
+ $zabbix_web = $zabbix::params::zabbix_web,
+ $zabbix_web_ip = $zabbix::params::zabbix_web_ip,
+ $zabbix_server = $zabbix::params::zabbix_server,
+ $zabbix_server_ip = $zabbix::params::zabbix_server_ip,
+ $zabbix_proxy = $zabbix::params::zabbix_proxy,
+ $zabbix_proxy_ip = $zabbix::params::zabbix_proxy_ip,
+ $manage_database = $zabbix::params::manage_database,
+ Zabbix::Databases $database_type = $zabbix::params::database_type,
+ $database_schema_path = $zabbix::params::database_schema_path,
+ $database_name = $zabbix::params::server_database_name,
+ $database_user = $zabbix::params::server_database_user,
+ Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
+ $database_host = $zabbix::params::server_database_host,
+ $database_host_ip = $zabbix::params::server_database_host_ip,
+ $database_charset = $zabbix::params::server_database_charset,
+ $database_collate = $zabbix::params::server_database_collate,
+ Optional[String[1]] $database_tablespace = $zabbix::params::server_database_tablespace,
) inherits zabbix::params {
# So lets create the databases and load all files. This can only be
# happen when manage_database is set to true (Default).
diff --git a/manifests/database/mysql.pp b/manifests/database/mysql.pp
index 87cc1a547..e69748b91 100644
--- a/manifests/database/mysql.pp
+++ b/manifests/database/mysql.pp
@@ -11,18 +11,20 @@
# @param database_path Path to the database executable
# @author Werner Dijkerman
class zabbix::database::mysql (
- $zabbix_type = '',
- $zabbix_version = $zabbix::params::zabbix_version,
- $database_schema_path = '',
- $database_name = '',
- $database_user = '',
- $database_password = '',
- $database_host = '',
- Optional[Stdlib::Port::Unprivileged] $database_port = undef,
- $database_path = $zabbix::params::database_path,
+ $zabbix_type = '',
+ $zabbix_version = $zabbix::params::zabbix_version,
+ $database_schema_path = '',
+ $database_name = '',
+ $database_user = '',
+ Variant[Sensitive[String], String] $database_password = '', # lint:ignore:params_empty_string_assignment
+ $database_host = '',
+ Optional[Stdlib::Port::Unprivileged] $database_port = undef,
+ $database_path = $zabbix::params::database_path,
) inherits zabbix::params {
assert_private()
+ $database_password_unsensitive = $database_password.unwrap
+
if ($database_schema_path == false) or ($database_schema_path == '') {
if versioncmp($zabbix_version, '6.0') >= 0 {
$schema_path = '/usr/share/zabbix-sql-scripts/mysql/'
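Review bot: `$database_password.unwrap` is also evaluated when the caller passes a plain `String`, which the new `Variant[Sensitive[String], String]` type still allows. That relies on `unwrap` returning non-Sensitive values unchanged, so it is worth confirming against the lowest Puppet version the module supports. The line also has no comment, unlike the same assignment in postgresql.pp; I would add `# plain-text copy used to build the mysql command; anything derived from it must be re-wrapped in Sensitive()` above it. The same `.unwrap` call is added in postgresql.pp, proxy.pp, server.pp and web.pp, and the `if` that follows continues outside this hunk.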
@@ -43,14 +45,14 @@
case $zabbix_type {
'proxy': {
$zabbix_proxy_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? {
- true => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done",
- false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done"
+ true => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done",
+ false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done"
}
}
default: {
$zabbix_server_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? {
- true => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done",
- false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done"
+ true => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done",
+ false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done"
}
}
}
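Review bot: The unwrapped password is spliced into a shell command as `-p'${database_password_unsensitive}'` in all four command strings, so a password containing a single quote ends the quoting and the remainder is parsed by the shell (the proxy exec further down uses `provider => 'shell'`). The secret is also an argument of the `mysql` process while the import runs, where a local process listing can show it; wrapping the command in `Sensitive` only redacts Puppet's own logs and reports. I would keep the password out of the argument list, for example with a root-only option file passed as `--defaults-extra-file=...`, or through the exec's `environment` in the way the postgresql class uses `PGPASSWORD`.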
@@ -59,7 +61,11 @@
case $zabbix_type {
'proxy' : {
exec { 'zabbix_proxy_create.sql':
- command => $zabbix_proxy_create_sql,
+ command => if $database_password =~ Sensitive {
+ Sensitive($zabbix_proxy_create_sql)
+ } else {
+ $zabbix_proxy_create_sql
+ },
path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
unless => 'test -f /etc/zabbix/.schema.done',
provider => 'shell',
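Review bot: Only the `'proxy'` exec gets the conditional `Sensitive(...)` wrapper; no hunk in this diff touches the other branch of this `case`, so an exec that takes `$zabbix_server_create_sql` as its command would still carry the clear-text password in the catalog and in failure output. If such an exec exists below, it needs the same treatment: `command => if $database_password =~ Sensitive { Sensitive($zabbix_server_create_sql) } else { $zabbix_server_create_sql },`. The exec resource shown here continues outside the hunk.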
diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp
index 10df743f0..01f259b17 100644
--- a/manifests/database/postgresql.pp
+++ b/manifests/database/postgresql.pp
@@ -11,18 +11,21 @@
# @param database_path Path to the database executable
# @author Werner Dijkerman
class zabbix::database::postgresql (
- $zabbix_type = '',
- $zabbix_version = $zabbix::params::zabbix_version,
- $database_schema_path = '',
- $database_name = '',
- $database_user = '',
- $database_password = '',
- $database_host = '',
- Stdlib::Port::Unprivileged $database_port = 5432,
- $database_path = $zabbix::params::database_path,
+ $zabbix_type = '',
+ $zabbix_version = $zabbix::params::zabbix_version,
+ $database_schema_path = '',
+ $database_name = '',
+ $database_user = '',
+ Variant[Sensitive[String], String] $database_password = '', # lint:ignore:params_empty_string_assignment
+ $database_host = '',
+ Stdlib::Port::Unprivileged $database_port = 5432,
+ $database_path = $zabbix::params::database_path,
) inherits zabbix::params {
assert_private()
+ # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+ $database_password_unsensitive = $database_password.unwrap
+
if $database_schema_path != false and $database_schema_path != '' {
$schema_path = $database_schema_path
} elsif versioncmp($zabbix_version, '6.0') >= 0 {
@@ -56,7 +59,7 @@
"PGHOST=${database_host}",
"PGPORT=${database_port}",
"PGUSER=${database_user}",
- "PGPASSWORD=${database_password}",
+ "PGPASSWORD=${database_password_unsensitive}",
"PGDATABASE=${database_name}",
]
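Review bot: `"PGPASSWORD=${database_password_unsensitive}"` puts the unwrapped password into an ordinary array, and nothing visible in this diff re-wraps that array before it is used. If it is passed to an exec's `environment`, as the surrounding entries suggest, the password would appear in the compiled catalog in clear text even when the caller supplied a `Sensitive`. I would wrap the array in `Sensitive(...)` where it is handed to the resource when `$database_password =~ Sensitive`, mirroring what mysql.pp does for `command`, and verify that the value is then redacted in the catalog. The assignment this array belongs to starts outside the hunk.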
diff --git a/manifests/init.pp b/manifests/init.pp
index 830218ccd..f85b653a7 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -251,7 +251,7 @@
Optional[Stdlib::Absolutepath] $ldap_clientkey = $zabbix::params::ldap_clientkey,
Optional[Enum['never', 'allow', 'try', 'demand', 'hard']] $ldap_reqcert = $zabbix::params::ldap_reqcert,
$zabbix_api_user = $zabbix::params::server_api_user,
- $zabbix_api_pass = $zabbix::params::server_api_pass,
+ Variant[Sensitive[String], String] $zabbix_api_pass = $zabbix::params::server_api_pass,
Optional[Array[Stdlib::Host,1]] $zabbix_api_access = $zabbix::params::server_api_access,
$listenport = $zabbix::params::server_listenport,
$sourceip = $zabbix::params::server_sourceip,
@@ -265,7 +265,7 @@
$database_schema = $zabbix::params::server_database_schema,
Boolean $database_double_ieee754 = $zabbix::params::server_database_double_ieee754,
$database_user = $zabbix::params::server_database_user,
- $database_password = $zabbix::params::server_database_password,
+ Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
$database_socket = $zabbix::params::server_database_socket,
$database_port = $zabbix::params::server_database_port,
$database_charset = $zabbix::params::server_database_charset,
diff --git a/manifests/javagateway.pp b/manifests/javagateway.pp
index 721af3520..623765935 100644
--- a/manifests/javagateway.pp
+++ b/manifests/javagateway.pp
@@ -14,15 +14,15 @@
# }
# @author Werner Dijkerman ikben@werner-dijkerman.nl
class zabbix::javagateway (
- $zabbix_version = $zabbix::params::zabbix_version,
- $zabbix_package_state = $zabbix::params::zabbix_package_state,
- Boolean $manage_firewall = $zabbix::params::manage_firewall,
- Boolean $manage_repo = $zabbix::params::manage_repo,
- $pidfile = $zabbix::params::javagateway_pidfile,
- $listenip = $zabbix::params::javagateway_listenip,
- $listenport = $zabbix::params::javagateway_listenport,
- $startpollers = $zabbix::params::javagateway_startpollers,
- $timeout = $zabbix::params::javagateway_timeout,
+ $zabbix_version = $zabbix::params::zabbix_version,
+ $zabbix_package_state = $zabbix::params::zabbix_package_state,
+ Boolean $manage_firewall = $zabbix::params::manage_firewall,
+ Boolean $manage_repo = $zabbix::params::manage_repo,
+ $pidfile = $zabbix::params::javagateway_pidfile,
+ $listenip = $zabbix::params::javagateway_listenip,
+ $listenport = $zabbix::params::javagateway_listenport,
+ $startpollers = $zabbix::params::javagateway_startpollers,
+ $timeout = $zabbix::params::javagateway_timeout,
) inherits zabbix::params {
# Fix for pid file. Is different in Zabbix (4, 5) and 6
$real_pidfile = $zabbix_version ? {
diff --git a/manifests/proxy.pp b/manifests/proxy.pp
index f01169989..1c2f28b6a 100755
--- a/manifests/proxy.pp
+++ b/manifests/proxy.pp
@@ -222,7 +222,7 @@
$database_name = $zabbix::params::proxy_database_name,
$database_schema = $zabbix::params::proxy_database_schema,
$database_user = $zabbix::params::proxy_database_user,
- $database_password = $zabbix::params::proxy_database_password,
+ Variant[Sensitive[String], String] $database_password = $zabbix::params::proxy_database_password,
$database_socket = $zabbix::params::proxy_database_socket,
$database_port = $zabbix::params::proxy_database_port,
$database_charset = $zabbix::params::server_database_charset,
@@ -269,7 +269,12 @@
$historyindexcachesize = $zabbix::params::proxy_historyindexcachesize,
$historytextcachesize = $zabbix::params::proxy_historytextcachesize,
$timeout = $zabbix::params::proxy_timeout,
- Optional[Variant[Array[Enum['unencrypted','psk','cert']],Enum['unencrypted','psk','cert']]] $tlsaccept = $zabbix::params::proxy_tlsaccept,
+ Optional[
+ Variant[
+ Array[Enum['unencrypted', 'psk', 'cert']],
+ Enum['unencrypted', 'psk', 'cert']
+ ]
+ ] $tlsaccept = $zabbix::params::proxy_tlsaccept,
$tlscafile = $zabbix::params::proxy_tlscafile,
$tlscertfile = $zabbix::params::proxy_tlscertfile,
$tlsconnect = $zabbix::params::proxy_tlsconnect,
@@ -306,6 +311,9 @@
Boolean $manage_selinux = $zabbix::params::manage_selinux,
Optional[Stdlib::Absolutepath] $socketdir = $zabbix::params::proxy_socketdir,
) inherits zabbix::params {
+ # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+ $database_password_unsensitive = $database_password.unwrap
+
# check osfamily, Arch is currently not supported for web
if $facts['os']['family'] == 'Archlinux' {
fail('Archlinux is currently not supported for zabbix::proxy ')
@@ -481,6 +489,7 @@
}
# Configuring the zabbix-proxy configuration file
+ $content = template('zabbix/zabbix_proxy.conf.erb')
file { $proxy_configfile_path:
ensure => file,
owner => 'zabbix',
@@ -488,7 +497,11 @@
mode => '0644',
require => Package["zabbix-proxy-${db}"],
replace => true,
- content => template('zabbix/zabbix_proxy.conf.erb'),
+ content => if $database_password =~ Sensitive {
+ Sensitive($content)
+ } else {
+ $content
+ },
}
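Review bot: The file whose content is now treated as `Sensitive` is still written with `mode => '0644'`, so every local user can read the database password that the template presumably renders into it. The server and web config files in this same commit use `'0640'`. I would tighten this to `mode => '0640',`, keeping `owner => 'zabbix'` so the proxy daemon can still read its own config.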
# Include dir for specific zabbix-proxy checks.
diff --git a/manifests/resources/agent.pp b/manifests/resources/agent.pp
index 8e2b4b433..d57896a0c 100644
--- a/manifests/resources/agent.pp
+++ b/manifests/resources/agent.pp
@@ -15,17 +15,17 @@
# @param tls_issuer Issuer of the certificate that is allowed to talk with the serve
# @param tls_subject Subject of the certificate that is allowed to talk with the server
class zabbix::resources::agent (
- $hostname = undef,
- $ipaddress = undef,
- $use_ip = undef,
- $port = undef,
- Array[String[1]] $groups = undef,
- $group_create = undef,
- $templates = undef,
- $macros = undef,
- $proxy = undef,
- $interfacetype = 1,
- Variant[Array, Hash] $interfacedetails = [],
+ $hostname = undef,
+ $ipaddress = undef,
+ $use_ip = undef,
+ $port = undef,
+ Array[String[1]] $groups = undef,
+ $group_create = undef,
+ $templates = undef,
+ $macros = undef,
+ $proxy = undef,
+ $interfacetype = 1,
+ Variant[Array, Hash] $interfacedetails = [],
Optional[Enum['unencrypted','psk','cert']] $tls_connect = undef,
Optional[Enum['unencrypted','psk','cert']] $tls_accept = undef,
Optional[String[1]] $tls_issuer = undef,
diff --git a/manifests/resources/web.pp b/manifests/resources/web.pp
index 8de4c2c97..b849c7ff7 100644
--- a/manifests/resources/web.pp
+++ b/manifests/resources/web.pp
@@ -6,7 +6,7 @@
class zabbix::resources::web (
String[1] $zabbix_url,
String[1] $zabbix_user,
- String[1] $zabbix_pass,
+ Variant[Sensitive[String[1]], String[1]] $zabbix_pass,
Boolean $apache_use_ssl,
) {
file { '/etc/zabbix/api.conf':
diff --git a/manifests/sender.pp b/manifests/sender.pp
index 57a61e71e..91f8b7ecc 100644
--- a/manifests/sender.pp
+++ b/manifests/sender.pp
@@ -3,9 +3,9 @@
# @param zabbix_package_state The state of the package that needs to be installed: present or latest.
# @param manage_repo When true, it will create repository for installing the agent.
class zabbix::sender (
- $zabbix_version = $zabbix::params::zabbix_version,
- $zabbix_package_state = $zabbix::params::zabbix_package_state,
- $manage_repo = $zabbix::params::manage_repo,
+ $zabbix_version = $zabbix::params::zabbix_version,
+ $zabbix_package_state = $zabbix::params::zabbix_package_state,
+ $manage_repo = $zabbix::params::manage_repo,
) inherits zabbix::params {
# Only include the repo class if it has not yet been included
unless defined(Class['Zabbix::Repo']) {
diff --git a/manifests/server.pp b/manifests/server.pp
index f6e71e618..4cae5e226 100755
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -195,7 +195,7 @@
$database_name = $zabbix::params::server_database_name,
$database_schema = $zabbix::params::server_database_schema,
$database_user = $zabbix::params::server_database_user,
- $database_password = $zabbix::params::server_database_password,
+ Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
$database_socket = $zabbix::params::server_database_socket,
Optional[Stdlib::Port::Unprivileged] $database_port = $zabbix::params::server_database_port,
Optional[Enum['required', 'verify_ca', 'verify_full']] $database_tlsconnect = $zabbix::params::server_database_tlsconnect,
@@ -281,6 +281,9 @@
Optional[String[1]] $hanodename = $zabbix::params::server_hanodename,
Optional[String[1]] $nodeaddress = $zabbix::params::server_nodeaddress,
) inherits zabbix::params {
+ # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+ $database_password_unsensitive = $database_password.unwrap
+
# zabbix server 5.2, 5.4 and 6.0 is not supported on RHEL 7.
# https://www.zabbix.com/documentation/current/manual/installation/install_from_packages/rhel_centos
if $facts['os']['family'] == 'RedHat' and versioncmp($zabbix_version, '5.2') >= 0 {
@@ -441,6 +444,7 @@
}
# Configuring the zabbix-server configuration file
+ $content = template('zabbix/zabbix_server.conf.erb')
file { $server_configfile_path:
ensure => file,
owner => $server_config_owner,
@@ -448,7 +452,11 @@
mode => '0640',
require => Package["zabbix-server-${db}"],
replace => true,
- content => template('zabbix/zabbix_server.conf.erb'),
+ content => if $database_password =~ Sensitive {
+ Sensitive($content)
+ } else {
+ $content
+ },
}
# Include dir for specific zabbix-server checks.
diff --git a/manifests/web.pp b/manifests/web.pp
index 533faaf93..124274729 100644
--- a/manifests/web.pp
+++ b/manifests/web.pp
@@ -114,14 +114,14 @@
Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport = $zabbix::params::apache_listenport,
Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport_ssl = $zabbix::params::apache_listenport_ssl,
$zabbix_api_user = $zabbix::params::server_api_user,
- $zabbix_api_pass = $zabbix::params::server_api_pass,
+ Variant[Sensitive[String], String] $zabbix_api_pass = $zabbix::params::server_api_pass,
Optional[Array[Stdlib::Host,1]] $zabbix_api_access = $zabbix::params::server_api_access,
$database_host = $zabbix::params::server_database_host,
$database_name = $zabbix::params::server_database_name,
$database_schema = $zabbix::params::server_database_schema,
Boolean $database_double_ieee754 = $zabbix::params::server_database_double_ieee754,
$database_user = $zabbix::params::server_database_user,
- $database_password = $zabbix::params::server_database_password,
+ Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
$database_socket = $zabbix::params::server_database_socket,
$database_port = $zabbix::params::server_database_port,
$zabbix_server = $zabbix::params::zabbix_server,
@@ -146,6 +146,9 @@
Boolean $manage_selinux = $zabbix::params::manage_selinux,
Hash[String[1], Any] $apache_vhost_custom_params = {},
) inherits zabbix::params {
+ # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+ $database_password_unsensitive = $database_password.unwrap
+
# check osfamily, Arch is currently not supported for web
if $facts['os']['family'] in ['Archlinux', 'Gentoo',] {
fail("${facts['os']['family']} is currently not supported for zabbix::web")
@@ -256,13 +259,18 @@
}
# Webinterface config file
+ $content = template('zabbix/web/zabbix.conf.php.erb')
file { '/etc/zabbix/web/zabbix.conf.php':
ensure => file,
owner => $web_config_owner,
group => $web_config_group,
mode => '0640',
replace => true,
- content => template('zabbix/web/zabbix.conf.php.erb'),
+ content => if $database_password =~ Sensitive {
+ Sensitive($content)
+ } else {
+ $content
+ },
}
# For API to work on Zabbix 5.x zabbix.conf.php needs to be in the root folder.
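Review bot: The `content` conditional hides the rendered file only when the caller passed a `Sensitive` password. With a plain `String`, which the parameter type still allows, the whole zabbix.conf.php, including the `$DB['PASSWORD']` line, can still appear in file diffs in agent output and reports. Since this file always carries the database password, consider wrapping unconditionally with `content => Sensitive($content),` or adding `show_diff => false,` to the resource. The same conditional is used on the zabbix_server.conf resource in the preceding file, whose hunk starts outside this view. `$content` is also a very generic name for a class-scope variable; something like `$web_config_content` would be clearer.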
diff --git a/manifests/zabbixapi.pp b/manifests/zabbixapi.pp
index 76bde1f70..387dc02cc 100644
--- a/manifests/zabbixapi.pp
+++ b/manifests/zabbixapi.pp
@@ -4,7 +4,7 @@
# @param puppetgem Provider for the zabbixapi gem package.
class zabbix::zabbixapi (
$zabbix_version = $zabbix::params::zabbix_version,
- $puppetgem = $zabbix::params::puppetgem,
+ $puppetgem = $zabbix::params::puppetgem,
) inherits zabbix::params {
# Determine correct zabbixapi version.
case $zabbix_version {
diff --git a/templates/api.conf.epp b/templates/api.conf.epp
index 32679f37b..ed449ad2d 100644
--- a/templates/api.conf.epp
+++ b/templates/api.conf.epp
@@ -1,6 +1,6 @@
<%- | String[1] $zabbix_url,
String[1] $zabbix_user,
- String[1] $zabbix_pass,
+ Variant[Sensitive[String[1]], String[1]] $zabbix_pass,
Boolean $apache_use_ssl,
| -%>
# MANAGED BY PUPPET
diff --git a/templates/web/zabbix.conf.php.erb b/templates/web/zabbix.conf.php.erb
index 930e4110e..4d19d41cf 100755
--- a/templates/web/zabbix.conf.php.erb
+++ b/templates/web/zabbix.conf.php.erb
@@ -13,7 +13,7 @@ $DB['PORT'] = '0';
<% end -%>
$DB['DATABASE'] = '<%= @database_name %>';
$DB['USER'] = '<%= @database_user %>';
-$DB['PASSWORD'] = '<%= @database_password %>';
+$DB['PASSWORD'] = '<%= @database_password_unsensitive %>';
// SCHEMA is relevant only for IBM_DB2 and PostgreSQL database
<% if @database_schema -%>
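Review bot: The password is written between PHP single quotes on the `$DB['PASSWORD']` line without escaping, so a value containing `'` or `\` yields a broken or altered zabbix.conf.php. This was already the case before the rename, and the change keeps it. Escaping the two characters that are special in a single-quoted PHP string would close it: `$DB['PASSWORD'] = '<%= @database_password_unsensitive.gsub(/[\\']/) { |c| "\\#{c}" } %>';`. The neighbouring `@database_name` and `@database_user` lines have the same shape. The template continues outside the hunk.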
diff --git a/templates/zabbix_proxy.conf.erb b/templates/zabbix_proxy.conf.erb
index 03c044cb4..373346fe3 100755
--- a/templates/zabbix_proxy.conf.erb
+++ b/templates/zabbix_proxy.conf.erb
@@ -169,7 +169,7 @@ DBUser=<%= @database_user %>
# Comment this line if no password is used.
#
# Mandatory: no
-DBPassword=<%= @database_password %>
+DBPassword=<%= @database_password_unsensitive %>
### Option: DBSocket
# Path to MySQL socket.
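Review bot: The `DBPassword=` line now depends on a derived variable, and an unset ERB instance variable renders as an empty string. Any scope that renders this template without defining `$database_password_unsensitive` would therefore silently write an empty password. A guard near the top of the template, such as `<% raise Puppet::ParseError, 'database_password_unsensitive is not set' if @database_password_unsensitive.nil? -%>`, would turn that into a compile failure. The same applies to the `DBPassword=` hunk in templates/zabbix_server.conf.erb. The manifest that sets the variable for this template is outside the part of the diff shown here.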
@@ -894,7 +894,7 @@ LoadModulePath=<%= @loadmodulepath %>
<% if @zabbix_version.to_f >= 7.0 %>
### Option: VaultPrefix
# Custom prefix for Vault path or query depending on the Vault.
-# Most suitable defaults will be used if not specified.
+# Most suitable defaults will be used if not specified.
# Note that 'data' is automatically appended after mountpoint for HashiCorp if VaultPrefix is not specified.
# Example prefix for HashiCorp:
# /v1/secret/data/
@@ -969,4 +969,4 @@ LoadModulePath=<%= @loadmodulepath %>
# Default:
# StartBrowserPollers=1
-<% end %>
\ No newline at end of file
+<% end %>
diff --git a/templates/zabbix_server.conf.erb b/templates/zabbix_server.conf.erb
index 9aaba7fd3..008e3c7dc 100755
--- a/templates/zabbix_server.conf.erb
+++ b/templates/zabbix_server.conf.erb
@@ -106,7 +106,7 @@ DBUser=<%= @database_user %>
# Comment this line if no password is used.
#
# Mandatory: no
-DBPassword=<%= @database_password %>
+DBPassword=<%= @database_password_unsensitive %>
### Option: DBSocket
# Path to MySQL socket.
@@ -849,7 +849,7 @@ LoadModulePath=<%= @loadmodulepath %>
<% if @zabbix_version.to_f >= 7.0 %>
### Option: VaultPrefix
# Custom prefix for Vault path or query depending on the Vault.
-# Most suitable defaults will be used if not specified.
+# Most suitable defaults will be used if not specified.
# Note that 'data' is automatically appended after mountpoint for HashiCorp if VaultPrefix is not specified.
# Example prefix for HashiCorp:
# /v1/secret/data/
@@ -946,7 +946,7 @@ LoadModulePath=<%= @loadmodulepath %>
# EnableGlobalScripts=1
# Option: AllowSoftwareUpdateCheck
-# Allow Zabbix UI to receive information about software updates from zabbix.com
+# Allow Zabbix UI to receive information about software updates from zabbix.com
# 0 - disable software update checks
# 1 - enable software update checks
#
@@ -1017,4 +1017,4 @@ LoadModulePath=<%= @loadmodulepath %>
# Default:
# StartBrowserPollers=1
-<% end %>
\ No newline at end of file
+<% end %>