Puppet Function: complyadm::config

Defined in:

functions/config.pp

Function type:

Puppet Language

Overview

complyadm::config() ⇒ Complyadm::Config

Creates a fully populated config object that contains both user data from hiera, and hard coded application config data.

To avoid this object becoming monstrious, it should only contain values that are shared across multiple plans and manifest code.

Returns:

• (Complyadm::Config)

# File 'functions/config.pp', line 6

function complyadm::config() >> Complyadm::Config {
  $hiera_config = lookup('complyadm::config', Complyadm::Hiera_config, 'deep', undef)
  $user_assessor_version = $hiera_config['user_assessor_version']

  # Determine Comply Version
  $comply_version = lookup('complyadm::dev.version', String, undef, 'v3.0.0')
  log::debug("Comply Version: ${comply_version}")

  # Determine Assessor Version
  $assessor_versions = ['4.41.0', '4.40.0', '4.39.0']
  if $user_assessor_version == 'latest' {
    $assessor_version = $assessor_versions[0]
  } else {
    $assessor_version = $user_assessor_version
  }

  $runtime = complyadm::default_for_value($hiera_config['runtime'], 'docker')
  $install_runtime = complyadm::default_for_value($hiera_config['install_runtime'], 'true')
  $hostname = complyadm::default_for_value($hiera_config['resolvable_hostname'], 'localhost')
  $backup_dir = complyadm::default_for_value($hiera_config['backup_dir'], '/var/lib/puppetlabs/comply/backups')

  $pe = complyadm::default_for_value($hiera_config['pe'], '')

  # database
  $comply_db_username = complyadm::default_for_value($hiera_config['comply_db_username'], 'comply')
  $identity_db_username = complyadm::default_for_value($hiera_config['identity_db_username'], 'keycloak')
  $admin_db_password = complyadm::default_for_value($hiera_config['admin_db_password'], 'postgres').unwrap
  $comply_db_password = complyadm::default_for_value($hiera_config['comply_db_password'], 'comply').unwrap
  $identity_db_password = complyadm::default_for_value($hiera_config['identity_db_password'], 'keycloak').unwrap

  # Keycloak
  $identity_admin_user = $hiera_config['identity_admin_user']
  $identity_admin_password = $hiera_config['identity_admin_password']

  # hasura
  $comply_db_password_escaped = complyadm::encode($comply_db_password)
  $hasura_admin_secret = complyadm::default_for_value($hiera_config['hasura_admin_secret'], 'comply').unwrap

  # secrets
  $redis_password = $hiera_config['redis_password']
  $db_encryption_key = $hiera_config['db_encryption_key']

  # pe related certs
  $ca_crt = $hiera_config['ca_crt']
  $tls_crt = $hiera_config['tls_crt']
  $tls_key = $hiera_config['tls_key']

  # comply related certs
  $cert_chain = $hiera_config['cert_chain']
  $private_key = $hiera_config['private_key']
  $crl = $hiera_config['crl']

  # async threads configuration.
  $data_retention_period = complyadm::default_for_value($hiera_config['data_retention_period'], '0')
  $assessor_update_check_interval = complyadm::default_for_value($hiera_config['assessor_update_interval'], '1h')
  $fact_update_check_interval = complyadm::default_for_value($hiera_config['fact_update_check_interval'], '24h')

  # feature flags
  $features = lookup('complyadm::dev.features', Array[String], undef, ['nolicense,cem_up_sell'])
  log::debug("Features: ${features}")

  # log level
  $log_level = $hiera_config['log_level']

  if 'insecure' in $features {
    $pe_cert_checks_disabled = true
  } else {
    $pe_cert_checks_disabled = false
  }

  $images = lookup('complyadm::images')

  # docker config
  $docker_network = 'comply'
  $docker_logging = '--log-driver=journald --log-opt tag=comply'

  # Remap any log levels
  # redis logging, allowed: debug, verbose, notice, warning, nothing
  # postgres logging, allowed: DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO
  #                            NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC
  case $log_level {
    'warn': {
      $postgres_log_level = 'warning'
      $redis_log_level = $log_level
    }
    'info': {
      $redis_log_level = 'notice'
      $postgres_log_level = $log_level
    }
    'debug': {
      $postgres_log_level = 'debug1'
      $redis_log_level = $log_level
    }
    default: {
      $redis_log_level = $log_level
      $postgres_log_level = $log_level
    }
  }

  $container_defaults = {
    comply_graphql => {
      log_level => $log_level,
      extra_parameters => $docker_logging,
      extra_systemd_parameters => { 'Service' => { 'WatchdogSec' => 20, 'NotifyAccess' => 'all' } },
      healthcheck => 'timeout 3 curl --fail --connect-timeout 3 -s localhost:8080/healthz',
    },
    comply_graphql_init => {
      log_level => $log_level,
      after => ['comply_postgres', 'comply_scarpy_init', 'comply_graphql'],
      extra_parameters => $docker_logging,
      extra_systemd_parameters => { 'Service' => { 'Type' => 'simple', 'RemainAfterExit' => 'yes' } },
    },
    comply_scarpy => {
      log_level => $log_level,
      after => ['comply_scarpy_init', 'comply_redis'],
      extra_parameters => $docker_logging,
    },
    comply_scarpy_init => {
      log_level => $log_level,
      after => ['comply_postgres', 'comply_scarpy_assessor_init'],
      extra_parameters => $docker_logging,
      extra_systemd_parameters => { 'Service' => { 'Type' => 'simple', 'RemainAfterExit' => 'yes' } },
    },
    comply_assessor_upgrade => {
      log_level => $log_level,
      after => ['comply_scarpy_assessor_init', 'comply_scarpy_init', 'comply_graphql_init'],
      extra_parameters => $docker_logging,
      extra_systemd_parameters => { 'Service' => { 'Type' => 'simple', 'RemainAfterExit' => 'yes' } },
    },
    comply_scarpy_assessor_init => {
      log_level => $log_level,
      extra_parameters => $docker_logging,
      extra_systemd_parameters => { 'Service' => { 'Type' => 'simple', 'RemainAfterExit' => 'yes' } },
    },
    comply_ui_assessor_init => {
      log_level => $log_level,
      extra_parameters => $docker_logging,
      extra_systemd_parameters => { 'Service' => { 'Type' => 'simple', 'RemainAfterExit' => 'yes' } },
    },
    comply_redis => {
      log_level => $redis_log_level,
      extra_parameters => $docker_logging,
      extra_systemd_parameters => { 'Service' => { 'WatchdogSec' => 20, 'NotifyAccess' => 'all' } },
      healthcheck => "bash -c 'timeout 3 redis-cli -a \$REDIS_PASSWORD ping | grep PONG'",
    },
    comply_ui => {
      log_level => $log_level,
      extra_parameters => $docker_logging,
    },
    comply_identity => {
      log_level => $log_level,
      after => ['comply_postgres'],
      extra_parameters => $docker_logging,
      extra_systemd_parameters => { 'Service' => { 'WatchdogSec' => 20, 'NotifyAccess' => 'all' } },
      healthcheck => 'timeout 3 curl --fail -LI --connect-timeout 3 -s localhost:8080/auth/health/live',
    },
    comply_mtls_proxy => {
      log_level => $log_level,
      after => ['comply_ui'],
      extra_parameters => $docker_logging,
      extra_systemd_parameters => { 'Service' => { 'WatchdogSec' => 20, 'NotifyAccess' => 'all' } },
      healthcheck => 'timeout 3 /health/nginx_healthcheck.sh',
    },
    comply_gatekeeper => {
      log_level => $log_level,
      after => ['comply_identity'],
      extra_parameters => $docker_logging,
    },
    comply_postgres => {
      log_level => $postgres_log_level,
      extra_parameters => $docker_logging,
      extra_systemd_parameters => { 'Service' => { 'WatchdogSignal' => 'SIGINT', 'WatchdogSec' => 20, 'NotifyAccess' => 'all' } },
      healthcheck => "timeout 3 pg_isready -U ${comply_db_username} -d comply -h 127.0.0.1 -p 5432",
    },
    comply_frontdoor => {
      log_level => 'info',
      extra_parameters => $docker_logging,
      extra_systemd_parameters => { 'Service' => { 'WatchdogSec' => 20, 'NotifyAccess' => 'all' } },
      healthcheck => 'timeout 3 /health/nginx_healthcheck.sh',
    },
  }

  $containers = $container_defaults + complyadm::default_for_value($hiera_config['containers'], {})

  $comply_graphql_service = Complyadm::Config::Comply_graphql.new({
      container => Complyadm::Container.new({
          runtime => $runtime,
          install_runtime => $install_runtime,
          name => 'comply_graphql',
          image => $images['comply_graphql'],
          net => $docker_network,
          #ports => ['8087:8080'],
          after => $containers['comply_graphql']['after'],
          extra_parameters => $containers['comply_graphql']['extra_parameters'],
          extra_systemd_parameters => $containers['comply_graphql']['extra_systemd_parameters'],
          healthcheck => $containers['comply_graphql']['healthcheck'],
          env_vars => {
            'HASURA_GRAPHQL_DATABASE_URL' => "postgres://${comply_db_username}:${comply_db_password_escaped}@comply_postgres:5432/comply",
            'HASURA_SCARP_API_URL' => 'http://comply_scarpy:8088/api',
            'HASURA_GRAPHQL_ENABLE_CONSOLE' => 'true',
            'HASURA_GRAPHQL_ENABLE_TELEMETRY' => 'false',
            'HASURA_GRAPHQL_V1_BOOLEAN_NULL_COLLAPSE' => 'true',
            'HASURA_GRAPHQL_ADMIN_SECRET' => $hasura_admin_secret,
            'HASURA_GRAPHQL_AUTH_HOOK' => 'http://comply_scarpy:8088/api/hasura/auth',
            'HASURA_GRAPHQL_LOG_LEVEL' => $containers['comply_graphql']['log_level'],
          },
      }),
  })

  $comply_scarpy_service = Complyadm::Config::Comply_scarpy.new({
      container => Complyadm::Container.new({
          runtime => $runtime,
          install_runtime => $install_runtime,
          name => 'comply_scarpy',
          image => $images['comply_scarpy'],
          net => $docker_network,
          #ports => ['8088:8088'],
          after => $containers['comply_scarpy']['after'],
          extra_parameters => $containers['comply_scarpy']['extra_parameters'],
          env_vars => {
            'SCARP_DEBUG_LEVEL' => $containers['comply_scarpy']['log_level'],
            'POSTGRES_HOSTNAME' => 'comply_postgres',
            'COMPLY_SERVER' => $hostname,
            'QUERY_API' => 'http://comply_graphql:8080/v1',
            'WS_REPORT_PROCESSOR_URL' => "redis://:${redis_password}@comply_redis:6379/",
            'DESIRED_SCAN_ENDPOINT' => 'http://comply_scarpy:8088/api/v3/pe/task/ciscatscan/runScheduledScan',
            'FEATURES' => join($features, ','),
            'ASSESSOR_VERSION' => $assessor_version,
            'DB_USER' => $comply_db_username,
            'DB_PASSWORD' => $comply_db_password,
            'DB_ENCRYPTION_KEY' => $db_encryption_key,
            'HASURA_ADMIN_SECRET' => $hasura_admin_secret,
            'WS_PE_UPDATE_FACTS_POLLER_INTERVAL' => $fact_update_check_interval,
            'WS_PE_ASSESSOR_OUT_OF_DATE_POLLER_INTERVAL' => $assessor_update_check_interval,
            'DATA_RETENTION_PERIOD' => $data_retention_period,
            'OIDC_ISSUER_URL' => 'http://comply_identity:8080/auth/realms/Puppet',
          },
      }),
      ca_crt => $ca_crt,
  })

  $comply_ui_service = Complyadm::Config::Comply_ui.new({
      container => Complyadm::Container.new({
          runtime => $runtime,
          install_runtime => $install_runtime,
          name => 'comply_ui',
          image => $images['comply_ui'],
          net => $docker_network,
          after => $containers['comply_ui']['after'],
          extra_parameters => $containers['comply_ui']['extra_parameters'],
          env_vars => {
            'COMPLY_VERSION' => regsubst($comply_version, '^v', ''),
            'ASSESSOR_VERSION' => $assessor_version,
            'QUERY_API' => "https://${hostname}/v1/graphql",
            'SCARP_API' => "https://${hostname}/api/",
            'HOST_FQDN' => $hostname,
            'HTTPS_PORT' => '443',
            'AUTH_PORT' => '443',
            'LOGGING' => $containers['comply_ui']['log_level'],
            'FEATURES' => join($features, ','),
            'CHECK_UPDATES' => 'false',
          },
      }),
  })

  $comply_identity_service = Complyadm::Config::Comply_identity.new({
      container => Complyadm::Container.new({
          runtime => $runtime,
          install_runtime => $install_runtime,
          name => 'comply_identity',
          image => $images['comply_identity'],
          net => $docker_network,
          #ports => ['8443:8443'],
          after => $containers['comply_identity']['after'],
          extra_parameters => $containers['comply_identity']['extra_parameters'],
          extra_systemd_parameters => $containers['comply_identity']['extra_systemd_parameters'],
          healthcheck => $containers['comply_identity']['healthcheck'],
          env_vars => {
            'DB_ENCRYPTION_KEY' => $db_encryption_key,
            'KC_DB' => 'postgres',
            'KC_DB_URL_HOST' => 'comply_postgres',
            'KC_DB_PASSWORD' => $identity_db_password,
            'KC_DB_USERNAME' => $identity_db_username,
            'COMPLY_DB_CONNECTION' => 'jdbc:postgresql://comply_postgres/comply?ssl=false',
            'COMPLY_DB_USER' => $comply_db_username,
            'COMPLY_DB_PASSWORD' => $comply_db_password,
            'KEYCLOAK_ADMIN' => $identity_admin_user,
            'KEYCLOAK_ADMIN_PASSWORD' => $identity_admin_password,
            'KC_LOG_LEVEL' => $containers['comply_identity']['log_level'],
            'PROXY_ADDRESS_FORWARDING' => 'true',
            'JDBC_PARAMS' => 'ssl=false',
            'KC_HEALTH_ENABLED' => 'true',
            'KC_HTTP_ENABLED' => 'true',
            'KC_HOSTNAME_STRICT' => 'false',
            'KC_PROXY' => 'edge',
            'KC_HTTP_RELATIVE_PATH' => '/auth',
            'KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI' => 'true',
            'KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN' => 'true',
            'JAVA_OPTS' => '-Xms64m -Xmx512m',
            'FEATURES' => join($features, ','),
          },
      }),
      client_secret                   => $hiera_config['client_secret'],
      identity_account                => $hiera_config['identity_account'],
      identity_account_console        => $hiera_config['identity_account_console'],
      identity_admin_cli              => $hiera_config['identity_admin_cli'],
      identity_broker                 => $hiera_config['identity_broker'],
      identity_realm_management       => $hiera_config['identity_realm_management'],
      identity_security_admin_console => $hiera_config['identity_security_admin_console'],
      hostname                        => $hostname,
      ca_crt                          => $ca_crt,
  })

  $comply_gatekeeper_service = Complyadm::Config::Comply_gatekeeper.new({
      container => Complyadm::Container.new({
          runtime => $runtime,
          install_runtime => $install_runtime,
          name => 'comply_gatekeeper',
          image => $images['comply_gatekeeper'],
          net => $docker_network,
          #ports => ['3001:3001'],
          after => $containers['comply_gatekeeper']['after'],
          cmd => '--config=/run/secrets/oauth2_proxy.cfg',
          extra_parameters => $containers['comply_gatekeeper']['extra_parameters'],
          env_vars => {},
      }),
      client_secret => $hiera_config['client_secret'],
      cookie_secret => $hiera_config['cookie_secret'],
      hostname => $hostname,
      scarpy => 'comply_scarpy',
      graphql => 'comply_graphql',
      ui => 'comply_ui',
  })

  $comply_postgres_service = Complyadm::Config::Comply_postgres.new({
      container => Complyadm::Container.new({
          runtime => $runtime,
          install_runtime => $install_runtime,
          name => 'comply_postgres',
          image => $images['comply_postgres'],
          net => $docker_network,
          #ports => ['5432:5432'],
          extra_parameters => $containers['comply_postgres']['extra_parameters'],
          extra_systemd_parameters => $containers['comply_postgres']['extra_systemd_parameters'],
          healthcheck => $containers['comply_postgres']['healthcheck'],
          env_vars => {
            'POSTGRES_PASSWORD' => $admin_db_password,
          },
      }),
      log_level => $containers['comply_postgres']['log_level'],
      comply_db_username => $comply_db_username,
      comply_db_password => $comply_db_password,
      identity_db_username => $identity_db_username,
      identity_db_password => $identity_db_password,
      admin_db_username => 'postgres',
  })

  $comply_frontdoor_service = Complyadm::Config::Comply_frontdoor.new({
      container => Complyadm::Container.new({
          runtime => $runtime,
          install_runtime => $install_runtime,
          name => 'comply_frontdoor',
          image => $images['comply_frontdoor'],
          net => $docker_network,
          ports => ['443:8443', '80:8080'],
          extra_parameters => $containers['comply_frontdoor']['extra_parameters'],
          extra_systemd_parameters => $containers['comply_frontdoor']['extra_systemd_parameters'],
          env_vars => {},
          healthcheck => $containers['comply_frontdoor']['healthcheck'],
      }),
      cert_chain => $cert_chain,
      private_key => $private_key,
      crl => $crl,
  })

  $comply_mtls_proxy_service = Complyadm::Config::Comply_mtls_proxy.new({
      container => Complyadm::Container.new({
          runtime => $runtime,
          install_runtime => $install_runtime,
          name => 'comply_mtls_proxy',
          image => $images['comply_mtls_proxy'],
          net => $docker_network,
          ports => ['30303:8080'],
          extra_parameters => $containers['comply_mtls_proxy']['extra_parameters'],
          extra_systemd_parameters => $containers['comply_mtls_proxy']['extra_systemd_parameters'],
          env_vars => {},
          healthcheck => $containers['comply_mtls_proxy']['healthcheck'],
      }),
      pe_cert_checks_disabled => $pe_cert_checks_disabled,
      tls_crt => $tls_crt,
      tls_key => $tls_key,
  })

  $comply_graphql_init_service = Complyadm::Config::Comply_graphql_init.new({
      container => Complyadm::Container.new({
          runtime => $runtime,
          install_runtime => $install_runtime,
          name => 'comply_graphql_init',
          image => $images['comply_graphql_init'],
          net => $docker_network,
          after => $containers['comply_graphql_init']['after'],
          extra_parameters => $containers['comply_graphql_init']['extra_parameters'],
          extra_systemd_parameters => $containers['comply_graphql_init']['extra_systemd_parameters'],
          env_vars => {
            'HASURA_ENDPOINT' => 'http://comply_graphql:8080',
            'POSTGRES_HOSTNAME' => 'comply_postgres',
            'SCARP_DEBUG_LEVEL' => $containers['comply_graphql_init']['log_level'],
            'DB_USER' => $comply_db_username,
            'DB_PASSWORD' => $comply_db_password,
            'HASURA_ADMIN_SECRET' => $hasura_admin_secret,
            'QUERY_API' => 'http://comply_graphql:8080/v1',
            'DESIRED_SCAN_ENDPOINT' => 'http://comply_scarpy:8088/api/v3/pe/task/ciscatscan/runScheduledScan',
          },
      }),
  })

  $comply_scarpy_assessor_init_service = Complyadm::Config::Comply_scarpy_assessor_init.new({
      container => Complyadm::Container.new({
          runtime => $runtime,
          install_runtime => $install_runtime,
          name => 'comply_scarpy_assessor_init',
          image => $images['comply_scarpy_assessor_init'],
          net => $docker_network,
          extra_parameters => $containers['comply_scarpy_assessor_init']['extra_parameters'],
          extra_systemd_parameters => $containers['comply_scarpy_assessor_init']['extra_systemd_parameters'],
          env_vars => {
            'ASSESSOR_VERSION' => $assessor_version,
          },
          #cmd => "rm -rf /Assessor-CLI/benchmarks && unzip -jo /files/Assessor-CLI-windows-v${assessor_version}.zip 'Assessor-CLI/benchmarks/*xccdf*' -d benchmarks",
          cmd => "sh -c \"rm -rf /Assessor-CLI/benchmarks;unzip -jo /files/Assessor-CLI-windows-v${assessor_version}.zip 'Assessor-CLI/benchmarks/*xccdf*' -d benchmarks\"",
      }),
  })

  $comply_ui_assessor_init_service = Complyadm::Config::Comply_ui_assessor_init.new({
      container => Complyadm::Container.new({
          runtime => $runtime,
          install_runtime => $install_runtime,
          name => 'comply_ui_assessor_init',
          image => $images['comply_ui_assessor_init'],
          net => $docker_network,
          extra_parameters => $containers['comply_ui_assessor_init']['extra_parameters'],
          extra_systemd_parameters => $containers['comply_ui_assessor_init']['extra_systemd_parameters'],
          env_vars => {
            'ASSESSOR_VERSION' => $assessor_version,
          },
      }),
  })

  $comply_scarpy_init_service = Complyadm::Config::Comply_scarpy_init.new({
      container => Complyadm::Container.new({
          runtime => $runtime,
          install_runtime => $install_runtime,
          name => 'comply_scarpy_init',
          image => $images['comply_scarpy_init'],
          net => $docker_network,
          after => $containers['comply_scarpy_init']['after'],
          extra_parameters => $containers['comply_scarpy_init']['extra_parameters'],
          extra_systemd_parameters => $containers['comply_scarpy_init']['extra_systemd_parameters'],
          env_vars => {
            'ASSESSOR_VERSION' => $assessor_version,
            'POSTGRES_HOSTNAME' => 'comply_postgres',
            'SCARP_DEBUG_LEVEL' => $containers['comply_scarpy_init']['log_level'],
            'DB_USER' => $comply_db_username,
            'DB_PASSWORD' => $comply_db_password,
            'DB_ENCRYPTION_KEY' => $db_encryption_key,
          },
          cmd => 'scarp init /Assessor-CLI/benchmarks',
      }),
  })

  $comply_assessor_upgrade_service = Complyadm::Config::Comply_assessor_upgrade.new({
      container => Complyadm::Container.new({
          runtime => $runtime,
          install_runtime => $install_runtime,
          name => 'comply_assessor_upgrade',
          image => $images['comply_assessor_upgrade'],
          net => $docker_network,
          after => $containers['comply_assessor_upgrade']['after'],
          extra_parameters => $containers['comply_assessor_upgrade']['extra_parameters'],
          extra_systemd_parameters => $containers['comply_assessor_upgrade']['extra_systemd_parameters'],
          env_vars => {
            'SCARP_DEBUG_LEVEL' => $containers['comply_assessor_upgrade']['log_level'],
            'POSTGRES_HOSTNAME' => 'comply_postgres',
            'QUERY_API' => 'http://comply_graphql:8080/v1',
            'MAX_IDLE_CONNS' => '40',
            'MAX_OPEN_CONNS' => '80',
            'IDLE_CONNS_LTS' => '1',
            'UPGRADE_PE_AGENT_RUN' => 'false',
            'DB_PASSWORD' => $comply_db_password,
            'DB_USER' => $comply_db_username,
            'ASSESSOR_VERSION' => $assessor_version,
            'DB_ENCRYPTION_KEY' => $db_encryption_key,
          },
          cmd => 'scarp upgrade-assessor',
      }),
  })

  $comply_redis_service = Complyadm::Config::Comply_redis.new({
      container => Complyadm::Container.new({
          runtime => $runtime,
          install_runtime => $install_runtime,
          name => 'comply_redis',
          image => $images['comply_redis'],
          net => $docker_network,
          #ports => ['6379:6379'],
          extra_parameters => $containers['comply_redis']['extra_parameters'],
          extra_systemd_parameters => $containers['comply_redis']['extra_systemd_parameters'],
          env_vars => {
            'REDIS_PASSWORD' => $redis_password,
          },
          healthcheck => $containers['comply_redis']['healthcheck'],
      }),
  })

  Complyadm::Config.new({
      all_targets => get_targets($hiera_config['targets'].values.flatten.unique),
      images => $images,
      roles => Complyadm::Roles.new({
          ui => {
            services => {
              comply_ui => $comply_ui_service,
              comply_ui_assessor_init => $comply_ui_assessor_init_service,
            },
            targets => get_targets($hiera_config['targets']['ui']),
          },
          backend => {
            services => {
              comply_graphql => $comply_graphql_service,
              comply_scarpy => $comply_scarpy_service,
              comply_redis => $comply_redis_service,
              comply_identity => $comply_identity_service,
              comply_gatekeeper => $comply_gatekeeper_service,
              comply_frontdoor => $comply_frontdoor_service,
              comply_mtls_proxy => $comply_mtls_proxy_service,
              comply_graphql_init => $comply_graphql_init_service,
              comply_scarpy_assessor_init => $comply_scarpy_assessor_init_service,
              comply_scarpy_init => $comply_scarpy_init_service,
              comply_assessor_upgrade => $comply_assessor_upgrade_service,
            },
            targets => get_targets($hiera_config['targets']['backend']),
          },
          database => {
            services => {
              comply_postgres => $comply_postgres_service,
            },
            targets => get_targets($hiera_config['targets']['database']),
          },
      }),
      runtime => $runtime,
      install_runtime => $install_runtime,
      backup_dir => $backup_dir,
      dump_filename => "comply-postgres-${Timestamp.new.strftime('%Y-%m-%d')}.dump",
      ssl => {
        cert_chain => $hiera_config['ssl_cert_chain'],
        crl => $hiera_config['ssl_crl'],
        private_key => Sensitive($hiera_config['ssl_private_key']),
      },
      resolvable_hostname => $hostname,
      assessor_version => $assessor_version,
      pe => $hiera_config['pe'],
      ca_crt => $ca_crt,
      tls_crt => $tls_crt,
      tls_key => $tls_key,
  })
}