Puppet Plan: complyadm::generate_config

Defined in:
plans/generate_config.pp

Summary

Generates a hiera data file for use when calling complyadm::install

Overview

Populates a Complyadm::Hiera_config object with user-supplied information, falling back to defaults if not specified. The only defaults that should be specified in this plan are data required by the install. For instance, the secret key should be generated for users and saved to their config if it isn’t provided. However, default logging config should not be written to the customer’s config.

Other defaults should live in complyadm::config()

All sensitive data will be encrypted with hiera-eyaml

Parameters:

  • inventory_aio_target (String)

    The target to install Comply on

  • resolvable_hostname (String)

    The hostname users will be able to access the Comply console at

  • admin_db_password (Optional[Sensitive[String]]) (defaults to: Sensitive(complyadm::secure_random(32)))

    Used by the admin/superuser of the Postgres instance. It’s only used in setup.

  • comply_db_username (Optional[String]) (defaults to: comply)

    Overrides the default database user which is used by the backend service.

  • comply_db_password (Optional[Sensitive[String]]) (defaults to: Sensitive(complyadm::secure_random(32)))

    Password of the database used by the backend service.

  • identity_db_username (Optional[String]) (defaults to: undef)

    Overrides the default database user used by the query service.

  • identity_db_password (Optional[Sensitive[String]]) (defaults to: Sensitive(complyadm::secure_random(32)))

    Password of the database used by the query service.

  • secret_key (Optional[Sensitive[String]]) (defaults to: Sensitive(complyadm::secure_random(16)))

    Used to encrypt secret data stored in the backend database.

  • runtime (Optional[Complyadm::Runtime]) (defaults to: 'docker')

    Determines which container runtime should be used for the installation.

  • hiera_config_file_path (Optional[String]) (defaults to: 'hiera.yaml')

    Determines where the Hiera config file is written.

  • hiera_data_file_path (Optional[String]) (defaults to: 'data/common.yaml')

    Determines where the Comply config is written.

  • pkcs7_private_key_path (Optional[String]) (defaults to: 'keys/private_key.pkcs7.pem')

    Path to the private key used to decrypt Hiera data encrypted with eyaml.

  • pkcs7_public_key_path (Optional[String]) (defaults to: 'keys/public_key.pkcs7.pem')

    Path to the public key used to encrypt Hiera data with eyaml.

  • pe_target (Optional[String]) (defaults to: '')
  • identity_account (Optional[Sensitive[String]]) (defaults to: Sensitive(random_uuid()))
  • identity_account_console (Optional[Sensitive[String]]) (defaults to: Sensitive(random_uuid()))
  • identity_admin_cli (Optional[Sensitive[String]]) (defaults to: Sensitive(random_uuid()))
  • identity_admin_user (Optional[Sensitive[String]]) (defaults to: Sensitive(random_uuid()))
  • identity_admin_password (Optional[Sensitive[String]]) (defaults to: Sensitive(random_uuid()))
  • identity_broker (Optional[Sensitive[String]]) (defaults to: Sensitive(random_uuid()))
  • identity_realm_management (Optional[Sensitive[String]]) (defaults to: Sensitive(random_uuid()))
  • identity_security_admin_console (Optional[Sensitive[String]]) (defaults to: Sensitive(random_uuid()))
  • client_secret (Optional[Sensitive[String]]) (defaults to: Sensitive(random_uuid()))
  • cookie_secret (Optional[Sensitive[String]]) (defaults to: Sensitive(random_string()))
  • db_encryption_key (Optional[Sensitive[String]]) (defaults to: Sensitive(complyadm::secure_random(8)))
  • redis_password (Optional[Sensitive[String]]) (defaults to: Sensitive(random_uuid()))
  • assessor_update_check_interval (Optional[String]) (defaults to: '1h')
  • data_retention_period (Optional[String]) (defaults to: '0')
  • fact_update_check_interval (Optional[String]) (defaults to: '24h')
  • install_runtime (Optional[Boolean]) (defaults to: true)
  • assessor_version (Optional[String]) (defaults to: 'latest')
  • hasura_admin_secret (Optional[Sensitive[String]]) (defaults to: Sensitive(random_string()))
  • log_level (Optional[String]) (defaults to: 'info')


# File 'plans/generate_config.pp', line 29

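plan complyadm::generate_config(
  String $inventory_aio_target,
  String $resolvable_hostname,
  Optional[String] $pe_target = '',
  Optional[Sensitive[String]] $admin_db_password = Sensitive(complyadm::secure_random(32)),
  Optional[String] $comply_db_username = 'comply',
  Optional[Sensitive[String]] $comply_db_password = Sensitive(complyadm::secure_random(32)),
  Optional[String] $identity_db_username = undef,
  Optional[Sensitive[String]] $identity_db_password = Sensitive(complyadm::secure_random(32)),
  Optional[Sensitive[String]] $secret_key = Sensitive(complyadm::secure_random(16)),
  Optional[Sensitive[String]] $identity_account = Sensitive(random_uuid()),
  Optional[Sensitive[String]] $identity_account_console = Sensitive(random_uuid()),
  Optional[Sensitive[String]] $identity_admin_cli = Sensitive(random_uuid()),
  Optional[Sensitive[String]] $identity_admin_user = Sensitive(random_uuid()),
  Optional[Sensitive[String]] $identity_admin_password = Sensitive(random_uuid()),
  Optional[Sensitive[String]] $identity_broker = Sensitive(random_uuid()),
  Optional[Sensitive[String]] $identity_realm_management = Sensitive(random_uuid()),
  Optional[Sensitive[String]] $identity_security_admin_console = Sensitive(random_uuid()),
  Optional[Sensitive[String]] $client_secret = Sensitive(random_uuid()),
  # NOTE(review): random_string() is not the generator used for the other
  # secrets (complyadm::secure_random / random_uuid) and its entropy source is
  # not visible here; confirm it is suitable for a session/cookie secret.
  Optional[Sensitive[String]] $cookie_secret = Sensitive(random_string()),
  # NOTE(review): 8 characters is far shorter than the other generated secrets
  # (16/32); confirm this length is a constraint of the consumer, not an oversight.
  Optional[Sensitive[String]] $db_encryption_key = Sensitive(complyadm::secure_random(8)),
  Optional[Sensitive[String]] $redis_password = Sensitive(random_uuid()),
  Optional[String] $assessor_update_check_interval = '1h',
  Optional[String] $data_retention_period = '0',
  Optional[String] $fact_update_check_interval = '24h',
  Optional[Complyadm::Runtime] $runtime = 'docker',
  Optional[Boolean] $install_runtime = true,
  Optional[String] $hiera_config_file_path = 'hiera.yaml',
  Optional[String] $hiera_data_file_path = 'data/common.yaml',
  Optional[String] $pkcs7_private_key_path = 'keys/private_key.pkcs7.pem',
  Optional[String] $pkcs7_public_key_path = 'keys/public_key.pkcs7.pem',
  Optional[String] $assessor_version = 'latest',
  # NOTE(review): see $cookie_secret about random_string().
  Optional[Sensitive[String]] $hasura_admin_secret = Sensitive(random_string()),
  Optional[String] $log_level = 'info',
) {
  # Generates the eyaml-encrypted Hiera data file (and, if missing, the Bolt
  # project's hiera.yaml) consumed by complyadm::install.
  #
  # Both halves of the eyaml key pair are resolved against the Bolt project
  # directory. A pair is only created when neither half exists: a public key
  # without its private key would produce data nobody can decrypt, and a
  # private key without its public key must not be silently overwritten.
  $public_key_file  = file::join(complyadm::bolt_project_dir(), $pkcs7_public_key_path)
  $private_key_file = file::join(complyadm::bolt_project_dir(), $pkcs7_private_key_path)
  $have_public_key  = file::exists($public_key_file)
  $have_private_key = file::exists($private_key_file)

  out::message('Checking if keys exist for encrypting sensitive data')
  if $have_public_key and $have_private_key {
    out::message('Found existing PKCS7 key pair, skipping creation of new key pair')
  } elsif $have_public_key or $have_private_key {
    fail("Incomplete PKCS7 key pair: ${public_key_file} exists=${have_public_key}, ${private_key_file} exists=${have_private_key}. Restore the missing file or remove the remaining one before re-running.")
  } else {
    out::message('Secret keys do not exist yet, creating')
    run_task('pkcs7::secret_createkeys', 'localhost', {
        public_key  => $public_key_file,
        private_key => $private_key_file,
    })
  }

  # Every Sensitive parameter goes through the same encrypt-then-fold step, so
  # collect them once instead of repeating the expression per key. The PKCS7
  # output is multi-line; newlines are replaced with spaces so each value is
  # stored as a single-line ENC[...] string in the YAML data file.
  # NOTE(review): complyadm::encrypt receives the public key path as given
  # (relative), whereas the existence check above uses the project-joined
  # path; confirm encrypt resolves relative paths against the project dir.
  $sensitive_values = {
    admin_db_password               => $admin_db_password,
    comply_db_password              => $comply_db_password,
    db_encryption_key               => $db_encryption_key,
    identity_db_password            => $identity_db_password,
    secret_key                      => $secret_key,
    identity_account                => $identity_account,
    identity_account_console        => $identity_account_console,
    identity_admin_user             => $identity_admin_user,
    identity_admin_password         => $identity_admin_password,
    identity_admin_cli              => $identity_admin_cli,
    identity_broker                 => $identity_broker,
    identity_realm_management       => $identity_realm_management,
    identity_security_admin_console => $identity_security_admin_console,
    client_secret                   => $client_secret,
    cookie_secret                   => $cookie_secret,
    redis_password                  => $redis_password,
    hasura_admin_secret             => $hasura_admin_secret,
  }
  $encrypted_values = $sensitive_values.reduce({}) |$memo, $pair| {
    $memo + { $pair[0] => regsubst(complyadm::encrypt($pair[1], $pkcs7_public_key_path), '\n', ' ', 'MG') }
  }

  # Non-secret settings are written as-is. The TLS/CA entries are empty
  # placeholders here; presumably they are filled in by a later step — confirm.
  $plain_values = {
    targets                         => {
      backend  => [$inventory_aio_target],
      database => [$inventory_aio_target],
      ui       => [$inventory_aio_target],
    },
    comply_db_username              => $comply_db_username,
    identity_db_username            => $identity_db_username,
    resolvable_hostname             => $resolvable_hostname,
    runtime                         => $runtime,
    install_runtime                 => $install_runtime,
    user_assessor_version           => $assessor_version,
    pe                              => $pe_target,
    assessor_update_check_interval  => $assessor_update_check_interval,
    data_retention_period           => $data_retention_period,
    fact_update_check_interval      => $fact_update_check_interval,
    log_level                       => $log_level,
    ca_crt                          => '',
    tls_crt                         => '',
    tls_key                         => '',
    cert_chain                      => '',
    private_key                     => '',
    crl                             => '',
  }

  $basic_config = $plain_values + $encrypted_values

  $hiera_data = {
    'complyadm::config' => Complyadm::Hiera_config.new($basic_config),
  }

  $hiera_data_path = complyadm::save_yaml_file($hiera_data, $hiera_data_file_path)
  out::message("Saved Hiera data file to ${hiera_data_path}")

  out::message('Checking if hiera.yaml config exists for Bolt project')
  if file::exists(file::join(complyadm::bolt_project_dir(), $hiera_config_file_path)) {
    # An existing hiera.yaml is left untouched even if it names different key
    # or data paths than the ones used above; the operator owns that file.
    out::message('Found existing hiera.yaml file, skipping creation')
  } else {
    # hiera.yaml must reference the data file that was actually written, so
    # both the datadir and the file name are derived from $hiera_data_file_path
    # rather than hard-coding 'common.yaml'.
    $hiera_data_file_name = regsubst($hiera_data_file_path, '^.*/', '')

    $hiera_config = {
      'version'   => 5,
      'defaults'  => {
        'datadir'   => complyadm::file_dirname($hiera_data_file_path),
        'data_hash' => 'yaml_data',
      },
      'hierarchy' => [{
          'name'       => 'common',
          'lookup_key' => 'eyaml_lookup_key',
          'options'    => {
            # Key paths are written as given (relative); eyaml resolves them
            # at lookup time — presumably against the Bolt project dir, verify.
            'pkcs7_private_key' => $pkcs7_private_key_path,
            'pkcs7_public_key'  => $pkcs7_public_key_path,
          },
          'paths'      => [
            $hiera_data_file_name,
          ],
      }],
    }

    $hiera_config_path = complyadm::save_yaml_file($hiera_config, $hiera_config_file_path)
    out::message("Saved Hiera config file to ${hiera_config_path}")
  }
}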