Puppet Plan: complyadm::support_bundle::config

Defined in:
plans/support_bundle/config.pp

Overview

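This plan takes a Comply config, redacts its sensitive values, and writes the result to a file in the support bundle on localhost. Redaction works by overwriting a fixed list of keys (passwords, client and cookie secrets, encryption keys, admin secrets and the GraphQL database URL) with the placeholder `[*** REDACTED ***]`; any key outside that list is written unchanged.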

Parameters:

  • config (Complyadm::Config)

    The Comply config

  • support_bundle_dir (String[1])

    The absolute path to the support bundle directory



# File 'plans/support_bundle/config.pp', line 7

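plan complyadm::support_bundle::config(
  Complyadm::Config $config,
  String[1] $support_bundle_dir,
) {
  # Writes a redacted copy of $config to
  # ${support_bundle_dir}/config/config.json on localhost.
  #
  # Redaction is an overlay: deep_merge replaces the keys listed below with
  # $redacted_message and leaves everything else in $config as it is. A
  # secret stored under a key that is not listed here ends up in the bundle
  # in clear text, so any new secret-bearing setting has to be added to this
  # hash as well. Listed keys that are absent from $config are added with
  # the placeholder value.
  $redacted_message = '[*** REDACTED ***]'
  $redacted_config = deep_merge($config,
    {
      'roles' => {
        'backend' => {
          'services' => {
            'comply_assessor_upgrade' => {
              'container' => {
                'env_vars' => {
                  'DB_PASSWORD' => $redacted_message,
                  'DB_ENCRYPTION_KEY' => $redacted_message,
                },
              },
            },
            'comply_gatekeeper' => {
              'client_secret' => $redacted_message,
              'cookie_secret' => $redacted_message,
            },
            'comply_graphql' => {
              'container' => {
                'env_vars' => {
                  'HASURA_GRAPHQL_ADMIN_SECRET' => $redacted_message,
                  # The whole URL is replaced, not just a password field;
                  # presumably it embeds the database credentials - confirm.
                  'HASURA_GRAPHQL_DATABASE_URL' => $redacted_message,
                },
              },
            },
            'comply_graphql_init' => {
              'container' => {
                'env_vars' => {
                  'DB_PASSWORD' => $redacted_message,
                  'HASURA_ADMIN_SECRET' => $redacted_message,
                },
              },
            },
            'comply_identity' => {
              'client_secret' => $redacted_message,
              'container' => {
                'env_vars' => {
                  'COMPLY_DB_PASSWORD' => $redacted_message,
                  'KC_DB_PASSWORD' => $redacted_message,
                  'KEYCLOAK_ADMIN_PASSWORD' => $redacted_message,
                  'DB_ENCRYPTION_KEY' => $redacted_message,
                },
              },
            },
            'comply_scarpy' => {
              'container' => {
                'env_vars' => {
                  'DB_PASSWORD' => $redacted_message,
                  'HASURA_ADMIN_SECRET' => $redacted_message,
                  'DB_ENCRYPTION_KEY' => $redacted_message,
                },
              },
            },
            'comply_scarpy_init' => {
              'container' => {
                'env_vars' => {
                  'DB_PASSWORD' => $redacted_message,
                  'DB_ENCRYPTION_KEY' => $redacted_message,
                },
              },
            },
          },
        },
        'database' => {
          'services' => {
            'comply_postgres' => {
              'comply_db_password' => $redacted_message,
              'identity_db_password' => $redacted_message,
              'container' => {
                'env_vars' => {
                  'POSTGRES_PASSWORD' => $redacted_message,
                },
              },
            },
          },
        },
      }
    }
  )

  # write the redacted config to ${support_bundle_dir}/config/config.json
  $support_bundle_config_dir = file::join($support_bundle_dir, 'config')
  # The directory path comes from a plan parameter and is passed to a shell,
  # so it is escaped first: a path containing spaces or shell metacharacters
  # is then created as one literal directory instead of being split or
  # interpreted. '--' keeps a path that starts with '-' from being read as an
  # mkdir option.
  $quoted_config_dir = stdlib::shell_escape($support_bundle_config_dir)
  run_command("mkdir -- ${quoted_config_dir}", 'localhost')
  # NOTE(review): neither mkdir nor file::write is given a mode here, so the
  # directory and config.json presumably get whatever the umask of the Bolt
  # process allows - confirm that is tight enough for a support bundle.
  $config_file = file::join($support_bundle_config_dir, 'config.json')
  file::write($config_file, stdlib::to_json_pretty($redacted_config))
}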