Lookup function not working through hiera about tragiccode-azure_key_vault HOT 9 CLOSED

Hey,

I will attempt to reproduce this locally today and get back with you.

from tragiccode-azure_key_vault.

Hi @TraGicCode, thank you for your fast reply, for some reason, your comment is not here.

Hey @karolina1819 ,
Are you able to share what is being logged in your puppet server logs? This module does extra logging that will show if something is erroring out there.

Puppet is logging a lot and in different files, can you tell me in which file this module is writing the output and if there is some key word to filter out the logs?

from tragiccode-azure_key_vault.

Hey @karolina1819 ,

sorry for responding late. The puppet server logs are the puppet logs on the puppet master/server. This is where the lookup function is executed and the logs there will indicate if any errors occurs ( the code for this module does some level of logging )

https://www.puppet.com/docs/pe/2019.8/log-locations-reference.html

var/log/puppetlabs/puppetserver/puppetserver.log

from tragiccode-azure_key_vault.

Hi @TraGicCode,

No problem at all. I checked that, but I did not find anything related to this module, unfortunately. Any suggestion how to increase level of logging coming from this module?

from tragiccode-azure_key_vault.

Hey @karolina1819 ,

If something blows up there should be something in the logs. Can you try adding Sensitive[String] to the puppet code to see if that makes a difference?

class infra::akv (
  Sensitive[String] $password,
)
{

file { '/opt/akv':
    ensure => 'directory',
}

file { '/opt/akv/testpass':
  content => $password,
  ensure    => file,
}
}

from tragiccode-azure_key_vault.

Hey @karolina1819 ,

If something blows up there should be something in the logs.

Well, nothing blows up regarding code execution, so there are no errors in log. Only results of using lookup function in manifest and through hiera are different

Can you try adding Sensitive[String] to the puppet code to see if that makes a difference?

class infra::akv (
  Sensitive[String] $password,
)
{

file { '/opt/akv':
    ensure => 'directory',
}

file { '/opt/akv/testpass':
  content => $password,
  ensure    => file,
}
}

Yes, we did try that. With that there is an error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, Class[Infra::Akv]: parameter 'password' expects a Sensitive[String] value, got String (file: /etc/puppetlabs/code/environments/infra_qa/site/role/manifests/base.pp, line: 16, column: 3) on node puppetserver-01.qa.hub

It's seems like lookup function is returning string "Sensitive [value redacted]" instead of true value of the secret just masked in Sensitive type, as it does used in manifest.

from tragiccode-azure_key_vault.

Hey @karolina1819 ,

It appears the documentation is incorrect which is what is causing you an issue. When performing interpolation inside your a hiera data file you must use the alias function instead of the lookup function. Make the following change, as shown below, and everything should work as expected.

before

infra::akv::password: "%{lookup('azure-secret-password')}"

after

infra::akv::password: "%{alias('azure-secret-password')}"

I have created a PR ( #102 ) which will fix this and cut a new release of the module.

from tragiccode-azure_key_vault.

Please reopen this if you still have issues

from tragiccode-azure_key_vault.

I've tested this, all works as expected, thank you for your help and clarification.

from tragiccode-azure_key_vault.