Use Sensitive for Secrets

To not reveal Secrets, accept Datatype Sensitive.  Render
Templates as sensitive Content, if Secrets were given as Sensitive.

REFERENCE.md

@@ -539,7 +539,7 @@ Default value: `$zabbix::params::server_api_user`
 
 ##### <a name="-zabbix--zabbix_api_pass"></a>`zabbix_api_pass`
 
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 
 Password of the user which connects to the api. Default: zabbix
 
@@ -653,7 +653,7 @@ Default value: `$zabbix::params::server_database_user`
 
 ##### <a name="-zabbix--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 
 Database password. ignored for sqlite.
 
@@ -2290,7 +2290,7 @@ Default value: `$zabbix::params::server_database_user`
 
 ##### <a name="-zabbix--database--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 
 The password of the database_user.
 
@@ -2898,7 +2898,7 @@ Default value: `$zabbix::params::proxy_database_user`
 
 ##### <a name="-zabbix--proxy--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 
 Database password. ignored for sqlite.
 
@@ -3860,7 +3860,7 @@ API username.
 
 ##### <a name="-zabbix--resources--web--zabbix_pass"></a>`zabbix_pass`
 
-Data type: `String[1]`
+Data type: `Variant[Sensitive[String[1]], String[1]]`
 
 API password.
 
@@ -4269,7 +4269,7 @@ Default value: `$zabbix::params::server_database_user`
 
 ##### <a name="-zabbix--server--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 
 Database password. ignored for sqlite.
 
@@ -5254,7 +5254,7 @@ Default value: `$zabbix::params::server_api_user`
 
 ##### <a name="-zabbix--web--zabbix_api_pass"></a>`zabbix_api_pass`
 
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 
 Password of the user which connects to the api. Default: zabbix
 
@@ -5312,7 +5312,7 @@ Default value: `$zabbix::params::server_database_user`
 
 ##### <a name="-zabbix--web--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 
 Database password. ignored for sqlite.
 

manifests/database.pp

@@ -76,7 +76,7 @@
   $database_schema_path            = $zabbix::params::database_schema_path,
   $database_name                   = $zabbix::params::server_database_name,
   $database_user                   = $zabbix::params::server_database_user,
-  $database_password               = $zabbix::params::server_database_password,
+  Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
   $database_host                   = $zabbix::params::server_database_host,
   $database_host_ip                = $zabbix::params::server_database_host_ip,
   $database_charset                = $zabbix::params::server_database_charset,

manifests/database/mysql.pp

@@ -16,13 +16,15 @@
   $database_schema_path                               = '',
   $database_name                                      = '',
   $database_user                                      = '',
-  $database_password                                  = '',
+  Variant[Sensitive[String], String] $database_password = '',
   $database_host                                      = '',
   Optional[Stdlib::Port::Unprivileged] $database_port = undef,
   $database_path                                      = $zabbix::params::database_path,
 ) inherits zabbix::params {
   assert_private()
 
+  $database_password_unsensitive = $database_password.unwrap
+
   if ($database_schema_path == false) or ($database_schema_path == '') {
     if versioncmp($zabbix_version, '6.0') >= 0 {
       $schema_path = '/usr/share/zabbix-sql-scripts/mysql/'
@@ -43,14 +45,14 @@
   case $zabbix_type {
     'proxy': {
       $zabbix_proxy_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? {
-        true  => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done",
-        false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done"
+        true  => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done",
+        false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done"
       }
     }
     default: {
       $zabbix_server_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? {
-        true  => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done",
-        false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done"
+        true  => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done",
+        false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done"
       }
     }
   }
@@ -59,7 +61,11 @@
   case $zabbix_type {
     'proxy'  : {
       exec { 'zabbix_proxy_create.sql':
-        command  => $zabbix_proxy_create_sql,
+        command => if $database_password =~ Sensitive {
+          Sensitive($zabbix_proxy_create_sql)
+        } else {
+          $zabbix_proxy_create_sql
+        },
         path     => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
         unless   => 'test -f /etc/zabbix/.schema.done',
         provider => 'shell',

manifests/database/postgresql.pp

@@ -16,13 +16,16 @@
   $database_schema_path                               = '',
   $database_name                                      = '',
   $database_user                                      = '',
-  $database_password                                  = '',
+  Variant[Sensitive[String], String] $database_password = '',
   $database_host                                      = '',
   Stdlib::Port::Unprivileged $database_port           = 5432,
   $database_path                                      = $zabbix::params::database_path,
 ) inherits zabbix::params {
   assert_private()
 
+  # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+  $database_password_unsensitive = $database_password.unwrap
+
   if $database_schema_path != false and $database_schema_path != '' {
     $schema_path = $database_schema_path
   } elsif versioncmp($zabbix_version, '6.0') >= 0 {
@@ -56,7 +59,7 @@
     "PGHOST=${database_host}",
     "PGPORT=${database_port}",
     "PGUSER=${database_user}",
-    "PGPASSWORD=${database_password}",
+    "PGPASSWORD=${database_password_unsensitive}",
     "PGDATABASE=${database_name}",
   ]
 

manifests/init.pp

@@ -251,7 +251,7 @@
   Optional[Stdlib::Absolutepath] $ldap_clientkey                              = $zabbix::params::ldap_clientkey,
   Optional[Enum['never', 'allow', 'try', 'demand', 'hard']] $ldap_reqcert     = $zabbix::params::ldap_reqcert,
   $zabbix_api_user                                                            = $zabbix::params::server_api_user,
-  $zabbix_api_pass                                                            = $zabbix::params::server_api_pass,
+  Variant[Sensitive[String], String] $zabbix_api_pass                         = $zabbix::params::server_api_pass,
   Optional[Array[Stdlib::Host,1]] $zabbix_api_access                          = $zabbix::params::server_api_access,
   $listenport                                                                 = $zabbix::params::server_listenport,
   $sourceip                                                                   = $zabbix::params::server_sourceip,
@@ -265,7 +265,7 @@
   $database_schema                                                            = $zabbix::params::server_database_schema,
   Boolean $database_double_ieee754                                            = $zabbix::params::server_database_double_ieee754,
   $database_user                                                              = $zabbix::params::server_database_user,
-  $database_password                                                          = $zabbix::params::server_database_password,
+  Variant[Sensitive[String], String] $database_password                       = $zabbix::params::server_database_password,
   $database_socket                                                            = $zabbix::params::server_database_socket,
   $database_port                                                              = $zabbix::params::server_database_port,
   $database_charset                                                           = $zabbix::params::server_database_charset,

manifests/proxy.pp

@@ -222,7 +222,7 @@
   $database_name                                                              = $zabbix::params::proxy_database_name,
   $database_schema                                                            = $zabbix::params::proxy_database_schema,
   $database_user                                                              = $zabbix::params::proxy_database_user,
-  $database_password                                                          = $zabbix::params::proxy_database_password,
+  Variant[Sensitive[String], String] $database_password                       = $zabbix::params::proxy_database_password,
   $database_socket                                                            = $zabbix::params::proxy_database_socket,
   $database_port                                                              = $zabbix::params::proxy_database_port,
   $database_charset                                                           = $zabbix::params::server_database_charset,
@@ -306,6 +306,9 @@
   Boolean $manage_selinux                                                     = $zabbix::params::manage_selinux,
   Optional[Stdlib::Absolutepath] $socketdir                                   = $zabbix::params::proxy_socketdir,
 ) inherits zabbix::params {
+  # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+  $database_password_unsensitive = $database_password.unwrap
+
   # check osfamily, Arch is currently not supported for web
   if $facts['os']['family'] == 'Archlinux' {
     fail('Archlinux is currently not supported for zabbix::proxy ')

manifests/resources/web.pp

@@ -6,7 +6,7 @@
 class zabbix::resources::web (
   String[1] $zabbix_url,
   String[1] $zabbix_user,
-  String[1] $zabbix_pass,
+  Variant[Sensitive[String[1]], String[1]] $zabbix_pass,
   Boolean   $apache_use_ssl,
 ) {
   file { '/etc/zabbix/api.conf':

manifests/server.pp

@@ -195,7 +195,7 @@
   $database_name                                                              = $zabbix::params::server_database_name,
   $database_schema                                                            = $zabbix::params::server_database_schema,
   $database_user                                                              = $zabbix::params::server_database_user,
-  $database_password                                                          = $zabbix::params::server_database_password,
+  Variant[Sensitive[String], String] $database_password                       = $zabbix::params::server_database_password,
   $database_socket                                                            = $zabbix::params::server_database_socket,
   Optional[Stdlib::Port::Unprivileged] $database_port                         = $zabbix::params::server_database_port,
   Optional[Enum['required', 'verify_ca', 'verify_full']] $database_tlsconnect = $zabbix::params::server_database_tlsconnect,
@@ -281,6 +281,9 @@
   Optional[String[1]] $hanodename                                             = $zabbix::params::server_hanodename,
   Optional[String[1]] $nodeaddress                                            = $zabbix::params::server_nodeaddress,
 ) inherits zabbix::params {
+  # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+  $database_password_unsensitive = $database_password.unwrap
+
   # zabbix server 5.2, 5.4 and 6.0 is not supported on RHEL 7.
   # https://www.zabbix.com/documentation/current/manual/installation/install_from_packages/rhel_centos
   if $facts['os']['family'] == 'RedHat' and versioncmp($zabbix_version, '5.2') >= 0 {

manifests/web.pp

@@ -114,14 +114,14 @@
   Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport       = $zabbix::params::apache_listenport,
   Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport_ssl   = $zabbix::params::apache_listenport_ssl,
   $zabbix_api_user                                                    = $zabbix::params::server_api_user,
-  $zabbix_api_pass                                                    = $zabbix::params::server_api_pass,
+  Variant[Sensitive[String], String] $zabbix_api_pass                 = $zabbix::params::server_api_pass,
   Optional[Array[Stdlib::Host,1]] $zabbix_api_access                  = $zabbix::params::server_api_access,
   $database_host                                                      = $zabbix::params::server_database_host,
   $database_name                                                      = $zabbix::params::server_database_name,
   $database_schema                                                    = $zabbix::params::server_database_schema,
   Boolean $database_double_ieee754                                    = $zabbix::params::server_database_double_ieee754,
   $database_user                                                      = $zabbix::params::server_database_user,
-  $database_password                                                  = $zabbix::params::server_database_password,
+  Variant[Sensitive[String], String] $database_password               = $zabbix::params::server_database_password,
   $database_socket                                                    = $zabbix::params::server_database_socket,
   $database_port                                                      = $zabbix::params::server_database_port,
   $zabbix_server                                                      = $zabbix::params::zabbix_server,
@@ -146,6 +146,9 @@
   Boolean $manage_selinux                                             = $zabbix::params::manage_selinux,
   Hash[String[1], Any] $apache_vhost_custom_params                    = {},
 ) inherits zabbix::params {
+  # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+  $database_password_unsensitive = $database_password.unwrap
+
   # check osfamily, Arch is currently not supported for web
   if $facts['os']['family'] in ['Archlinux', 'Gentoo',] {
     fail("${facts['os']['family']} is currently not supported for zabbix::web")
@@ -262,7 +265,11 @@
     group   => $web_config_group,
     mode    => '0640',
     replace => true,
-    content => template('zabbix/web/zabbix.conf.php.erb'),
+    content => if $database_password =~ Sensitive {
+      Sensitive(template('zabbix/web/zabbix.conf.php.erb'))
+    } else {
+      template('zabbix/web/zabbix.conf.php.erb')
+    },
   }
 
   # For API to work on Zabbix 5.x zabbix.conf.php needs to be in the root folder.

templates/api.conf.epp

@@ -1,6 +1,6 @@
 <%- | String[1] $zabbix_url,
       String[1] $zabbix_user,
-      String[1] $zabbix_pass,
+      Variant[Sensitive[String[1]], String[1]] $zabbix_pass,
       Boolean   $apache_use_ssl,
 | -%>
 # MANAGED BY PUPPET

templates/web/zabbix.conf.php.erb

@@ -13,7 +13,7 @@ $DB['PORT']     = '0';
 <% end -%>
 $DB['DATABASE'] = '<%= @database_name %>';
 $DB['USER']     = '<%= @database_user %>';
-$DB['PASSWORD'] = '<%= @database_password %>';
+$DB['PASSWORD'] = '<%= @database_password_unsensitive %>';
 
 // SCHEMA is relevant only for IBM_DB2 and PostgreSQL database
 <% if @database_schema -%>

templates/zabbix_proxy.conf.erb

@@ -169,7 +169,7 @@ DBUser=<%= @database_user %>
 #	Comment this line if no password is used.
 #
 # Mandatory: no
-DBPassword=<%= @database_password %>
+DBPassword=<%= @database_password_unsensitive %>
 
 ### Option: DBSocket
 #	Path to MySQL socket.
@@ -894,7 +894,7 @@ LoadModulePath=<%= @loadmodulepath %>
 <% if @zabbix_version.to_f >= 7.0 %>
 ### Option: VaultPrefix
 #	Custom prefix for Vault path or query depending on the Vault.
-#	Most suitable defaults will be used if not specified. 
+#	Most suitable defaults will be used if not specified.
 #	Note that 'data' is automatically appended after mountpoint for HashiCorp if VaultPrefix is not specified.
 #	Example prefix for HashiCorp:
 #		/v1/secret/data/
@@ -969,4 +969,4 @@ LoadModulePath=<%= @loadmodulepath %>
 # Default:
 # StartBrowserPollers=1
 
-<% end %>
+<% end %>

templates/zabbix_server.conf.erb

@@ -106,7 +106,7 @@ DBUser=<%= @database_user %>
 #	Comment this line if no password is used.
 #
 # Mandatory: no
-DBPassword=<%= @database_password %>
+DBPassword=<%= @database_password_unsensitive %>
 
 ### Option: DBSocket
 #	Path to MySQL socket.
@@ -849,7 +849,7 @@ LoadModulePath=<%= @loadmodulepath %>
 <% if @zabbix_version.to_f >= 7.0 %>
 ### Option: VaultPrefix
 #	Custom prefix for Vault path or query depending on the Vault.
-#	Most suitable defaults will be used if not specified. 
+#	Most suitable defaults will be used if not specified.
 #	Note that 'data' is automatically appended after mountpoint for HashiCorp if VaultPrefix is not specified.
 #	Example prefix for HashiCorp:
 #		/v1/secret/data/
@@ -946,7 +946,7 @@ LoadModulePath=<%= @loadmodulepath %>
 # EnableGlobalScripts=1
 
 # Option: AllowSoftwareUpdateCheck
-#       Allow Zabbix UI to receive information about software updates from zabbix.com 
+#       Allow Zabbix UI to receive information about software updates from zabbix.com
 #       0 - disable software update checks
 #       1 - enable software update checks
 #
@@ -1017,4 +1017,4 @@ LoadModulePath=<%= @loadmodulepath %>
 # Default:
 # StartBrowserPollers=1
 
-<% end %>
+<% end %>