From fcf379967bebbd41e3a4789d05280aa08f4e9dbe Mon Sep 17 00:00:00 2001 From: cocker-cc Date: Tue, 9 Jul 2024 18:46:19 +0200 Subject: [PATCH 1/2] Use Sensitive for Secrets To not reveal Secrets, accept Datatype Sensitive. Render Templates as sensitive Content, if Secrets were given as Sensitive. --- REFERENCE.md | 38 +++++-- manifests/agent.pp | 167 +++++++++++++++--------------- manifests/database.pp | 36 +++---- manifests/database/mysql.pp | 34 +++--- manifests/database/postgresql.pp | 23 ++-- manifests/init.pp | 4 +- manifests/javagateway.pp | 18 ++-- manifests/proxy.pp | 12 ++- manifests/resources/agent.pp | 22 ++-- manifests/resources/web.pp | 2 +- manifests/sender.pp | 6 +- manifests/server.pp | 5 +- manifests/web.pp | 13 ++- manifests/zabbixapi.pp | 2 +- templates/api.conf.epp | 2 +- templates/web/zabbix.conf.php.erb | 2 +- templates/zabbix_proxy.conf.erb | 6 +- templates/zabbix_server.conf.erb | 8 +- 18 files changed, 225 insertions(+), 175 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 92e260d75..8a1fb71f7 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -539,7 +539,7 @@ Default value: `$zabbix::params::server_api_user` ##### `zabbix_api_pass` -Data type: `Any` +Data type: `Variant[Sensitive[String], String]` Password of the user which connects to the api. Default: zabbix @@ -653,7 +653,7 @@ Default value: `$zabbix::params::server_database_user` ##### `database_password` -Data type: `Any` +Data type: `Variant[Sensitive[String], String]` Database password. ignored for sqlite. @@ -1860,7 +1860,16 @@ Default value: `$zabbix::params::agent_timeout` ##### `tlsaccept` -Data type: `Optional[Variant[Array[Enum['unencrypted','psk','cert']],Enum['unencrypted','psk','cert']]]` +Data type: + +```puppet +Optional[ + Variant[ + Array[Enum['unencrypted','psk','cert']], + Enum['unencrypted','psk','cert'] + ] + ] +``` What incoming connections to accept from Zabbix server. Used for a passive proxy, ignored on an active proxy. 
@@ -2290,7 +2299,7 @@ Default value: `$zabbix::params::server_database_user` ##### `database_password` -Data type: `Any` +Data type: `Variant[Sensitive[String], String]` The password of the database_user. @@ -2898,7 +2907,7 @@ Default value: `$zabbix::params::proxy_database_user` ##### `database_password` -Data type: `Any` +Data type: `Variant[Sensitive[String], String]` Database password. ignored for sqlite. @@ -3279,7 +3288,16 @@ Default value: `$zabbix::params::proxy_timeout` ##### `tlsaccept` -Data type: `Optional[Variant[Array[Enum['unencrypted','psk','cert']],Enum['unencrypted','psk','cert']]]` +Data type: + +```puppet +Optional[ + Variant[ + Array[Enum['unencrypted', 'psk', 'cert']], + Enum['unencrypted', 'psk', 'cert'] + ] + ] +``` What incoming connections to accept from Zabbix server. Used for a passive proxy, ignored on an active proxy. @@ -3860,7 +3878,7 @@ API username. ##### `zabbix_pass` -Data type: `String[1]` +Data type: `Variant[Sensitive[String[1]], String[1]]` API password. @@ -4269,7 +4287,7 @@ Default value: `$zabbix::params::server_database_user` ##### `database_password` -Data type: `Any` +Data type: `Variant[Sensitive[String], String]` Database password. ignored for sqlite. @@ -5254,7 +5272,7 @@ Default value: `$zabbix::params::server_api_user` ##### `zabbix_api_pass` -Data type: `Any` +Data type: `Variant[Sensitive[String], String]` Password of the user which connects to the api. Default: zabbix @@ -5312,7 +5330,7 @@ Default value: `$zabbix::params::server_database_user` ##### `database_password` -Data type: `Any` +Data type: `Variant[Sensitive[String], String]` Database password. ignored for sqlite. diff --git a/manifests/agent.pp b/manifests/agent.pp index 9db33a8ea..b8c20d30c 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp 
@@ -147,88 +147,93 @@ # # @author Werner Dijkerman ikben@werner-dijkerman.nl class zabbix::agent ( - $zabbix_version = $zabbix::params::zabbix_version, - $zabbix_package_state = $zabbix::params::zabbix_package_state, - $zabbix_package_agent = $zabbix::params::zabbix_package_agent, - Optional[String[1]] $zabbix_package_provider = $zabbix::params::zabbix_package_provider, - Optional[Stdlib::Windowspath] $zabbix_package_source = undef, - Boolean $manage_choco = $zabbix::params::manage_choco, - Boolean $manage_firewall = $zabbix::params::manage_firewall, - Boolean $manage_repo = $zabbix::params::manage_repo, - Boolean $manage_resources = $zabbix::params::manage_resources, - $monitored_by_proxy = $zabbix::params::monitored_by_proxy, - $agent_use_ip = $zabbix::params::agent_use_ip, - Variant[String[1],Array[String[1]]] $zbx_groups = $zabbix::params::agent_zbx_groups, - $zbx_group_create = $zabbix::params::agent_zbx_group_create, - $zbx_templates = $zabbix::params::agent_zbx_templates, - Array[Hash] $zbx_macros = [], - Integer[1,4] $zbx_interface_type = 1, - Variant[Array, Hash] $zbx_interface_details = [], - $agent_configfile_path = $zabbix::params::agent_configfile_path, - $pidfile = $zabbix::params::agent_pidfile, - $servicename = $zabbix::params::agent_servicename, - Enum['console', 'file', 'system'] $logtype = $zabbix::params::agent_logtype, - Optional[Stdlib::Absolutepath] $logfile = $zabbix::params::agent_logfile, - $logfilesize = $zabbix::params::agent_logfilesize, - $debuglevel = $zabbix::params::agent_debuglevel, - $sourceip = $zabbix::params::agent_sourceip, - Optional[String[1]] $allowkey = $zabbix::params::agent_allowkey, - Optional[String[1]] $denykey = $zabbix::params::agent_denykey, - $enableremotecommands = $zabbix::params::agent_enableremotecommands, - $logremotecommands = $zabbix::params::agent_logremotecommands, - $server = $zabbix::params::agent_server, - $listenport = $zabbix::params::agent_listenport, - $listenip = $zabbix::params::agent_listenip, - 
$startagents = $zabbix::params::agent_startagents, - $serveractive = $zabbix::params::agent_serveractive, - Stdlib::Ensure::Service $service_ensure = $zabbix::params::agent_service_ensure, - Boolean $service_enable = $zabbix::params::agent_service_enable, - $hostname = $zabbix::params::agent_hostname, - $hostnameitem = $zabbix::params::agent_hostnameitem, - $hostmetadata = $zabbix::params::agent_hostmetadata, - $hostmetadataitem = $zabbix::params::agent_hostmetadataitem, - Optional[Stdlib::Fqdn] $hostinterface = $zabbix::params::agent_hostinterface, - Optional[Stdlib::Fqdn] $hostinterfaceitem = $zabbix::params::agent_hostinterfaceitem, - $refreshactivechecks = $zabbix::params::agent_refreshactivechecks, - $buffersend = $zabbix::params::agent_buffersend, - $buffersize = $zabbix::params::agent_buffersize, - $maxlinespersecond = $zabbix::params::agent_maxlinespersecond, - Optional[Array] $zabbix_alias = $zabbix::params::agent_zabbix_alias, - $timeout = $zabbix::params::agent_timeout, - $allowroot = $zabbix::params::agent_allowroot, - Optional[String[1]] $zabbix_user = $zabbix::params::agent_zabbix_user, - $include_dir = $zabbix::params::agent_include, - $include_dir_purge = $zabbix::params::agent_include_purge, - $unsafeuserparameters = $zabbix::params::agent_unsafeuserparameters, - $userparameter = $zabbix::params::agent_userparameter, - Optional[String[1]] $loadmodulepath = $zabbix::params::agent_loadmodulepath, - $loadmodule = $zabbix::params::agent_loadmodule, - Optional[Variant[Array[Enum['unencrypted','psk','cert']],Enum['unencrypted','psk','cert']]] $tlsaccept = $zabbix::params::agent_tlsaccept, - $tlscafile = $zabbix::params::agent_tlscafile, - $tlscertfile = $zabbix::params::agent_tlscertfile, - Optional[String[1]] $tlscertissuer = undef, - Optional[String[1]] $tlscertsubject = undef, - Optional[String[1]] $tlscipherall = $zabbix::params::agent_tlscipherall, - Optional[String[1]] $tlscipherall13 = $zabbix::params::agent_tlscipherall13, - Optional[String[1]] 
$tlsciphercert = $zabbix::params::agent_tlsciphercert, - Optional[String[1]] $tlsciphercert13 = $zabbix::params::agent_tlsciphercert13, - Optional[String[1]] $tlscipherpsk = $zabbix::params::agent_tlscipherpsk, - Optional[String[1]] $tlscipherpsk13 = $zabbix::params::agent_tlscipherpsk13, + $zabbix_version = $zabbix::params::zabbix_version, + $zabbix_package_state = $zabbix::params::zabbix_package_state, + $zabbix_package_agent = $zabbix::params::zabbix_package_agent, + Optional[String[1]] $zabbix_package_provider = $zabbix::params::zabbix_package_provider, + Optional[Stdlib::Windowspath] $zabbix_package_source = undef, + Boolean $manage_choco = $zabbix::params::manage_choco, + Boolean $manage_firewall = $zabbix::params::manage_firewall, + Boolean $manage_repo = $zabbix::params::manage_repo, + Boolean $manage_resources = $zabbix::params::manage_resources, + $monitored_by_proxy = $zabbix::params::monitored_by_proxy, + $agent_use_ip = $zabbix::params::agent_use_ip, + Variant[String[1],Array[String[1]]] $zbx_groups = $zabbix::params::agent_zbx_groups, + $zbx_group_create = $zabbix::params::agent_zbx_group_create, + $zbx_templates = $zabbix::params::agent_zbx_templates, + Array[Hash] $zbx_macros = [], + Integer[1,4] $zbx_interface_type = 1, + Variant[Array, Hash] $zbx_interface_details = [], + $agent_configfile_path = $zabbix::params::agent_configfile_path, + $pidfile = $zabbix::params::agent_pidfile, + $servicename = $zabbix::params::agent_servicename, + Enum['console', 'file', 'system'] $logtype = $zabbix::params::agent_logtype, + Optional[Stdlib::Absolutepath] $logfile = $zabbix::params::agent_logfile, + $logfilesize = $zabbix::params::agent_logfilesize, + $debuglevel = $zabbix::params::agent_debuglevel, + $sourceip = $zabbix::params::agent_sourceip, + Optional[String[1]] $allowkey = $zabbix::params::agent_allowkey, + Optional[String[1]] $denykey = $zabbix::params::agent_denykey, + $enableremotecommands = $zabbix::params::agent_enableremotecommands, + 
$logremotecommands = $zabbix::params::agent_logremotecommands, + $server = $zabbix::params::agent_server, + $listenport = $zabbix::params::agent_listenport, + $listenip = $zabbix::params::agent_listenip, + $startagents = $zabbix::params::agent_startagents, + $serveractive = $zabbix::params::agent_serveractive, + Stdlib::Ensure::Service $service_ensure = $zabbix::params::agent_service_ensure, + Boolean $service_enable = $zabbix::params::agent_service_enable, + $hostname = $zabbix::params::agent_hostname, + $hostnameitem = $zabbix::params::agent_hostnameitem, + $hostmetadata = $zabbix::params::agent_hostmetadata, + $hostmetadataitem = $zabbix::params::agent_hostmetadataitem, + Optional[Stdlib::Fqdn] $hostinterface = $zabbix::params::agent_hostinterface, + Optional[Stdlib::Fqdn] $hostinterfaceitem = $zabbix::params::agent_hostinterfaceitem, + $refreshactivechecks = $zabbix::params::agent_refreshactivechecks, + $buffersend = $zabbix::params::agent_buffersend, + $buffersize = $zabbix::params::agent_buffersize, + $maxlinespersecond = $zabbix::params::agent_maxlinespersecond, + Optional[Array] $zabbix_alias = $zabbix::params::agent_zabbix_alias, + $timeout = $zabbix::params::agent_timeout, + $allowroot = $zabbix::params::agent_allowroot, + Optional[String[1]] $zabbix_user = $zabbix::params::agent_zabbix_user, + $include_dir = $zabbix::params::agent_include, + $include_dir_purge = $zabbix::params::agent_include_purge, + $unsafeuserparameters = $zabbix::params::agent_unsafeuserparameters, + $userparameter = $zabbix::params::agent_userparameter, + Optional[String[1]] $loadmodulepath = $zabbix::params::agent_loadmodulepath, + $loadmodule = $zabbix::params::agent_loadmodule, + Optional[ + Variant[ + Array[Enum['unencrypted','psk','cert']], + Enum['unencrypted','psk','cert'] + ] + ] $tlsaccept = $zabbix::params::agent_tlsaccept, + $tlscafile = $zabbix::params::agent_tlscafile, + $tlscertfile = $zabbix::params::agent_tlscertfile, + Optional[String[1]] $tlscertissuer = undef, + 
Optional[String[1]] $tlscertsubject = undef, + Optional[String[1]] $tlscipherall = $zabbix::params::agent_tlscipherall, + Optional[String[1]] $tlscipherall13 = $zabbix::params::agent_tlscipherall13, + Optional[String[1]] $tlsciphercert = $zabbix::params::agent_tlsciphercert, + Optional[String[1]] $tlsciphercert13 = $zabbix::params::agent_tlsciphercert13, + Optional[String[1]] $tlscipherpsk = $zabbix::params::agent_tlscipherpsk, + Optional[String[1]] $tlscipherpsk13 = $zabbix::params::agent_tlscipherpsk13, Optional[Enum['unencrypted','psk','cert']] $tlsconnect = $zabbix::params::agent_tlsconnect, - $tlscrlfile = $zabbix::params::agent_tlscrlfile, - $tlskeyfile = $zabbix::params::agent_tlskeyfile, - $tlspskfile = $zabbix::params::agent_tlspskfile, - $tlspskidentity = $zabbix::params::agent_tlspskidentity, - $tlsservercertissuer = $zabbix::params::agent_tlsservercertissuer, - $tlsservercertsubject = $zabbix::params::agent_tlsservercertsubject, - Optional[String[1]] $agent_config_owner = $zabbix::params::agent_config_owner, - Optional[String[1]] $agent_config_group = $zabbix::params::agent_config_group, - Boolean $manage_selinux = $zabbix::params::manage_selinux, - Array[String] $selinux_require = $zabbix::params::selinux_require, - Hash[String, Array] $selinux_rules = $zabbix::params::selinux_rules, - String $additional_service_params = $zabbix::params::additional_service_params, - String $service_type = $zabbix::params::service_type, - Boolean $manage_startup_script = $zabbix::params::manage_startup_script, + $tlscrlfile = $zabbix::params::agent_tlscrlfile, + $tlskeyfile = $zabbix::params::agent_tlskeyfile, + $tlspskfile = $zabbix::params::agent_tlspskfile, + $tlspskidentity = $zabbix::params::agent_tlspskidentity, + $tlsservercertissuer = $zabbix::params::agent_tlsservercertissuer, + $tlsservercertsubject = $zabbix::params::agent_tlsservercertsubject, + Optional[String[1]] $agent_config_owner = $zabbix::params::agent_config_owner, + Optional[String[1]] 
$agent_config_group = $zabbix::params::agent_config_group, + Boolean $manage_selinux = $zabbix::params::manage_selinux, + Array[String] $selinux_require = $zabbix::params::selinux_require, + Hash[String, Array] $selinux_rules = $zabbix::params::selinux_rules, + String $additional_service_params = $zabbix::params::additional_service_params, + String $service_type = $zabbix::params::service_type, + Boolean $manage_startup_script = $zabbix::params::manage_startup_script, ) inherits zabbix::params { $agent2 = $zabbix_package_agent == 'zabbix-agent2' diff --git a/manifests/database.pp b/manifests/database.pp index c78f266ee..bcd4c3308 100644 --- a/manifests/database.pp +++ b/manifests/database.pp 
@@ -64,24 +64,24 @@ # the zabbix_server and zabbix_web parameter. # @author Werner Dijkerman ikben@werner-dijkerman.nl class zabbix::database ( - $zabbix_type = 'server', - $zabbix_web = $zabbix::params::zabbix_web, - $zabbix_web_ip = $zabbix::params::zabbix_web_ip, - $zabbix_server = $zabbix::params::zabbix_server, - $zabbix_server_ip = $zabbix::params::zabbix_server_ip, - $zabbix_proxy = $zabbix::params::zabbix_proxy, - $zabbix_proxy_ip = $zabbix::params::zabbix_proxy_ip, - $manage_database = $zabbix::params::manage_database, - Zabbix::Databases $database_type = $zabbix::params::database_type, - $database_schema_path = $zabbix::params::database_schema_path, - $database_name = $zabbix::params::server_database_name, - $database_user = $zabbix::params::server_database_user, - $database_password = $zabbix::params::server_database_password, - $database_host = $zabbix::params::server_database_host, - $database_host_ip = $zabbix::params::server_database_host_ip, - $database_charset = $zabbix::params::server_database_charset, - $database_collate = $zabbix::params::server_database_collate, - Optional[String[1]] $database_tablespace = $zabbix::params::server_database_tablespace, + $zabbix_type = 'server', + $zabbix_web = $zabbix::params::zabbix_web, + $zabbix_web_ip = $zabbix::params::zabbix_web_ip, + $zabbix_server = $zabbix::params::zabbix_server, + $zabbix_server_ip = $zabbix::params::zabbix_server_ip, + $zabbix_proxy = $zabbix::params::zabbix_proxy, + $zabbix_proxy_ip = $zabbix::params::zabbix_proxy_ip, + $manage_database = $zabbix::params::manage_database, + Zabbix::Databases $database_type = $zabbix::params::database_type, + $database_schema_path = $zabbix::params::database_schema_path, + $database_name = $zabbix::params::server_database_name, + $database_user = $zabbix::params::server_database_user, + Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password, + $database_host = $zabbix::params::server_database_host, + 
$database_host_ip = $zabbix::params::server_database_host_ip,
+ $database_charset = $zabbix::params::server_database_charset,
+ $database_collate = $zabbix::params::server_database_collate,
+ Optional[String[1]] $database_tablespace = $zabbix::params::server_database_tablespace,
 ) inherits zabbix::params {
 # So lets create the databases and load all files. This can only be
 # happen when manage_database is set to true (Default).
diff --git a/manifests/database/mysql.pp b/manifests/database/mysql.pp
index 87cc1a547..e69748b91 100644
--- a/manifests/database/mysql.pp
+++ b/manifests/database/mysql.pp
@@ -11,18 +11,20 @@
 # @param database_path Path to the database executable
 # @author Werner Dijkerman
 class zabbix::database::mysql (
- $zabbix_type = '',
- $zabbix_version = $zabbix::params::zabbix_version,
- $database_schema_path = '',
- $database_name = '',
- $database_user = '',
- $database_password = '',
- $database_host = '',
- Optional[Stdlib::Port::Unprivileged] $database_port = undef,
- $database_path = $zabbix::params::database_path,
+ $zabbix_type = '',
+ $zabbix_version = $zabbix::params::zabbix_version,
+ $database_schema_path = '',
+ $database_name = '',
+ $database_user = '',
+ Variant[Sensitive[String], String] $database_password = '', # lint:ignore:params_empty_string_assignment
+ $database_host = '',
+ Optional[Stdlib::Port::Unprivileged] $database_port = undef,
+ $database_path = $zabbix::params::database_path,
 ) inherits zabbix::params {
 assert_private()
+ $database_password_unsensitive = $database_password.unwrap
+
 if ($database_schema_path == false) or ($database_schema_path == '') {
 if versioncmp($zabbix_version, '6.0') >= 0 {
 $schema_path = '/usr/share/zabbix-sql-scripts/mysql/'
@@ -43,14 +45,14 @@
 case $zabbix_type {
 'proxy': {
 $zabbix_proxy_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? {
- true => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done",
- false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done"
+ true => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done",
+ false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done"
 }
 }
 default: {
 $zabbix_server_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ?
{
- true => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done",
- false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done"
+ true => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done",
+ false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done"
 }
 }
 }
@@ -59,7 +61,11 @@
 case $zabbix_type {
 'proxy' : {
 exec { 'zabbix_proxy_create.sql':
- command => $zabbix_proxy_create_sql,
+ command => if $database_password =~ Sensitive {
+ Sensitive($zabbix_proxy_create_sql)
+ } else {
+ $zabbix_proxy_create_sql
+ },
 path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
 unless => 'test -f /etc/zabbix/.schema.done',
 provider => 'shell',
diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp
index 10df743f0..01f259b17 100644
--- a/manifests/database/postgresql.pp
+++ b/manifests/database/postgresql.pp
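Review bot: Only the `zabbix_proxy_create.sql` exec gets its `command` wrapped in `Sensitive`; the file's diffstat (34 changed lines, all accounted for by the three hunks shown) suggests the sibling exec in the `default` branch still receives the plain `$zabbix_server_create_sql` string, so on the server path the command built in the `@@ -43` hunk — password included — is reported in clear when the exec fails or runs with `--debug`. Apply the same `if $database_password =~ Sensitive { Sensitive(...) }` wrapping to that exec as well. Independently of Sensitive, `-p'${database_password_unsensitive}'` places the secret on the mysql command line, where every local user can read it from the process list while the import runs; handing it over through the `MYSQL_PWD` environment variable or an option file keeps it out of argv. The `unwrap` on a plain String is fine since the `Variant` type admits both forms; the exec resource continues past the hunk.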
@@ -11,18 +11,21 @@
 # @param database_path Path to the database executable
 # @author Werner Dijkerman
 class zabbix::database::postgresql (
- $zabbix_type = '',
- $zabbix_version = $zabbix::params::zabbix_version,
- $database_schema_path = '',
- $database_name = '',
- $database_user = '',
- $database_password = '',
- $database_host = '',
- Stdlib::Port::Unprivileged $database_port = 5432,
- $database_path = $zabbix::params::database_path,
+ $zabbix_type = '',
+ $zabbix_version = $zabbix::params::zabbix_version,
+ $database_schema_path = '',
+ $database_name = '',
+ $database_user = '',
+ Variant[Sensitive[String], String] $database_password = '', # lint:ignore:params_empty_string_assignment
+ $database_host = '',
+ Stdlib::Port::Unprivileged $database_port = 5432,
+ $database_path = $zabbix::params::database_path,
 ) inherits zabbix::params {
 assert_private()
+ # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+ $database_password_unsensitive = $database_password.unwrap
+
 if $database_schema_path != false and $database_schema_path != '' {
 $schema_path = $database_schema_path
 } elsif versioncmp($zabbix_version, '6.0') >= 0 {
@@ -56,7 +59,7 @@
 "PGHOST=${database_host}",
 "PGPORT=${database_port}",
 "PGUSER=${database_user}",
- "PGPASSWORD=${database_password}",
+ "PGPASSWORD=${database_password_unsensitive}",
 "PGDATABASE=${database_name}",
 ]
diff --git a/manifests/init.pp b/manifests/init.pp
index 830218ccd..f85b653a7 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
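Review bot: The unwrapped password in `"PGPASSWORD=${database_password_unsensitive}"` goes into the exec's `environment` array as a plain string, so unlike the mysql exec's `command` it is not marked Sensitive and will be serialised unredacted into the compiled catalog and any output that prints the resource's parameters; the TODO about EPP does not cover this path because no template is involved. If the exec type cannot carry Sensitive entries in `environment` (not verifiable from the hunk), writing a `.pgpass`-style file through a `file` resource with `Sensitive` content and pointing the exec at it via `PGPASSFILE` keeps the secret out of the catalog while still avoiding the command line. The `exec` declaration this belongs to starts before the hunk.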
@@ -251,7 +251,7 @@
 Optional[Stdlib::Absolutepath] $ldap_clientkey = $zabbix::params::ldap_clientkey,
 Optional[Enum['never', 'allow', 'try', 'demand', 'hard']] $ldap_reqcert = $zabbix::params::ldap_reqcert,
 $zabbix_api_user = $zabbix::params::server_api_user,
- $zabbix_api_pass = $zabbix::params::server_api_pass,
+ Variant[Sensitive[String], String] $zabbix_api_pass = $zabbix::params::server_api_pass,
 Optional[Array[Stdlib::Host,1]] $zabbix_api_access = $zabbix::params::server_api_access,
 $listenport = $zabbix::params::server_listenport,
 $sourceip = $zabbix::params::server_sourceip,
@@ -265,7 +265,7 @@
 $database_schema = $zabbix::params::server_database_schema,
 Boolean $database_double_ieee754 = $zabbix::params::server_database_double_ieee754,
 $database_user = $zabbix::params::server_database_user,
- $database_password = $zabbix::params::server_database_password,
+ Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
 $database_socket = $zabbix::params::server_database_socket,
 $database_port = $zabbix::params::server_database_port,
 $database_charset = $zabbix::params::server_database_charset,
diff --git a/manifests/javagateway.pp b/manifests/javagateway.pp
index 721af3520..623765935 100644
--- a/manifests/javagateway.pp
+++ b/manifests/javagateway.pp
@@ -14,15 +14,15 @@
 # }
 # @author Werner Dijkerman ikben@werner-dijkerman.nl
 class zabbix::javagateway (
- $zabbix_version = $zabbix::params::zabbix_version,
- $zabbix_package_state = $zabbix::params::zabbix_package_state,
- Boolean $manage_firewall = $zabbix::params::manage_firewall,
- Boolean $manage_repo = $zabbix::params::manage_repo,
- $pidfile = $zabbix::params::javagateway_pidfile,
- $listenip = $zabbix::params::javagateway_listenip,
- $listenport = $zabbix::params::javagateway_listenport,
- $startpollers = $zabbix::params::javagateway_startpollers,
- $timeout = $zabbix::params::javagateway_timeout,
+ $zabbix_version = $zabbix::params::zabbix_version,
+ $zabbix_package_state = $zabbix::params::zabbix_package_state,
+ Boolean $manage_firewall = $zabbix::params::manage_firewall,
+ Boolean $manage_repo = $zabbix::params::manage_repo,
+ $pidfile = $zabbix::params::javagateway_pidfile,
+ $listenip = $zabbix::params::javagateway_listenip,
+ $listenport = $zabbix::params::javagateway_listenport,
+ $startpollers = $zabbix::params::javagateway_startpollers,
+ $timeout = $zabbix::params::javagateway_timeout,
 ) inherits zabbix::params {
 # Fix for pid file. Is different in Zabbix (4, 5) and 6
 $real_pidfile = $zabbix_version ? {
diff --git a/manifests/proxy.pp b/manifests/proxy.pp
index f01169989..a1b14b7d9 100755
--- a/manifests/proxy.pp
+++ b/manifests/proxy.pp
@@ -222,7 +222,7 @@
 $database_name = $zabbix::params::proxy_database_name,
 $database_schema = $zabbix::params::proxy_database_schema,
 $database_user = $zabbix::params::proxy_database_user,
- $database_password = $zabbix::params::proxy_database_password,
+ Variant[Sensitive[String], String] $database_password = $zabbix::params::proxy_database_password,
 $database_socket = $zabbix::params::proxy_database_socket,
 $database_port = $zabbix::params::proxy_database_port,
 $database_charset = $zabbix::params::server_database_charset,
@@ -269,7 +269,12 @@
 $historyindexcachesize = $zabbix::params::proxy_historyindexcachesize,
 $historytextcachesize = $zabbix::params::proxy_historytextcachesize,
 $timeout = $zabbix::params::proxy_timeout,
- Optional[Variant[Array[Enum['unencrypted','psk','cert']],Enum['unencrypted','psk','cert']]] $tlsaccept = $zabbix::params::proxy_tlsaccept,
+ Optional[
+ Variant[
+ Array[Enum['unencrypted', 'psk', 'cert']],
+ Enum['unencrypted', 'psk', 'cert']
+ ]
+ ] $tlsaccept = $zabbix::params::proxy_tlsaccept,
 $tlscafile = $zabbix::params::proxy_tlscafile,
 $tlscertfile = $zabbix::params::proxy_tlscertfile,
 $tlsconnect = $zabbix::params::proxy_tlsconnect,
@@ -306,6 +311,9 @@
 Boolean $manage_selinux = $zabbix::params::manage_selinux,
 Optional[Stdlib::Absolutepath] $socketdir = $zabbix::params::proxy_socketdir,
 ) inherits zabbix::params {
+ # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+ $database_password_unsensitive = $database_password.unwrap
+
 # check osfamily, Arch is currently not supported for web
 if $facts['os']['family'] == 'Archlinux' {
 fail('Archlinux is currently not supported for zabbix::proxy ')
diff --git a/manifests/resources/agent.pp b/manifests/resources/agent.pp
index 8e2b4b433..d57896a0c 100644
--- a/manifests/resources/agent.pp
+++ b/manifests/resources/agent.pp
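Review bot: `$database_password_unsensitive = $database_password.unwrap` is assigned at class scope, which makes the plaintext reachable from any other manifest by its qualified name (`$zabbix::proxy::database_password_unsensitive`) and so widens the exposure that the new `Variant[Sensitive[String], String]` type was meant to narrow; the same pattern is introduced in `manifests/server.pp` (`@@ -281`) and `manifests/web.pp` (`@@ -146`). Until the EPP migration the TODO refers to, keeping the unwrapped value alive only where the template is rendered limits who can read it. The TODO would also be more useful if it said why the change matters: `# TODO: render via EPP so the Sensitive value can be passed into the template and unwrapped there, instead of being exposed as a plain class variable`. The class body continues past the hunk.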
@@ -15,17 +15,17 @@
 # @param tls_issuer Issuer of the certificate that is allowed to talk with the serve
 # @param tls_subject Subject of the certificate that is allowed to talk with the server
 class zabbix::resources::agent (
- $hostname = undef,
- $ipaddress = undef,
- $use_ip = undef,
- $port = undef,
- Array[String[1]] $groups = undef,
- $group_create = undef,
- $templates = undef,
- $macros = undef,
- $proxy = undef,
- $interfacetype = 1,
- Variant[Array, Hash] $interfacedetails = [],
+ $hostname = undef,
+ $ipaddress = undef,
+ $use_ip = undef,
+ $port = undef,
+ Array[String[1]] $groups = undef,
+ $group_create = undef,
+ $templates = undef,
+ $macros = undef,
+ $proxy = undef,
+ $interfacetype = 1,
+ Variant[Array, Hash] $interfacedetails = [],
 Optional[Enum['unencrypted','psk','cert']] $tls_connect = undef,
 Optional[Enum['unencrypted','psk','cert']] $tls_accept = undef,
 Optional[String[1]] $tls_issuer = undef,
diff --git a/manifests/resources/web.pp b/manifests/resources/web.pp
index 8de4c2c97..b849c7ff7 100644
--- a/manifests/resources/web.pp
+++ b/manifests/resources/web.pp
@@ -6,7 +6,7 @@
 class zabbix::resources::web (
 String[1] $zabbix_url,
 String[1] $zabbix_user,
- String[1] $zabbix_pass,
+ Variant[Sensitive[String[1]], String[1]] $zabbix_pass,
 Boolean $apache_use_ssl,
 ) {
 file { '/etc/zabbix/api.conf':
diff --git a/manifests/sender.pp b/manifests/sender.pp
index 57a61e71e..91f8b7ecc 100644
--- a/manifests/sender.pp
+++ b/manifests/sender.pp
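Review bot: The `file { '/etc/zabbix/api.conf':` resource that consumes `$zabbix_pass` continues outside the hunk, and nothing in either commit shows its `content` being wrapped in `Sensitive` the way `zabbix.conf.php` is in `manifests/web.pp`; if the rendered EPP output stays a plain string, the API password is still printed in content diffs and reports whenever the file changes. The parameter-type change in `templates/api.conf.epp` is likewise only half the job: a `Sensitive` value interpolated as-is in a template stringifies to Puppet's redacted placeholder rather than the secret, so the body of that template (not shown) needs an explicit `unwrap` where `$zabbix_pass` is emitted, and whether the EPP result is re-wrapped automatically depends on the Puppet version. A unit test that passes `Sensitive('x')` and checks the rendered file content would pin both behaviours down.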
@@ -3,9 +3,9 @@
 # @param zabbix_package_state The state of the package that needs to be installed: present or latest.
 # @param manage_repo When true, it will create repository for installing the agent.
 class zabbix::sender (
- $zabbix_version = $zabbix::params::zabbix_version,
- $zabbix_package_state = $zabbix::params::zabbix_package_state,
- $manage_repo = $zabbix::params::manage_repo,
+ $zabbix_version = $zabbix::params::zabbix_version,
+ $zabbix_package_state = $zabbix::params::zabbix_package_state,
+ $manage_repo = $zabbix::params::manage_repo,
 ) inherits zabbix::params {
 # Only include the repo class if it has not yet been included
 unless defined(Class['Zabbix::Repo']) {
diff --git a/manifests/server.pp b/manifests/server.pp
index f6e71e618..550b0ae2f 100755
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -195,7 +195,7 @@
 $database_name = $zabbix::params::server_database_name,
 $database_schema = $zabbix::params::server_database_schema,
 $database_user = $zabbix::params::server_database_user,
- $database_password = $zabbix::params::server_database_password,
+ Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
 $database_socket = $zabbix::params::server_database_socket,
 Optional[Stdlib::Port::Unprivileged] $database_port = $zabbix::params::server_database_port,
 Optional[Enum['required', 'verify_ca', 'verify_full']] $database_tlsconnect = $zabbix::params::server_database_tlsconnect,
@@ -281,6 +281,9 @@
 Optional[String[1]] $hanodename = $zabbix::params::server_hanodename,
 Optional[String[1]] $nodeaddress = $zabbix::params::server_nodeaddress,
 ) inherits zabbix::params {
+ # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+ $database_password_unsensitive = $database_password.unwrap
+
 # zabbix server 5.2, 5.4 and 6.0 is not supported on RHEL 7.
 # https://www.zabbix.com/documentation/current/manual/installation/install_from_packages/rhel_centos
 if $facts['os']['family'] == 'RedHat' and versioncmp($zabbix_version, '5.2') >= 0 {
diff --git a/manifests/web.pp b/manifests/web.pp
index 533faaf93..a8a274028 100644
--- a/manifests/web.pp
+++ b/manifests/web.pp
@@ -114,14 +114,14 @@
 Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport = $zabbix::params::apache_listenport,
 Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport_ssl = $zabbix::params::apache_listenport_ssl,
 $zabbix_api_user = $zabbix::params::server_api_user,
- $zabbix_api_pass = $zabbix::params::server_api_pass,
+ Variant[Sensitive[String], String] $zabbix_api_pass = $zabbix::params::server_api_pass,
 Optional[Array[Stdlib::Host,1]] $zabbix_api_access = $zabbix::params::server_api_access,
 $database_host = $zabbix::params::server_database_host,
 $database_name = $zabbix::params::server_database_name,
 $database_schema = $zabbix::params::server_database_schema,
 Boolean $database_double_ieee754 = $zabbix::params::server_database_double_ieee754,
 $database_user = $zabbix::params::server_database_user,
- $database_password = $zabbix::params::server_database_password,
+ Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
 $database_socket = $zabbix::params::server_database_socket,
 $database_port = $zabbix::params::server_database_port,
 $zabbix_server = $zabbix::params::zabbix_server,
@@ -146,6 +146,9 @@
 Boolean $manage_selinux = $zabbix::params::manage_selinux,
 Hash[String[1], Any] $apache_vhost_custom_params = {},
 ) inherits zabbix::params {
+ # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+ $database_password_unsensitive = $database_password.unwrap
+
 # check osfamily, Arch is currently not supported for web
 if $facts['os']['family'] in ['Archlinux', 'Gentoo',] {
 fail("${facts['os']['family']} is currently not supported for zabbix::web")
@@ -262,7 +265,11 @@
 group => $web_config_group,
 mode => '0640',
 replace => true,
- content => template('zabbix/web/zabbix.conf.php.erb'),
+ content => if $database_password =~ Sensitive {
+ Sensitive(template('zabbix/web/zabbix.conf.php.erb'))
+ } else {
+ template('zabbix/web/zabbix.conf.php.erb')
+ },
 }
 # For API to work on Zabbix 5.x zabbix.conf.php needs to be in the root folder.
diff --git a/manifests/zabbixapi.pp b/manifests/zabbixapi.pp
index 76bde1f70..387dc02cc 100644
--- a/manifests/zabbixapi.pp
+++ b/manifests/zabbixapi.pp
@@ -4,7 +4,7 @@
 # @param puppetgem Provider for the zabbixapi gem package.
 class zabbix::zabbixapi (
 $zabbix_version = $zabbix::params::zabbix_version,
- $puppetgem = $zabbix::params::puppetgem,
+ $puppetgem = $zabbix::params::puppetgem,
 ) inherits zabbix::params {
 # Determine correct zabbixapi version.
 case $zabbix_version {
diff --git a/templates/api.conf.epp b/templates/api.conf.epp
index 32679f37b..ed449ad2d 100644
--- a/templates/api.conf.epp
+++ b/templates/api.conf.epp
@@ -1,6 +1,6 @@
 <%- | String[1] $zabbix_url,
 String[1] $zabbix_user,
- String[1] $zabbix_pass,
+ Variant[Sensitive[String[1]], String[1]] $zabbix_pass,
 Boolean $apache_use_ssl,
 | -%>
 # MANAGED BY PUPPET
diff --git a/templates/web/zabbix.conf.php.erb b/templates/web/zabbix.conf.php.erb
index 930e4110e..4d19d41cf 100755
--- a/templates/web/zabbix.conf.php.erb
+++ b/templates/web/zabbix.conf.php.erb
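Review bot: Wrapping the rendered `zabbix.conf.php` in `Sensitive` only when `$database_password =~ Sensitive` means a caller who still passes a plain string (the default path through `zabbix::params`) keeps getting the database password printed in content diffs and reports, although the file contains the secret in both cases; `content => Sensitive(template('zabbix/web/zabbix.conf.php.erb')),` unconditionally is shorter and protects everyone. The same conditional recurs for the proxy config in PATCH 2/2 (`manifests/proxy.pp` `@@ -496`) and for the mysql exec command. If the branch is deliberately kept so that plain-string users retain readable diffs, that intent deserves a comment, e.g. `# Only redact when the caller opted into Sensitive, so plain-string users keep readable diffs`. The `file` resource this belongs to begins before the hunk.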
@@ -13,7 +13,7 @@ $DB['PORT'] = '0';
 <% end -%>
 $DB['DATABASE'] = '<%= @database_name %>';
 $DB['USER'] = '<%= @database_user %>';
-$DB['PASSWORD'] = '<%= @database_password %>';
+$DB['PASSWORD'] = '<%= @database_password_unsensitive %>';
 
 // SCHEMA is relevant only for IBM_DB2 and PostgreSQL database
 <% if @database_schema -%>
diff --git a/templates/zabbix_proxy.conf.erb b/templates/zabbix_proxy.conf.erb
index 03c044cb4..373346fe3 100755
--- a/templates/zabbix_proxy.conf.erb
+++ b/templates/zabbix_proxy.conf.erb
@@ -169,7 +169,7 @@ DBUser=<%= @database_user %>
 # Comment this line if no password is used.
 #
 # Mandatory: no
-DBPassword=<%= @database_password %>
+DBPassword=<%= @database_password_unsensitive %>
 
 ### Option: DBSocket
 # Path to MySQL socket.
@@ -894,7 +894,7 @@ LoadModulePath=<%= @loadmodulepath %>
 <% if @zabbix_version.to_f >= 7.0 %>
 ### Option: VaultPrefix
 # Custom prefix for Vault path or query depending on the Vault.
-# Most suitable defaults will be used if not specified.
+# Most suitable defaults will be used if not specified.
 # Note that 'data' is automatically appended after mountpoint for HashiCorp if VaultPrefix is not specified.
 # Example prefix for HashiCorp:
 # /v1/secret/data/
@@ -969,4 +969,4 @@ LoadModulePath=<%= @loadmodulepath %>
 # Default:
 # StartBrowserPollers=1
 
-<% end %>
\ No newline at end of file
+<% end %>
diff --git a/templates/zabbix_server.conf.erb b/templates/zabbix_server.conf.erb
index 9aaba7fd3..008e3c7dc 100755
--- a/templates/zabbix_server.conf.erb
+++ b/templates/zabbix_server.conf.erb
@@ -106,7 +106,7 @@ DBUser=<%= @database_user %>
 # Comment this line if no password is used.
 #
 # Mandatory: no
-DBPassword=<%= @database_password %>
+DBPassword=<%= @database_password_unsensitive %>
 
 ### Option: DBSocket
 # Path to MySQL socket.
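Review bot: `@database_password_unsensitive` is now a hard requirement on every class that renders this template, but ERB gives an instance variable the rendering class never set the value nil, which prints as an empty `$DB['PASSWORD'] = '';` instead of failing; the `DBPassword=` lines of zabbix_proxy.conf.erb and zabbix_server.conf.erb further down carry the same dependency, and the proxy.pp assignment that should provide the variable is not in view in this chunk. A guard at the top of each template would turn a silently empty password into a compile error: `<% raise 'database_password_unsensitive is not set' if @database_password_unsensitive.nil? %>`.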
@@ -849,7 +849,7 @@ LoadModulePath=<%= @loadmodulepath %>
 <% if @zabbix_version.to_f >= 7.0 %>
 ### Option: VaultPrefix
 # Custom prefix for Vault path or query depending on the Vault.
-# Most suitable defaults will be used if not specified.
+# Most suitable defaults will be used if not specified.
 # Note that 'data' is automatically appended after mountpoint for HashiCorp if VaultPrefix is not specified.
 # Example prefix for HashiCorp:
 # /v1/secret/data/
@@ -946,7 +946,7 @@ LoadModulePath=<%= @loadmodulepath %>
 # EnableGlobalScripts=1
 
 # Option: AllowSoftwareUpdateCheck
-# Allow Zabbix UI to receive information about software updates from zabbix.com
+# Allow Zabbix UI to receive information about software updates from zabbix.com
 # 0 - disable software update checks
 # 1 - enable software update checks
 #
@@ -1017,4 +1017,4 @@ LoadModulePath=<%= @loadmodulepath %>
 # Default:
 # StartBrowserPollers=1
 
-<% end %>
\ No newline at end of file
+<% end %>

From 2f5fa957bc542f8efc2736f0142109226af20ce0 Mon Sep 17 00:00:00 2001
From: cocker-cc
Date: Wed, 10 Jul 2024 14:34:31 +0200
Subject: [PATCH 2/2] - take Care of the other sensitive rendered Templates also

---
 manifests/proxy.pp  | 7 ++++++-
 manifests/server.pp | 7 ++++++-
 manifests/web.pp    | 5 +++--
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/manifests/proxy.pp b/manifests/proxy.pp
index a1b14b7d9..1c2f28b6a 100755
--- a/manifests/proxy.pp
+++ b/manifests/proxy.pp
@@ -489,6 +489,7 @@
   }
 
   # Configuring the zabbix-proxy configuration file
+  $content = template('zabbix/zabbix_proxy.conf.erb')
   file { $proxy_configfile_path:
     ensure  => file,
     owner   => 'zabbix',
@@ -496,7 +497,11 @@
     mode    => '0644',
     require => Package["zabbix-proxy-${db}"],
     replace => true,
-    content => template('zabbix/zabbix_proxy.conf.erb'),
+    content => if $database_password =~ Sensitive {
+      Sensitive($content)
+    } else {
+      $content
+    },
   }
 
   # Include dir for specific zabbix-proxy checks.
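Review bot: In the proxy.pp `@@ -496,7 +497,11 @@` hunk the rendered file always contains the database password, yet it is wrapped in Sensitive only when the caller passed the password as Sensitive, and nothing records why the wrapping is conditional rather than unconditional; the identical construct appears in server.pp and web.pp in the next chunk, so the reasoning is worth stating once where it is introduced. A comment above the `content =>` line would do, e.g. `# Hide the file content from reports and noop diffs only when the caller opted into Sensitive, so plain-string users keep readable diffs`. The `$content` variable also sits at class scope as a plain string until the resource wraps it; a more specific name such as `$proxy_config_content` would make its purpose clearer, though that is a matter of style.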
diff --git a/manifests/server.pp b/manifests/server.pp
index 550b0ae2f..4cae5e226 100755
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -444,6 +444,7 @@
   }
 
   # Configuring the zabbix-server configuration file
+  $content = template('zabbix/zabbix_server.conf.erb')
   file { $server_configfile_path:
     ensure  => file,
     owner   => $server_config_owner,
@@ -451,7 +452,11 @@
     mode    => '0640',
     require => Package["zabbix-server-${db}"],
     replace => true,
-    content => template('zabbix/zabbix_server.conf.erb'),
+    content => if $database_password =~ Sensitive {
+      Sensitive($content)
+    } else {
+      $content
+    },
   }
 
   # Include dir for specific zabbix-server checks.
diff --git a/manifests/web.pp b/manifests/web.pp
index a8a274028..124274729 100644
--- a/manifests/web.pp
+++ b/manifests/web.pp
@@ -259,6 +259,7 @@
   }
 
   # Webinterface config file
+  $content = template('zabbix/web/zabbix.conf.php.erb')
   file { '/etc/zabbix/web/zabbix.conf.php':
     ensure  => file,
     owner   => $web_config_owner,
@@ -266,9 +267,9 @@
     mode    => '0640',
     replace => true,
     content => if $database_password =~ Sensitive {
-      Sensitive(template('zabbix/web/zabbix.conf.php.erb'))
+      Sensitive($content)
     } else {
-      template('zabbix/web/zabbix.conf.php.erb')
+      $content
     },
   }