From 05570197646887f919d1233f51e263be8af2187b Mon Sep 17 00:00:00 2001 
From: Cody Herriges <193064+ody@users.noreply.github.com> Date: Thu, 20 Jun 2019 14:26:46 -0700 Subject: [PATCH] Implement new method for setting admin password This commit introduces a new set of parameters and classes that are used instead of the previous implementation of the "manage_password" parameter to set the initial admin password through the documented user-seed.conf method. The old method still exists but now logs a message indicating that it is no longer the preferred method. This is being done to align the module with Splunk's documentation, prevent Puppet from causing a correctional change on each run, and make it possible to reset the admin password from the Splunk console when desired. The new seed method was implemented in a class separate from Class[splunk::{enterprise,forwarder}::config] so that it can easily be used outside of Puppet, specifically with a Bolt Plan in mind, so people can reset the seeded admin password easily without the need to temporarily change infrastructure data sets. The old direct management method was migrated to the same method just for consistency. Fixes #226 --- README.md | 493 +----- REFERENCE.md | 1658 +++++++++++++++++++++ manifests/enterprise.pp | 30 + manifests/enterprise/config.pp | 31 +- manifests/enterprise/password/manage.pp | 70 + manifests/enterprise/password/seed.pp | 83 ++ manifests/forwarder.pp | 30 + manifests/forwarder/config.pp | 31 +- manifests/forwarder/password/manage.pp | 70 + manifests/forwarder/password/seed.pp | 83 ++ manifests/params.pp | 17 +- spec/acceptance/splunk_enterprise_spec.rb | 35 +- templates/user-seed.conf.epp | 4 + 13 files changed, 2128 insertions(+), 507 deletions(-) create mode 100644 REFERENCE.md create mode 100644 manifests/enterprise/password/manage.pp create mode 100644 manifests/enterprise/password/seed.pp create mode 100644 manifests/forwarder/password/manage.pp create mode 100644 manifests/forwarder/password/seed.pp create mode 100644 templates/user-seed.conf.epp
diff --git a/README.md b/README.md index 8324f96e..41ac427b 100644 --- a/README.md +++ b/README.md @@ -166,6 +166,19 @@ This virtual resource will get collected by the `::splunk::forwarder` class if it is tagged with `splunk_forwarder` and will add the appropriate setting to the inputs.conf file and refresh the service. +### Setting the `admin` user's password + +The module has the facility to set Splunk Enterprise's `admin` password at installation time by leveraging the [user-seed.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/User-seedconf) method described as a best practice in the Splunk docs. The way Splunk implements this prevents Puppet from managing the password in an idempotent way but makes resetting the password through the web console possible. You can also use Puppet to do a one time reset too by setting the appropriate parameters on `splunk::enterprise` but leaving these parameters set to `true` will cause corrective change on each run of the Puppet Agent. + +```puppet +class { 'splunk::enterprise': + seed_password => true, + password_hash => '$6$jxSX7ra2SNzeJbYE$J95eTTMJjFr/lBoGYvuJUSNKvR7befnBwZUOvr/ky86QGqDXwEwdbgPMfCxW1/PuB/IkC94QLNravkABBkVkV1', +} +``` + +Alternatively the the `splunk::enterprise::password::seed` class can be used independently of the Puppet Agent through a [Bolt Plan apply block](https://puppet.com/docs/bolt/latest/applying_manifest_blocks.html). + ### Upgrade splunk and splunkforwarder packages This module has the ability to install *and* upgrade the splunk and splunkforwarder packages. All you have to do is declare `package_ensure => 'latest'` when calling the `::splunk` or `::splunk::forwarder` classes. 
@@ -203,485 +216,7 @@ class { '::splunk::forwarder': ``` ## Reference -### Types - -* `splunk_config`: This is a meta resource used to configure defaults for all the - splunkforwarder and splunk types. This type should not be declared directly as - it is declared in `splunk::params` and used internally by the types and providers. - -* `splunk_authentication`: Used to manage ini settings in [authentication.conf][authentication.conf-docs] -* `splunk_authorize`: Used to manage ini settings in [authorize.conf][authorize.conf-docs] -* `splunk_deploymentclient`: Used to manage ini settings in [deploymentclient.conf][deploymentclient.conf-docs] -* `splunk_distsearch`: Used to manage ini settings in [distsearch.conf][distsearch.conf-docs] -* `splunk_indexes`: Used to manage ini settings in [indexes.conf][indexes.conf-docs] -* `splunk_input`: Used to manage ini settings in [inputs.conf][inputs.conf-docs] -* `splunk_limits`: Used to mange ini settings in [limits.conf][limits.conf-docs] -* `splunk_metadata`: Used to manage ini settings in [default.meta][default.meta-docs] -* `splunk_output`: Used to manage ini settings in [outputs.conf][outputs.conf-docs] -* `splunk_props`: Used to manage ini settings in [props.conf][props.conf-docs] -* `splunk_server`: Used to manage ini settings in [server.conf][server.conf-docs] -* `splunk_serverclass`: Used to manage ini settings in [serverclass.conf][serverclass.conf-docs] -* `splunk_transforms`: Used to manage ini settings in [transforms.conf][transforms.conf-docs] -* `splunk_web`: Used to manage ini settings in [web.conf][web.conf-docs] - -* `splunkforwarder_deploymentclient`: Used to manage ini settings in [deploymentclient.conf][deploymentclient.conf-docs] -* `splunkforwarder_input`: Used to manage ini settings in [inputs.conf][inputs.conf-docs] -* `splunkforwarder_output`:Used to manage ini settings in [outputs.conf][outputs.conf-docs] -* `splunkforwarder_props`: Used to manage ini settings in [props.conf][props.conf-docs] -* 
`splunkforwarder_transforms`: Used to manage ini settings in [transforms.conf][transforms.conf-docs] -* `splunkforwarder_web`: Used to manage ini settings in [web.conf][web.conf-docs] -* `splunkforwarder_limits`: Used to manage ini settings in [limits.conf][limits.conf-docs] -* `splunkforwarder_server`: Used to manage ini settings in [server.conf][server.conf-docs] - -All of the above types use `puppetlabs/ini_file` as a parent and are declared in -an identical way, and accept the following parameters: - -* `section`: The name of the section in the configuration file -* `setting`: The setting to be managed -* `value`: The value of the setting - -Both section and setting are namevars for the types. Specifying a single string -as the title without a forward slash implies that the title is the section to be -managed (if the section attribute is not defined). You can also specify the -resource title as `section/setting` and ommit both `section` and `setting` params -for a more shortform way of declaring the resource. Eg: - -```puppet -splunkforwarder_output { 'useless title': - section => 'default', - setting => 'defaultGroup', - value => 'splunk_9777', -} - -splunkforwarder_output { 'default': - setting => 'defaultGroup', - value => 'splunk_9777', -} - -splunkforwarder_output { 'default/defaultGroup': - value => 'splunk_9777', -} -``` - -The above resource declarations will all configure the following entry in `outputs.conf` - -``` -[default] -defaultGroup=splunk_9997 -``` - -Note: if the section contains forward slashes you should not use it as the resource -title and should explicitly declare it with the `section` attribute. - -## Parameters - -### Class: ::splunk::params - -#### `version` - -*Optional* Specifies the version of Splunk Enterprise and Splunk Forwarder that -the module should install. - -#### `build` - -*Optional* Specifies the build of Splunk Enterprise that the module should use. 
- -#### `src_root` - -*Optional* The root path that the staging module will use to find packages for -splunk and splunk::forwarder. - -#### `splunkd_port` - -*Optional* The splunkd port. Used as a default for both splunk and splunk::forwarder. - -#### `logging_port` - -*Optional* The port on which to send and listen for logs. Used as a default for -both splunk and splunk::forwarder. - -#### `server` - -*Optional* The fqdn or IP address of the Splunk server. Used for setting up the -default TCP output and input. - -#### `forwarder_installdir` - -*Optional* Directory in which to install and manage Splunk Forwarder - -#### `enterprise_installdir` - -*Optional* Directory in which to install and mange Splunk Enterprise - -#### `boot_start` - -*Optional* Enable splunk boot-start mode. Provision a service file. - -### Class: ::splunk::enterprise Parameters - -#### `version` - -Specifies the version of Splunk Enterprise the module should install and -manage. Defaults to the value set in splunk::params. - -#### `package_name` - -The name of the package(s) Puppet will use to install Splunk. - -#### `package_ensure` - -Ensure parameter which will get passed to the Splunk package resource. -Defaults to the value in splunk::params. - -#### `staging_dir` - -Root of the archive path to host the Splunk package. Defaults to the value in -splunk::params. - -#### `enterprise_package_src` - -The source URL for the splunk installation media (typically an RPM, MSI, -etc). If a `$src_root` parameter is set in splunk::params, this will be -automatically supplied. Otherwise it is required. The URL can be of any -protocol supported by the nanliu/staging module. On Windows, this can be -a UNC path to the MSI. Defaults to the value in splunk::params. - -#### `package_provider` - -The package management system used to host the Splunk packages. Defaults to the -value in splunk::params. - -#### `manage_package_source` - -Whether or not to use the supplied `enterprise_package_src` param. 
Defaults to -true. - -#### `package_source` - -*Optional* The source URL for the splunk installation media (typically an RPM, -MSI, etc). If `enterprise_package_src` parameter is set in splunk::params and -`manage_package_source` is true, this will be automatically supplied. Otherwise -it is required. The URL can be of any protocol supported by the nanliu/staging -module. On Windows, this can be a UNC path to the MSI. Defaults to undef. - -#### `install_options` - -This variable is passed to the package resources' *install_options* parameter. -Defaults to the value in ::splunk::params. - -#### `splunk_user` - -The user to run Splunk as. Defaults to the value set in splunk::params. - -#### `enterprise_homedir` - -Specifies the Splunk Enterprise home directory. Defaults to the value set in -splunk::params. - -#### `enterprise_confdir` - -Specifies the Splunk Enterprise configuration directory. Defaults to the value -set in splunk::params. - -#### `service_name` - -The name of the Splunk Enterprise service. Defaults to the value set in -splunk::params. - -#### `service_file` - -The path to the Splunk Enterprise service file. Defaults to the value set in -splunk::params. - -#### `boot_start` - -Whether or not to enable splunk boot-start, which generates a service file to -manage the Splunk Enterprise service. Defaults to the value set in -splunk::params. - -#### `use_default_config` - -Whether or not the module should manage a default set of Splunk Enterprise -configuration parameters. Defaults to true. - -#### `input_default_host` - -Part of the default config. Sets the `splunk_input` default host. Defaults to -`facts['fqdn']`. - -#### `input_connection_host` - -Part of the default config. Sets the `splunk_input` connection host. Defaults -to dns. - -#### `splunkd_listen` - -The address on which splunkd should listen. Defaults to 127.0.0.1. - -#### `logging_port` - -The port to receive TCP logs on. Defaults to the port specified in -splunk::params. 
- -#### `splunkd_port` - -The management port for Splunk. Defaults to the value set in splunk::params. - -#### `web_port` - -The port on which to service the Splunk Web interface. Defaults to 8000. - -#### `purge_inputs` - -If set to true, inputs.conf will be purged of configuration that is -no longer managed by the `splunk_input` type. Defaults to false. - -#### `purge_outputs` - -If set to true, outputs.conf will be purged of configuration that is -no longer managed by the `splunk_output` type. Defaults to false. - -#### `purge_authentication` - -If set to true, authentication.conf will be purged of configuration -that is no longer managed by the `splunk_authentication` type. Defaults to false. - -#### `purge_authorize` - -If set to true, authorize.conf will be purged of configuration that -is no longer managed by the `splunk_authorize` type. Defaults to false. - -#### `purge_distsearch` - -If set to true, distsearch.conf will be purged of configuration that -is no longer managed by the `splunk_distsearch` type. Defaults to false. - -#### `purge_indexes` - -If set to true, indexes.conf will be purged of configuration that is -no longer managed by the `splunk_indexes` type. Defaults to false. - -#### `purge_limits` - -If set to true, limits.conf will be purged of configuration that is -no longer managed by the `splunk_limits` type. Defaults to false. - -#### `purge_props` - -If set to true, props.conf will be purged of configuration that is -no longer managed by the `splunk_props` type. Defaults to false. - -#### `purge_server` - -If set to true, server.conf will be purged of configuration that is -no longer managed by the `splunk_server` type. Defaults to false. - -#### `purge_transforms` - -If set to true, transforms.conf will be purged of configuration that -is no longer managed by the `splunk_transforms` type. Defaults to false. - -#### `purge_web` - -If set to true, web.conf will be purged of configuration that is no -longer managed by the `splunk_web type`. 
Defaults to false. - -#### `manage_password` - -If set to true, Manage the contents of splunk.secret and passwd. Defaults to -the value set in splunk::params. - -#### `password_config_file` - -Which file to put the password in i.e. in linux it would be -/opt/splunk/etc/passwd. Defaults to the value set in splunk::params. - -#### `password_content` - -The hashed password username/details for the user. Defaults to the value set -in splunk::params. - -#### `secret_file` - -Which file we should put the secret in. Defaults to the value set in -splunk::params. - -#### `secret` - -The secret used to salt the splunk password. Defaults to the value set in -splunk::params. - -### Class ::splunk::forwarder Parameters - -#### `server` - -The fqdn or IP address of the Splunk server. Defaults to the value in ::splunk::params. - -#### `version` - -Specifies the version of Splunk Forwarder the module should install and -manage. Defaults to the value set in splunk::params. - -#### `package_name` - -The name of the package(s) Puppet will use to install Splunk Forwarder. -Defaults to the value set in splunk::params. - -#### `package_ensure` - -Ensure parameter which will get passed to the Splunk package resource. -Defaults to the value in ::splunk::params. - -#### `staging_subdir` - -Root of the archive path to host the Splunk package. Defaults to the value in -splunk::params. - -#### `path_delimiter` - -The path separator used in the archived path of the Splunk package. Defaults to -the value in splunk::params. - -#### `forwarder_package_src` - -The source URL for the splunk installation media (typically an RPM, MSI, -etc). If a `$src_root` parameter is set in splunk::params, this will be -automatically supplied. Otherwise it is required. The URL can be of any -protocol supported by the nanliu/staging module. On Windows, this can be -a UNC path to the MSI. Defaults to the value in splunk::params. 
- -#### `package_provider` - -The package management system used to host the Splunk packages. Defaults to the -value in splunk::params. - -#### `manage_package_source` - -Whether or not to use the supplied `forwarder_package_src` param. Defaults to -true. - -#### `package_source` - -*Optional* The source URL for the splunk installation media (typically an RPM, -MSI, etc). If `enterprise_package_src` parameter is set in splunk::params and -`manage_package_source` is true, this will be automatically supplied. Otherwise -it is required. The URL can be of any protocol supported by the nanliu/staging -module. On Windows, this can be a UNC path to the MSI. Defaults to undef. - -#### `install_options` - -This variable is passed to the package resources' *install_options* parameter. -Defaults to the value in ::splunk::params. - -#### `splunk_user` - -The user to run Splunk as. Defaults to the value set in splunk::params. - -#### `forwarder_homedir` - -Specifies the Splunk Forwarder home directory. Defaults to the value set in -splunk::params. - -#### `forwarder_confdir` - -Specifies the Splunk Forwarder configuration directory. Defaults to the value -set in splunk::params. - -#### `service_name` - -The name of the Splunk Forwarder service. Defaults to the value set in -splunk::params. - -#### `service_file` - -The path to the Splunk Forwarder service file. Defaults to the value set in -splunk::params. - -#### `boot_start` - -Whether or not to enable splunk boot-start, which generates a service file to -manage the Splunk Forwarder service. Defaults to the value set in -splunk::params. - -#### `use_default_config` - -Whether or not the module should manage a default set of Splunk Forwarder -configuration parameters. Defaults to true. - -#### `splunkd_listen` - -The address on which splunkd should listen. Defaults to 127.0.0.1. - -#### `splunkd_port` - -The management port for Splunk. Defaults to the value set in splunk::params. 
- -#### `logging_port` - -The port on which to send and listen for logs. Defaults to the value -in splunk::params. - -#### `purge_inputs` - -*Optional* If set to true, inputs.conf will be purged of configuration that is -no longer managed by the `splunkforwarder_input` type. Defaults to false. - -#### `purge_outputs` - -*Optional* If set to true, outputs.conf will be purged of configuration that is -no longer managed by the `splunk_output` type. Defaults to false. - -#### `purge_props` - -*Optional* If set to true, props.conf will be purged of configuration that is -no longer managed by the `splunk_props` type. Defaults to false. - -#### `purge_transforms` - -*Optional* If set to true, transforms.conf will be purged of configuration that is -no longer managed by the `splunk_transforms` type. Defaults to false. - -#### `purge_web` - -*Optional* If set to true, web.conf will be purged of configuration that is -no longer managed by the `splunk_web` type. Defaults to false. - -#### `forwarder_input` - -Used to override the default `forwarder_input` type defined in splunk::params. - -#### `forwarder_output` - -Used to override the default `forwarder_output` type defined in splunk::params. - -#### `manage_password` - -If set to true, Manage the contents of splunk.secret and passwd. Defaults to -the value set in splunk::params. - -#### `password_config_file` - -Which file to put the password in i.e. in linux it would be -/opt/splunkforwarder/etc/passwd. Defaults to the value set in splunk::params. - -#### `password_content` - -The hashed password username/details for the user. Defaults to the value set -in splunk::params. - -#### `secret_file` - -Which file we should put the secret in. Defaults to the value set in -splunk::params. - -#### `secret` - -The secret used to salt the splunk password. Defaults to the value set in -splunk::params. - -#### `addons` - -Manage splunk addons, see `splunk::addons`. Defaults to an empty Hash. +See in file [REFERENCE.md](REFERENCE.md). 
## Limitations diff --git a/REFERENCE.md b/REFERENCE.md new file mode 100644 index 00000000..930d462f --- /dev/null +++ b/REFERENCE.md 
@@ -0,0 +1,1658 @@ +# Reference + + +## Table of Contents + +**Classes** + +* [`splunk`](#splunk): This class is unused and doesn't do anything but make default data +accessible +* [`splunk::enterprise`](#splunkenterprise): Install and configure an instance of Splunk Enterprise +* [`splunk::enterprise::config`](#splunkenterpriseconfig): Private class declared by Class[splunk::enterprise] to contain all the +configuration needed for a base install of Splunk Enterprise +* [`splunk::enterprise::install`](#splunkenterpriseinstall): Private class declared by Class[splunk::enterprise] to contain or define +through additional platform specific sub-class, the required steps +for successfully installing Splunk Enterprise +* [`splunk::enterprise::install::nix`](#splunkenterpriseinstallnix): Private class declared by Class[splunk::enterprise::install] to provide +platform specific installation steps on Linux or Unix type systems. +* [`splunk::enterprise::password::manage`](#splunkenterprisepasswordmanage): Implements the direct management of the Splunk Enterprise admin password +so it can be used outside of regular management of the whole stack to +facilitate admin password resets through Bolt Plans. + +Note: Entirely done to make this implementation consistent with the method +used to manage admin password seeding. 
+* [`splunk::enterprise::password::seed`](#splunkenterprisepasswordseed): Implements the seeding and reseeding of the Splunk Enterprise admin password +so it can be used outside of regular management of the whole stack to +facilitate admin password resets through Bolt Plans +* [`splunk::enterprise::service`](#splunkenterpriseservice): Private class declared by Class[splunk::enterprise] to define a service +as its understood by Puppet using a dynamic set of data or platform specific +sub-classes +* [`splunk::enterprise::service::nix`](#splunkenterpriseservicenix): Private class declared by Class[splunk::enterprise::service] to provide +platform specific service management on Linux or Unix type systems. +* [`splunk::forwarder`](#splunkforwarder): Install and configure an instance of Splunk Universal Forwarder +* [`splunk::forwarder::config`](#splunkforwarderconfig): Private class declared by Class[splunk::forwarder] to contain all the +configuration needed for a base install of the Splunk Universal +Forwarder +* [`splunk::forwarder::install`](#splunkforwarderinstall): Private class declared by Class[splunk::forwarder] to contain or define +through additional platform specific sub-class, the required steps +for successfully installing the Splunk Universal Forwarder +* [`splunk::forwarder::password::manage`](#splunkforwarderpasswordmanage): Implements the direct management of the Splunk Forwarder admin password +so it can be used outside of regular management of the whole stack to +facilitate admin password resets through Bolt Plans. + +Note: Entirely done to make this implementation consistent with the method +used to manage admin password seeding. 
+* [`splunk::forwarder::password::seed`](#splunkforwarderpasswordseed): Implements the seeding and reseeding of the Splunk Forwarder admin password +so it can be used outside of regular management of the whole stack to +facilitate admin password resets through Bolt Plans +* [`splunk::forwarder::service`](#splunkforwarderservice): Private class declared by Class[splunk::forwarder] to define a service as +its understood by Puppet using a dynamic set of data or platform specific +sub-classes +* [`splunk::forwarder::service::nix`](#splunkforwarderservicenix): Private class declared by Class[splunk::forwarder::service] to provide +platform specific service management on Linux or Unix type systems. +* [`splunk::params`](#splunkparams): This class takes a small number of arguments (can be set through Hiera) and +generates sane default values installation media names and locations. +Default ports can also be specified here. This is a parameters class, and +contributes no resources to the graph. Rather, it only sets values for +parameters to be consumed by child classes. 
+ +**Defined types** + +* [`splunk::addon`](#splunkaddon): Defined type for deploying Splunk Add-ons and Apps from either OS packages +or via splunkbase compatible archives + +**Resource types** + +* [`splunk_alert_actions`](#splunk_alert_actions): Manage splunk alert_actions settings in alert_actions.conf +* [`splunk_authentication`](#splunk_authentication): Manage splunk authentication settings in authentication.conf +* [`splunk_authorize`](#splunk_authorize): Manage splunk authorize settings in authorize.conf +* [`splunk_config`](#splunk_config): splunk config +* [`splunk_deploymentclient`](#splunk_deploymentclient): Manage splunk deploymentclient entries in deploymentclient.conf +* [`splunk_distsearch`](#splunk_distsearch): Manage distsearch entries in distsearch.conf +* [`splunk_indexes`](#splunk_indexes): Manage splunk index settings in indexes.conf +* [`splunk_input`](#splunk_input): Manage splunk input settings in inputs.conf +* [`splunk_limits`](#splunk_limits): Manage splunk limits settings in limits.conf +* [`splunk_metadata`](#splunk_metadata): Manage metadata entries in {default,local}.meta +* [`splunk_output`](#splunk_output): Manage splunk output settings in outputs.conf +* [`splunk_props`](#splunk_props): Manage splunk prop settings in props.conf +* [`splunk_server`](#splunk_server): Manage splunk server settings in server.conf +* [`splunk_serverclass`](#splunk_serverclass): Manage splunk serverclass entries in serverclass.conf +* [`splunk_transforms`](#splunk_transforms): Manage splunk transforms settings in transforms.conf +* [`splunk_uiprefs`](#splunk_uiprefs): Manage splunk web ui settings in ui-prefs.conf +* [`splunk_web`](#splunk_web): Manage splunk web settings in web.conf +* [`splunkforwarder_deploymentclient`](#splunkforwarder_deploymentclient): Manage splunkforwarder deploymentclient entries in deploymentclient.conf +* [`splunkforwarder_input`](#splunkforwarder_input): Manage splunkforwarder input settings in inputs.conf +* 
[`splunkforwarder_limits`](#splunkforwarder_limits): Manage splunkforwarder limit settings in limits.conf +* [`splunkforwarder_output`](#splunkforwarder_output): Manage splunkforwarder output settings in outputs.conf +* [`splunkforwarder_props`](#splunkforwarder_props): Manage splunkforwarder props settings in props.conf +* [`splunkforwarder_server`](#splunkforwarder_server): Manage splunkforwarder server settings in server.conf +* [`splunkforwarder_transforms`](#splunkforwarder_transforms): Manage splunkforwarder transforms settings in transforms.conf +* [`splunkforwarder_web`](#splunkforwarder_web): Manage splunkforwarder web settings in web.conf + +## Classes + +### splunk + +This class is unused and doesn't do anything but make default data +accessible + +* **Note** If you were expecting this class to setup an instance of Splunk +Enterprise then please look to Class[splunk::enterprise]. + +### splunk::enterprise + +Install and configure an instance of Splunk Enterprise + +#### Examples + +##### Basic usage + +```puppet +include splunk::enterprise +``` + +##### Install specific version and build with admin passord management + +```puppet +class { 'splunk::params': + version => '7.2.5', + build => '088f49762779', +} +class { 'splunk::enterprise': + package_ensure => latest, + manage_password => true, +} +``` + +#### Parameters + +The following parameters are available in the `splunk::enterprise` class. + +##### `version` + +Data type: `String[1]` + +Specifies the version of Splunk Enterprise the module should install and +manage. + +Default value: $splunk::params::version + +##### `package_name` + +Data type: `String[1]` + +The name of the package(s) Puppet will use to install Splunk. + +Default value: $splunk::params::enterprise_package_name + +##### `package_ensure` + +Data type: `String[1]` + +Ensure parameter which will get passed to the Splunk package resource. 
+ +Default value: $splunk::params::enterprise_package_ensure + +##### `staging_dir` + +Data type: `String[1]` + +Root of the archive path to host the Splunk package. + +Default value: $splunk::params::staging_dir + +##### `path_delimiter` + +Data type: `String[1]` + +The path separator used in the archived path of the Splunk package. + +Default value: $splunk::params::path_delimiter + +##### `enterprise_package_src` + +Data type: `String[1]` + +The source URL for the splunk installation media (typically an RPM, MSI, +etc). If a `$src_root` parameter is set in splunk::params, this will be +automatically supplied. Otherwise it is required. The URL can be of any +protocol supported by the pupept/archive module. On Windows, this can be +a UNC path to the MSI. + +Default value: $splunk::params::enterprise_package_src + +##### `package_provider` + +Data type: `Optional[String[1]]` + +The package management system used to host the Splunk packages. + +Default value: $splunk::params::package_provider + +##### `manage_package_source` + +Data type: `Boolean` + +Whether or not to use the supplied `enterprise_package_src` param. + +Default value: `true` + +##### `package_source` + +Data type: `Optional[String[1]]` + +*Optional* The source URL for the splunk installation media (typically an RPM, +MSI, etc). If `enterprise_package_src` parameter is set in splunk::params and +`manage_package_source` is true, this will be automatically supplied. Otherwise +it is required. The URL can be of any protocol supported by the puppet/archive +module. On Windows, this can be a UNC path to the MSI. + +Default value: `undef` + +##### `install_options` + +Data type: `Splunk::Entinstalloptions` + +This variable is passed to the package resources' *install_options* parameter. + +Default value: $splunk::params::enterprise_install_options + +##### `splunk_user` + +Data type: `String[1]` + +The user to run Splunk as. 
+ +Default value: $splunk::params::splunk_user + +##### `enterprise_homedir` + +Data type: `Stdlib::Absolutepath` + +Specifies the Splunk Enterprise home directory. + +Default value: $splunk::params::enterprise_homedir + +##### `enterprise_confdir` + +Data type: `Stdlib::Absolutepath` + +Specifies the Splunk Enterprise configuration directory. + +Default value: $splunk::params::enterprise_confdir + +##### `service_name` + +Data type: `String[1]` + +The name of the Splunk Enterprise service. + +Default value: $splunk::params::enterprise_service + +##### `service_file` + +Data type: `Stdlib::Absolutepath` + +The path to the Splunk Enterprise service file. + +Default value: $splunk::params::enterprise_service_file + +##### `boot_start` + +Data type: `Boolean` + +Whether or not to enable splunk boot-start, which generates a service file to +manage the Splunk Enterprise service. + +Default value: $splunk::params::boot_start + +##### `use_default_config` + +Data type: `Boolean` + +Whether or not the module should manage a default set of Splunk Enterprise +configuration parameters. + +Default value: `true` + +##### `input_default_host` + +Data type: `String[1]` + +Part of the default config. Sets the `splunk_input` default host. + +Default value: $facts['fqdn'] + +##### `input_connection_host` + +Data type: `String[1]` + +Part of the default config. Sets the `splunk_input` connection host. + +Default value: 'dns' + +##### `splunkd_listen` + +Data type: `Stdlib::IP::Address` + +The address on which splunkd should listen. + +Default value: '127.0.0.1' + +##### `logging_port` + +Data type: `Stdlib::Port` + +The port to receive TCP logs on. + +Default value: $splunk::params::logging_port + +##### `splunkd_port` + +Data type: `Stdlib::Port` + +The management port for Splunk. + +Default value: $splunk::params::splunkd_port + +##### `web_port` + +The port on which to service the Splunk Web interface. 
+ +##### `purge_inputs` + +Data type: `Boolean` + +If set to true, inputs.conf will be purged of configuration that is +no longer managed by the `splunk_input` type. + +Default value: `false` + +##### `purge_outputs` + +Data type: `Boolean` + +If set to true, outputs.conf will be purged of configuration that is +no longer managed by the `splunk_output` type. + +Default value: `false` + +##### `purge_authentication` + +Data type: `Boolean` + +If set to true, authentication.conf will be purged of configuration +that is no longer managed by the `splunk_authentication` type. + +Default value: `false` + +##### `purge_authorize` + +Data type: `Boolean` + +If set to true, authorize.conf will be purged of configuration that +is no longer managed by the `splunk_authorize` type. + +Default value: `false` + +##### `purge_distsearch` + +Data type: `Boolean` + +If set to true, distsearch.conf will be purged of configuration that +is no longer managed by the `splunk_distsearch` type. + +Default value: `false` + +##### `purge_indexes` + +Data type: `Boolean` + +If set to true, indexes.conf will be purged of configuration that is +no longer managed by the `splunk_indexes` type. + +Default value: `false` + +##### `purge_limits` + +Data type: `Boolean` + +If set to true, limits.conf will be purged of configuration that is +no longer managed by the `splunk_limits` type. + +Default value: `false` + +##### `purge_props` + +Data type: `Boolean` + +If set to true, props.conf will be purged of configuration that is +no longer managed by the `splunk_props` type. + +Default value: `false` + +##### `purge_server` + +Data type: `Boolean` + +If set to true, server.conf will be purged of configuration that is +no longer managed by the `splunk_server` type. + +Default value: `false` + +##### `purge_transforms` + +Data type: `Boolean` + +If set to true, transforms.conf will be purged of configuration that +is no longer managed by the `splunk_transforms` type. 
+ +Default value: `false` + +##### `purge_web` + +Data type: `Boolean` + +If set to true, web.conf will be purged of configuration that is no +longer managed by the `splunk_web type`. + +Default value: `false` + +##### `manage_password` + +Data type: `Boolean` + +If set to true, Manage the contents of splunk.secret and passwd. + +Default value: $splunk::params::manage_password + +##### `seed_password` + +Data type: `Boolean` + +If set to true, Manage the contents of splunk.secret and user-seed.conf. + +Default value: $splunk::params::seed_password + +##### `reset_seed_password` + +If set to true, deletes `password_config_file` to trigger Splunk's password +import process on restart of the Splunk services. + +##### `password_config_file` + +Data type: `Stdlib::Absolutepath` + +Which file to put the password in i.e. in linux it would be +`/opt/splunk/etc/passwd`. + +Default value: $splunk::params::enterprise_password_config_file + +##### `seed_config_file` + +Data type: `Stdlib::Absolutepath` + +Which file to place the admin password hash in so its imported by Splunk on +restart. + +Default value: $splunk::params::enterprise_seed_config_file + +##### `password_content` + +Data type: `String[1]` + +The hashed password username/details for the user. + +Default value: $splunk::params::password_content + +##### `password_hash` + +Data type: `String[1]` + +The hashed password for the admin user. + +Default value: $splunk::params::password_hash + +##### `secret_file` + +Data type: `Stdlib::Absolutepath` + +Which file we should put the secret in. + +Default value: $splunk::params::enterprise_secret_file + +##### `secret` + +Data type: `String[1]` + +The secret used to salt the splunk password. 
+ +Default value: $splunk::params::secret + +##### `web_httpport` + +Data type: `Stdlib::Port` + + + +Default value: 8000 + +##### `purge_alert_actions` + +Data type: `Boolean` + + + +Default value: `false` + +##### `purge_deploymentclient` + +Data type: `Boolean` + + + +Default value: `false` + +##### `purge_serverclass` + +Data type: `Boolean` + + + +Default value: `false` + +##### `purge_uiprefs` + +Data type: `Boolean` + + + +Default value: `false` + +##### `reset_seeded_password` + +Data type: `Boolean` + + + +Default value: $splunk::params::reset_seeded_password + +### splunk::enterprise::config + +Private class declared by Class[splunk::enterprise] to contain all the +configuration needed for a base install of Splunk Enterprise + +### splunk::enterprise::install + +Private class declared by Class[splunk::enterprise] to contain or define +through additional platform specific sub-class, the required steps +for successfully installing Splunk Enterprise + +### splunk::enterprise::install::nix + +Private class declared by Class[splunk::enterprise::install] to provide +platform specific installation steps on Linux or Unix type systems. + +### splunk::enterprise::password::manage + +Implements the direct management of the Splunk Enterprise admin password +so it can be used outside of regular management of the whole stack to +facilitate admin password resets through Bolt Plans. + +Note: Entirely done to make this implementation consistent with the method +used to manage admin password seeding. + +#### Parameters + +The following parameters are available in the `splunk::enterprise::password::manage` class. + +##### `manage_password` + +Data type: `Boolean` + +If set to true, Manage the contents of splunk.secret and passwd. + +Default value: $splunk::params::manage_password + +##### `password_config_file` + +Data type: `Stdlib::Absolutepath` + +Which file to put the password in i.e. in linux it would be +`/opt/splunk/etc/passwd`. 
+ +Default value: $splunk::params::forwarder_password_config_file + +##### `password_content` + +Data type: `String[1]` + +The hashed password username/details for the user. + +Default value: $splunk::params::password_content + +##### `secret_file` + +Data type: `Stdlib::Absolutepath` + +Which file we should put the secret in. + +Default value: $splunk::params::forwarder_secret_file + +##### `secret` + +Data type: `String[1]` + +The secret used to salt the splunk password. + +Default value: $splunk::params::secret + +##### `splunk_user` + +Data type: `String[1]` + + + +Default value: $splunk::params::splunk_user + +##### `service` + +Data type: `String[1]` + + + +Default value: $splunk::params::enterprise_service + +##### `mode` + +Data type: `Enum['agent', 'bolt']` + + + +Default value: 'bolt' + +### splunk::enterprise::password::seed + +Implements the seeding and reseeding of the Splunk Enterprise admin password +so it can be used outside of regular management of the whole stack to +facilitate admin password resets through Bolt Plans + +#### Parameters + +The following parameters are available in the `splunk::enterprise::password::seed` class. + +##### `seed_password` + +If set to true, Manage the contents of splunk.secret and user-seed.conf. + +##### `reset_seed_password` + +If set to true, deletes `password_config_file` to trigger Splunk's password +import process on restart of the Splunk services. + +##### `password_config_file` + +Data type: `Stdlib::Absolutepath` + +Which file to put the password in i.e. in linux it would be +`/opt/splunk/etc/passwd`. + +Default value: $splunk::params::enterprise_password_config_file + +##### `seed_config_file` + +Data type: `Stdlib::Absolutepath` + +Which file to place the admin password hash in so its imported by Splunk on +restart. + +Default value: $splunk::params::enterprise_seed_config_file + +##### `password_hash` + +Data type: `String[1]` + +The hashed password for the admin user. 
+ +Default value: $splunk::params::password_hash + +##### `secret_file` + +Data type: `Stdlib::Absolutepath` + +Which file we should put the secret in. + +Default value: $splunk::params::enterprise_secret_file + +##### `secret` + +Data type: `String[1]` + +The secret used to salt the splunk password. + +Default value: $splunk::params::secret + +##### `reset_seeded_password` + +Data type: `Boolean` + + + +Default value: $splunk::params::reset_seeded_password + +##### `splunk_user` + +Data type: `String[1]` + + + +Default value: $splunk::params::splunk_user + +##### `service` + +Data type: `String[1]` + + + +Default value: $splunk::params::enterprise_service + +##### `mode` + +Data type: `Enum['agent', 'bolt']` + + + +Default value: 'bolt' + +### splunk::enterprise::service + +Private class declared by Class[splunk::enterprise] to define a service +as its understood by Puppet using a dynamic set of data or platform specific +sub-classes + +### splunk::enterprise::service::nix + +Private class declared by Class[splunk::enterprise::service] to provide +platform specific service management on Linux or Unix type systems. + +### splunk::forwarder + +Install and configure an instance of Splunk Universal Forwarder + +#### Examples + +##### Basic usage + +```puppet +include splunk::forwarder +``` + +##### Install specific version and build with admin passord management + +```puppet +class { 'splunk::params': + version => '7.2.5', + build => '088f49762779', +} +class { 'splunk::forwarder': + package_ensure => latest, + manage_password => true, +} +``` + +#### Parameters + +The following parameters are available in the `splunk::forwarder` class. + +##### `server` + +Data type: `String[1]` + +The fqdn or IP address of the Splunk server. + +Default value: $splunk::params::server + +##### `version`` + +Specifies the version of Splunk Forwarder the module should install and +manage. 
+ +##### `package_name` + +Data type: `String[1]` + +The name of the package(s) Puppet will use to install Splunk Forwarder. + +Default value: $splunk::params::forwarder_package_name + +##### `package_ensure` + +Data type: `String[1]` + +Ensure parameter which will get passed to the Splunk package resource. + +Default value: $splunk::params::forwarder_package_ensure + +##### `staging_dir` + +Data type: `String[1]` + +Root of the archive path to host the Splunk package. + +Default value: $splunk::params::staging_dir + +##### `path_delimiter` + +Data type: `String[1]` + +The path separator used in the archived path of the Splunk package. + +Default value: $splunk::params::path_delimiter + +##### `forwarder_package_src` + +Data type: `String[1]` + +The source URL for the splunk installation media (typically an RPM, MSI, +etc). If a `$src_root` parameter is set in splunk::params, this will be +automatically supplied. Otherwise it is required. The URL can be of any +protocol supported by the puppet/archive module. On Windows, this can be +a UNC path to the MSI. + +Default value: $splunk::params::forwarder_package_src + +##### `package_provider` + +Data type: `Optional[String[1]]` + +The package management system used to host the Splunk packages. + +Default value: $splunk::params::package_provider + +##### `manage_package_source` + +Data type: `Boolean` + +Whether or not to use the supplied `forwarder_package_src` param. + +Default value: `true` + +##### `package_source` + +Data type: `Optional[String[1]]` + +*Optional* The source URL for the splunk installation media (typically an RPM, +MSI, etc). If `enterprise_package_src` parameter is set in splunk::params and +`manage_package_source` is true, this will be automatically supplied. Otherwise +it is required. The URL can be of any protocol supported by the puppet/archive +module. On Windows, this can be a UNC path to the MSI. 
+ +Default value: `undef` + +##### `install_options` + +Data type: `Splunk::Fwdinstalloptions` + +This variable is passed to the package resources' *install_options* parameter. + +Default value: $splunk::params::forwarder_install_options + +##### `splunk_user` + +Data type: `String[1]` + +The user to run Splunk as. + +Default value: $splunk::params::splunk_user + +##### `forwarder_homedir` + +Data type: `Stdlib::Absolutepath` + +Specifies the Splunk Forwarder home directory. + +Default value: $splunk::params::forwarder_homedir + +##### `forwarder_confdir` + +Data type: `Stdlib::Absolutepath` + +Specifies the Splunk Forwarder configuration directory. + +Default value: $splunk::params::forwarder_confdir + +##### `service_name` + +Data type: `String[1]` + +The name of the Splunk Forwarder service. + +Default value: $splunk::params::forwarder_service + +##### `service_file` + +Data type: `Stdlib::Absolutepath` + +The path to the Splunk Forwarder service file. + +Default value: $splunk::params::forwarder_service_file + +##### `boot_start` + +Data type: `Boolean` + +Whether or not to enable splunk boot-start, which generates a service file to +manage the Splunk Forwarder service. + +Default value: $splunk::params::boot_start + +##### `use_default_config` + +Data type: `Boolean` + +Whether or not the module should manage a default set of Splunk Forwarder +configuration parameters. + +Default value: `true` + +##### `splunkd_listen` + +Data type: `Stdlib::IP::Address` + +The address on which splunkd should listen. + +Default value: '127.0.0.1' + +##### `splunkd_port` + +Data type: `Stdlib::Port` + +The management port for Splunk. + +Default value: $splunk::params::splunkd_port + +##### `logging_port` + +Data type: `Stdlib::Port` + +The port on which to send and listen for logs. 
+ +Default value: $splunk::params::logging_port + +##### `purge_inputs` + +Data type: `Boolean` + +*Optional* If set to true, inputs.conf will be purged of configuration that is +no longer managed by the `splunkforwarder_input` type. + +Default value: `false` + +##### `purge_outputs` + +Data type: `Boolean` + +*Optional* If set to true, outputs.conf will be purged of configuration that is +no longer managed by the `splunk_output` type. + +Default value: `false` + +##### `purge_props` + +Data type: `Boolean` + +*Optional* If set to true, props.conf will be purged of configuration that is +no longer managed by the `splunk_props` type. + +Default value: `false` + +##### `purge_transforms` + +Data type: `Boolean` + +*Optional* If set to true, transforms.conf will be purged of configuration that is +no longer managed by the `splunk_transforms` type. + +Default value: `false` + +##### `purge_web` + +Data type: `Boolean` + +*Optional* If set to true, web.conf will be purged of configuration that is +no longer managed by the `splunk_web` type. + +Default value: `false` + +##### `forwarder_input` + +Data type: `Hash` + +Used to override the default `forwarder_input` type defined in splunk::params. + +Default value: $splunk::params::forwarder_input + +##### `forwarder_output` + +Data type: `Hash` + +Used to override the default `forwarder_output` type defined in splunk::params. + +Default value: $splunk::params::forwarder_output + +##### `manage_password` + +Data type: `Boolean` + +If set to true, Manage the contents of splunk.secret and passwd. + +Default value: $splunk::params::manage_password + +##### `seed_password` + +Data type: `Boolean` + +If set to true, Manage the contents of splunk.secret and user-seed.conf. + +Default value: $splunk::params::seed_password + +##### `reset_seed_password` + +If set to true, deletes `password_config_file` to trigger Splunk's password +import process on restart of the Splunk services. 
+ +##### `password_config_file` + +Data type: `Stdlib::Absolutepath` + +Which file to put the password in i.e. in linux it would be +`/opt/splunkforwarder/etc/passwd`. + +Default value: $splunk::params::forwarder_password_config_file + +##### `seed_config_file` + +Data type: `Stdlib::Absolutepath` + +Which file to place the admin password hash in so its imported by Splunk on +restart. + +Default value: $splunk::params::forwarder_seed_config_file + +##### `password_content` + +Data type: `String[1]` + +The hashed password username/details for the user. + +Default value: $splunk::params::password_content + +##### `password_hash` + +Data type: `String[1]` + +The hashed password for the admin user. + +Default value: $splunk::params::password_hash + +##### `secret_file` + +Data type: `Stdlib::Absolutepath` + +Which file we should put the secret in. + +Default value: $splunk::params::forwarder_secret_file + +##### `secret` + +Data type: `String[1]` + +The secret used to salt the splunk password. + +Default value: $splunk::params::secret + +##### `addons` + +Data type: `Hash` + +Manage a splunk addons, see `splunk::addons`. 
+ +Default value: {} + +##### `version` + +Data type: `String[1]` + + + +Default value: $splunk::params::version + +##### `purge_deploymentclient` + +Data type: `Boolean` + + + +Default value: `false` + +##### `reset_seeded_password` + +Data type: `Boolean` + + + +Default value: $splunk::params::reset_seeded_password + +### splunk::forwarder::config + +Private class declared by Class[splunk::forwarder] to contain all the +configuration needed for a base install of the Splunk Universal +Forwarder + +### splunk::forwarder::install + +Private class declared by Class[splunk::forwarder] to contain or define +through additional platform specific sub-class, the required steps +for successfully installing the Splunk Universal Forwarder + +### splunk::forwarder::password::manage + +Implements the direct management of the Splunk Forwarder admin password +so it can be used outside of regular management of the whole stack to +facilitate admin password resets through Bolt Plans. + +Note: Entirely done to make this implementation consistent with the method +used to manage admin password seeding. + +#### Parameters + +The following parameters are available in the `splunk::forwarder::password::manage` class. + +##### `manage_password` + +Data type: `Boolean` + +If set to true, Manage the contents of splunk.secret and passwd. + +Default value: $splunk::params::manage_password + +##### `password_config_file` + +Data type: `Stdlib::Absolutepath` + +Which file to put the password in i.e. in linux it would be +`/opt/splunkforwarder/etc/passwd`. + +Default value: $splunk::params::enterprise_password_config_file + +##### `password_content` + +Data type: `String[1]` + +The hashed password username/details for the user. + +Default value: $splunk::params::password_content + +##### `secret_file` + +Data type: `Stdlib::Absolutepath` + +Which file we should put the secret in. 
+ +Default value: $splunk::params::enterprise_secret_file + +##### `secret` + +Data type: `String[1]` + +The secret used to salt the splunk password. + +Default value: $splunk::params::secret + +##### `splunk_user` + +Data type: `String[1]` + + + +Default value: $splunk::params::splunk_user + +##### `service` + +Data type: `String[1]` + + + +Default value: $splunk::params::forwarder_service + +##### `mode` + +Data type: `Enum['agent', 'bolt']` + + + +Default value: 'bolt' + +### splunk::forwarder::password::seed + +Implements the seeding and reseeding of the Splunk Forwarder admin password +so it can be used outside of regular management of the whole stack to +facilitate admin password resets through Bolt Plans + +#### Parameters + +The following parameters are available in the `splunk::forwarder::password::seed` class. + +##### `seed_password` + +If set to true, Manage the contents of splunk.secret and user-seed.conf. + +##### `reset_seed_password` + +If set to true, deletes `password_config_file` to trigger Splunk's password +import process on restart of the Splunk services. + +##### `password_config_file` + +Data type: `Stdlib::Absolutepath` + +Which file to put the password in i.e. in linux it would be +`/opt/splunkforwarder/etc/passwd`. + +Default value: $splunk::params::forwarder_password_config_file + +##### `seed_config_file` + +Data type: `Stdlib::Absolutepath` + +Which file to place the admin password hash in so its imported by Splunk on +restart. + +Default value: $splunk::params::forwarder_seed_config_file + +##### `password_hash` + +Data type: `String[1]` + +The hashed password for the admin user. + +Default value: $splunk::params::password_hash + +##### `secret_file` + +Data type: `Stdlib::Absolutepath` + +Which file we should put the secret in. + +Default value: $splunk::params::forwarder_secret_file + +##### `secret` + +Data type: `String[1]` + +The secret used to salt the splunk password. 
+ +Default value: $splunk::params::secret + +##### `reset_seeded_password` + +Data type: `Boolean` + + + +Default value: $splunk::params::reset_seeded_password + +##### `splunk_user` + +Data type: `String[1]` + + + +Default value: $splunk::params::splunk_user + +##### `service` + +Data type: `String[1]` + + + +Default value: $splunk::params::forwarder_service + +##### `mode` + +Data type: `Enum['agent', 'bolt']` + + + +Default value: 'bolt' + +### splunk::forwarder::service + +Private class declared by Class[splunk::forwarder] to define a service as +its understood by Puppet using a dynamic set of data or platform specific +sub-classes + +### splunk::forwarder::service::nix + +Private class declared by Class[splunk::forwarder::service] to provide +platform specific service management on Linux or Unix type systems. + +### splunk::params + +This class takes a small number of arguments (can be set through Hiera) and +generates sane default values installation media names and locations. +Default ports can also be specified here. This is a parameters class, and +contributes no resources to the graph. Rather, it only sets values for +parameters to be consumed by child classes. + +#### Parameters + +The following parameters are available in the `splunk::params` class. + +##### `version` + +Data type: `String[1]` + +The version of Splunk to install. This will be in the form x.y.z; e.g. +"4.3.2". + +Default value: '7.2.4.2' + +##### `build` + +Data type: `String[1]` + +Splunk packages are typically named based on the platform, architecture, +version, and build. Puppet can determine the platform information +automatically but a build number must be supplied in order to correctly +construct the path to the packages. A build number will be six digits; +e.g. "123586". + +Default value: 'fb30470262e3' + +##### `splunkd_port` + +Data type: `Stdlib::Port` + +The splunkd port. 
+ +Default value: 8089 + +##### `logging_port` + +Data type: `Stdlib::Port` + +The port on which to send logs, and listen for logs. + +Default value: 9997 + +##### `server` + +Data type: `String[1]` + +Optional fqdn or IP of the Splunk Enterprise server. Used for setting up +the default TCP output and input. + +Default value: 'splunk' + +##### `splunk_user` + +Data type: `String[1]` + +The user that splunk runs as. + +Default value: $facts['os']['family'] + +##### `src_root` + +Data type: `String[1]` + +The root URL at which to find the splunk packages. The sane-default logic +assumes that the packages are located under this URL in the same way that +they are placed on download.splunk.com. The URL can be any protocol that +the puppet/archive module supports. This includes both puppet:// and +http://. + +The expected directory structure is: + +``` +$root_url/ +└── products/ + ├── universalforwarder/ + │ └── releases/ + | └── $version/ + | └── $platform/ + | └── splunkforwarder-${version}-${build}-${additl} + └── splunk/ + └── releases/ + └── $version/ + └── $platform/ + └── splunk-${version}-${build}-${additl} +``` + +A semi-populated example of `src_root` contains: + +``` +$root_url/ +└── products/ + ├── universalforwarder/ + │ └── releases/ + | └── 7.2.4.2/ + | ├── linux/ + | | ├── splunkforwarder-7.2.4.2-fb30470262e3-linux-2.6-amd64.deb + | | ├── splunkforwarder-7.2.4.2-fb30470262e3-linux-2.6-intel.deb + | | └── splunkforwarder-7.2.4.2-fb30470262e3-linux-2.6-x86_64.rpm + | ├── solaris/ + | └── windows/ + | └── splunkforwarder-7.2.4.2-fb30470262e3-x64-release.msi + └── splunk/ + └── releases/ + └── 7.2.4.2/ + └── linux/ + ├── splunk-7.2.4.2-fb30470262e3-linux-2.6-amd64.deb + ├── splunk-7.2.4.2-fb30470262e3-linux-2.6-intel.deb + └── splunk-7.2.4.2-fb30470262e3-linux-2.6-x86_64.rpm +``` + +Default value: 'https://download.splunk.com' + +##### `boot_start` + +Data type: `Boolean` + +Enable Splunk to start at boot, create a system service file. 
+ +WARNING: Toggling `boot_start` from `false` to `true` will cause a restart of +Splunk Enterprise and Forwarder services. + +Default value: `true` + +##### `forwarder_installdir` + +Data type: `Optional[String[1]]` + +Optional directory in which to install and manage Splunk Forwarder + +Default value: `undef` + +##### `enterprise_installdir` + +Data type: `Optional[String[1]]` + +Optional directory in which to install and manage Splunk Enterprise + +Default value: `undef` + +## Defined types + +### splunk::addon + +Defined type for deploying Splunk Add-ons and Apps from either OS packages +or via splunkbase compatible archives + +* **See also** +https://docs.splunk.com/Documentation/AddOns/released/Overview/AboutSplunkadd-ons + +#### Examples + +##### Basic usage + +```puppet +splunk::addon { 'Splunk_TA_nix': + splunkbase_source => 'puppet:///modules/splunk_qd/addons/splunk-add-on-for-unix-and-linux_602.tgz', + inputs => { + 'monitor:///var/log' => { + 'whitelist' => '(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)', + 'blacklist' => '(lastlog|anaconda\.syslog)', + 'disabled' => 'false' + }, + 'script://./bin/uptime.sh' => { + 'disabled' => 'false', + 'interval' => '86400', + 'source' => 'Unix:Uptime', + 'sourcetype' => 'Unix:Uptime' + } + } +} +``` + +#### Parameters + +The following parameters are available in the `splunk::addon` defined type. 
+ +##### `splunk_home` + +Data type: `Optional[Stdlib::Absolutepath]` + +Overrides the default Splunk installation target values from Class[splunk::params] + +Default value: `undef` + +##### `package_manage` + +Data type: `Boolean` + +If a package should be installed as part of declaring a new instance of Splunk::Addon + +Default value: `true` + +##### `splunkbase_source` + +Data type: `Optional[String[1]]` + +When set the add-on will be installed from a splunkbase compatible archive instead of OS packages + +Default value: `undef` + +##### `package_name` + +Data type: `Optional[String[1]]` + +The OS package to install if you are not installing via splunk compatible archive + +Default value: `undef` + +##### `owner` + +Data type: `String[1]` + +The user that files are owned by when they are created as part of add-on installation + +Default value: 'splunk' + +##### `inputs` + +Data type: `Hash` + +A hash of inputs to be configured as part of add-on installation, alterntively you can also define splunk_input or splunkforwarder_input resouces seperately + +Default value: {} + +## Resource types + +### splunk_alert_actions + +Manage splunk alert_actions settings in alert_actions.conf + +### splunk_authentication + +Manage splunk authentication settings in authentication.conf + +### splunk_authorize + +Manage splunk authorize settings in authorize.conf + +### splunk_config + +splunk config + +#### Parameters + +The following parameters are available in the `splunk_config` type. 
+ +##### `name` + +namevar + +splunk config + +##### `forwarder_installdir` + + + +##### `forwarder_confdir` + + + +##### `server_installdir` + + + +##### `server_confdir` + + + +### splunk_deploymentclient + +Manage splunk deploymentclient entries in deploymentclient.conf + +### splunk_distsearch + +Manage distsearch entries in distsearch.conf + +### splunk_indexes + +Manage splunk index settings in indexes.conf + +### splunk_input + +Manage splunk input settings in inputs.conf + +### splunk_limits + +Manage splunk limits settings in limits.conf + +### splunk_metadata + +Manage metadata entries in {default,local}.meta + +### splunk_output + +Manage splunk output settings in outputs.conf + +### splunk_props + +Manage splunk prop settings in props.conf + +### splunk_server + +Manage splunk server settings in server.conf + +### splunk_serverclass + +Manage splunk serverclass entries in serverclass.conf + +### splunk_transforms + +Manage splunk transforms settings in transforms.conf + +### splunk_uiprefs + +Manage splunk web ui settings in ui-prefs.conf + +### splunk_web + +Manage splunk web settings in web.conf + +### splunkforwarder_deploymentclient + +Manage splunkforwarder deploymentclient entries in deploymentclient.conf + +### splunkforwarder_input + +Manage splunkforwarder input settings in inputs.conf + +### splunkforwarder_limits + +Manage splunkforwarder limit settings in limits.conf + +### splunkforwarder_output + +Manage splunkforwarder output settings in outputs.conf + +### splunkforwarder_props + +Manage splunkforwarder props settings in props.conf + +### splunkforwarder_server + +Manage splunkforwarder server settings in server.conf + +### splunkforwarder_transforms + +Manage splunkforwarder transforms settings in transforms.conf + +### splunkforwarder_web + +Manage splunkforwarder web settings in web.conf + diff --git a/manifests/enterprise.pp b/manifests/enterprise.pp index 4738afcc..74d21ebc 100644 --- a/manifests/enterprise.pp 
+++ b/manifests/enterprise.pp
@@ -141,13 +141,27 @@
 # @param manage_password
 # If set to true, Manage the contents of splunk.secret and passwd.
 #
+# @param seed_password
+# If set to true, Manage the contents of splunk.secret and user-seed.conf.
+#
+# @param reset_seed_password
+# If set to true, deletes `password_config_file` to trigger Splunk's password
+# import process on restart of the Splunk services.
+#
 # @param password_config_file
 # Which file to put the password in i.e. in linux it would be
 # `/opt/splunk/etc/passwd`.
 #
+# @param seed_config_file
+# Which file to place the admin password hash in so its imported by Splunk on
+# restart.
+#
 # @param password_content
 # The hashed password username/details for the user.
 #
+# @param password_hash
+# The hashed password for the admin user.
+#
 # @param secret_file
 # Which file we should put the secret in.
 #
@@ -194,8 +208,12 @@
 Boolean $purge_uiprefs = false,
 Boolean $purge_web = false,
 Boolean $manage_password = $splunk::params::manage_password,
+ Boolean $seed_password = $splunk::params::seed_password,
+ Boolean $reset_seeded_password = $splunk::params::reset_seeded_password,
 Stdlib::Absolutepath $password_config_file = $splunk::params::enterprise_password_config_file,
+ Stdlib::Absolutepath $seed_config_file = $splunk::params::enterprise_seed_config_file,
 String[1] $password_content = $splunk::params::password_content,
+ String[1] $password_hash = $splunk::params::password_hash,
 Stdlib::Absolutepath $secret_file = $splunk::params::enterprise_secret_file,
 String[1] $secret = $splunk::params::secret,
 ) inherits splunk {
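Review bot: The doc-comment hunk documents `@param reset_seed_password`, but the parameter this commit adds to the class signature is `$reset_seeded_password`, so the description is attached to a name that does not exist and the real parameter stays undocumented. Renaming the tag to `# @param reset_seeded_password` fixes it. Because the setting deletes `password_config_file` on every run, the description could also say that it is meant to be enabled only temporarily and only together with `seed_password`.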
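Review bot: In the parameter list, `$password_hash` is added as a plain `String[1]`, like the existing `$secret` and `$password_content`, so the admin password hash is handled as an ordinary catalog string. Declaring it as `Sensitive[String[1]] $password_hash` would keep the value redacted in logs and reports; the class that writes it to `seed_config_file` would then have to accept the same type. The default comes from `$splunk::params::password_hash`, which is outside this hunk; if that is a fixed hash, every node that enables seeding without overriding it would share one admin credential, so that is worth confirming.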
@@ -209,6 +227,18 @@ fail('This module does not currently support continuously upgrading Splunk Enterprise on Windows. Please do not set "package_ensure" to "latest" on Windows.') } + if $manage_password and $seed_password { + fail('The setting "manage_password" and "seed_password" are in conflict with one another; they are two ways of accomplishing the same goal, "seed_password" is preferred according to Splunk documentation. If you need to reset the admin user password after initially installation then set "reset_seeded_password" temporarily.') + } + + if $manage_password { + info("The setting \"manage_password\" will manage the contents of ${password_config_file} which Splunk changes on restart, this results in Puppet initiating a corrective change event on every run and will trigger a resart of all Splunk services") + } + + if $reset_seeded_password { + info("The setting \"reset_seeded_password\" will delete ${password_config_file} on each run of Puppet and generate a corrective change event, the file must be absent for Splunk's admin password seeding process to be triggered so this setting should only be used temporarily as it'll also cause a resart of the Splunk service") + } + contain 'splunk::enterprise::install' contain 'splunk::enterprise::config' contain 'splunk::enterprise::service' diff --git a/manifests/enterprise/config.pp b/manifests/enterprise/config.pp index 19e46fd6..715fb368 100644 --- a/manifests/enterprise/config.pp +++ b/manifests/enterprise/config.pp 
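Review bot: The new checks do not cover `reset_seeded_password` being true while `seed_password` is false: the `info()` text says the password file will be deleted on each run, yet the config class in this commit only passes the flag on inside its `seed_password` branch, so the setting silently does nothing. A guard such as `if $reset_seeded_password and !$seed_password { fail('"reset_seeded_password" requires "seed_password"') }` would make that misconfiguration explicit. Both notices use `info()`, which logs on the compiling server at info level, so an operator may never see that a setting which removes the password file and restarts Splunk is active; `warning()` would be more visible, and "resart" in both messages should read "restart". The class body starts before this hunk.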
@@ -4,19 +4,28 @@ # class splunk::enterprise::config() { - if $splunk::enterprise::manage_password { - file { $splunk::enterprise::password_config_file: - ensure => file, - owner => $splunk::enterprise::splunk_user, - group => $splunk::enterprise::splunk_user, - content => $splunk::enterprise::password_content, + if $splunk::enterprise::seed_password { + class { 'splunk::enterprise::password::seed': + reset_seeded_password => $splunk::enterprise::reset_seeded_password, + password_config_file => $splunk::enterprise::password_config_file, + seed_config_file => $splunk::enterprise::seed_config_file, + password_hash => $splunk::enterprise::password_hash, + secret_file => $splunk::enterprise::secret_file, + secret => $splunk::enterprise::secret, + splunk_user => $splunk::enterprise::splunk_user, + mode => 'agent', } + } - file { $splunk::enterprise::secret_file: - ensure => file, - owner => $splunk::enterprise::splunk_user, - group => $splunk::enterprise::splunk_user, - content => $splunk::enterprise::secret, + if $splunk::enterprise::manage_password { + class { 'splunk::enterprise::password::manage': + manage_password => $splunk::enterprise::manage_password, + password_config_file => $splunk::enterprise::password_config_file, + password_content => $splunk::enterprise::password_content, + secret_file => $splunk::enterprise::secret_file, + secret => $splunk::enterprise::secret, + splunk_user => $splunk::enterprise::splunk_user, + mode => 'agent', } } diff --git a/manifests/enterprise/password/manage.pp b/manifests/enterprise/password/manage.pp new file mode 100644 index 00000000..4faf4fd4 --- /dev/null +++ b/manifests/enterprise/password/manage.pp 
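Review bot: The password handling moves from inline `file` resources into classes declared with resource-like syntax, and a class declared that way is not contained by `splunk::enterprise::config`. Any ordering or notification attached to the config class (those relationships are outside this hunk, so this needs confirming) would no longer cover the files that hold the secret and the password hash, which could let them be applied before the package is installed or after the service has started. Adding `contain 'splunk::enterprise::password::seed'` and `contain 'splunk::enterprise::password::manage'` after the respective declarations would restore the previous containment. The body of the config class continues past the end of the hunk.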
@@ -0,0 +1,70 @@
+# @summary
+# Implements the direct management of the Splunk Enterprise admin password
+# so it can be used outside of regular management of the whole stack to
+# facilitate admin password resets through Bolt Plans.
+#
+# Note: Entirely done to make this implementation consistent with the method
+# used to manage admin password seeding.
+#
+# @param manage_password
+# If set to true, Manage the contents of splunk.secret and passwd.
+#
+# @param password_config_file
+# Which file to put the password in i.e. in linux it would be
+# `/opt/splunk/etc/passwd`.
+#
+# @param password_content
+# The hashed password username/details for the user.
+# @param secret_file
+# Which file we should put the secret in.
+#
+# @param secret
+# The secret used to salt the splunk password.
+#
+# @params service
+# Name of the Splunk Enterprise service that needs to be restarted after files
+# are updated, not applicable when running in agent mode.
+#
+# @params mode
+# The class is designed to work in two ways, as a helper that is called by
+# Class[splunk::enterprise::config] or leveraged independently from with in a
+# Bolt Plan. 
The value defaults to "bolt" implicitly assuming that anytime it
+# is used outside of Class[splunk::enterprise::config], it is being used by
+# Bolt
+#
+class splunk::enterprise::password::manage(
+ Boolean $manage_password = $splunk::params::manage_password,
+ Stdlib::Absolutepath $password_config_file = $splunk::params::forwarder_password_config_file,
+ String[1] $password_content = $splunk::params::password_content,
+ Stdlib::Absolutepath $secret_file = $splunk::params::forwarder_secret_file,
+ String[1] $secret = $splunk::params::secret,
+ String[1] $splunk_user = $splunk::params::splunk_user,
+ String[1] $service = $splunk::params::enterprise_service,
+ Enum['agent', 'bolt'] $mode = 'bolt',
+) inherits splunk::params {
+
+ file { $secret_file:
+ ensure => file,
+ owner => $splunk_user,
+ group => $splunk_user,
+ content => $secret,
+ }
+
+ file { $password_config_file:
+ ensure => file,
+ owner => $splunk_user,
+ group => $splunk_user,
+ content => $password_content,
+ require => File[$secret_file],
+ }
+
+ if $mode == 'bolt' {
+ service { $service:
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ subscribe => File[$password_config_file],
+ }
+ }
+}
diff --git a/manifests/enterprise/password/seed.pp b/manifests/enterprise/password/seed.pp
new file mode 100644
index 00000000..6ff593e9
--- /dev/null
+++ b/manifests/enterprise/password/seed.pp 
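Review bot: The defaults for `$password_config_file` and `$secret_file` in `splunk::enterprise::password::manage` point at `$splunk::params::forwarder_password_config_file` and `$splunk::params::forwarder_secret_file`. A standalone call that omits them (the `mode => 'bolt'` case this class exists for) therefore writes the Enterprise credentials into the forwarder's paths and then manages `$splunk::params::enterprise_service`. They should read `$splunk::params::enterprise_password_config_file` and `$splunk::params::enterprise_secret_file`, as the sibling seed class does. manifests/forwarder/password/manage.pp has the mirror-image mistake, defaulting to the `enterprise_*` paths. Agent runs are unaffected because config.pp passes both values explicitly.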
@@ -0,0 +1,83 @@
+# @summary
+# Implements the seeding and reseeding of the Splunk Enterprise admin password
+# so it can be used outside of regular management of the whole stack to
+# facilitate admin password resets through Bolt Plans
+#
+# @param seed_password
+# If set to true, Manage the contents of splunk.secret and user-seed.conf.
+#
+# @param reset_seed_password
+# If set to true, deletes `password_config_file` to trigger Splunk's password
+# import process on restart of the Splunk services.
+#
+# @param password_config_file
+# Which file to put the password in i.e. in linux it would be
+# `/opt/splunk/etc/passwd`.
+#
+# @param seed_config_file
+# Which file to place the admin password hash in so its imported by Splunk on
+# restart.
+#
+# @param password_hash
+# The hashed password for the admin user.
+#
+# @param secret_file
+# Which file we should put the secret in.
+#
+# @param secret
+# The secret used to salt the splunk password.
+#
+# @params service
+# Name of the Splunk Enterprise service that needs to be restarted after files
+# are updated, not applicable when running in agent mode.
+#
+# @params mode
+# The class is designed to work in two ways, as a helper that is called by
+# Class[splunk::enterprise::config] or leveraged independently from with in a
+# Bolt Plan. 
The value defaults to "bolt" implicitly assuming that anytime it
+# is used outside of Class[splunk::enterprise::config], it is being used by
+# Bolt
+#
+class splunk::enterprise::password::seed(
+ Boolean $reset_seeded_password = $splunk::params::reset_seeded_password,
+ Stdlib::Absolutepath $password_config_file = $splunk::params::enterprise_password_config_file,
+ Stdlib::Absolutepath $seed_config_file = $splunk::params::enterprise_seed_config_file,
+ String[1] $password_hash = $splunk::params::password_hash,
+ Stdlib::Absolutepath $secret_file = $splunk::params::enterprise_secret_file,
+ String[1] $secret = $splunk::params::secret,
+ String[1] $splunk_user = $splunk::params::splunk_user,
+ String[1] $service = $splunk::params::enterprise_service,
+ Enum['agent', 'bolt'] $mode = 'bolt',
+) inherits splunk::params {
+
+ file { $secret_file:
+ ensure => file,
+ owner => $splunk_user,
+ group => $splunk_user,
+ content => $secret,
+ }
+
+ if $reset_seeded_password or $facts['splunk_version'].empty {
+ file { $password_config_file:
+ ensure => absent,
+ before => File[$seed_config_file],
+ }
+ file { $seed_config_file:
+ ensure => file,
+ owner => $splunk_user,
+ group => $splunk_user,
+ content => epp('splunk/user-seed.conf.epp', { 'hash' => $password_hash}),
+ require => File[$secret_file],
+ }
+
+ if $mode == 'bolt' {
+ service { $service:
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ subscribe => File[$seed_config_file],
+ }
+ }
+ }
+}
diff --git a/manifests/forwarder.pp b/manifests/forwarder.pp
index 6aa97eb5..af866300 100644
--- a/manifests/forwarder.pp
+++ b/manifests/forwarder.pp 
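Review bot: Neither `file` resource that carries credential material here (`$secret_file`, `$seed_config_file`) sets `mode` or `show_diff`. A newly created file therefore gets Puppet's default mode rather than an owner-only one, and content changes to the secret or the password hash can be printed as diffs in agent output and reports. Suggest `mode => '0600',` and `show_diff => false,` on each, and consider accepting `Sensitive[String[1]]` for `$secret` and `$password_hash` so the values are redacted in logs. The same applies to the file resources in manifests/enterprise/password/manage.pp and to both forwarder password classes. Whether a POSIX mode string is appropriate for the Windows paths needs checking.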
@@ -117,13 +117,27 @@ # @param manage_password # If set to true, Manage the contents of splunk.secret and passwd. # +# @param seed_password +# If set to true, Manage the contents of splunk.secret and user-seed.conf. +# +# @param reset_seed_password +# If set to true, deletes `password_config_file` to trigger Splunk's password +# import process on restart of the Splunk services. +# # @param password_config_file # Which file to put the password in i.e. in linux it would be # `/opt/splunkforwarder/etc/passwd`. # +# @param seed_config_file +# Which file to place the admin password hash in so its imported by Splunk on +# restart. +# # @param password_content # The hashed password username/details for the user. # +# @param password_hash +# The hashed password for the admin user. +# # @param secret_file # Which file we should put the secret in. # @@ -164,8 +178,12 @@ Hash $forwarder_output = $splunk::params::forwarder_output, Hash $forwarder_input = $splunk::params::forwarder_input, Boolean $manage_password = $splunk::params::manage_password, + Boolean $seed_password = $splunk::params::seed_password, + Boolean $reset_seeded_password = $splunk::params::reset_seeded_password, Stdlib::Absolutepath $password_config_file = $splunk::params::forwarder_password_config_file, + Stdlib::Absolutepath $seed_config_file = $splunk::params::forwarder_seed_config_file, String[1] $password_content = $splunk::params::password_content, + String[1] $password_hash = $splunk::params::password_hash, Stdlib::Absolutepath $secret_file = $splunk::params::forwarder_secret_file, String[1] $secret = $splunk::params::secret, Hash $addons = {}, 
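Review bot: The new doc tag `@param reset_seed_password` does not match the parameter added in the second hunk, which is `$reset_seeded_password`. Generated reference docs will then describe a parameter that does not exist and leave the real one undocumented; rename the tag to `# @param reset_seeded_password`. The seed classes under manifests/enterprise/password/ and manifests/forwarder/password/ repeat this. They also document a `seed_password` parameter they do not declare, and use `@params` instead of `@param` for `service` and `mode`.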
@@ -180,6 +198,18 @@ fail('This module does not currently support continuously upgrading the Splunk Universal Forwarder on Windows. Please do not set "package_ensure" to "latest" on Windows.') } + if $manage_password and $seed_password { + fail('The setting "manage_password" and "seed_password" are in conflict with one another; they are two ways of accomplishing the same goal, "seed_password" is preferred according to Splunk documentation. If you need to reset the admin user password after initially installation then set "reset_seeded_password" temporarily.') + } + + if $manage_password { + info("The setting \"manage_password\" will manage the contents of ${password_config_file} which Splunk changes on restart, this results in Puppet initiating a corrective change event on every run and will trigger a resart of all Splunk services") + } + + if $reset_seeded_password { + info("The setting \"reset_seeded_password\" will delete ${password_config_file} on each run of Puppet and generate a corrective change event, the file must be absent for Splunk's admin password seeding process to be triggered so this setting should only be used temporarily as it'll also cause a resart of the Splunk service") + } + contain 'splunk::forwarder::install' contain 'splunk::forwarder::config' contain 'splunk::forwarder::service' diff --git a/manifests/forwarder/config.pp b/manifests/forwarder/config.pp index 6e412501..1b742841 100644 --- a/manifests/forwarder/config.pp +++ b/manifests/forwarder/config.pp 
@@ -5,19 +5,28 @@ # class splunk::forwarder::config { - if $splunk::forwarder::manage_password { - file { $splunk::forwarder::password_config_file: - ensure => file, - owner => $splunk::forwarder::splunk_user, - group => $splunk::forwarder::splunk_user, - content => $splunk::forwarder::password_content, + if $splunk::forwarder::seed_password { + class { 'splunk::forwarder::password::seed': + reset_seeded_password => $splunk::forwarder::reset_seeded_password, + password_config_file => $splunk::forwarder::password_config_file, + seed_config_file => $splunk::forwarder::seed_config_file, + password_hash => $splunk::forwarder::password_hash, + secret_file => $splunk::forwarder::secret_file, + secret => $splunk::forwarder::secret, + splunk_user => $splunk::forwarder::splunk_user, + mode => 'agent', } + } - file { $splunk::forwarder::secret_file: - ensure => file, - owner => $splunk::forwarder::splunk_user, - group => $splunk::forwarder::splunk_user, - content => $splunk::forwarder::secret, + if $splunk::forwarder::manage_password { + class { 'splunk::forwarder::password::manage': + manage_password => $splunk::forwarder::manage_password, + password_config_file => $splunk::forwarder::password_config_file, + password_content => $splunk::forwarder::password_content, + secret_file => $splunk::forwarder::secret_file, + secret => $splunk::forwarder::secret, + splunk_user => $splunk::forwarder::splunk_user, + mode => 'agent', } } diff --git a/manifests/forwarder/password/manage.pp b/manifests/forwarder/password/manage.pp new file mode 100644 index 00000000..e62ef23c --- /dev/null +++ b/manifests/forwarder/password/manage.pp 
@@ -0,0 +1,70 @@
+# @summary
+# Implements the direct management of the Splunk Forwarder admin password
+# so it can be used outside of regular management of the whole stack to
+# facilitate admin password resets through Bolt Plans.
+#
+# Note: Entirely done to make this implementation consistent with the method
+# used to manage admin password seeding.
+#
+# @param manage_password
+# If set to true, Manage the contents of splunk.secret and passwd.
+#
+# @param password_config_file
+# Which file to put the password in i.e. in linux it would be
+# `/opt/splunkforwarder/etc/passwd`.
+#
+# @param password_content
+# The hashed password username/details for the user.
+# @param secret_file
+# Which file we should put the secret in.
+#
+# @param secret
+# The secret used to salt the splunk password.
+#
+# @params service
+# Name of the Splunk Enterprise service that needs to be restarted after files
+# are updated, not applicable when running in agent mode.
+#
+# @params mode
+# The class is designed to work in two ways, as a helper that is called by
+# Class[splunk::forwarder::config] or leveraged independently from with in a
+# Bolt Plan. 
The value defaults to "bolt" implicitly assuming that anytime it
+# is used outside of Class[splunk::forwarder::config], it is being used by
+# Bolt
+#
+class splunk::forwarder::password::manage(
+ Boolean $manage_password = $splunk::params::manage_password,
+ Stdlib::Absolutepath $password_config_file = $splunk::params::enterprise_password_config_file,
+ String[1] $password_content = $splunk::params::password_content,
+ Stdlib::Absolutepath $secret_file = $splunk::params::enterprise_secret_file,
+ String[1] $secret = $splunk::params::secret,
+ String[1] $splunk_user = $splunk::params::splunk_user,
+ String[1] $service = $splunk::params::forwarder_service,
+ Enum['agent', 'bolt'] $mode = 'bolt',
+) inherits splunk::params {
+
+ file { $secret_file:
+ ensure => file,
+ owner => $splunk_user,
+ group => $splunk_user,
+ content => $secret,
+ }
+
+ file { $password_config_file:
+ ensure => file,
+ owner => $splunk_user,
+ group => $splunk_user,
+ content => $password_content,
+ require => File[$secret_file],
+ }
+
+ if $mode == 'bolt' {
+ service { $service:
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ subscribe => File[$password_config_file],
+ }
+ }
+}
diff --git a/manifests/forwarder/password/seed.pp b/manifests/forwarder/password/seed.pp
new file mode 100644
index 00000000..1aea8cc3
--- /dev/null
+++ b/manifests/forwarder/password/seed.pp 
@@ -0,0 +1,83 @@
+# @summary
+# Implements the seeding and reseeding of the Splunk Forwarder admin password
+# so it can be used outside of regular management of the whole stack to
+# facilitate admin password resets through Bolt Plans
+#
+# @param seed_password
+# If set to true, Manage the contents of splunk.secret and user-seed.conf.
+#
+# @param reset_seed_password
+# If set to true, deletes `password_config_file` to trigger Splunk's password
+# import process on restart of the Splunk services.
+#
+# @param password_config_file
+# Which file to put the password in i.e. in linux it would be
+# `/opt/splunkforwarder/etc/passwd`.
+#
+# @param seed_config_file
+# Which file to place the admin password hash in so its imported by Splunk on
+# restart.
+#
+# @param password_hash
+# The hashed password for the admin user.
+#
+# @param secret_file
+# Which file we should put the secret in.
+#
+# @param secret
+# The secret used to salt the splunk password.
+#
+# @params service
+# Name of the Splunk Forwarder service that needs to be restarted after files
+# are updated, not applicable when running in agent mode.
+#
+# @params mode
+# The class is designed to work in two ways, as a helper that is called by
+# Class[splunk::forwarder::config] or leveraged independently from with in a
+# Bolt Plan. 
The value defaults to "bolt" implicitly assuming that anytime it
+# is used outside of Class[splunk::forwarder::config], it is being used by
+# Bolt
+#
+class splunk::forwarder::password::seed(
+ Boolean $reset_seeded_password = $splunk::params::reset_seeded_password,
+ Stdlib::Absolutepath $password_config_file = $splunk::params::forwarder_password_config_file,
+ Stdlib::Absolutepath $seed_config_file = $splunk::params::forwarder_seed_config_file,
+ String[1] $password_hash = $splunk::params::password_hash,
+ Stdlib::Absolutepath $secret_file = $splunk::params::forwarder_secret_file,
+ String[1] $secret = $splunk::params::secret,
+ String[1] $splunk_user = $splunk::params::splunk_user,
+ String[1] $service = $splunk::params::forwarder_service,
+ Enum['agent', 'bolt'] $mode = 'bolt',
+) inherits splunk::params {
+
+ file { $secret_file:
+ ensure => file,
+ owner => $splunk_user,
+ group => $splunk_user,
+ content => $secret,
+ }
+
+ if $reset_seeded_password or $facts['splunk_version'].empty {
+ file { $password_config_file:
+ ensure => absent,
+ before => File[$seed_config_file],
+ }
+ file { $seed_config_file:
+ ensure => file,
+ owner => $splunk_user,
+ group => $splunk_user,
+ content => epp('splunk/user-seed.conf.epp', { 'hash' => $password_hash}),
+ require => File[$secret_file],
+ }
+
+ if $mode == 'bolt' {
+ service { $service:
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ subscribe => File[$seed_config_file],
+ }
+ }
+ }
+}
diff --git a/manifests/params.pp b/manifests/params.pp
index be9ff0d7..70d6c92c 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp 
@@ -112,9 +112,12 @@ # forwarder, then distribute the contents of the splunk.secret and passwd # files accross all nodes. # By default the parameters provided are for admin/changeme password. - $manage_password = false - $secret = 'hhy9DOGqli4.aZWCuGvz8stcqT2/OSJUZuyWHKc4wnJtQ6IZu2bfjeElgYmGHN9RWIT3zs5hRJcX1wGerpMNObWhFue78jZMALs3c3Mzc6CzM98/yGYdfcvWMo1HRdKn82LVeBJI5dNznlZWfzg6xdywWbeUVQZcOZtODi10hdxSJ4I3wmCv0nmkSWMVOEKHxti6QLgjfuj/MOoh8.2pM0/CqF5u6ORAzqFZ8Qf3c27uVEahy7ShxSv2K4K41z' - $password_content = ':admin:$6$pIE/xAyP9mvBaewv$4GYFxC0SqonT6/x8qGcZXVCRLUVKODj9drDjdu/JJQ/Iw0Gg.aTkFzCjNAbaK4zcCHbphFz1g1HK18Z2bI92M0::Administrator:admin:changeme@example.com::' + $manage_password = false + $seed_password = false + $reset_seeded_password = false + $secret = 'hhy9DOGqli4.aZWCuGvz8stcqT2/OSJUZuyWHKc4wnJtQ6IZu2bfjeElgYmGHN9RWIT3zs5hRJcX1wGerpMNObWhFue78jZMALs3c3Mzc6CzM98/yGYdfcvWMo1HRdKn82LVeBJI5dNznlZWfzg6xdywWbeUVQZcOZtODi10hdxSJ4I3wmCv0nmkSWMVOEKHxti6QLgjfuj/MOoh8.2pM0/CqF5u6ORAzqFZ8Qf3c27uVEahy7ShxSv2K4K41z' + $password_hash = '$6$pIE/xAyP9mvBaewv$4GYFxC0SqonT6/x8qGcZXVCRLUVKODj9drDjdu/JJQ/Iw0Gg.aTkFzCjNAbaK4zcCHbphFz1g1HK18Z2bI92M0' + $password_content = ":admin:${password_hash}::Administrator:admin:changeme@example.com::" if $facts['os']['family'] == 'windows' { $staging_dir = "${facts['archive_windir']}\\splunk" @@ -131,6 +134,8 @@ 'Linux': { $path_delimiter = '/' $forwarder_src_subdir = 'linux' + $forwarder_seed_config_file = "${forwarder_homedir}/etc/system/local/user-seed.conf" + $enterprise_seed_config_file = "${enterprise_homedir}/etc/system/local/user-seed.conf" $forwarder_password_config_file = "${forwarder_homedir}/etc/passwd" $enterprise_password_config_file = "${enterprise_homedir}/etc/passwd" $forwarder_secret_file = "${forwarder_homedir}/etc/splunk.secret" 
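Review bot: `$password_hash` defaults to the hash that the comment above describes as the admin/changeme credential, and `$secret` to a value published in the module. So `seed_password => true` with no explicit `password_hash` seeds the admin account with a publicly known password. Since seeding is the new preferred path, it would be safer to refuse that combination in enterprise.pp and forwarder.pp, e.g. `if $seed_password and $password_hash == $splunk::params::password_hash { fail('"seed_password" requires an explicit "password_hash"') }`. The surrounding params class is only partly visible in this hunk.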
@@ -157,6 +162,8 @@ 'SunOS': { $path_delimiter = '/' $forwarder_src_subdir = 'solaris' + $forwarder_seed_config_file = "${forwarder_homedir}/etc/system/local/user-seed.conf" + $enterprise_seed_config_file = "${enterprise_homedir}/etc/system/local/user-seed.conf" $forwarder_password_config_file = "${forwarder_homedir}/etc/passwd" $enterprise_password_config_file = "${enterprise_homedir}/etc/passwd" $forwarder_secret_file = "${forwarder_homedir}/etc/splunk.secret" @@ -183,10 +190,10 @@ 'windows': { $path_delimiter = '\\' $forwarder_src_subdir = 'windows' + $forwarder_seed_config_file = "${forwarder_homedir}\\etc\\system\\local\\user-seed.conf" + $enterprise_seed_config_file = "${enterprise_homedir}\\etc\\system\\local\\user-seed.conf" $forwarder_password_config_file = "${forwarder_homedir}\\etc\\passwd" $enterprise_password_config_file = "${enterprise_homedir}\\etc\\passwd" - $forwarder_secret_file = "${forwarder_homedir}\\etc\\splunk.secret" - $enterprise_secret_file = "${enterprise_homedir}\\etc\\splunk.secret" $forwarder_service = 'SplunkForwarder' $forwarder_service_file = "${forwarder_homedir}\\dummy" # Not used in Windows, but attribute must be defined with a valid path $forwarder_confdir = "${forwarder_homedir}\\etc" diff --git a/spec/acceptance/splunk_enterprise_spec.rb b/spec/acceptance/splunk_enterprise_spec.rb index db497992..22863751 100644 --- a/spec/acceptance/splunk_enterprise_spec.rb +++ b/spec/acceptance/splunk_enterprise_spec.rb @@ -12,7 +12,7 @@ # Using puppet_apply as a helper it 'works idempotently with no errors' do pp = <<-EOS - class { '::splunk::enterprise': } + class { 'splunk::enterprise': } EOS # Run it twice and test for idempotency 
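Review bot: The 'windows' hunk (`@@ -183,10 +190,10 @@`) removes `$forwarder_secret_file` and `$enterprise_secret_file`, while the Linux and SunOS branches keep them and the classes in this commit still default `Stdlib::Absolutepath $secret_file` to those variables. Unless they are defined elsewhere in params.pp, outside the visible hunks, catalog compilation on Windows would fail the type check (or hit an unknown variable under strict_variables). If the removal was unintended, keep `$forwarder_secret_file = "${forwarder_homedir}\\etc\\splunk.secret"` and its `enterprise` counterpart next to the new seed paths.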
@@ -40,6 +40,39 @@ class { '::splunk::enterprise': } end end + context 'seed admin password' do + # Using puppet_apply as a helper + it 'works with no errors' do + pp = <<-EOS + class { 'splunk::enterprise': + seed_password => true, + reset_seeded_password => true, + password_hash => '$6$not4r3alh45h', + } + EOS + + apply_manifest(pp, catch_failures: true) + end + + it 'works idempotently with no errors' do + pp = <<-EOS + class { 'splunk::enterprise': + seed_password => true, + password_hash => '$6$not4r3alh45h', + } + EOS + + # Run it twice and test for idempotency + apply_manifest(pp, catch_failures: true) + apply_manifest(pp, catch_changes: true) + end + + describe file('/opt/splunk/etc/passwd') do + it { is_expected.to be_file } + its(:content) { is_expected.to match %r{\$6\$not4r3alh45h} } + end + end + # Uninstall so that splunkforwarder tests aren't affected by this set of tests context 'uninstalling splunk' do it do diff --git a/templates/user-seed.conf.epp b/templates/user-seed.conf.epp new file mode 100644 index 00000000..33532969 --- /dev/null +++ b/templates/user-seed.conf.epp @@ -0,0 +1,4 @@ +<%- | String $hash | -%> +[user_info] +USERNAME=admin +HASHED_PASSWORD=<%= $hash %>