mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-05-05 12:26:34 +02:00
Code Issues Projects Releases Wiki Activity

[QT-426] Ensure file audit device is only enabled if the leader is initialized. (#20974)

Browse Source
This commit is contained in:
Mike Baum 2023-06-03 13:50:28 -04:00 committed by GitHub
parent 155003aa0c
commit 2c9a75b093
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
enos/modules/vault_cluster/main.tf
View File

@ -63,6 +63,7 @@ locals {
]
audit_device_file_path = "/var/log/vault_audit.log"
vault_service_user = "vault"
enable_audit_device = var.enable_file_audit_device && var.initialize_cluster
}
resource "enos_remote_exec" "install_packages" {
@ -224,7 +225,7 @@ resource "enos_remote_exec" "create_audit_log_dir" {
]
for_each = toset([
for idx, host in toset(local.instances) : idx
if var.enable_file_audit_device
if local.enable_audit_device
])
environment = {
@ -291,7 +292,7 @@ resource "enos_remote_exec" "enable_file_audit_device" {
]
for_each = toset([
for idx in local.leader : idx
if var.enable_file_audit_device
if local.enable_audit_device
])
environment = {

2
enos/modules/vault_cluster/scripts/enable_audit_logging.sh
View File

@ -2,4 +2,4 @@
set -eux
sudo su "$SERVICE_USER" -c "VAULT_TOKEN=$VAULT_TOKEN VAULT_ADDR=$VAULT_ADDR $VAULT_BIN_PATH audit enable file file_path=$LOG_FILE_PATH"
$VAULT_BIN_PATH audit enable file file_path="$LOG_FILE_PATH"