diff --git a/vault/auth.go b/vault/auth.go index 5b2510c12b..fa00249263 100644 --- a/vault/auth.go +++ b/vault/auth.go @@ -19,6 +19,7 @@ import ( "github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/logical" + "github.com/hashicorp/vault/vault/observations" "github.com/hashicorp/vault/vault/plugincatalog" ) @@ -248,6 +249,18 @@ func (c *Core) enableCredentialInternal(ctx context.Context, entry *MountEntry, if c.logger.IsInfo() { c.logger.Info("enabled credential backend", "path", entry.Path, "type", entry.Type, "version", entry.RunningVersion) } + + err = c.observations.RecordObservationToLedger(ctx, observations.ObservationTypeMountAuthEnable, ns, map[string]interface{}{ + "path": entry.Path, + "local_mount": entry.Local, + "type": entry.Type, + "accessor": entry.Accessor, + "version": entry.RunningVersion, + }) + if err != nil { + c.logger.Error("failed to record observation after enabling credential backend", "path", entry.Path, "error", err) + } + return nil } @@ -380,6 +393,17 @@ func (c *Core) disableCredentialInternal(ctx context.Context, path string, updat c.logger.Info("disabled credential backend", "path", path) } + err = c.observations.RecordObservationToLedger(ctx, observations.ObservationTypeMountAuthDisable, ns, map[string]interface{}{ + "path": path, + "local_mount": entry.Local, + "type": entry.Type, + "accessor": entry.Accessor, + "version": entry.RunningVersion, + }) + if err != nil { + c.logger.Error("failed to record observation after disabling auth backend", "path", path, "error", err) + } + return nil } diff --git a/vault/mount.go b/vault/mount.go index c5012ed6ba..37381a79c0 100644 --- a/vault/mount.go +++ b/vault/mount.go 
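Review bot: In enableCredentialInternal the error from `RecordObservationToLedger` is only logged and the function still returns nil, so an auth backend can be enabled with no ledger entry for it; the same pattern repeats in disableCredentialInternal, mountInternal and unmountInternal. If this is deliberate best-effort behaviour, say so at the call site, e.g. `// Best-effort: a ledger failure must not fail the mount operation, but it leaves no observation for this change.` The error log carries only `"path"`, which presumably is not unique across namespaces. Adding the namespace makes the missing record traceable: `c.logger.Error("failed to record observation after enabling credential backend", "namespace", ns.Path, "path", entry.Path, "error", err)`. `ns` is assigned outside the hunk and the function body starts above it.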
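Review bot: The disable record in disableCredentialInternal takes `"path"` from the `path` parameter, while the enable record and both records in vault/mount.go use `entry.Path`. Any normalisation of `path` happens outside this hunk, so this is inferred: if the two can differ in form, a consumer pairing `mount/auth/enable` with `mount/auth/disable` by path will miss the match. Using `"path": entry.Path,` keeps the four call sites symmetric. The log text also says "auth backend" where the enable side says "credential backend", which makes the two failures harder to search for together. `entry` and `ns` are assigned above the hunk.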
@@ -25,6 +25,7 @@ import ( "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/helper/pluginutil" "github.com/hashicorp/vault/sdk/logical" + "github.com/hashicorp/vault/vault/observations" "github.com/hashicorp/vault/vault/plugincatalog" "github.com/mitchellh/copystructure" ) @@ -784,6 +785,18 @@ func (c *Core) mountInternal(ctx context.Context, entry *MountEntry, updateStora if c.logger.IsInfo() { c.logger.Info("successful mount", "namespace", entry.Namespace().Path, "path", entry.Path, "type", entry.Type, "version", entry.RunningVersion) } + + err = c.observations.RecordObservationToLedger(ctx, observations.ObservationTypeMountSecretsEnable, ns, map[string]interface{}{ + "path": entry.Path, + "local_mount": entry.Local, + "type": entry.Type, + "accessor": entry.Accessor, + "version": entry.RunningVersion, + }) + if err != nil { + c.logger.Error("failed to record observation after enabling mount backend", "path", entry.Path, "error", err) + } + return nil } @@ -967,6 +980,17 @@ func (c *Core) unmountInternal(ctx context.Context, path string, updateStorage b c.logger.Info("successfully unmounted", "path", path, "namespace", ns.Path) } + err = c.observations.RecordObservationToLedger(ctx, observations.ObservationTypeMountSecretsDisable, ns, map[string]interface{}{ + "path": entry.Path, + "local_mount": entry.Local, + "type": entry.Type, + "accessor": entry.Accessor, + "version": entry.RunningVersion, + }) + if err != nil { + c.logger.Error("failed to record observation after enabling mount backend", "path", entry.Path, "error", err) + } + return nil } diff --git a/vault/observations/observations_consts.go b/vault/observations/observations_consts.go index bbaf1d8afe..d09c76f506 100644 --- a/vault/observations/observations_consts.go +++ b/vault/observations/observations_consts.go 
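Review bot: The five-field metadata map in mountInternal is one of four hand-written copies of the same literal; enableCredentialInternal, disableCredentialInternal and unmountInternal carry the others. The copies have already drifted in where `"path"` comes from and in their log wording. Building the map in one helper that takes the `*MountEntry` keeps the ledger schema identical for every mount observation and gives one place to review which entry fields leave the core. The helper name below is a suggestion; each call site would pass `mountObservationData(entry)` as the last argument. mountInternal's body begins above the hunk.

```go
// mountObservationData returns the fields recorded for every mount
// enable/disable observation, so all call sites emit the same schema.
func mountObservationData(entry *MountEntry) map[string]interface{} {
	return map[string]interface{}{
		"path":        entry.Path,
		"local_mount": entry.Local,
		"type":        entry.Type,
		"accessor":    entry.Accessor,
		"version":     entry.RunningVersion,
	}
}
```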
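Review bot: The error message in unmountInternal says "after enabling mount backend", copied from mountInternal, although this path records `ObservationTypeMountSecretsDisable`. Someone reading the log while reconstructing a gap in the ledger would be pointed at the wrong operation. It should read `c.logger.Error("failed to record observation after disabling mount backend", "path", entry.Path, "error", err)`. The Info line just above logs `path` and `ns.Path`, so adding `"namespace", ns.Path` here would match it. The function body starts outside the hunk.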
@@ -11,4 +11,8 @@ const (
 ObservationTypeLeaseLazyRevoke = "lease/lazy-revoke"
 ObservationTypeLeaseRevocation = "lease/revoke"
 ObservationTypePolicyACLEvaluation = "policy/acl/evaluation"
+ ObservationTypeMountAuthEnable = "mount/auth/enable"
+ ObservationTypeMountAuthDisable = "mount/auth/disable"
+ ObservationTypeMountSecretsEnable = "mount/secrets/enable"
+ ObservationTypeMountSecretsDisable = "mount/secrets/disable"
 )