Apply Vault policies before declaring trusted certificates

willaerk · willaerk · commit b7196ed76429 · 2025-01-31T09:12:10.000+01:00
diff --git a/manifests/vault.pp b/manifests/vault.pp
@@ -108,16 +108,16 @@
     }
 
     if $auto_unseal {
-      class { 'profiles::vault::authentication':
-        require => Class['profiles::vault::seal']
-      }
-
       class { 'profiles::vault::secrets_engines':
         require => Class['profiles::vault::seal']
       }
 
       class { 'profiles::vault::policies':
-        require => [Class['profiles::vault::secrets_engines'], Class['profiles::vault::authentication']]
+        require => Class['profiles::vault::secrets_engines']
+      }
+
+      class { 'profiles::vault::authentication':
+        require => Class['profiles::vault::policies']
       }
     }
   }
diff --git a/spec/classes/vault_spec.rb b/spec/classes/vault_spec.rb
@@ -155,6 +155,7 @@
           it { is_expected.to contain_class('profiles::vault::certificate').that_requires('Class[profiles::vault::install]') }
           it { is_expected.to contain_class('profiles::vault::certificate').that_comes_before('Class[profiles::vault::configuration]') }
           it { is_expected.to contain_class('profiles::vault::authentication').that_requires('Class[profiles::vault::seal]') }
+          it { is_expected.to contain_class('profiles::vault::authentication').that_requires('Class[profiles::vault::policies]') }
           it { is_expected.to contain_class('profiles::vault::secrets_engines').that_requires('Class[profiles::vault::seal]') }
           it { is_expected.to contain_class('profiles::vault::policies').that_requires('Class[profiles::vault::seal]') }
           it { is_expected.to contain_class('profiles::vault::policies').that_requires('Class[profiles::vault::secrets_engines]') }

Original file line number	Diff line number	Diff line change
`@@ -108,16 +108,16 @@`
`108`	`108`	`}`
`109`	`109`
`110`	`110`	`if $auto_unseal {`
`111`		`- class { 'profiles::vault::authentication':`
`112`		`- require => Class['profiles::vault::seal']`
`113`		`- }`
`114`		`-`
`115`	`111`	`class { 'profiles::vault::secrets_engines':`
`116`	`112`	`require => Class['profiles::vault::seal']`
`117`	`113`	`}`
`118`	`114`
`119`	`115`	`class { 'profiles::vault::policies':`
`120`		`- require => [Class['profiles::vault::secrets_engines'], Class['profiles::vault::authentication']]`
	`116`	`+ require => Class['profiles::vault::secrets_engines']`
	`117`	`+ }`
	`118`	`+`
	`119`	`+ class { 'profiles::vault::authentication':`
	`120`	`+ require => Class['profiles::vault::policies']`
`121`	`121`	`}`
`122`	`122`	`}`
`123`	`123`	`}`