Showing with 11 additions and 5 deletions.

+7 −1 lib/puppet/functions/azure_key_vault/lookup.rb

+4 −4 spec/functions/azure_key_vault_lookup_spec.rb
diff --git a/lib/puppet/functions/azure_key_vault/lookup.rb b/lib/puppet/functions/azure_key_vault/lookup.rb
@@ -3,7 +3,7 @@
 Puppet::Functions.create_function(:'azure_key_vault::lookup') do
   dispatch :lookup_key do
     param 'Variant[String, Numeric]', :secret_name
-    param 'Struct[{vault_name => String, vault_api_version => String, metadata_api_version => String, confine_to_keys => Array[Regexp], Optional[key_replacement_token] => String}]', :options
+    param 'Struct[{vault_name => String, vault_api_version => String, metadata_api_version => String, confine_to_keys => Array[String], Optional[key_replacement_token] => String}]', :options
     param 'Puppet::LookupContext', :context
   end
 
@@ -15,6 +15,12 @@ def lookup_key(secret_name, options, context)
     if confine_keys
       raise ArgumentError, 'confine_to_keys must be an array' unless confine_keys.is_a?(Array)
 
+      begin
+        confine_keys = confine_keys.map { |r| Regexp.new(r) }
+      rescue StandardError => e
+        raise ArgumentError, "creating regexp failed with: #{e}"
+      end
+
       regex_key_match = Regexp.union(confine_keys)
 
       unless secret_name[regex_key_match] == secret_name

diff --git a/spec/functions/azure_key_vault_lookup_spec.rb b/spec/functions/azure_key_vault_lookup_spec.rb
@@ -6,7 +6,7 @@
       'vault_name' => 'vault_name',
       'vault_api_version' => 'vault_api_version',
       'metadata_api_version' => 'metadata_api_version',
-      'confine_to_keys' => [%r{^.*sensitive_azure.*}],
+      'confine_to_keys' => ['^.*sensitive_azure.*'],
     }
   end
   let(:lookup_context) do
@@ -81,7 +81,7 @@
   it 'errors when passing invalid regexes' do
     is_expected.to run.with_params(
       'profile::windows::sqlserver::sensitive_azure_sql_user_password', options.merge({ 'confine_to_keys' => ['['] }), lookup_context
-    ).and_raise_error(ArgumentError, %r{'confine_to_keys' index 0 expects a Regexp value}i)
+    ).and_raise_error(ArgumentError, %r{creating regexp failed with}i)
   end
 
   it 'returns the key if regex matches confine_to_keys' do
@@ -90,7 +90,7 @@
     expect(TragicCode::Azure).to receive(:get_access_token).and_return(access_token_value)
     expect(TragicCode::Azure).to receive(:get_secret).and_return(secret_value)
     is_expected.to run.with_params(
-      'profile::windows::sqlserver::sensitive_azure_sql_user_password', options.merge({ 'confine_to_keys' => [%r{^.*sensitive_azure.*}] }), lookup_context
+      'profile::windows::sqlserver::sensitive_azure_sql_user_password', options.merge({ 'confine_to_keys' => ['^.*sensitive_azure.*'] }), lookup_context
     ).and_return(secret_value)
   end
 
@@ -103,7 +103,7 @@
     expect(TragicCode::Azure).to receive(:get_secret).and_return(secret_value)
 
     is_expected.to run.with_params(
-      'profile::windows::sqlserver::sensitive_sql_user_password', options.merge({ 'confine_to_keys' => [%r{^sensitive_azure.*$}] }), lookup_context
+      'profile::windows::sqlserver::sensitive_sql_user_password', options.merge({ 'confine_to_keys' => ['^sensitive_azure.*$'] }), lookup_context
     )
   end
 end