Feature suggestion: Automatic parameter lookup - allow list for lookups #69
Comments
|
Old module but example of what we are looking for https://github.com/Accenture/hiera-aws-sm
|
|
Hi, Do you know when this might be available for use? At the moment my lookups are generating 100's of calls to Keyvault with lookups that are being generated by variables outside hiera that I am not interested in. |
Hey @adelany , I can take a stab at this next weekend and let you know how it goes. |
|
Hey @adelany , Please give v2.0.0 a try with the new Thanks! |
|
Hi, I am getting the following error (not sure I am doing something wrong or it's my setup) Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, 'azure_key_vault::lookup' expects (Variant[String, Numeric] secret_name, Struct[{'vault_name' => String, 'vault_api_version' => String, 'metadata_api_version' => String, 'confine_to_keys' => Array[Regexp], Optional['key_replacement_token'] => String}] options, Object[{name => 'Puppet::LookupContext', parent => Any, attributes => {'environment_name' => {type => String[1], kind => derived}, 'module_name' => Variant[String[1], Undef]}, functions => {'not_found' => Callable[[0, 0], Undef], 'explain' => Callable[[0, 0, Callable[0, 0]], Undef], 'interpolate' => Callable[1, 1], 'cache' => Callable[Optional[Scalar], Any], 'cache_all' => Callable[[Hash[Optional[Scalar], Any]], Undef], 'cache_has_key' => Callable[[Optional[Scalar]], Boolean], 'cached_value' => Callable[Optional[Scalar]], 'cached_entries' => Variant[Callable[[0, 0, Callable[1, 1]], Undef], Callable[[0, 0, Callable[2, 2]], Undef], Callable[[0, 0], Iterable[Tuple[Optional[Scalar], Any]]]], 'cached_file_data' => Callable[String, Optional[Callable[Array[Integer]]]]}}] context) Line in site.pp is lookup('classes', {merge => unique}).include hiera.yaml : - version: 5 defaults: hierarchy:
Key's I am looking up from a dev.yaml file within hiera data profile::artifactory_app::artifactory_storage_accname: "%{lookup('artifactory-storage-account')}" Any ideas why this isn't working |
|
Hey @adelany , I know what the issue is. I was hoping this would work but apparently it doesn't. Let me push out a new release. |
|
Hey @adelany , Please get 2.0.1 which resolves your issue. |
|
Many thanks this resolved the issue now working perfectly. |
Suggest adding an optional
allowed_keysto thelookup_optionsparameters - when specified, this would prevent lookups for anything that does not match entries (either strings or regular expressions) in the list.Automatic parameter lookup will (by default) look up any variables not found in the hierarchy. Even on relatively small sites, this can mean hundreds or thousands of queries against the KeyVault when using this feature.
As an example, instrumenting
azure_key_vault::lookupwith the following code:Shows that when generating a catalog for a puppet master running Puppet Enterprise v2019.8.5, this results in 776 lookups against Azure KeyVault.
Azure KeyVault service limits allow a maximum of 2,000 lookups every 10 seconds against a key vault: https://docs.microsoft.com/en-us/azure/key-vault/general/service-limits#secrets-managed-storage-account-keys-and-vault-transactions
The text was updated successfully, but these errors were encountered: