workaround "sensitive in hash"

manifests/docker.pp

@@ -6,6 +6,7 @@
 #
 class hdm::docker {
   assert_private()
+
   if $hdm::manage_docker {
     include docker
   }
@@ -18,6 +19,7 @@
     'Debian' => '/usr/sbin/nologin',
     'RedHat' => '/sbin/nologin',
   }
+
   user { $hdm::user:
     ensure => present,
     gid    => $hdm::group,

manifests/init.pp

@@ -68,7 +68,7 @@
 #     }
 #   ```
 #
-# @param puppet_code_dir The path where HDM can find deployed 
+# @param puppet_code_dir The path where HDM can find deployed
 #   Puppet environments (similar to puppet config code_dir)
 #   defaults to '/etc/puppetlabs/code'
 #
@@ -77,8 +77,8 @@
 #   Values for keys are taken from hiera.yaml file and can
 #   not be set individually.
 #
-# @param read_only Set to false if you want the ability to 
-#   change data via HDM webfrontend. 
+# @param read_only Set to false if you want the ability to
+#   change data via HDM webfrontend.
 #   WARNING!! setting to true is untested!!!
 #   Changes are stored via GIT.
 #   Setting this to true also needs the git_data Array parameter
@@ -105,12 +105,13 @@
 #       'port'             => 389,
 #       'base_dn'          => 'ou=hdm,dc=nodomain',
 #       'bind_dn'          => 'cn=admin,dc=nodomain',
-#       'bind_dn_password' => 'openldap',
 #       'ldaps'            =>  false,
 #     }
 #   ```
 #
-# @param hdm_hiera_config_file Set to another file if you 
+# @param ldap_bind_dn_password sensitive password for ldap bind
+#
+# @param hdm_hiera_config_file Set to another file if you
 #   want HDM to not use hiera.yaml.
 #
 # @example
@@ -135,11 +136,21 @@
   Stdlib::Unixpath              $puppet_code_dir       = '/etc/puppetlabs/code',
   String[1]                     $hdm_hiera_config_file = 'hiera.yaml',
   # additional application parameter
-  Boolean                       $allow_encryption      = false,
-  Boolean                       $read_only             = true,
-  Optional[Hdm::Gitdata]        $git_data              = undef,
-  Optional[Hdm::Ldap_settings]  $ldap_settings         = undef,
+  Boolean                        $allow_encryption      = false,
+  Boolean                        $read_only             = true,
+  Optional[Hdm::Gitdata]         $git_data              = undef,
+  Optional[Hdm::Ldap_settings]   $ldap_settings         = undef,
+  Optional[Sensitive[String[1]]] $ldap_bind_dn_password = undef,
 ) {
+  if $ldap_settings {
+    if $ldap_bind_dn_password {
+      $final_ldap_settings = $ldap_settings + { bind_dn_password => $ldap_bind_dn_password }
+    }
+    else {
+      $final_ldap_settings = $ldap_settings
+    }
+  }
+
   case $method {
     'docker': {
       $run_mode = 'production'

manifests/rvm.pp

@@ -6,6 +6,7 @@
 # @api private
 class hdm::rvm {
   assert_private()
+
   group { $hdm::group:
     ensure => present,
   }
@@ -53,7 +54,9 @@
         package { 'devtoolset-7':
           ensure => present,
         }
+
         $exec_prefix = 'scl enable devtoolset-7 '
+
         exec { 'update sqlite':
           command => 'yum install -y https://kojipkgs.fedoraproject.org//packages/sqlite/3.8.11/1.fc21/x86_64/sqlite-devel-3.8.11-1.fc21.x86_64.rpm https://kojipkgs.fedoraproject.org//packages/sqlite/3.8.11/1.fc21/x86_64/sqlite-3.8.11-1.fc21.x86_64.rpm',
           path    => $facts['path'],

templates/hdm.yml.epp

@@ -7,10 +7,9 @@
     <%= $key %>: <%= $value %>
   <%- } -%>
   config_dir: <%= $hdm::puppet_code_dir %>
-<%- if ! $hdm::ldap_settings.empty { -%>
+<%- if ! $hdm::final_ldap_settings.empty { -%>
   ldap:
-  <%- $hdm::ldap_settings.each |$key, $value| { -%>
+  <%- $hdm::final_ldap_settings.each |$key, $value| { -%>
     <%= $key %>: <%= $value %>
   <%- } -%>
 <%- } -%>
-

types/ldap_settings.pp

@@ -5,7 +5,6 @@
     'port'             => Stdlib::Port,
     'base_dn'          => String[1],
     'bind_dn'          => String[1],
-    'bind_dn_password' => Sensitive,
     'ldaps'            => Boolean,
   }
 ]