Classes
simp_grafana
: Class: simp_grafana This module acts as a SIMP wrapper ("profile") for the Puppet, Inc. Approved Grafana module written by Bill Fraser and m
simp_grafana::config::firewall
: Class simp_grafana::config::firewall This class is meant to be called from simp_grafana. It ensures that firewall rules are defined.
simp_grafana::config::pki
: Class: simp_grafana::config::config::pki This class is meant to be called from simp_grafana. It ensures that pki rules are defined.
simp_grafana::params
: Class: simp_grafana::params This class is meant to be called from simp_grafana. It sets variables according to platform.
Class: simp_grafana
This module acts as a SIMP wrapper ("profile") for the Puppet, Inc. Approved Grafana module written by Bill Fraser and maintained by Vox Pupuli. It sets a baseline of secure defaults and integrates Grafana with other SIMP components.
Welcome to SIMP!
This module is a component of the System Integrity Management Platform (SIMP), a managed security compliance framework built on Puppet.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- As a SIMP wrapper module, the defaults use the larger SIMP ecosystem to manage security compliance settings from the Puppet server.
- If used independently, all SIMP-managed security subsystems may be disabled via the `firewall` and `pki` settings.
Parameters
Examples
- Note If SIMP integration is not required, direct use of the component Grafana module is advised.
    class { 'simp_grafana':
      firewall     => true,
      pki          => true,
      trusted_nets => ['10.255.0.0/16'],
      cfg          => { 'auth.ldap' => { enabled => true } },
      ldap_cfg     => {
        verbose_logging => true,
        servers         => [
          {
            host                  => 'ldap.example.com',
            # @note: If using Puppet 3.x, the param `port` MUST use arithmetic.
            # If it does not, it will be converted into a string and the LDAP
            # configuration file will fail to load with a type error.
            port                  => 635 + 1,
            use_ssl               => true,
            bind_dn               => 'uid=grafana,ou=Services,dc=test',
            bind_password         => '123$%^qweRTY',
            search_filter         => '(uid=%s)',
            search_base_dns       => ['ou=People,dc=test'],
            group_search_filter   => '(&(objectClass=posixGroup)(memberUid=%s))',
            group_search_base_dns => ['ou=Group,dc=test'],
            attributes            => {
              name      => 'givenName',
              surname   => 'sn',
              username  => 'uid',
              member_of => 'gidNumber',
              email     => 'mail',
            },
            group_mappings        => [
              { group_dn => '50000', org_role => 'Admin' },
              { group_dn => '50001', org_role => 'Editor' },
            ],
          },
        ],
      },
    }
The following parameters are available in the `simp_grafana` class.
Data type: Simplib::Netlist
A whitelist of subnets (in CIDR notation) permitted access.
Default value: $::simp_grafana::params::trusted_nets
Data type: Boolean
If true, manage firewall rules to accommodate simp_grafana.
Default value: $::simp_grafana::params::firewall
Data type: Variant[Boolean,Enum['simp']]
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/grafana/x509.
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/grafana/x509.
- If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
  - app_pki_dir
  - app_pki_key
  - app_pki_cert
  - app_pki_ca
  - app_pki_ca_dir
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })
Data type: String
- If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.
- If pki = false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })
NOTE: Controlled in params.pp. This variable controls the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/grafana/x509.
NOTE: Controlled in params.pp. Path and name of the private SSL key file.
NOTE: Controlled in params.pp. Path and name of the public SSL certificate.
Data type: Hash
A passthrough to the Grafana component module, this will be merged with the SIMP defaults in `::simp_grafana::params`.
Default value: {}
Data type: Hash
A passthrough to the Grafana component module, merged with the SIMP defaults in `::simp_grafana::params`.
@note If using Puppet 3.x, Integer values in this Hash must be declared with an arithmetic expression to avoid conversion to a String. For example, to set a value to `1`, the value should be declared as `0 + 1`.
Default value: {}
Data type: String
A passthrough to the Grafana module, this sets the installation method of Grafana to a repository by default since this is the SIMP preferred method for installing packages.
Default value: 'repo'
Data type: Boolean
If set, allow the ::grafana module to point to the appropriate package repository on the Internet automatically.
Default value: false
Data type: String
Version of grafana to install
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
Data type: String
Default value: '1'
Data type: Boolean
Install SIMP dashboards
Default value: false
Class simp_grafana::config::firewall
This class is meant to be called from simp_grafana. It ensures that firewall rules are defined.
Class: simp_grafana::config::config::pki
This class is meant to be called from simp_grafana. It ensures that pki rules are defined.
Class: simp_grafana::params
This class is meant to be called from simp_grafana. It sets variables according to platform.