voxpupuli · teluq-pbrideau · Jul 28, 2022 · Aug 5, 2022 · Oct 19, 2022 · Dec 12, 2022
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -539,7 +539,7 @@ Default value: `$zabbix::params::server_api_user`
 
 ##### <a name="-zabbix--zabbix_api_pass"></a>`zabbix_api_pass`
 
-Data type: `Any`
+Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]`
 
 Password of the user which connects to the api. Default: zabbix
 
@@ -653,7 +653,7 @@ Default value: `$zabbix::params::server_database_user`
 
 ##### <a name="-zabbix--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]`
 
 Database password. ignored for sqlite.
 
@@ -2290,7 +2290,7 @@ Default value: `$zabbix::params::server_database_user`
 
 ##### <a name="-zabbix--database--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]`
 
 The password of the database_user.
 
@@ -2898,7 +2898,7 @@ Default value: `$zabbix::params::proxy_database_user`
 
 ##### <a name="-zabbix--proxy--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]`
 
 Database password. ignored for sqlite.
 
@@ -3860,7 +3860,7 @@ API username.
 
 ##### <a name="-zabbix--resources--web--zabbix_pass"></a>`zabbix_pass`
 
-Data type: `String[1]`
+Data type: `Variant[String[1], Sensitive[String[1]]]`
 
 API password.
 
@@ -3996,6 +3996,7 @@ The following parameters are available in the `zabbix::server` class:
 * [`startreportwriters`](#-zabbix--server--startreportwriters)
 * [`webserviceurl`](#-zabbix--server--webserviceurl)
 * [`vmwarefrequency`](#-zabbix--server--vmwarefrequency)
+* [`vmwareperffrequency`](#-zabbix--server--vmwareperffrequency)
 * [`vaultdbpath`](#-zabbix--server--vaultdbpath)
 * [`vaulttoken`](#-zabbix--server--vaulttoken)
 * [`vaulturl`](#-zabbix--server--vaulturl)
@@ -4043,6 +4044,7 @@ The following parameters are available in the `zabbix::server` class:
 * [`statsallowedip`](#-zabbix--server--statsallowedip)
 * [`loadmodulepath`](#-zabbix--server--loadmodulepath)
 * [`loadmodule`](#-zabbix--server--loadmodule)
+* [`sslcalocation_dir`](#-zabbix--server--sslcalocation_dir)
 * [`sslcertlocation_dir`](#-zabbix--server--sslcertlocation_dir)
 * [`sslkeylocation_dir`](#-zabbix--server--sslkeylocation_dir)
 * [`manage_selinux`](#-zabbix--server--manage_selinux)
@@ -4269,7 +4271,7 @@ Default value: `$zabbix::params::server_database_user`
 
 ##### <a name="-zabbix--server--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]`
 
 Database password. ignored for sqlite.
 
@@ -4502,6 +4504,15 @@ How often zabbix will connect to vmware service to obtain a new datan.
 
 Default value: `$zabbix::params::server_vmwarefrequency`
 
+##### <a name="-zabbix--server--vmwareperffrequency"></a>`vmwareperffrequency`
+
+Data type: `Any`
+
+Delay in seconds between performance counter statistics retrieval from a single VMware service.
+This delay should be set to the least update interval of any VMware monitoring item that uses VMware performance counters.
+
+Default value: `$zabbix::params::server_vmwareperffrequency`
+
 ##### <a name="-zabbix--server--vaultdbpath"></a>`vaultdbpath`
 
 Data type: `Optional[String[1]]`
@@ -4890,17 +4901,25 @@ Module to load at server startup.
 
 Default value: `$zabbix::params::server_loadmodule`
 
+##### <a name="-zabbix--server--sslcalocation_dir"></a>`sslcalocation_dir`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+Location of certificate authority (CA) files for SSL server certificate verification.
+
+Default value: `$zabbix::params::server_sslcalocation`
+
 ##### <a name="-zabbix--server--sslcertlocation_dir"></a>`sslcertlocation_dir`
 
-Data type: `Any`
+Data type: `Optional[Stdlib::Absolutepath]`
 
 Location of SSL client certificate files for client authentication.
 
 Default value: `$zabbix::params::server_sslcertlocation`
 
 ##### <a name="-zabbix--server--sslkeylocation_dir"></a>`sslkeylocation_dir`
 
-Data type: `Any`
+Data type: `Optional[Stdlib::Absolutepath]`
 
 Location of SSL private key files for client authentication.
 
@@ -5312,7 +5331,7 @@ Default value: `$zabbix::params::server_database_user`
 
 ##### <a name="-zabbix--web--database_password"></a>`database_password`
 
-Data type: `Any`
+Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]`
 
 Database password. ignored for sqlite.
 

diff --git a/manifests/database.pp b/manifests/database.pp
@@ -64,23 +64,23 @@
 #   the zabbix_server and zabbix_web parameter.
 # @author Werner Dijkerman ikben@werner-dijkerman.nl
 class zabbix::database (
-  $zabbix_type                     = 'server',
-  $zabbix_web                      = $zabbix::params::zabbix_web,
-  $zabbix_web_ip                   = $zabbix::params::zabbix_web_ip,
-  $zabbix_server                   = $zabbix::params::zabbix_server,
-  $zabbix_server_ip                = $zabbix::params::zabbix_server_ip,
-  $zabbix_proxy                    = $zabbix::params::zabbix_proxy,
-  $zabbix_proxy_ip                 = $zabbix::params::zabbix_proxy_ip,
-  $manage_database                 = $zabbix::params::manage_database,
-  Zabbix::Databases $database_type = $zabbix::params::database_type,
-  $database_schema_path            = $zabbix::params::database_schema_path,
-  $database_name                   = $zabbix::params::server_database_name,
-  $database_user                   = $zabbix::params::server_database_user,
-  $database_password               = $zabbix::params::server_database_password,
-  $database_host                   = $zabbix::params::server_database_host,
-  $database_host_ip                = $zabbix::params::server_database_host_ip,
-  $database_charset                = $zabbix::params::server_database_charset,
-  $database_collate                = $zabbix::params::server_database_collate,
+  $zabbix_type                                                          = 'server',
+  $zabbix_web                                                           = $zabbix::params::zabbix_web,
+  $zabbix_web_ip                                                        = $zabbix::params::zabbix_web_ip,
+  $zabbix_server                                                        = $zabbix::params::zabbix_server,
+  $zabbix_server_ip                                                     = $zabbix::params::zabbix_server_ip,
+  $zabbix_proxy                                                         = $zabbix::params::zabbix_proxy,
+  $zabbix_proxy_ip                                                      = $zabbix::params::zabbix_proxy_ip,
+  $manage_database                                                      = $zabbix::params::manage_database,
+  Zabbix::Databases $database_type                                      = $zabbix::params::database_type,
+  $database_schema_path                                                 = $zabbix::params::database_schema_path,
+  $database_name                                                        = $zabbix::params::server_database_name,
+  $database_user                                                        = $zabbix::params::server_database_user,
+  Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = $zabbix::params::server_database_password,
+  $database_host                                                        = $zabbix::params::server_database_host,
+  $database_host_ip                                                     = $zabbix::params::server_database_host_ip,
+  $database_charset                                                     = $zabbix::params::server_database_charset,
+  $database_collate                                                     = $zabbix::params::server_database_collate,
   Optional[String[1]] $database_tablespace = $zabbix::params::server_database_tablespace,
 ) inherits zabbix::params {
   # So lets create the databases and load all files. This can only be

diff --git a/manifests/database/mysql.pp b/manifests/database/mysql.pp
@@ -11,18 +11,24 @@
 # @param database_path Path to the database executable
 # @author Werner Dijkerman <ikben@werner-dijkerman.nl>
 class zabbix::database::mysql (
-  $zabbix_type                                        = '',
-  $zabbix_version                                     = $zabbix::params::zabbix_version,
-  $database_schema_path                               = '',
-  $database_name                                      = '',
-  $database_user                                      = '',
-  $database_password                                  = '',
-  $database_host                                      = '',
-  Optional[Stdlib::Port::Unprivileged] $database_port = undef,
-  $database_path                                      = $zabbix::params::database_path,
+  $zabbix_type                                                          = '',
+  $zabbix_version                                                       = $zabbix::params::zabbix_version,
+  $database_schema_path                                                 = '',
+  $database_name                                                        = '',
+  $database_user                                                        = '',
+  Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = undef,
+  $database_host                                                        = '',
+  Optional[Stdlib::Port::Unprivileged] $database_port                   = undef,
+  $database_path                                                        = $zabbix::params::database_path,
 ) inherits zabbix::params {
   assert_private()
 
+  $database_password_unsensitive = if $database_password =~ Sensitive[String] {
+    $database_password.unwrap
+  } else {
+    $database_password
+  }
+
   if ($database_schema_path == false) or ($database_schema_path == '') {
     if versioncmp($zabbix_version, '6.0') >= 0 {
       $schema_path = '/usr/share/zabbix-sql-scripts/mysql/'
@@ -43,34 +49,37 @@
   case $zabbix_type {
     'proxy': {
       $zabbix_proxy_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? {
-        true  => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done",
-        false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done"
+        true  => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p\"\${database_password}\" ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done",
+        false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p\"\${database_password}\" ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done"
       }
     }
     default: {
       $zabbix_server_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? {
-        true  => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done",
-        false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done"
+        true  => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p\"\${database_password}\" ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done",
+        false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p\"\${database_password}\" ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done"
       }
     }
   }
 
   # Loading the sql files.
+  $_mysql_env = ["database_password=${database_password_unsensitive}"]
   case $zabbix_type {
     'proxy'  : {
       exec { 'zabbix_proxy_create.sql':
-        command  => $zabbix_proxy_create_sql,
-        path     => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
-        unless   => 'test -f /etc/zabbix/.schema.done',
-        provider => 'shell',
+        command     => $zabbix_proxy_create_sql,
+        path        => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
+        unless      => 'test -f /etc/zabbix/.schema.done',
+        provider    => 'shell',
+        environment => $_mysql_env,
       }
     }
     'server' : {
       exec { 'zabbix_server_create.sql':
-        command  => $zabbix_server_create_sql,
-        path     => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
-        unless   => 'test -f /etc/zabbix/.schema.done',
-        provider => 'shell',
+        command     => $zabbix_server_create_sql,
+        path        => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
+        unless      => 'test -f /etc/zabbix/.schema.done',
+        provider    => 'shell',
+        environment => $_mysql_env,
       }
     }
     default  : {

diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp
@@ -11,18 +11,24 @@
 # @param database_path Path to the database executable
 # @author Werner Dijkerman <ikben@werner-dijkerman.nl>
 class zabbix::database::postgresql (
-  $zabbix_type                                        = '',
-  $zabbix_version                                     = $zabbix::params::zabbix_version,
-  $database_schema_path                               = '',
-  $database_name                                      = '',
-  $database_user                                      = '',
-  $database_password                                  = '',
-  $database_host                                      = '',
-  Stdlib::Port::Unprivileged $database_port           = 5432,
-  $database_path                                      = $zabbix::params::database_path,
+  $zabbix_type                                                          = '',
+  $zabbix_version                                                       = $zabbix::params::zabbix_version,
+  $database_schema_path                                                 = '',
+  $database_name                                                        = '',
+  $database_user                                                        = '',
+  Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = undef,
+  $database_host                                                        = '',
+  Stdlib::Port::Unprivileged $database_port                             = 5432,
+  $database_path                                                        = $zabbix::params::database_path,
 ) inherits zabbix::params {
   assert_private()
 
+  $database_password_unsensitive = if $database_password =~ Sensitive[String] {
+    $database_password.unwrap
+  } else {
+    $database_password
+  }
+
   if $database_schema_path != false and $database_schema_path != '' {
     $schema_path = $database_schema_path
   } elsif versioncmp($zabbix_version, '6.0') >= 0 {
@@ -56,7 +62,7 @@
     "PGHOST=${database_host}",
     "PGPORT=${database_port}",
     "PGUSER=${database_user}",
-    "PGPASSWORD=${database_password}",
+    "PGPASSWORD=${database_password_unsensitive}",
     "PGDATABASE=${database_name}",
   ]
 

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -251,7 +251,7 @@
   Optional[Stdlib::Absolutepath] $ldap_clientkey                              = $zabbix::params::ldap_clientkey,
   Optional[Enum['never', 'allow', 'try', 'demand', 'hard']] $ldap_reqcert     = $zabbix::params::ldap_reqcert,
   $zabbix_api_user                                                            = $zabbix::params::server_api_user,
-  $zabbix_api_pass                                                            = $zabbix::params::server_api_pass,
+  Optional[Variant[String[1], Sensitive[String[1]]]] $zabbix_api_pass         = $zabbix::params::server_api_pass,
   Optional[Array[Stdlib::Host,1]] $zabbix_api_access                          = $zabbix::params::server_api_access,
   $listenport                                                                 = $zabbix::params::server_listenport,
   $sourceip                                                                   = $zabbix::params::server_sourceip,
@@ -265,7 +265,7 @@
   $database_schema                                                            = $zabbix::params::server_database_schema,
   Boolean $database_double_ieee754                                            = $zabbix::params::server_database_double_ieee754,
   $database_user                                                              = $zabbix::params::server_database_user,
-  $database_password                                                          = $zabbix::params::server_database_password,
+  Optional[Variant[String[1], Sensitive[String[1]]]] $database_password       = $zabbix::params::server_database_password,
   $database_socket                                                            = $zabbix::params::server_database_socket,
   $database_port                                                              = $zabbix::params::server_database_port,
   $database_charset                                                           = $zabbix::params::server_database_charset,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -182,7 +182,7 @@
   $ldap_clientcert                          = undef
   $ldap_clientkey                           = undef
   $ldap_reqcert                             = undef
-  $server_api_pass                          = 'zabbix'
+  $server_api_pass                          = Sensitive('zabbix')
   $server_api_user                          = 'Admin'
   $server_api_access                        = undef
   $server_database_double_ieee754           = false
@@ -204,7 +204,7 @@
   $server_database_host                     = 'localhost'
   $server_database_host_ip                  = '127.0.0.1'
   $server_database_name                     = 'zabbix_server'
-  $server_database_password                 = 'zabbix_server'
+  $server_database_password                 = Sensitive('zabbix_server')
   $server_database_port                     = undef
   $server_database_schema                   = undef
   $server_database_socket                   = undef
@@ -241,6 +241,7 @@
   $server_snmptrapperfile                   = '/tmp/zabbix_traps.tmp'
   $server_sourceip                          = undef
   $server_sshkeylocation                    = undef
+  $server_sslcalocation                     = undef
   $server_sslcertlocation                   = '/usr/lib/zabbix/ssl/certs'
   $server_sslkeylocation                    = '/usr/lib/zabbix/ssl/keys'
   $server_startdbsyncers                    = '4'
@@ -291,6 +292,7 @@
   $server_vaulturl                          = 'https://127.0.0.1:8200'
   $server_vmwarecachesize                   = '8M'
   $server_vmwarefrequency                   = '60'
+  $server_vmwareperffrequency               = undef
   $server_vmwaretimeout                     = undef
   $server_socketdir                         = undef
   $server_hanodename                        = undef
@@ -374,7 +376,7 @@
   $proxy_proxyconfigfrequency               = undef
   $proxy_database_host                      = 'localhost'
   $proxy_database_name                      = 'zabbix_proxy'
-  $proxy_database_password                  = 'zabbix-proxy'
+  $proxy_database_password                  = Sensitive('zabbix-proxy')
   $proxy_database_port                      = undef
   $proxy_database_schema                    = undef
   $proxy_database_socket                    = undef