diff --git a/REFERENCE.md b/REFERENCE.md
index d076657c..b24b5a38 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -429,7 +429,7 @@ Default value: `'icinga2'`
##### `ssl_key`
-Data type: `Optional[Stdlib::Base64]`
+Data type: `Optional[Icinga::Secret]`
The private key in a base64 encoded string to store in cert directory. This parameter
requires pki to be set to 'none'.
@@ -438,7 +438,7 @@ Default value: `undef`
##### `ssl_cert`
-Data type: `Optional[Stdlib::Base64]`
+Data type: `Optional[String]`
The certificate in a base64 encoded string to store in cert directory This parameter
requires pki to be set to 'none'.
@@ -447,7 +447,7 @@ Default value: `undef`
##### `ssl_cacert`
-Data type: `Optional[Stdlib::Base64]`
+Data type: `Optional[String]`
The CA root certificate in a base64 encoded string to store in cert directory. This parameter
requires pki to be set to 'none'.
@@ -496,7 +496,7 @@ Default value: `undef`
##### `ca_port`
-Data type: `Stdlib::Port::Unprivileged`
+Data type: `Stdlib::Port`
Port of the 'ca_host'.
@@ -514,7 +514,7 @@ Default value: `undef`
##### `ticket_salt`
-Data type: `Variant[String, Sensitive[String]]`
+Data type: `Icinga::Secret`
Salt to use for ticket generation. The salt is stored to api.conf if none or ca is chosen for pki.
Defaults to constant TicketSalt. Keep in mind this parameter is parsed so please use only alpha numric
@@ -524,7 +524,7 @@ Default value: `'TicketSalt'`
##### `ticket_id`
-Data type: `Optional[Variant[String, Sensitive[String]]]`
+Data type: `Optional[Icinga::Secret]`
If a ticket_id is given it will be used instead of generating an ticket_id.
The ticket_id will be used only when requesting a certificate from the ca_host
@@ -590,7 +590,7 @@ Default value: `undef`
##### `bind_port`
-Data type: `Optional[Stdlib::Port::Unprivileged]`
+Data type: `Optional[Stdlib::Port]`
The port the api listener will be bound to.
@@ -800,7 +800,7 @@ Default value: `undef`
##### `port`
-Data type: `Optional[Stdlib::Port::Unprivileged]`
+Data type: `Optional[Stdlib::Port]`
Elasticsearch HTTP port.
@@ -824,7 +824,7 @@ Default value: `undef`
##### `password`
-Data type: `Optional[Variant[String, Sensitive[String]]]`
+Data type: `Optional[Icinga::Secret]`
Elasticsearch user password. The password parameter isn't parsed anymore.
@@ -872,7 +872,7 @@ Default value: `undef`
##### `ssl_key`
-Data type: `Optional[Variant[String, Sensitive[String]]]`
+Data type: `Optional[Icinga::Secret]`
The client private key in PEM format. Only valid if ssl is enabled.
@@ -967,7 +967,7 @@ Default value: `undef`
##### `port`
-Data type: `Optional[Stdlib::Port::Unprivileged]`
+Data type: `Optional[Stdlib::Port]`
GELF receiver port.
@@ -1015,7 +1015,7 @@ Default value: `undef`
##### `ssl_key`
-Data type: `Optional[Variant[String, Sensitive[String]]]`
+Data type: `Optional[Icinga::Secret]`
The client private key in PEM format. Only valid if ssl is enabled.
@@ -1109,7 +1109,7 @@ Default value: `undef`
##### `port`
-Data type: `Optional[Stdlib::Port::Unprivileged]`
+Data type: `Optional[Stdlib::Port]`
Graphite Carbon port.
@@ -1201,7 +1201,7 @@ Default value: `undef`
##### `port`
-Data type: `Optional[Stdlib::Port::Unprivileged]`
+Data type: `Optional[Stdlib::Port]`
IcingaDB Redis port.
@@ -1225,7 +1225,7 @@ Default value: `undef`
##### `password`
-Data type: `Optional[Variant[String, Sensitive[String]]]`
+Data type: `Optional[Icinga::Secret]`
IcingaDB Redis password. The password parameter isn't parsed anymore.
@@ -1233,7 +1233,7 @@ Default value: `undef`
##### `env_id`
-Data type: `Optional[Variant[String, Sensitive[String]]]`
+Data type: `Optional[Icinga::Secret]`
The ID is used in all Icinga DB components to separate data from multiple
different environments and is written to the file `/var/lib/icinga2/icingadb.env`
@@ -1284,7 +1284,7 @@ Default value: `undef`
##### `tls_key`
-Data type: `Optional[Variant[String, Sensitive[String]]]`
+Data type: `Optional[Icinga::Secret]`
The private key in a PEM formated string to store spicified in tls_key_file.
Only valid if tls is enabled.
@@ -1415,7 +1415,7 @@ Default value: `'localhost'`
##### `port`
-Data type: `Optional[Stdlib::Port::Unprivileged]`
+Data type: `Optional[Stdlib::Port]`
MySQL database port.
@@ -1439,10 +1439,12 @@ Default value: `'icinga'`
##### `password`
-Data type: `Variant[String, Sensitive[String]]`
+Data type: `Optional[Icinga::Secret]`
MySQL database user's password. The password parameter isn't parsed anymore.
+Default value: `undef`
+
##### `database`
Data type: `String`
@@ -1485,7 +1487,7 @@ Default value: `undef`
##### `ssl_key`
-Data type: `Optional[Variant[String, Sensitive[String]]]`
+Data type: `Optional[Icinga::Secret]`
The client private key in PEM Format. Only valid if ssl is enabled.
@@ -1659,7 +1661,7 @@ Default value: `'localhost'`
##### `port`
-Data type: `Optional[Stdlib::Port::Unprivileged]`
+Data type: `Optional[Stdlib::Port]`
PostgreSQL database port.
@@ -1675,10 +1677,12 @@ Default value: `'icinga'`
##### `password`
-Data type: `Variant[String, Sensitive[String]]`
+Data type: `Optional[Icinga::Secret]`
PostgreSQL database user's password. The password parameter isn't parsed anymore.
+Default value: `undef`
+
##### `database`
Data type: `String`
@@ -1726,7 +1730,7 @@ Default value: `undef`
##### `ssl_key`
-Data type: `Optional[Variant[String, Sensitive[String]]]`
+Data type: `Optional[Icinga::Secret]`
The client private key in PEM format. Only valid if ssl_mode is set unequal to `disabled`.
@@ -1900,7 +1904,7 @@ Default value: `undef`
##### `password`
-Data type: `Optional[Variant[String, Sensitive[String]]]`
+Data type: `Optional[Icinga::Secret]`
InfluxDB user password. The password parameter isn't parsed anymore.
@@ -1956,7 +1960,7 @@ Default value: `undef`
##### `ssl_key`
-Data type: `Optional[Variant[String, Sensitive[String]]]`
+Data type: `Optional[Icinga::Secret]`
The client private key in PEM format. Only valid if ssl is enabled.
@@ -2133,7 +2137,7 @@ InfluxDB bucket name.
##### `auth_token`
-Data type: `Variant[String, Sensitive[String]]`
+Data type: `Icinga::Secret`
InfluxDB authentication token.
@@ -2179,7 +2183,7 @@ Default value: `undef`
##### `ssl_key`
-Data type: `Optional[Variant[String, Sensitive[String]]]`
+Data type: `Optional[Icinga::Secret]`
The client private key in PEM format. Only valid if ssl is enabled.
@@ -2314,7 +2318,7 @@ Default value: `undef`
##### `bind_port`
-Data type: `Optional[Stdlib::Port::Unprivileged]`
+Data type: `Optional[Stdlib::Port]`
Port to listen for connections. Only valid when socket_type is 'tcp'.
@@ -2430,7 +2434,7 @@ Default value: `undef`
##### `port`
-Data type: `Optional[Stdlib::Port::Unprivileged]`
+Data type: `Optional[Stdlib::Port]`
OpenTSDB port.
@@ -2687,7 +2691,7 @@ Default value: `undef`
##### `ca_key`
-Data type: `Optional[String]`
+Data type: `Optional[Icinga::Secret]`
Content of the CA key. If this is unset, a key will be generated with the Icinga 2 CLI.
@@ -2878,7 +2882,7 @@ Default value: `$title`
##### `password`
-Data type: `Optional[Variant[String, Sensitive[String]]]`
+Data type: `Optional[Icinga::Secret]`
Password string. The password parameter isn't parsed anymore.
@@ -3343,7 +3347,7 @@ Default value: `undef`
##### `port`
-Data type: `Optional[Stdlib::Port::Unprivileged]`
+Data type: `Optional[Stdlib::Port]`
The service name/port of the remote Icinga 2 instance.
diff --git a/manifests/feature/api.pp b/manifests/feature/api.pp
index 32ac30e4..0a193712 100644
--- a/manifests/feature/api.pp
+++ b/manifests/feature/api.pp
@@ -157,20 +157,20 @@
Optional[Boolean] $accept_commands = undef,
Optional[Integer[0]] $max_anonymous_clients = undef,
Optional[Stdlib::Host] $ca_host = undef,
- Stdlib::Port::Unprivileged $ca_port = 5665,
- Variant[String, Sensitive[String]] $ticket_salt = 'TicketSalt',
- Optional[Variant[String, Sensitive[String]]] $ticket_id = undef,
+ Stdlib::Port $ca_port = 5665,
+ Icinga::Secret $ticket_salt = 'TicketSalt',
+ Optional[Icinga::Secret] $ticket_id = undef,
Hash[String, Hash] $endpoints = { 'NodeName' => {} },
Hash[String, Hash] $zones = { 'ZoneName' => { endpoints => ['NodeName'] } },
- Optional[Stdlib::Base64] $ssl_key = undef,
- Optional[Stdlib::Base64] $ssl_cert = undef,
- Optional[Stdlib::Base64] $ssl_cacert = undef,
+ Optional[Icinga::Secret] $ssl_key = undef,
+ Optional[String] $ssl_cert = undef,
+ Optional[String] $ssl_cacert = undef,
Optional[Enum['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']] $ssl_protocolmin = undef,
Optional[Icinga2::Interval] $ssl_handshake_timeout = undef,
Optional[Icinga2::Interval] $connect_timeout = undef,
Optional[String] $ssl_cipher_list = undef,
Optional[Stdlib::Host] $bind_host = undef,
- Optional[Stdlib::Port::Unprivileged] $bind_port = undef,
+ Optional[Stdlib::Port] $bind_port = undef,
Optional[Array[Enum['GET', 'POST', 'PUT', 'DELETE']]] $access_control_allow_methods = undef,
Optional[Array[String]] $access_control_allow_origin = undef,
Optional[Boolean] $access_control_allow_credentials = undef,
diff --git a/manifests/feature/elasticsearch.pp b/manifests/feature/elasticsearch.pp
index 513cf1cc..8b40e241 100644
--- a/manifests/feature/elasticsearch.pp
+++ b/manifests/feature/elasticsearch.pp
@@ -62,24 +62,24 @@
# Enable the high availability functionality. Only valid in a cluster setup.
#
class icinga2::feature::elasticsearch (
- Enum['absent', 'present'] $ensure = present,
- Optional[Stdlib::Host] $host = undef,
- Optional[Stdlib::Port::Unprivileged] $port = undef,
- Optional[String] $index = undef,
- Optional[String] $username = undef,
- Optional[Variant[String, Sensitive[String]]] $password = undef,
- Optional[Boolean] $enable_ssl = undef,
- Optional[Boolean] $ssl_noverify = undef,
- Optional[Stdlib::Absolutepath] $ssl_key_path = undef,
- Optional[Stdlib::Absolutepath] $ssl_cert_path = undef,
- Optional[Stdlib::Absolutepath] $ssl_cacert_path = undef,
- Optional[Variant[String, Sensitive[String]]] $ssl_key = undef,
- Optional[String] $ssl_cert = undef,
- Optional[String] $ssl_cacert = undef,
- Optional[Boolean] $enable_send_perfdata = undef,
- Optional[Icinga2::Interval] $flush_interval = undef,
- Optional[Integer] $flush_threshold = undef,
- Optional[Boolean] $enable_ha = undef,
+ Enum['absent', 'present'] $ensure = present,
+ Optional[Stdlib::Host] $host = undef,
+ Optional[Stdlib::Port] $port = undef,
+ Optional[String] $index = undef,
+ Optional[String] $username = undef,
+ Optional[Icinga::Secret] $password = undef,
+ Optional[Boolean] $enable_ssl = undef,
+ Optional[Boolean] $ssl_noverify = undef,
+ Optional[Stdlib::Absolutepath] $ssl_key_path = undef,
+ Optional[Stdlib::Absolutepath] $ssl_cert_path = undef,
+ Optional[Stdlib::Absolutepath] $ssl_cacert_path = undef,
+ Optional[Icinga::Secret] $ssl_key = undef,
+ Optional[String] $ssl_cert = undef,
+ Optional[String] $ssl_cacert = undef,
+ Optional[Boolean] $enable_send_perfdata = undef,
+ Optional[Icinga2::Interval] $flush_interval = undef,
+ Optional[Integer] $flush_threshold = undef,
+ Optional[Boolean] $enable_ha = undef,
) {
if ! defined(Class['icinga2']) {
fail('You must include the icinga2 base class before using any icinga2 feature class!')
diff --git a/manifests/feature/gelf.pp b/manifests/feature/gelf.pp
index e9f3116c..996a50e6 100644
--- a/manifests/feature/gelf.pp
+++ b/manifests/feature/gelf.pp
@@ -44,20 +44,20 @@
# Enable the high availability functionality. Only valid in a cluster setup.
#
class icinga2::feature::gelf (
- Enum['absent', 'present'] $ensure = present,
- Optional[Stdlib::Host] $host = undef,
- Optional[Stdlib::Port::Unprivileged] $port = undef,
- Optional[String] $source = undef,
- Boolean $enable_ssl = false,
- Optional[Stdlib::Absolutepath] $ssl_key_path = undef,
- Optional[Stdlib::Absolutepath] $ssl_cert_path = undef,
- Optional[Stdlib::Absolutepath] $ssl_cacert_path = undef,
- Optional[Variant[String, Sensitive[String]]] $ssl_key = undef,
- Optional[String] $ssl_cert = undef,
- Optional[String] $ssl_cacert = undef,
- Optional[Boolean] $ssl_noverify = undef,
- Optional[Boolean] $enable_send_perfdata = undef,
- Optional[Boolean] $enable_ha = undef,
+ Enum['absent', 'present'] $ensure = present,
+ Optional[Stdlib::Host] $host = undef,
+ Optional[Stdlib::Port] $port = undef,
+ Optional[String] $source = undef,
+ Boolean $enable_ssl = false,
+ Optional[Stdlib::Absolutepath] $ssl_key_path = undef,
+ Optional[Stdlib::Absolutepath] $ssl_cert_path = undef,
+ Optional[Stdlib::Absolutepath] $ssl_cacert_path = undef,
+ Optional[Icinga::Secret] $ssl_key = undef,
+ Optional[String] $ssl_cert = undef,
+ Optional[String] $ssl_cacert = undef,
+ Optional[Boolean] $ssl_noverify = undef,
+ Optional[Boolean] $enable_send_perfdata = undef,
+ Optional[Boolean] $enable_ha = undef,
) {
if ! defined(Class['icinga2']) {
fail('You must include the icinga2 base class before using any icinga2 feature class!')
diff --git a/manifests/feature/graphite.pp b/manifests/feature/graphite.pp
index 67f7e999..34709c6b 100644
--- a/manifests/feature/graphite.pp
+++ b/manifests/feature/graphite.pp
@@ -32,14 +32,14 @@
# Enable the high availability functionality. Only valid in a cluster setup.
#
class icinga2::feature::graphite (
- Enum['absent', 'present'] $ensure = present,
- Optional[Stdlib::Host] $host = undef,
- Optional[Stdlib::Port::Unprivileged] $port = undef,
- Optional[String] $host_name_template = undef,
- Optional[String] $service_name_template = undef,
- Optional[Boolean] $enable_send_thresholds = undef,
- Optional[Boolean] $enable_send_metadata = undef,
- Optional[Boolean] $enable_ha = undef,
+ Enum['absent', 'present'] $ensure = present,
+ Optional[Stdlib::Host] $host = undef,
+ Optional[Stdlib::Port] $port = undef,
+ Optional[String] $host_name_template = undef,
+ Optional[String] $service_name_template = undef,
+ Optional[Boolean] $enable_send_thresholds = undef,
+ Optional[Boolean] $enable_send_metadata = undef,
+ Optional[Boolean] $enable_ha = undef,
) {
if ! defined(Class['icinga2']) {
fail('You must include the icinga2 base class before using any icinga2 feature class!')
diff --git a/manifests/feature/icingadb.pp b/manifests/feature/icingadb.pp
index 8cd1fab1..ed4c3cdd 100644
--- a/manifests/feature/icingadb.pp
+++ b/manifests/feature/icingadb.pp
@@ -65,25 +65,25 @@
# Whether not to verify the peer.
#
class icinga2::feature::icingadb (
- Enum['absent', 'present'] $ensure = present,
- Optional[Stdlib::Host] $host = undef,
- Optional[Stdlib::Port::Unprivileged] $port = undef,
- Optional[Stdlib::Absolutepath] $socket_path = undef,
- Optional[Icinga2::Interval] $connect_timeout = undef,
- Optional[Variant[String, Sensitive[String]]] $password = undef,
- Optional[Variant[String, Sensitive[String]]] $env_id = undef,
- Boolean $enable_tls = false,
- Optional[Stdlib::Absolutepath] $tls_key_file = undef,
- Optional[Stdlib::Absolutepath] $tls_cert_file = undef,
- Optional[Stdlib::Absolutepath] $tls_cacert_file = undef,
- Optional[Stdlib::Absolutepath] $tls_crl_file = undef,
- Optional[Variant[String, Sensitive[String]]] $tls_key = undef,
- Optional[String] $tls_cert = undef,
- Optional[String] $tls_cacert = undef,
- Optional[String] $tls_capath = undef,
- Optional[String] $tls_cipher = undef,
- Optional[String] $tls_protocolmin = undef,
- Optional[Boolean] $tls_noverify = undef,
+ Enum['absent', 'present'] $ensure = present,
+ Optional[Stdlib::Host] $host = undef,
+ Optional[Stdlib::Port] $port = undef,
+ Optional[Stdlib::Absolutepath] $socket_path = undef,
+ Optional[Icinga2::Interval] $connect_timeout = undef,
+ Optional[Icinga::Secret] $password = undef,
+ Optional[Icinga::Secret] $env_id = undef,
+ Boolean $enable_tls = false,
+ Optional[Stdlib::Absolutepath] $tls_key_file = undef,
+ Optional[Stdlib::Absolutepath] $tls_cert_file = undef,
+ Optional[Stdlib::Absolutepath] $tls_cacert_file = undef,
+ Optional[Stdlib::Absolutepath] $tls_crl_file = undef,
+ Optional[Icinga::Secret] $tls_key = undef,
+ Optional[String] $tls_cert = undef,
+ Optional[String] $tls_cacert = undef,
+ Optional[String] $tls_capath = undef,
+ Optional[String] $tls_cipher = undef,
+ Optional[String] $tls_protocolmin = undef,
+ Optional[Boolean] $tls_noverify = undef,
) {
if ! defined(Class['icinga2']) {
fail('You must include the icinga2 base class before using any icinga2 feature class!')
diff --git a/manifests/feature/idomysql.pp b/manifests/feature/idomysql.pp
index bb5ace94..2d281502 100644
--- a/manifests/feature/idomysql.pp
+++ b/manifests/feature/idomysql.pp
@@ -94,18 +94,18 @@
# whereas with mysql its different options.
#
class icinga2::feature::idomysql (
- Variant[String, Sensitive[String]] $password,
Enum['absent', 'present'] $ensure = present,
Stdlib::Host $host = 'localhost',
- Optional[Stdlib::Port::Unprivileged] $port = undef,
+ Optional[Stdlib::Port] $port = undef,
Optional[Stdlib::Absolutepath] $socket_path = undef,
String $user = 'icinga',
String $database = 'icinga',
+ Optional[Icinga::Secret] $password = undef,
Boolean $enable_ssl = false,
Optional[Stdlib::Absolutepath] $ssl_key_path = undef,
Optional[Stdlib::Absolutepath] $ssl_cert_path = undef,
Optional[Stdlib::Absolutepath] $ssl_cacert_path = undef,
- Optional[Variant[String, Sensitive[String]]] $ssl_key = undef,
+ Optional[Icinga::Secret] $ssl_key = undef,
Optional[String] $ssl_cert = undef,
Optional[String] $ssl_cacert = undef,
Optional[Stdlib::Absolutepath] $ssl_capath = undef,
diff --git a/manifests/feature/idopgsql.pp b/manifests/feature/idopgsql.pp
index 2a4ae992..1297610c 100644
--- a/manifests/feature/idopgsql.pp
+++ b/manifests/feature/idopgsql.pp
@@ -82,28 +82,28 @@
# Whether to import the PostgreSQL schema or not.
#
class icinga2::feature::idopgsql (
- Variant[String, Sensitive[String]] $password,
- Enum['absent', 'present'] $ensure = present,
- Stdlib::Host $host = 'localhost',
- Optional[Stdlib::Port::Unprivileged] $port = undef,
- String $user = 'icinga',
- String $database = 'icinga',
+ Enum['absent', 'present'] $ensure = present,
+ Stdlib::Host $host = 'localhost',
+ Optional[Stdlib::Port] $port = undef,
+ String $user = 'icinga',
+ String $database = 'icinga',
+ Optional[Icinga::Secret] $password = undef,
Optional[Enum['disable', 'allow', 'prefer',
- 'verify-full', 'verify-ca', 'require']] $ssl_mode = undef,
- Optional[Stdlib::Absolutepath] $ssl_key_path = undef,
- Optional[Stdlib::Absolutepath] $ssl_cert_path = undef,
- Optional[Stdlib::Absolutepath] $ssl_cacert_path = undef,
- Optional[Variant[String, Sensitive[String]]] $ssl_key = undef,
- Optional[String] $ssl_cert = undef,
- Optional[String] $ssl_cacert = undef,
- Optional[String] $table_prefix = undef,
- Optional[String] $instance_name = undef,
- Optional[String] $instance_description = undef,
- Optional[Boolean] $enable_ha = undef,
- Optional[Icinga2::Interval] $failover_timeout = undef,
- Optional[Icinga2::IdoCleanup] $cleanup = undef,
- Optional[Array] $categories = undef,
- Boolean $import_schema = false,
+ 'verify-full', 'verify-ca', 'require']] $ssl_mode = undef,
+ Optional[Stdlib::Absolutepath] $ssl_key_path = undef,
+ Optional[Stdlib::Absolutepath] $ssl_cert_path = undef,
+ Optional[Stdlib::Absolutepath] $ssl_cacert_path = undef,
+ Optional[Icinga::Secret] $ssl_key = undef,
+ Optional[String] $ssl_cert = undef,
+ Optional[String] $ssl_cacert = undef,
+ Optional[String] $table_prefix = undef,
+ Optional[String] $instance_name = undef,
+ Optional[String] $instance_description = undef,
+ Optional[Boolean] $enable_ha = undef,
+ Optional[Icinga2::Interval] $failover_timeout = undef,
+ Optional[Icinga2::IdoCleanup] $cleanup = undef,
+ Optional[Array] $categories = undef,
+ Boolean $import_schema = false,
) {
if ! defined(Class['icinga2']) {
fail('You must include the icinga2 base class before using any icinga2 feature class!')
diff --git a/manifests/feature/influxdb.pp b/manifests/feature/influxdb.pp
index 1e56e7ab..57cf5468 100644
--- a/manifests/feature/influxdb.pp
+++ b/manifests/feature/influxdb.pp
@@ -87,14 +87,14 @@
Optional[Stdlib::Port] $port = undef,
Optional[String] $database = undef,
Optional[String] $username = undef,
- Optional[Variant[String, Sensitive[String]]] $password = undef,
+ Optional[Icinga::Secret] $password = undef,
Optional[Icinga2::BasicAuth] $basic_auth = undef,
Optional[Boolean] $enable_ssl = undef,
Optional[Boolean] $ssl_noverify = undef,
Optional[Stdlib::Absolutepath] $ssl_key_path = undef,
Optional[Stdlib::Absolutepath] $ssl_cert_path = undef,
Optional[Stdlib::Absolutepath] $ssl_cacert_path = undef,
- Optional[Variant[String, Sensitive[String]]] $ssl_key = undef,
+ Optional[Icinga::Secret] $ssl_key = undef,
Optional[String] $ssl_cert = undef,
Optional[String] $ssl_cacert = undef,
String $host_measurement = '$host.check_command$',
diff --git a/manifests/feature/influxdb2.pp b/manifests/feature/influxdb2.pp
index f0fea9c7..1482a585 100644
--- a/manifests/feature/influxdb2.pp
+++ b/manifests/feature/influxdb2.pp
@@ -79,29 +79,29 @@
# Enable the high availability functionality. Only valid in a cluster setup.
#
class icinga2::feature::influxdb2 (
- String $organization,
- String $bucket,
- Variant[String, Sensitive[String]] $auth_token,
- Enum['absent', 'present'] $ensure = present,
- Optional[Stdlib::Host] $host = undef,
- Optional[Stdlib::Port] $port = undef,
- Optional[Boolean] $enable_ssl = undef,
- Optional[Boolean] $ssl_noverify = undef,
- Optional[Stdlib::Absolutepath] $ssl_key_path = undef,
- Optional[Stdlib::Absolutepath] $ssl_cert_path = undef,
- Optional[Stdlib::Absolutepath] $ssl_cacert_path = undef,
- Optional[Variant[String, Sensitive[String]]] $ssl_key = undef,
- Optional[String] $ssl_cert = undef,
- Optional[String] $ssl_cacert = undef,
- String $host_measurement = '$host.check_command$',
- Hash $host_tags = { hostname => '$host.name$' },
- String $service_measurement = '$service.check_command$',
- Hash $service_tags = { hostname => '$host.name$', service => '$service.name$' },
- Optional[Boolean] $enable_send_thresholds = undef,
- Optional[Boolean] $enable_send_metadata = undef,
- Optional[Icinga2::Interval] $flush_interval = undef,
- Optional[Integer[1]] $flush_threshold = undef,
- Optional[Boolean] $enable_ha = undef,
+ String $organization,
+ String $bucket,
+ Icinga::Secret $auth_token,
+ Enum['absent', 'present'] $ensure = present,
+ Optional[Stdlib::Host] $host = undef,
+ Optional[Stdlib::Port] $port = undef,
+ Optional[Boolean] $enable_ssl = undef,
+ Optional[Boolean] $ssl_noverify = undef,
+ Optional[Stdlib::Absolutepath] $ssl_key_path = undef,
+ Optional[Stdlib::Absolutepath] $ssl_cert_path = undef,
+ Optional[Stdlib::Absolutepath] $ssl_cacert_path = undef,
+ Optional[Icinga::Secret] $ssl_key = undef,
+ Optional[String] $ssl_cert = undef,
+ Optional[String] $ssl_cacert = undef,
+ String $host_measurement = '$host.check_command$',
+ Hash $host_tags = { hostname => '$host.name$' },
+ String $service_measurement = '$service.check_command$',
+ Hash $service_tags = { hostname => '$host.name$', service => '$service.name$' },
+ Optional[Boolean] $enable_send_thresholds = undef,
+ Optional[Boolean] $enable_send_metadata = undef,
+ Optional[Icinga2::Interval] $flush_interval = undef,
+ Optional[Integer[1]] $flush_threshold = undef,
+ Optional[Boolean] $enable_ha = undef,
) {
if ! defined(Class['icinga2']) {
fail('You must include the icinga2 base class before using any icinga2 feature class!')
diff --git a/manifests/feature/livestatus.pp b/manifests/feature/livestatus.pp
index 7cd90045..d1960bf5 100644
--- a/manifests/feature/livestatus.pp
+++ b/manifests/feature/livestatus.pp
@@ -20,12 +20,12 @@
# Required for historical table queries. Requires CompatLogger feature to be enabled.
#
class icinga2::feature::livestatus (
- Enum['absent', 'present'] $ensure = present,
- Optional[Enum['tcp', 'unix']] $socket_type = undef,
- Optional[Stdlib::Host] $bind_host = undef,
- Optional[Stdlib::Port::Unprivileged] $bind_port = undef,
- Optional[Stdlib::Absolutepath] $socket_path = undef,
- Optional[Stdlib::Absolutepath] $compat_log_path = undef,
+ Enum['absent', 'present'] $ensure = present,
+ Optional[Enum['tcp', 'unix']] $socket_type = undef,
+ Optional[Stdlib::Host] $bind_host = undef,
+ Optional[Stdlib::Port] $bind_port = undef,
+ Optional[Stdlib::Absolutepath] $socket_path = undef,
+ Optional[Stdlib::Absolutepath] $compat_log_path = undef,
) {
if ! defined(Class['icinga2']) {
fail('You must include the icinga2 base class before using any icinga2 feature class!')
diff --git a/manifests/feature/opentsdb.pp b/manifests/feature/opentsdb.pp
index d70d13d7..932f3e67 100644
--- a/manifests/feature/opentsdb.pp
+++ b/manifests/feature/opentsdb.pp
@@ -14,10 +14,10 @@
# Enable the high availability functionality. Only valid in a cluster setup.
#
class icinga2::feature::opentsdb (
- Enum['absent', 'present'] $ensure = present,
- Optional[Stdlib::Host] $host = undef,
- Optional[Stdlib::Port::Unprivileged] $port = undef,
- Optional[Boolean] $enable_ha = undef,
+ Enum['absent', 'present'] $ensure = present,
+ Optional[Stdlib::Host] $host = undef,
+ Optional[Stdlib::Port] $port = undef,
+ Optional[Boolean] $enable_ha = undef,
) {
if ! defined(Class['icinga2']) {
fail('You must include the icinga2 base class before using any icinga2 feature class!')
diff --git a/manifests/object/apiuser.pp b/manifests/object/apiuser.pp
index 2c9a3c5a..ebb7fcfc 100644
--- a/manifests/object/apiuser.pp
+++ b/manifests/object/apiuser.pp
@@ -61,14 +61,14 @@
# Export object to destination, collected by class `icinga2::query_objects`.
#
define icinga2::object::apiuser (
- Stdlib::Absolutepath $target,
- Enum['absent', 'present'] $ensure = present,
- String $apiuser_name = $title,
- Optional[Array] $permissions = undef,
- Optional[Variant[String, Sensitive[String]]] $password = undef,
- Optional[String] $client_cn = undef,
- Variant[String, Integer] $order = 30,
- Variant[Array[String], String] $export = [],
+ Stdlib::Absolutepath $target,
+ Enum['absent', 'present'] $ensure = present,
+ String $apiuser_name = $title,
+ Optional[Array] $permissions = undef,
+ Optional[Icinga::Secret] $password = undef,
+ Optional[String] $client_cn = undef,
+ Variant[String, Integer] $order = 30,
+ Variant[Array[String], String] $export = [],
) {
$_password = if $password =~ String {
Sensitive($password)
diff --git a/manifests/object/endpoint.pp b/manifests/object/endpoint.pp
index 8b4b4d91..4c7fed75 100644
--- a/manifests/object/endpoint.pp
+++ b/manifests/object/endpoint.pp
@@ -33,7 +33,7 @@
Enum['absent', 'present'] $ensure = present,
String $endpoint_name = $title,
Optional[Stdlib::Host] $host = undef,
- Optional[Stdlib::Port::Unprivileged] $port = undef,
+ Optional[Stdlib::Port] $port = undef,
Optional[Icinga2::Interval] $log_duration = undef,
Optional[Stdlib::Absolutepath] $target = undef,
Variant[String, Integer] $order = 40,
diff --git a/manifests/pki/ca.pp b/manifests/pki/ca.pp
index ba1846dd..fc89412d 100644
--- a/manifests/pki/ca.pp
+++ b/manifests/pki/ca.pp
@@ -21,8 +21,8 @@
# Content of the CA key. If this is unset, a key will be generated with the Icinga 2 CLI.
#
class icinga2::pki::ca (
- Optional[String] $ca_cert = undef,
- Optional[String] $ca_key = undef,
+ Optional[String] $ca_cert = undef,
+ Optional[Icinga::Secret] $ca_key = undef,
) {
require icinga2::config