voxpupuli / puppet-vault_lookup

Apache License 2.0

Issue gathering multiple fields from a secret in vault #109

Open imrein opened 1 month ago

imrein commented 1 month ago

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g. Puppet code you use)

class profile_test::test (
  Sensitive  $test1 = Deferred('vault_lookup::lookup', ['secret/data/app', { field => 'test1' }]),
  Sensitive  $test2 = Deferred('vault_lookup::lookup', ['secret/data/app', { field => 'test2' }]),
  Sensitive  $test3 = Deferred('vault_lookup::lookup', ['secret/data/app', { field => 'test3' }]),
) {
  notify { 'test1' :
    message => $test1,
  }

  notify { 'test2' :
    message => $test2,
  }

  notify { 'test3' :
    message => $test3,
  }
}

What are you seeing

My first parameter is gathered correctly but the other 2 are not.

What behaviour did you expect instead

I expect to get my parameters as the Sensitive type. I suspect it's something to do with the caching of the connection? By reading the documentation page, my understanding is that there will be a new connection request when the field is changed.

Output log

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, Class[Profile_test::test]:
  parameter 'test2' expects a Sensitive value, got String
  parameter 'test3' expects a Sensitive value, got String (file: /etc/puppetlabs/code/environments/production/modules/profile_test/manifests/init.pp, line: 7, column: 3) on node xxx

Any additional information you'd like to impart

It would be more interesting if I can just gather the full hash of the secret and just get the value of the needed key.

imrein commented 1 month ago

Never mind... The 2 params were defined in hieradata by accident. It's working now by removing them. I would still like to know why I can't just get the full secret hash and just grab the desired field inside.