Replace pkcs7.rb by our own patched backend

common/configuration/puppet.yaml

@@ -62,6 +62,7 @@ runcmd:
   - systemctl enable puppetserver
 # Install gem dependencies
   - "/opt/puppetlabs/puppet/bin/gem install autosign:1.0.1 faraday:2.8.1 faraday-net_http:3.0.2 puppet_forge:4.1.0 r10k:4.0.1"
+  - curl -L -o /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/hiera-eyaml-3.4.0/lib/hiera/backend/eyaml/encryptors/pkcs7.rb https://raw.githubusercontent.com/MagicCastle/hiera-eyaml/6e40e4618579b4804c4b6157279d057365bbd561/lib/hiera/backend/eyaml/encryptors/pkcs7.rb
 # Enable autosign with password
   - chgrp puppet /etc/autosign.conf
   - chown puppet:puppet /var/log/autosign.log

common/provision/main.tf

@@ -69,8 +69,6 @@ resource "terraform_data" "deploy_puppetserver_files" {
       "sudo chown -R root:52 ${local.provision_folder}",
       "sudo mkdir -p -m 755 /etc/puppetlabs/",
       "sudo rsync -avh --no-t ${local.provision_folder}/ /etc/puppetlabs/",
-      # hiera-eyaml 3.4.0 requires a public key in the form of a X509 certificate to decrypt
-      "sudo test -f ${local.provision_folder}/puppet/eyaml/private_key.pkcs7.pem && sudo openssl req -new -key /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem -set_serial 1 -batch -out /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem",
       "sudo rm -rf ${local.provision_folder}/ ${local.provision_folder}.zip",
       "[ -f /usr/local/bin/consul ] && [ -f /usr/bin/jq ] && consul event -token=$(sudo jq -r .acl.tokens.agent /etc/consul/config.json) -name=puppet $(date +%s) || true",
     ]

docs/README.md

@@ -803,7 +803,7 @@ per-value encryption of sensitive properties to be used by Puppet.
 The private key and its corresponding public key wrapped in a X509 certificate can be generated with `openssl`:
 
 ```shell
-openssl req -x509 -nodes -set_serial 1 -newkey rsa:2048 -keyout private_key.pkcs7.pem -out public_key.pkcs7.pem -batch
+openssl req -x509 -nodes -newkey rsa:2048 -keyout private_key.pkcs7.pem -out public_key.pkcs7.pem -batch
 ```
 
 or with `eyaml`: