bolt 1.27.1 → 1.28.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 479e933992d2ff527a0c863ed9b4e2d6f94f5726e1c1ef910e3de3e4a92f97d3
-  data.tar.gz: 19c0c435262e63acb8d94a4adc59bb1613fe126f2e276c66cca392a6074358c0
+  metadata.gz: a2d33a034fb69edd25b761aec5e21075aa9ad9f0ccce67122994a2e24dda01f4
+  data.tar.gz: '0348c1d2ed663a0c3556795017c219a88c4e432788fe10e8d75bb1f03f0eed89'
 SHA512:
-  metadata.gz: a44e8201beb5d720068b0217191495141a34e302748358117d308fd8e6bd4906a05f53e653982a08686d1c2b78c673caec5ddecd9cc5d9b60447a594b299dbc2
-  data.tar.gz: 42f6ceb89094cf0aac648133b37d477adc8bfdff54c5941a6c8228793d980e4106959e1179f548f3aea296fbc35f27307fdeb874736b5cf3c76fc3ce23b818ae
+  metadata.gz: b842c4a35c334729e47f361ea5be9a0467934d1afc718cec50d117f6573f1a2024eac84e4049730c02bd6cc97158dadc7c4ce1d6adff207efbdc103ffc4f0560
+  data.tar.gz: 470115a05e6edd058de12934e48e77441105cd83baeadca192d7bf7591b2e5f2bef998164614bee9cbebe0b511fe7507a8dcd61b0fbb19810e75e59bb55c7900

data/bolt-modules/boltlib/lib/puppet/functions/get_targets.rb

@@ -3,6 +3,10 @@
 require 'bolt/error'
 
 # Parses common ways of referring to targets and returns an array of Targets.
+#
+# **NOTE:** Calling `get_targets` inside an `apply` block with a
+# version 2 inventory creates a new Target object.
+# `get_targets('all')` returns an empty array.
 Puppet::Functions.create_function(:get_targets) do
   # @param names A pattern or array of patterns identifying a set of targets.
   # @return A list of unique Targets resolved from any target URIs and groups.

data/lib/bolt/analytics.rb

@@ -29,7 +29,7 @@ module Bolt
     def self.build_client
       logger = Logging.logger[self]
       config_file = File.expand_path('~/.puppetlabs/bolt/analytics.yaml')
-      config = load_config(config_file)
+      config = load_config(config_file, logger)
 
       if config['disabled'] || ENV['BOLT_DISABLE_ANALYTICS']
         logger.debug "Analytics opt-out is set, analytics will be disabled"
@@ -47,10 +47,22 @@ module Bolt
       NoopClient.new
     end
 
-    def self.load_config(filename)
+    def self.load_config(filename, logger)
       if File.exist?(filename)
         YAML.load_file(filename)
       else
+        unless ENV['BOLT_DISABLE_ANALYTICS']
+          logger.warn <<~ANALYTICS
+            Bolt collects data about how you use it. You can opt out of providing this data.
+
+            To disable analytics data collection, add this line to ~/.puppetlabs/bolt/analytics.yaml :
+              disabled: true
+
+            Read more about what data Bolt collects and why here:
+              https://puppet.com/docs/bolt/latest/bolt_installing.html#concept-8242
+            ANALYTICS
+        end
+
         {}
       end
     end

data/lib/bolt/bolt_option_parser.rb

@@ -83,181 +83,181 @@ module Bolt
     end
 
     def self.examples(cmd, desc)
-      <<-EXAMP
-#{desc} a Windows host via WinRM, providing for the password
-  bolt #{cmd} -n winrm://winhost -u Administrator -p
-#{desc} the local machine, a Linux host via SSH, and hosts from a group specified in an inventory file
-  bolt #{cmd} -n localhost,nixhost,node_group
-#{desc} Windows hosts queried from PuppetDB via WinRM as a domain user, prompting for the password
-  bolt #{cmd} -q 'inventory[certname] { facts.os.family = "windows" }' --transport winrm -u 'domain\\Administrator' -p
-EXAMP
+      <<~EXAMP
+      #{desc} a Windows host via WinRM, providing for the password
+        bolt #{cmd} -n winrm://winhost -u Administrator -p
+      #{desc} the local machine, a Linux host via SSH, and hosts from a group specified in an inventory file
+        bolt #{cmd} -n localhost,nixhost,node_group
+      #{desc} Windows hosts queried from PuppetDB via WinRM as a domain user, prompting for the password
+        bolt #{cmd} -q 'inventory[certname] { facts.os.family = "windows" }' --transport winrm -u 'domain\\Administrator' -p
+      EXAMP
     end
 
-    BANNER = <<-HELP
-Usage: bolt <subcommand> <action>
-
-Available subcommands:
-  bolt command run <command>       Run a command remotely
-  bolt file upload <src> <dest>    Upload a local file or directory
-  bolt script run <script>         Upload a local script and run it remotely
-  bolt task show                   Show list of available tasks
-  bolt task show <task>            Show documentation for task
-  bolt task run <task> [params]    Run a Puppet task
-  bolt plan convert <plan_path>    Convert a YAML plan to a Puppet plan
-  bolt plan show                   Show list of available plans
-  bolt plan show <plan>            Show details for plan
-  bolt plan run <plan> [params]    Run a Puppet task plan
-  bolt apply <manifest>            Apply Puppet manifest code
-  bolt puppetfile install          Install modules from a Puppetfile into a Boltdir
-  bolt puppetfile show-modules     List modules available to Bolt
-  bolt secret createkeys           Create new encryption keys
-  bolt secret encrypt <plaintext>  Encrypt a value
-  bolt secret decrypt <encrypted>  Decrypt a value
-  bolt inventory show              Show the list of targets an action would run on
-
-Run `bolt <subcommand> --help` to view specific examples.
-
-Available options are:
+    BANNER = <<~HELP
+      Usage: bolt <subcommand> <action>
+
+      Available subcommands:
+        bolt command run <command>       Run a command remotely
+        bolt file upload <src> <dest>    Upload a local file or directory
+        bolt script run <script>         Upload a local script and run it remotely
+        bolt task show                   Show list of available tasks
+        bolt task show <task>            Show documentation for task
+        bolt task run <task> [params]    Run a Puppet task
+        bolt plan convert <plan_path>    Convert a YAML plan to a Puppet plan
+        bolt plan show                   Show list of available plans
+        bolt plan show <plan>            Show details for plan
+        bolt plan run <plan> [params]    Run a Puppet task plan
+        bolt apply <manifest>            Apply Puppet manifest code
+        bolt puppetfile install          Install modules from a Puppetfile into a Boltdir
+        bolt puppetfile show-modules     List modules available to Bolt
+        bolt secret createkeys           Create new encryption keys
+        bolt secret encrypt <plaintext>  Encrypt a value
+        bolt secret decrypt <encrypted>  Decrypt a value
+        bolt inventory show              Show the list of targets an action would run on
+
+      Run `bolt <subcommand> --help` to view specific examples.
+
+      Available options are:
     HELP
 
-    TASK_HELP = <<-HELP
-Usage: bolt task <action> <task> [parameters]
+    TASK_HELP = <<~HELP
+      Usage: bolt task <action> <task> [parameters]
 
-Available actions are:
-  show                             Show list of available tasks
-  show <task>                      Show documentation for task
-  run <task>                       Run a Puppet task
+      Available actions are:
+        show                             Show list of available tasks
+        show <task>                      Show documentation for task
+        run <task>                       Run a Puppet task
 
-Parameters are of the form <parameter>=<value>.
+      Parameters are of the form <parameter>=<value>.
 
-#{examples('task run facts', 'run facter on')}
-Available options are:
+      #{examples('task run facts', 'run facter on')}
+      Available options are:
     HELP
 
-    TASK_SHOW_HELP = <<-HELP
-Usage: bolt task show <task>
+    TASK_SHOW_HELP = <<~HELP
+      Usage: bolt task show <task>
 
-Available actions are:
-  show                             Show list of available tasks
-  show <task>                      Show documentation for task
+      Available actions are:
+        show                             Show list of available tasks
+        show <task>                      Show documentation for task
 
-Available options are:
+      Available options are:
     HELP
 
-    TASK_RUN_HELP = <<-HELP
-Usage: bolt task run <task> [parameters]
+    TASK_RUN_HELP = <<~HELP
+      Usage: bolt task run <task> [parameters]
 
-Parameters are of the form <parameter>=<value>.
+      Parameters are of the form <parameter>=<value>.
 
-#{examples('task run facts', 'run facter on')}
-Available options are:
+      #{examples('task run facts', 'run facter on')}
+      Available options are:
     HELP
 
-    COMMAND_HELP = <<-HELP
-Usage: bolt command <action> <command>
+    COMMAND_HELP = <<~HELP
+      Usage: bolt command <action> <command>
 
-Available actions are:
-  run                              Run a command remotely
+      Available actions are:
+        run                              Run a command remotely
 
-#{examples('command run hostname', 'run hostname on')}
-Available options are:
+      #{examples('command run hostname', 'run hostname on')}
+      Available options are:
     HELP
 
-    SCRIPT_HELP = <<-HELP
-Usage: bolt script <action> <script> [[arg1] ... [argN]]
+    SCRIPT_HELP = <<~HELP
+      Usage: bolt script <action> <script> [[arg1] ... [argN]]
 
-Available actions are:
-  run                              Upload a local script and run it remotely
+      Available actions are:
+        run                              Upload a local script and run it remotely
 
-#{examples('script run my_script.ps1 some args', 'run a script on')}
-Available options are:
+      #{examples('script run my_script.ps1 some args', 'run a script on')}
+      Available options are:
     HELP
 
-    PLAN_HELP = <<-HELP
-Usage: bolt plan <action> <plan> [parameters]
+    PLAN_HELP = <<~HELP
+      Usage: bolt plan <action> <plan> [parameters]
 
-Available actions are:
-  convert <plan_path>              Convert a YAML plan to a Puppet plan
-  show                             Show list of available plans
-  show <plan>                      Show details for plan
-  run                              Run a Puppet task plan
+      Available actions are:
+        convert <plan_path>              Convert a YAML plan to a Puppet plan
+        show                             Show list of available plans
+        show <plan>                      Show details for plan
+        run                              Run a Puppet task plan
 
-Parameters are of the form <parameter>=<value>.
+      Parameters are of the form <parameter>=<value>.
 
-#{examples('plan run canary command=hostname', 'run the canary plan on')}
-Available options are:
+      #{examples('plan run canary command=hostname', 'run the canary plan on')}
+      Available options are:
     HELP
 
-    PLAN_CONVERT_HELP = <<-HELP
-Usage: bolt plan convert <plan_path>
+    PLAN_CONVERT_HELP = <<~HELP
+      Usage: bolt plan convert <plan_path>
 
-Available options are:
+      Available options are:
     HELP
 
-    PLAN_SHOW_HELP = <<-HELP
-Usage: bolt plan show <plan>
+    PLAN_SHOW_HELP = <<~HELP
+      Usage: bolt plan show <plan>
 
-Available actions are:
-  show                             Show list of available plans
-  show <plan>                      Show details for plan
+      Available actions are:
+        show                             Show list of available plans
+        show <plan>                      Show details for plan
 
-Available options are:
+      Available options are:
     HELP
 
-    PLAN_RUN_HELP = <<-HELP
-Usage: bolt plan run <plan> [parameters]
+    PLAN_RUN_HELP = <<~HELP
+      Usage: bolt plan run <plan> [parameters]
 
-Parameters are of the form <parameter>=<value>.
+      Parameters are of the form <parameter>=<value>.
 
-#{examples('plan run canary command=hostname', 'run the canary plan on')}
-Available options are:
+      #{examples('plan run canary command=hostname', 'run the canary plan on')}
+      Available options are:
     HELP
 
-    FILE_HELP = <<-HELP
-Usage: bolt file <action>
+    FILE_HELP = <<~HELP
+      Usage: bolt file <action>
 
-Available actions are:
-  upload <src> <dest>              Upload local file or directory <src> to <dest> on each node
+      Available actions are:
+        upload <src> <dest>              Upload local file or directory <src> to <dest> on each node
 
-#{examples('file upload /tmp/source /etc/profile.d/login.sh', 'upload a file to')}
-Available options are:
+      #{examples('file upload /tmp/source /etc/profile.d/login.sh', 'upload a file to')}
+      Available options are:
     HELP
 
-    PUPPETFILE_HELP = <<-HELP
-Usage: bolt puppetfile <action>
+    PUPPETFILE_HELP = <<~HELP
+      Usage: bolt puppetfile <action>
 
-Available actions are:
-  install                          Install modules from a Puppetfile into a Boltdir
-  show-modules                     List modules available to Bolt
+      Available actions are:
+        install                          Install modules from a Puppetfile into a Boltdir
+        show-modules                     List modules available to Bolt
 
-Install modules into the local Boltdir
-  bolt puppetfile install
+      Install modules into the local Boltdir
+        bolt puppetfile install
 
-Available options are:
+      Available options are:
     HELP
 
-    PUPPETFILE_INSTALL_HELP = <<-HELP
-Usage: bolt puppetfile install
+    PUPPETFILE_INSTALL_HELP = <<~HELP
+      Usage: bolt puppetfile install
 
-Install modules into the local Boltdir
-  bolt puppetfile install
+      Install modules into the local Boltdir
+        bolt puppetfile install
 
-Available options are:
+      Available options are:
     HELP
 
-    PUPPETFILE_SHOWMODULES_HELP = <<-HELP
-Usage: bolt puppetfile show-modules
+    PUPPETFILE_SHOWMODULES_HELP = <<~HELP
+      Usage: bolt puppetfile show-modules
 
-Available options are:
+      Available options are:
     HELP
 
-    APPLY_HELP = <<-HELP
-Usage: bolt apply <manifest.pp>
+    APPLY_HELP = <<~HELP
+      Usage: bolt apply <manifest.pp>
 
-#{examples('apply site.pp', 'apply a manifest on')}
-  bolt apply site.pp --nodes foo.example.com,bar.example.com
+      #{examples('apply site.pp', 'apply a manifest on')}
+        bolt apply site.pp --nodes foo.example.com,bar.example.com
 
-Available options are:
+      Available options are:
     HELP
 
     SECRET_HELP = <<~SECRET_HELP

data/lib/bolt/config.rb

@@ -31,13 +31,13 @@ module Bolt
   end
 
   class Config
-    attr_accessor :aws, :concurrency, :format, :trace, :log, :puppetdb, :color, :save_rerun,
+    attr_accessor :concurrency, :format, :trace, :log, :puppetdb, :color, :save_rerun,
                   :transport, :transports, :inventoryfile, :compile_concurrency, :boltdir,
                   :puppetfile_config, :plugins
     attr_writer :modulepath
 
     TRANSPORT_OPTIONS = %i[password run-as sudo-password extensions
-                           private-key tty tmpdir user connect-timeout
+                           private-key tty tmpdir user connect-timeout disconnect-timeout
                            cacert token-file service-url interpreters file-protocol smb-port realm].freeze
 
     PUPPETFILE_OPTIONS = %w[proxy forge].freeze
@@ -162,7 +162,7 @@ module Bolt
       # Plugins are only settable from config not inventory so we can overwrite
       @plugins = data['plugins'] if data.key?('plugins')
 
-      %w[aws concurrency format puppetdb color transport].each do |key|
+      %w[concurrency format puppetdb color transport].each do |key|
         send("#{key}=", data[key]) if data.key?(key)
       end
 

data/lib/bolt/pal/yaml_plan/evaluator.rb

@@ -88,6 +88,8 @@ module Bolt
         end
 
         def resources_step(scope, step)
+          # TODO: Only call apply_prep when needed
+          scope.call_function('apply_prep', step['target'])
           manifest = generate_manifest(step['resources'])
 
           apply_manifest(scope, step['target'], manifest)

data/lib/bolt/pal/yaml_plan/step/resources.rb

@@ -65,6 +65,13 @@ module Bolt
 
           def transpile
             code = StringIO.new
+
+            code.print "  "
+            fn = 'apply_prep'
+            args = [@target]
+            code << function_call(fn, args)
+            code.print "\n"
+
             code.print "  "
             code.print "$#{@name} = " if @name
 

data/lib/bolt/plugin.rb

@@ -6,6 +6,7 @@ require 'bolt/plugin/pkcs7'
 require 'bolt/plugin/prompt'
 require 'bolt/plugin/task'
 require 'bolt/plugin/aws'
+require 'bolt/plugin/vault'
 
 module Bolt
   class Plugin
@@ -37,7 +38,8 @@ module Bolt
       plugins.add_plugin(Bolt::Plugin::Prompt.new)
       plugins.add_plugin(Bolt::Plugin::Pkcs7.new(config.boltdir.path, config.plugins['pkcs7'] || {}))
       plugins.add_plugin(Bolt::Plugin::Task.new(config))
-      plugins.add_plugin(Bolt::Plugin::Aws::EC2.new(config))
+      plugins.add_plugin(Bolt::Plugin::Aws::EC2.new(config.plugins['aws'] || {}))
+      plugins.add_plugin(Bolt::Plugin::Vault.new(config.plugins['vault'] || {}))
       plugins
     end
 

data/lib/bolt/plugin/aws.rb

@@ -34,12 +34,12 @@ module Bolt
           if opts.key?('profile')
             options[:profile] = opts['profile']
           end
-          if config.aws&.key?('credentials')
-            creds = File.expand_path(config.aws['credentials'])
+          if config['credentials']
+            creds = File.expand_path(config['credentials'])
             if File.exist?(creds)
               options[:credentials] = ::Aws::SharedCredentials.new(path: creds)
             else
-              raise Bolt::ValidationError, "Cannot load credentials file #{config.aws['credentials']}"
+              raise Bolt::ValidationError, "Cannot load credentials file #{config['credentials']}"
             end
           end
 

data/lib/bolt/plugin/vault.rb

@@ -0,0 +1,206 @@
+# frozen_string_literal: true
+
+module Bolt
+  class Plugin
+    class Vault
+      class VaultHTTPError < Bolt::Error
+        def initialize(response)
+          err = JSON.parse(response.body)['errors']
+          m = String.new("#{response.code} \"#{response.msg}\"")
+          m << ": #{err.join(';')}" unless err.nil?
+          super(m, 'bolt.plugin/vault-http-error')
+        end
+      end
+
+      attr_reader :config
+
+      # All requests for secrets must have a token in the request header
+      TOKEN_HEADER = "X-Vault-Token"
+
+      # Default header for all requests, including auth methods
+      DEFAULT_HEADER = {
+        "Content-Type" => "application/json",
+        "Accept" => "application/json"
+      }.freeze
+
+      # Make sure no unexpected keys are in the config
+      def validate_config(config)
+        known_keys = %w[server_url auth cacert]
+
+        config.each do |key, _v|
+          next if known_keys.include?(key)
+          raise Bolt::ValidationError, "Unexpected key in Vault plugin config: #{key}"
+        end
+      end
+
+      # Make sure no unexpected keys are in the inventory config and
+      # that required keys are present
+      def validate_options(opts)
+        known_keys = %w[_plugin server_url auth path field version cacert]
+        required_keys = %w[path]
+
+        opts.each do |key, _v|
+          next if known_keys.include?(key)
+          raise Bolt::ValidationError, "Unexpected key in inventory config: #{key}"
+        end
+
+        required_keys.each do |key|
+          next if opts[key]
+          raise Bolt::ValidationError, "Expected key in inventory config: #{key}"
+        end
+      end
+
+      def name
+        'vault'
+      end
+
+      def hooks
+        ['inventory_config']
+      end
+
+      def initialize(config)
+        validate_config(config)
+        @config = config
+        @logger = Logging.logger[self]
+      end
+
+      def inventory_config(opts)
+        validate_options(opts)
+
+        header = {
+          TOKEN_HEADER => token(opts)
+        }
+
+        response = request(:Get, uri(opts), opts, nil, header)
+
+        parse_response(response, opts)
+      end
+
+      # Request uri - built up from Vault server url and secrets path
+      def uri(opts, path = nil)
+        url = opts['server_url'] || config['server_url'] || ENV['VAULT_ADDR']
+
+        # Handle the different versions of the API
+        if opts['version'] == 2
+          mount, store = opts['path'].split('/', 2)
+          opts['path'] = [mount, 'data', store].join('/')
+        end
+
+        path ||= opts['path']
+
+        URI.parse(File.join(url, "v1", path))
+      end
+
+      # Configure the http/s client
+      def client(uri, opts)
+        client = Net::HTTP.new(uri.host, uri.port)
+
+        if uri.scheme == 'https'
+          cacert = opts['cacert'] || config['cacert'] || ENV['VAULT_CACERT']
+
+          unless cacert
+            raise Bolt::ValidationError, "Expected cacert to be set when using https"
+          end
+
+          client.use_ssl = true
+          client.ssl_version = :TLSv1_2
+          client.ca_file = cacert
+          client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        end
+
+        client
+      end
+
+      # Auth token to vault server
+      def token(opts)
+        if (auth = opts['auth'] || config['auth'])
+          request_token(auth, opts)
+        else
+          ENV['VAULT_TOKEN']
+        end
+      end
+
+      def request(verb, uri, opts, data, header = {})
+        # Add on any header options
+        header = DEFAULT_HEADER.merge(header)
+
+        # Create the HTTP request
+        client = client(uri, opts)
+        request = Net::HTTP.const_get(verb).new(uri.request_uri, header)
+
+        # Attach any data
+        request.body = data if data
+
+        # Send the request
+        begin
+          response = client.request(request)
+        rescue StandardError => e
+          raise Bolt::Error.new(
+            "Failed to connect to #{uri}: #{e.message}",
+            'CONNECT_ERROR'
+          )
+        end
+
+        case response
+        when Net::HTTPOK
+          JSON.parse(response.body)
+        else
+          raise VaultHTTPError, response
+        end
+      end
+
+      def parse_response(response, opts)
+        data = case opts['version']
+               when 2
+                 response['data']['data']
+               else
+                 response['data']
+               end
+
+        if opts['field']
+          unless data[opts['field']]
+            raise Bolt::ValidationError, "Unknown secrets field: #{opts['field']}"
+          end
+          data[opts['field']]
+        else
+          data
+        end
+      end
+
+      # Request a token from Vault using one of the auth methods
+      def request_token(auth, opts)
+        case auth['method']
+        when 'token'
+          auth_token(auth)
+        when 'userpass'
+          auth_userpass(auth, opts)
+        else
+          raise Bolt::ValidationError, "Unknown auth method: #{auth['method']}"
+        end
+      end
+
+      def validate_auth(auth, required_keys)
+        required_keys.each do |key|
+          next if auth[key]
+          raise Bolt::ValidationError, "Expected key in #{auth['method']} auth method: #{key}"
+        end
+      end
+
+      # Authenticate with Vault using the 'Token' auth method
+      def auth_token(auth)
+        validate_auth(auth, %w[token])
+        auth['token']
+      end
+
+      # Authenticate with Vault using the 'Userpass' auth method
+      def auth_userpass(auth, opts)
+        validate_auth(auth, %w[user pass])
+        path = "auth/userpass/login/#{auth['user']}"
+        uri = uri(opts, path)
+        data = { "password" => auth['pass'] }.to_json
+
+        request(:Post, uri, opts, data)['auth']['client_token']
+      end
+    end
+  end
+end

data/lib/bolt/transport/ssh.rb

@@ -10,7 +10,7 @@ module Bolt
     class SSH < Sudoable
       def self.options
         %w[host port user password sudo-password private-key host-key-check
-           connect-timeout tmpdir run-as tty run-as-command proxyjump interpreters]
+           connect-timeout disconnect-timeout tmpdir run-as tty run-as-command proxyjump interpreters]
       end
 
       def self.default_options
@@ -18,7 +18,8 @@ module Bolt
           'connect-timeout' => 10,
           'host-key-check' => true,
           'tty' => false,
-          'load-config' => true
+          'load-config' => true,
+          'disconnect-timeout' => 5
         }
       end
 
@@ -42,10 +43,12 @@ module Bolt
           end
         end
 
-        timeout_value = options['connect-timeout']
-        unless timeout_value.is_a?(Integer) || timeout_value.nil?
-          error_msg = "connect-timeout value must be an Integer, received #{timeout_value}:#{timeout_value.class}"
-          raise Bolt::ValidationError, error_msg
+        %w[connect-timeout disconnect-timeout].each do |timeout|
+          timeout_value = options[timeout]
+          unless timeout_value.is_a?(Integer) || timeout_value.nil?
+            error_msg = "#{timeout} value must be an Integer, received #{timeout_value}:#{timeout_value.class}"
+            raise Bolt::ValidationError, error_msg
+          end
         end
       end
 

data/lib/bolt/transport/ssh/connection.rb

@@ -130,7 +130,11 @@ module Bolt
 
         def disconnect
           if @session && !@session.closed?
-            @session.close
+            begin
+              Timeout.timeout(@target.options['disconnect-timeout']) { @session.close }
+            rescue Timeout::Error
+              @session.shutdown!
+            end
             @logger.debug { "Closed session" }
           end
         end

data/lib/bolt/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bolt
-  VERSION = '1.27.1'
+  VERSION = '1.28.0'
 end

data/lib/bolt_server/schemas/partials/target-ssh.json

@@ -28,6 +28,10 @@
       "type": "integer",
       "description": "How long Bolt should wait when establishing connections"
     },
+    "disconnect-timeout": {
+      "type": "integer",
+      "description": "How long Bolt should wait before forcing a disconnect"
+    },
     "run-as-command": {
       "type": "array",
       "description": "Command elevate permissions",

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bolt
 version: !ruby/object:Gem::Version
-  version: 1.27.1
+  version: 1.28.0
 platform: ruby
 authors:
 - Puppet
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-07-31 00:00:00.000000000 Z
+date: 2019-08-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -416,6 +416,7 @@ files:
 - lib/bolt/plugin/puppetdb.rb
 - lib/bolt/plugin/task.rb
 - lib/bolt/plugin/terraform.rb
+- lib/bolt/plugin/vault.rb
 - lib/bolt/puppetdb.rb
 - lib/bolt/puppetdb/client.rb
 - lib/bolt/puppetdb/config.rb