Puppet module level hiera for setting dependency values

0
votes

I have created a puppet module and wish to use (hiera 5) module-level hiera to set values for dependencies. I have created a hiera.yaml, data dir and common.yaml. However, module hiera values do not appear to be passed to the dependencies, and I have to set the hiera at the environment level instead (which is then not self contained within the module).

It appears that hiera keys only resolve with the local module prefix.

The dependency I am targeting is fervid/secure_linux_cis and I need to set some hiera for it's classes with 'enforced => false'. Doing this in a manifest isn't 100% effective as a few classes present as duplicate resources.

Essentially, what I want to be able to do in my module's common.yaml is:

---
my::module::key1:  'value'
secure_linux_cis::redhat7::cis_1_1_2:enforced: false

Using the above example, I can resolve the my::module value but the dependency secure_linux_cis value is ignored.

Is there a way to get module level hiera to pass values to a dependency?

2
moduleoverridingpuppethiera

2 Answers

0
votes

Is there a way to get module level hiera to pass values to a dependency?

Not directly, no. Automatic data binding performs Hiera lookups in the context of the class whose parameters are being looked up, not that of the one declaring it. In your case, then, it is the hiera data of module secure_linux_cis that will be consulted for default values for the parameters of class secure_linux_cis::redhat7::cis_1_1_2.

If you are willing to risk using a resource-like declaration of that class, then you should be able to do something along these lines:

class my::module(
    String $key1
) {
    $cis112_enforced = lookup('secure_linux_cis::redhat7::cis_1_1_2:enforced', Boolean, undef, false)
    class { 'secure_linux_cis::redhat7::cis_1_1_2': enforced => $cis112_enforced }
}

Of course, that carries all the risks attending resource-like class declarations. I don't actually recommend it. You could consider instead setting the parameter in a per-node level of the environment-level data. You might also consider looking at the Roles & Profiles pattern, for resource-like class declarations make a little bit more sense in a profile class.

0
votes

secure_linux_cis::redhat7::cis_1_1_2::enforced

This should work. You missed one : in your example.