Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x
- Puppet >= 6.1.0 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'kenyon-bind', '0.5.1'
Learn more about managing modules with a Puppetfile
Documentation
bind
Table of Contents
- Description
- Setup - The basics of getting started with bind
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
- Alternatives
- BIND documentation
- License
Description
This module manages the BIND DNS server and associated DNS zones.
Setup
What bind affects
- the BIND package, service, configuration, and zone files
- a resolvconf package, by default openresolv, is installed if resolvconf_service_enable is true. This causes the localhost's BIND to be used in /etc/resolv.conf.
- if configured to install the backported package, also affects APT sources by ensuring that backports are available.
Setup requirements
See metadata.json for supported operating systems, supported Puppet versions, and Puppet module dependencies.
Beginning with bind
For a default configuration that provides recursive, caching name resolution service:
include bind
On Debian, install the bind9 package from the backports repository (ensures that the $facts['os']['distro']['codename']-backports apt source is configured using the puppetlabs-apt module, but will fail if a backported package does not exist for your particular $facts['os']['distro']['codename']-backports repo; check on the Debian package tracker):
class { 'bind':
  package_backport => true,
}
Usage
See the reference for available class parameters and defaults. For platform-specific defaults, see the data directory, which is organized according to hiera.yaml.
The test suite in the spec directory is a good source for usage examples.
To manage the resource records of a zone with this module, the zone must be dynamically updatable by the host being managed, via either the allow-update or update-policy configuration options.
Recursive, caching only
Using a minimal configuration with BIND defaults:
include bind
TODO: provide more examples.
Authoritative only
Note that support for authoritative servers is incomplete in this module.
When creating a new zone with BIND, the zone file must have a $TTL, a SOA record, an NS record, and an address record for that host used in the NS record. All of these have defaults (see the zone_default_* parameters of init.pp and the initial zone template) so you don't have to specify them. The default initial zone creates A and AAAA records based on the host's facts. Those default NS records are only used if no NS records are provided for the zone's origin. You should specify your own SOA and NS records unless you happen to want those defaults. Note that if you want to provide your own NS records at the zone origin, you also have to provide your own SOA record.
class { 'bind':
  authoritative => true,
  # TODO: add settings to disable recursive query support
}
TODO: provide more examples.
Authoritative and caching
class { 'bind':
  authoritative => true,
}
TODO: provide more examples.
The resource_record type
DNS resource records can be created with the resource_record Puppet type.
Equivalent examples:
resource_record { 'www.example.com. AAAA':
  data => '2001:db8::1',
}
resource_record { 'my record':
  zone   => 'example.com.',
  record => 'www',
  type   => 'AAAA',
  data   => '2001:db8::1',
}
The title of resource_record resources can be in one of the following formats:
- Name, zone, type: www.example.com. AAAA (AAAA record www in the example.com. zone)
- Name and zone: www.example.com. (record www in the example.com. zone with type specified as a parameter)
- Name and type: www AAAA (AAAA record www in a zone specified as a parameter)
- Name: www (record www with zone and type specified as parameters)
- Any other format means all of the required parameters need to be specified in the resource definition.
The bind::key defined type
TSIG keys for dynamic zone updates used by clients can be added to the configuration as follows.
bind::key { 'key_name':
  algorithm => 'hmac-sha512',
  secret    => 'ZlfCDgP7d3g7LjV4YMLg62EbpLZRCt9BMh3MyqiZfPX5Y2IcTyx/la6PMsfAqLMM9QDadZiNiLVzD4IPoI/4hg==',
}
The key's secret needs to be generated using the BIND tool tsig-keygen; example:
tsig-keygen -a $algorithm [$key_name]
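An added example, not taken from the module's README, that contrasts an address-based allow_update with an update_policy rule bound to a TSIG key, using only the bind::key and bind::zone parameters documented in the reference further down this page. The zone names, key name, record name, client address and the Hiera key profile::dns::tsig_secret are hypothetical; manage is left at its default, so the example covers only what a client key may update.

```puppet
# Added example: not the module author's code. All names and addresses
# below are hypothetical placeholders.

class { 'bind':
  authoritative => true,
}

# Weak: allow_update accepts only hosts and IP addresses (see its data type
# in the reference), so an update is authorised by source address alone and
# the grant covers every record in the zone.
bind::zone { 'weak.example.com.':
  type         => 'primary',
  allow_update => ['192.0.2.10'],
}

# Tighter: authenticate the client with a TSIG key and restrict what that
# key may change.
#
# The secret is read from Hiera (hypothetical key name) instead of being
# written into the manifest; generate it with
#   tsig-keygen -a hmac-sha512 tsig-client
# The String[44] value type mirrors the secret parameter's data type, so a
# truncated or empty value fails at lookup time.
bind::key { 'tsig-client':
  algorithm => 'hmac-sha512',
  secret    => lookup('profile::dns::tsig_secret', String[44]),
}

# One Bind::ZoneConfig::UpdatePolicy::Rule: the key 'tsig-client' may update
# only the A and AAAA records of www.example.com. Other names and other
# record types in the zone are not covered by the grant.
bind::zone { 'example.com.':
  type          => 'primary',
  update_policy => [
    {
      'permission' => 'grant',
      'identity'   => 'tsig-client',
      'ruletype'   => 'name',
      'name'       => 'www.example.com.',
      'types'      => 'A AAAA',
    },
  ],
}
```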
Limitations
See metadata.json for supported operating systems, supported Puppet versions, and Puppet module dependencies.
Downgrading the package by setting package_backport => false (after it had been true) is not supported by this module, but you can of course do such a downgrade manually outside of Puppet.
Changing the value provided for a zone's $TTL directive after initial zone creation is not supported by this module (because the zone file is only created initially from a template and then never replaced, only updated dynamically using the RFC 2136 method), but you can do this manually outside of Puppet.
Development
The development of this module attempts to be test-driven as much as possible. Therefore, changes should generally be accompanied by tests. The test suite is located in the spec directory. Acceptance tests (in the acceptance directory) use Serverspec, while unit tests (everything else) use rspec-puppet.
Running tests
PDK and Docker must be installed and working. GNU Parallel is used to run acceptance tests in parallel by default. This can be disabled with the --no-parallel option.
./run_tests
Generating documentation
pdk bundle exec rake strings:generate:reference
See also:
Release process
- Update the version in metadata.json to the to-be-released version.
- pdk bundle exec rake changelog
- git commit --all
- git tag -a <version>
- pdk build
- git push (I have git config --global push.followTags true so that the tag will also be pushed. This also causes the publish.yaml GitHub workflow to build and publish a release to the Puppet Forge.)
- gh release create <version> pkg/* (using GitHub CLI)
Alternatives
Other BIND modules on Puppet Forge
BIND documentation
Acknowledgments
The following files came from the Debian package and are licensed under the MPL-2.0.
License
Copyright ⓒ 2021 Kenyon Ralph
This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License along with this program. If not, see https://www.gnu.org/licenses/.
Reference
Table of Contents
Classes
Public Classes
- bind: Manages the BIND domain name server and DNS zones
Private Classes
- bind::config: Manages BIND configuration
- bind::install: Manages BIND installation
- bind::service: Manages BIND service
Defined types
- bind::key: Create TSIG key for zone updates in the configuration file for BIND
- bind::zone: A DNS zone
Resource types
- resource_record: a DNS resource record type
Functions
Public Functions
Private Functions
- bind::service_name: Determines the name of the BIND service
Data types
- Bind::Include: Type definition for BIND's include statement
- Bind::Logging: Type definition for BIND's logging statement
- Bind::Logging::Category: Type definition for BIND's logging categories
- Bind::Logging::CategoryPhrase: Type definition for BIND's logging category phrase
- Bind::Logging::ChannelName: Type definition for BIND's logging channel names
- Bind::Logging::ChannelPhrase: Type definition for BIND's logging channel phrase
- Bind::Options: Type definition for BIND's options statement
- Bind::Size: Type definition for BIND's file size specification
- Bind::ZoneConfig::UpdatePolicy: Type definition for BIND's update-policy clause in the zone statement
- Bind::ZoneConfig::UpdatePolicy::Rule: Type definition for rules in BIND's update-policy clause in the zone statement
Classes
bind
Manages the BIND domain name server and DNS zones
Examples
Caching nameserver with default configuration
include bind
Parameters
The following parameters are available in the bind class:
authoritative
config_dir
default_options
default_zones
dev_packages
doc_packages
utils_packages
includes
dev_packages_ensure
doc_packages_ensure
utils_packages_ensure
logging
keys
options
package_manage
service_manage
package_backport
package_name
package_ensure
resolvconf_package_name
resolvconf_service_enable
root_hint_zone
service_config_file
service_enable
service_ensure
service_group
service_name
service_user
service_options
zones
zone_default_expire
zone_default_mname
zone_default_negative_caching_ttl
zone_default_refresh
zone_default_retry
zone_default_rname
zone_default_serial
zone_default_ttl
authoritative
Data type: Boolean
Whether to enable features needed for authoritative server operation.
Default value: false
config_dir
Data type: Stdlib::Absolutepath
Directory for BIND configuration files.
Default value: '/etc/bind'
default_options
Data type: Bind::Options
Default BIND options loaded from Hiera data in this module's data directory. Merged with, and overridden by, the options parameter. You'll generally want to use the options parameter and leave default_options alone.
Default value: { 'directory' => '/var/cache/bind', }
default_zones
Data type: Boolean
Whether to include the default zones in the BIND configuration.
Default value: true
dev_packages
Data type: Array[String[1]]
List of BIND development packages.
Default value: ['bind9-dev']
doc_packages
Data type: Array[String[1]]
List of BIND documentation packages.
Default value: ['bind9-doc']
utils_packages
Data type: Array[String[1]]
List of BIND utilities packages.
Default value: ['bind9-dnsutils']
includes
Data type: Optional[Variant[Array[Bind::Include], Bind::Include]]
Additional configuration files to include in the BIND configuration using the include statement.
Default value: undef
dev_packages_ensure
Data type: Optional[String[1]]
The ensure value for the BIND development packages (libraries and header files).
Default value: undef
doc_packages_ensure
Data type: Optional[String[1]]
The ensure value for the BIND documentation packages.
Default value: undef
utils_packages_ensure
Data type: String[1]
The ensure value for the BIND utilities packages.
Default value: 'installed'
logging
Data type: Optional[Bind::Logging]
Configuration of the logging statement.
Default value: undef
keys
Data type: Hash
Hash for creating Bind::Key resources.
Default value: {}
options
Data type: Optional[Bind::Options]
Configuration of the options statement. Merged with, and overrides, the default_options parameter.
Default value: undef
package_manage
Data type: Boolean
Whether to have this module manage the BIND package.
Default value: true
service_manage
Data type: Boolean
Whether to have this module manage the BIND service.
Default value: true
package_backport
Data type: Boolean
Whether to install the BIND package from Debian backports.
Default value: false
package_name
Data type: String[1]
The name of the BIND package.
Default value: 'bind9'
package_ensure
Data type: String[1]
The ensure parameter for the BIND package.
Default value: installed
resolvconf_package_name
Data type: String[1]
The name of the resolvconf package to use if resolvconf_service_enable is true.
Default value: 'openresolv'
resolvconf_service_enable
Data type: Boolean
Whether to enable the named-resolvconf service so that localhost's BIND resolver is used in /etc/resolv.conf.
Default value: false
root_hint_zone
Data type: Boolean
Whether to include the root zone "." in the BIND configuration with type hint.
Default value: true
service_config_file
Data type: Stdlib::Absolutepath
The path to the BIND config file.
Default value: extlib::path_join([$config_dir, 'named.conf'])
service_enable
Data type: Variant[Boolean, String[1]]
The enable parameter for the BIND service.
Default value: true
service_ensure
Data type: Stdlib::Ensure::Service
The ensure parameter for the BIND service.
Default value: running
service_group
Data type: String[1]
The primary group of $service_user. Used for directory permissions.
Default value: $service_user
service_name
Data type: String[1]
The name of the BIND service.
Default value: 'named'
service_user
Data type: String[1]
The user to run BIND as (for the -u command line option).
Default value: 'bind'
service_options
Data type: Optional[String[1]]
Command line options for the BIND service.
Default value: undef
zones
Data type: Hash
Hash for creating Bind::Zone resources.
Default value: {}
zone_default_expire
Data type: String[1]
The default SOA expire time, set per a RIPE recommendation (same as with all of the default time values). Can be overridden by individual zones by providing a SOA record in the zone's hash of the $zones parameter. Reference: RFC 1035
Default value: '1000h'
zone_default_mname
Data type: String[1]
The default SOA MNAME. That is, the domain name of the primary name server for the zone. Can be overridden by individual zones by providing a SOA record in the zone's hash of the $zones parameter. Reference: RFC 1035
Default value: $facts['networking']['hostname']
zone_default_negative_caching_ttl
Data type: String[1]
The default negative caching TTL, the last field of the SOA record. Can be overridden by individual zones by providing a SOA record in the zone's hash of the $zones parameter. Reference: RFC 2308
Default value: '1h'
zone_default_refresh
Data type: String[1]
The default SOA refresh time. Can be overridden by individual zones by providing a SOA record in the zone's hash of the $zones parameter. Reference: RFC 1035
Default value: '24h'
zone_default_retry
Data type: String[1]
The default SOA retry time. Can be overridden by individual zones by providing a SOA record in the zone's hash of the $zones parameter. Reference: RFC 1035
Default value: '2h'
zone_default_rname
Data type: String[1]
The default SOA RNAME. That is, the domain name-formatted email address of the person responsible for the zone. Can be overridden by individual zones by providing a SOA record in the zone's hash of the $zones parameter. Reference: RFC 1035
Default value: 'hostmaster'
zone_default_serial
Data type: Integer[0]
The default initial serial number for the zone. Can be overridden by individual zones by providing a SOA record in the zone's hash of the $zones parameter.
Default value: 1
zone_default_ttl
Data type: String[1]
The default zone-wide TTL. This value is used in the zone's $TTL directive at the start of the zone. Individual zones can override this default with the ttl key in their configuration hashes in the $zones parameter. Also, individual resource records can override this value with the ttl key in their hashes. Reference: RFC 2308
Default value: '2d'
Defined types
bind::key
Create TSIG key for zone updates in the configuration file for BIND
Examples
Add a TSIG key to the nameserver
bind::key { 'tsig-client':
  algorithm => 'hmac-sha512',
  secret    => 'secret-key-data',
}
Parameters
The following parameters are available in the bind::key defined type:
algorithm
Data type: Enum['hmac-sha256', 'hmac-sha384', 'hmac-sha512']
Defines the algorithm which was used to generate the key data. For security reasons, only hmac-sha256 and stronger algorithms are allowed: https://www.rfc-editor.org/rfc/rfc8945.html#name-algorithms-and-identifiers
secret
Data type: String[44]
Provide the secret data of the TSIG key, generated using tsig-keygen.
bind::zone
A DNS zone
Examples
Basic usage
bind::zone { 'example.com.': }
Parameters
The following parameters are available in the bind::zone defined type:
zone_name
allow_transfer
allow_update
also_notify
auto_dnssec
class
file
forward
forwarders
in_view
inline_signing
key_directory
manage
masters
primaries
purge
resource_records
serial_update_method
ttl
type
update_policy
zone_name
Data type: Pattern[/\.$/]
The name of the zone.
Default value: $title
allow_transfer
Data type: Optional[Array[Variant[Stdlib::Host, Stdlib::IP::Address]]]
Which hosts are allowed to receive zone transfers from the server. https://bind9.readthedocs.io/en/latest/reference.html#allow-transfer-access
Default value: undef
allow_update
Data type: Optional[Array[Variant[Stdlib::Host, Stdlib::IP::Address]]]
Which hosts are allowed to submit Dynamic DNS updates to the zone.
Default value: undef
also_notify
Data type: Optional[Array[Variant[Stdlib::Host, Stdlib::IP::Address]]]
List of IP addresses of name servers that are also sent NOTIFY messages whenever a fresh copy of the zone is loaded, in addition to the servers listed in the zone's NS records.
Default value: undef
auto_dnssec
Data type: Optional[Enum['allow', 'maintain', 'off']]
The automatic DNSSEC key management mode.
Default value: undef
class
Data type: Optional[Enum['IN', 'HS', 'hesiod', 'CHAOS']]
DNS class. Defaults to 'IN', for Internet. https://bind9.readthedocs.io/en/latest/reference.html#class
Default value: undef
file
Data type: Optional[String[1]]
The zone's filename.
Default value: undef
forward
Data type: Optional[Enum['first', 'only']]
This option is only meaningful if the zone has a forwarders list. The 'only' value causes the lookup to fail after trying the forwarders and getting no answer, while 'first' allows a normal lookup to be tried. https://bind9.readthedocs.io/en/latest/reference.html#forwarding
Default value: undef
forwarders
Data type: Optional[Array[Stdlib::Host]]
Hosts to which queries are forwarded. https://bind9.readthedocs.io/en/latest/reference.html#forwarding
Default value: undef
in_view
Data type: Optional[String[1]]
Allows for referencing the zone in another view.
Default value: undef
inline_signing
Data type: Optional[Variant[Boolean, Stdlib::Yes_no]]
Allows BIND to automatically sign zones.
Default value: undef
key_directory
Data type: Optional[String[1]]
The directory where the public and private DNSSEC key files should be found when performing a dynamic update of secure zones, if different than the current working directory.
Default value: undef
manage
Data type: Boolean
Whether to manage the contents of this zone with Puppet. If false, only manages the configuration of the zone in named.conf. If true, creates and manages the zone file and resource records of the zone.
Default value: false
masters
Data type: Optional[Array[Stdlib::Host]]
Synonym for primaries.
Default value: undef
primaries
Data type: Optional[Array[Stdlib::Host]]
Defines a named list of servers for inclusion in stub and secondary zones' primaries or also-notify lists.
Default value: undef
purge
Data type: Boolean
Whether to purge unmanaged resource records from the zone.
Default value: false
resource_records
Data type: Hash
Hash for creating resource_record resources.
Default value: {}
serial_update_method
Data type: Optional[Enum['date', 'increment', 'unixtime']]
Method for incrementing the zone's serial number.
Default value: undef
ttl
Data type: Optional[String[1]]
The value for the $TTL directive, which sets the default resource record TTL for the zone.
Default value: undef
type
Data type: Optional[Enum[ 'primary', 'master', 'secondary', 'slave', 'mirror', 'hint', 'stub', 'static-stub', 'forward', 'redirect', 'delegation-only', ]]
The zone type. https://bind9.readthedocs.io/en/latest/reference.html#zone-types
Default value: undef
update_policy
Data type: Optional[Array[Bind::ZoneConfig::UpdatePolicy]]
The update-policy. https://bind9.readthedocs.io/en/latest/reference.html#dynamic-update-policies
Default value: undef
Resource types
resource_record
This type provides Puppet with the capabilities to manage DNS resource records.
Autorequires: If Puppet is managing the zone that this resource record belongs to, the resource record will autorequire the zone.
Examples
AAAA record in the example.com. zone
resource_record { 'foo.example.com.':
  ensure => 'present',
  type   => 'AAAA',
  data   => '2001:db8::1',
}
Properties
The following properties are available in the resource_record type.
data
Data type: String
The data for the resource record.
ensure
Data type: Enum[present, absent]
Whether this resource record should be present or absent on the target system.
Default value: present
record
Data type: String
The name of the resource record, also known as the owner or label.
ttl
Data type: Optional[String]
The TTL for the resource record.
type
Data type: String
The type of the resource record.
zone
Data type: String
The zone the resource record belongs to.
Functions
Data types
Bind::Include
Reference: https://bind9.readthedocs.io/en/latest/reference.html#include-statement-grammar
Alias of Stdlib::Absolutepath
Bind::Logging
Reference: https://bind9.readthedocs.io/en/latest/reference.html#logging-statement-grammar
Alias of
Struct[{
  Optional['channels'] => Hash[Bind::Logging::ChannelName, Bind::Logging::ChannelPhrase],
  Optional['categories'] => Hash[Bind::Logging::Category, Bind::Logging::CategoryPhrase],
}]
Bind::Logging::Category
Reference: https://bind9.readthedocs.io/en/latest/reference.html#the-category-phrase
Alias of Enum['client', 'cname', 'config', 'database', 'default', 'delegation-only', 'dispatch', 'dnssec', 'dnstap', 'edns-disabled', 'general', 'lame-servers', 'network', 'notify', 'nsid', 'queries', 'query-errors', 'rate-limit', 'resolver', 'rpz', 'rpz-passthru', 'security', 'serve-stale', 'spill', 'trust-anchor-telemetry', 'unmatched', 'update', 'update-security', 'xfer-in', 'xfer-out', 'zoneload']
Bind::Logging::CategoryPhrase
Reference: https://bind9.readthedocs.io/en/latest/reference.html#the-category-phrase
Alias of
Struct[{
  Optional['channels'] => Array[String[1]],
}]
Bind::Logging::ChannelName
Reference: https://bind9.readthedocs.io/en/latest/reference.html#the-channel-phrase
Alias of Pattern[/\A\w+\Z/]
Bind::Logging::ChannelPhrase
Reference: https://bind9.readthedocs.io/en/latest/reference.html#the-channel-phrase
Alias of
Variant[Enum['null', 'stderr', 'syslog'], Struct[{
  Optional['buffered'] => Boolean,
  Optional['file'] => Struct[{
    'name' => String[1],
    Optional['versions'] => Variant[Enum['unlimited'], Integer[1]],
    Optional['size'] => Bind::Size,
    Optional['suffix'] => Enum['increment', 'timestamp'],
  }],
  Optional['print-category'] => Boolean,
  Optional['print-severity'] => Boolean,
  Optional['print-time'] => Variant[Boolean, Stdlib::Yes_no, Enum['iso8601', 'iso8601-utc', 'local']],
  Optional['severity'] => String[1],
  Optional['syslog'] => Stdlib::Syslogfacility,
}]]
Bind::Options
Reference: https://bind9.readthedocs.io/en/latest/reference.html#options-statement-grammar
Alias of
Struct[{
  Optional['allow-transfer'] => Array[Variant[Stdlib::Host, Stdlib::IP::Address]],
  Optional['allow-update'] => Array[Variant[Stdlib::Host, Stdlib::IP::Address]],
  Optional['allow-query'] => Array[Variant[Stdlib::Host, Stdlib::IP::Address]],
  Optional['also-notify'] => Array[Variant[Stdlib::Host, Stdlib::IP::Address]],
  Optional['auto-dnssec'] => Enum['allow', 'maintain', 'off'],
  Optional['directory'] => Stdlib::Absolutepath,
  Optional['inline-signing'] => Variant[Boolean, Stdlib::Yes_no],
  Optional['key-directory'] => String[1],
  Optional['serial-update-method'] => Enum['date', 'increment', 'unixtime'],
  Optional['zone-statistics'] => Variant[Boolean, Stdlib::Yes_no, Enum['full', 'terse', 'none']],
}]
Bind::Size
Reference: size_spec under https://bind9.readthedocs.io/en/latest/reference.html#configuration-file-elements
Alias of Variant[Enum['unlimited', 'default'], Integer[0], Pattern[/\A\d+(?i:k|m|g)\Z/]]
Bind::ZoneConfig::UpdatePolicy
Reference: https://bind9.readthedocs.io/en/latest/reference.html#dynamic-update-policies
Alias of Variant[Enum['local'], Bind::ZoneConfig::UpdatePolicy::Rule]
Bind::ZoneConfig::UpdatePolicy::Rule
Reference: https://bind9.readthedocs.io/en/latest/reference.html#dynamic-update-policies
Alias of
Struct[{
  'permission' => Enum['deny', 'grant'],
  'identity' => String[1],
  'ruletype' => Enum[
    'name',
    'subdomain',
    'zonesub',
    'wildcard',
    'self',
    'selfsub',
    'selfwild',
    'ms-self',
    'ms-selfsub',
    'ms-subdomain',
    'krb5-self',
    'krb5-selfsub',
    'krb5-subdomain',
    'tcp-self',
    '6to4-self',
    'external',
  ],
  Optional['name'] => String[1],
  Optional['types'] => String[1],
}]
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v0.5.1 (2021-05-31)
Fixed
v0.5.0 (2021-05-09)
Added
Fixed
v0.4.0 (2021-03-28)
- Test enhancements
- bind::zone: change $purge default to false so that unmanaged resource records are not purged by default
- bind::zone: add parameter $manage. When true, means you want to manage the content of the zone with this module.
- named.conf template: whitespace cleanup, logic simplification
v0.3.0 (2021-03-21)
- Allow disabling the default root hint zone so that you can have a mirror of the root zone
- Fix handling of backport packages
- Better ordering of named.conf fragments
- resource_record type and provider work. Still incomplete.
v0.2.1 (2021-03-14)
- Correctly update metadata.json and publish to Puppet Forge
v0.2.0 (2021-03-14)
Features
- Rework package management parameters
- Add GitHub Actions workflows
Known Issues
- Types and providers needed to manage DNS zones not complete
v0.1.0 (2021-03-13)
Features
- Recursive server management
Known Issues
- Types and providers needed to manage DNS zones not complete
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- camptocamp/systemd (>= 2.10.0 < 4.0.0)
- puppet/extlib (>= 5.0.0 < 6.0.0)
- puppetlabs/apt (>= 7.7.0 < 9.0.0)
- puppetlabs/concat (>= 6.4.0 < 8.0.0)
- puppetlabs/stdlib (>= 6.5.0 < 8.0.0)