deferred_resources
Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-deferred_resources', '0.4.0'
Learn more about managing modules with a Puppetfile
Documentation
Description
This module provides capabilities to add resources to the Puppet catalog after the initial catalog compilation has completed.
WARNING:
This module is not recommended for use outside of the SIMP framework. It was developed for specific policy requirements from the DISA STIG, CIS Benchmark, etc., that require resources to either be installed or removed. In order to not interfere with other manifests that might have legitimately added resources, it first checks whether each resource has already been included in the catalog and, only if it has not, adds a resource that installs or removes it, as necessary.
See REFERENCE.md for full API details.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they may be submitted to our bug tracker.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in simp/simp_options for details.
Usage
This module provides classes that help users properly use the underlying native type for processing deferred resources.
Example: Managing Packages
class { 'deferred_resources::packages':
  remove  => ['pkg1', 'pkg2'],
  install => ['pkg3', 'pkg4'],
  mode    => 'enforcing',
}
Example: Managing Packages but silencing messages
class { 'deferred_resources::packages':
  remove    => ['pkg1', 'pkg2'],
  install   => ['pkg3', 'pkg4'],
  mode      => 'enforcing',
  log_level => 'debug',
}
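An added example (not from the module's own documentation) that combines the Hash form of install, remove_ensure and default_options, and shows a package that is already declared elsewhere in the catalog being left alone. The package names, the repository name and the top-scope package declaration are constructed for illustration, and passing an empty Hash for a package with no extra attributes is an assumption.

```puppet
# Added example, not from the module's documentation. Package names and the
# repository name are constructed for illustration.

# Stands in for a declaration made elsewhere in the site's manifests.
package { 'vsftpd':
  ensure => installed,
}

class { 'deferred_resources::packages':
  # Array form: names only. 'vsftpd' is already in the catalog (above), so the
  # module reports that no action will be taken for it and leaves the existing
  # declaration untouched. Only 'telnet-server' is a candidate for removal.
  remove          => ['vsftpd', 'telnet-server'],
  remove_ensure   => 'purged',

  # Hash form: each key is a package name, each value a Hash of extra Package
  # attributes. An empty Hash for "no extra attributes" is an assumption.
  install         => {
    'aide'  => {},
    'audit' => { 'install_options' => ['--enablerepo=site-security'] },
  },
  install_ensure  => 'installed',

  # Applied to every package in both lists; any 'ensure' here is overwritten.
  default_options => { 'provider' => 'yum' },

  # 'warning' only logs what would be added to the catalog. Switch to
  # 'enforcing' once the logged list matches what the policy intends.
  mode            => 'warning',
  log_level       => 'notice',
}
```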
Reference
Please refer to the inline documentation within each source file, or to the module's generated YARD documentation for reference material.
Limitations
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.
Development
Please read our Contribution Guide.
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle install
bundle exec rake beaker:suites
Please refer to the SIMP Beaker Helpers documentation for more information.
Reference
Table of Contents
Classes
- deferred_resources
- deferred_resources::files: This class takes an Array of file resources to remove, and a Hash of file resources to install. After the entire puppet catalog has been com
- deferred_resources::groups: This class takes an Array of group resources to remove, and a Hash of group resources to install. After the entire puppet catalog has been c
- deferred_resources::packages: This class takes two Hashes of packages, one to remove and one to install. After the entire puppet catalog has been compiled, it will proc
- deferred_resources::users: This class takes an Array of user resources to remove, and a Hash of user resources to install. After the entire puppet catalog has been com
Resource types
- deferred_resources: DANGER THIS RESOURCE TYPE DOES THINGS THAT MAY BE CONFUSING MAKE SURE YOU FULLY UNDERSTAND HOW IT WORKS PRIOR TO USING IT *** DANGE
Classes
deferred_resources
The deferred_resources class.
Parameters
The following parameters are available in the deferred_resources class.
mode
Data type: Enum['warning','enforcing']
If set to 'enforcing' then the management classes will take action on the system. If set to 'warning' a message will be printed noting what would have taken place on the system but the catalog will not be updated.
Default value: 'warning'
log_level
Data type: Simplib::PuppetLogLevel
Set the log level for warning messages
Default value: 'info'
auto_include
Data type: Boolean
Default value: true
deferred_resources::files
This class takes an Array of file resources to remove, and a Hash of file resources to install.
After the entire puppet catalog has been compiled, it will process both lists and, for any resource that is not already defined in the catalog, it will take the appropriate action.
An exception will be raised if you list the same file in both lists.
Parameters
The following parameters are available in the deferred_resources::files class.
remove
Data type: Array[Stdlib::Absolutepath]
A list of files to remove.
Default value: []
install
Data type: Hash[Stdlib::Absolutepath, Hash]
A Hash of files to install.
Default value: {}
update_existing_resources
Data type: Boolean
DANGEROUS - READ CAREFULLY
Update the following attributes of resources that already exist in the catalog if set in the install Hash:
- user
- group
- content
  - Will unset source
- Will unset
If you wish to affect additional parameters on an existing resource in the catalog, you should not use this class and should instead use a Resource Collector.
@see https://puppet.com/docs/puppet/5.3/lang_resources_advanced.html#amending-attributes-with-a-collector
Default value: false
mode
Data type: Enum['warning','enforcing']
@see deferred_resources::mode
Default value: $deferred_resources::mode
log_level
Data type: Simplib::PuppetLogLevel
@see deferred_resources::log_level
Default value: $deferred_resources::log_level
deferred_resources::groups
This class takes an Array of group resources to remove, and a Hash of group resources to install.
After the entire puppet catalog has been compiled, it will process both lists and, for any resource that is not already defined in the catalog, it will take the appropriate action.
An exception will be raised if you list the same group in both lists.
Parameters
The following parameters are available in the deferred_resources::groups class.
remove
Data type: Array[String[1]]
A list of groups to remove.
Default value: []
install
Data type: Variant[Hash, Array[String[1]]]
A list of groups to install.
- A Hash can be used to add extra attributes for the group, but the ensure attribute will always be set to absent for removal and present for creation.
Default value: {}
mode
Data type: Enum['warning','enforcing']
@see deferred_resources::mode
Default value: $deferred_resources::mode
log_level
Data type: Simplib::PuppetLogLevel
@see deferred_resources::log_level
Default value: $deferred_resources::log_level
deferred_resources::packages
This class takes two Hashes of packages, one to remove and one to install.
After the entire puppet catalog has been compiled, it will process both lists and, for any resource that is not already defined in the catalog, it will take the appropriate action.
An exception will be raised if you list the same package in both lists.
Parameters
The following parameters are available in the deferred_resources::packages class.
remove
Data type: Variant[Hash, Array]
A list of packages to remove.
- A Hash can be used to add extra attributes for the package, but the ensure attribute will be overwritten if it is included.
Default value: {}
remove_ensure
Data type: Enum['absent','purged']
If removing, then this is the state that the packages should have.
- This will be overridden by anything set in options applied to an entry in the $remove Hash.
Default value: 'absent'
install
Data type: Variant[Hash, Array]
A list of packages to install.
- A Hash can be used to add extra attributes for the package, but the ensure attribute will always be set to $package_ensure.
Default value: {}
install_ensure
Data type: Enum['latest','present','installed']
If installing, then this is the state that the packages should have.
- This will be overridden by anything set in options applied to an entry in the $install Hash.
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
default_options
Data type: Hash
A Hash of options to apply to all packages (both remove and install).
If ensure is entered in these options it will be overwritten.
- These options may be anything that a Puppet Package resource can normally accept.
Default value: {}
mode
Data type: Enum['warning','enforcing']
@see deferred_resources::mode
Default value: $deferred_resources::mode
log_level
Data type: Simplib::PuppetLogLevel
@see deferred_resources::log_level
Default value: $deferred_resources::log_level
deferred_resources::users
This class takes an Array of user resources to remove, and a Hash of user resources to install.
After the entire puppet catalog has been compiled, it will process both lists and, for any resource that is not already defined in the catalog, it will take the appropriate action.
An exception will be raised if you list the same user in both lists.
Parameters
The following parameters are available in the deferred_resources::users class.
remove
Data type: Array[String[1]]
A list of users to remove.
Default value: []
install
Data type: Variant[Hash, Array[String[1]]]
A list of users to install.
- A Hash can be used to add extra attributes for the user, but the ensure attribute will always be set to absent for removal and present for creation.
Default value: {}
mode
Data type: Enum['warning','enforcing']
@see deferred_resources::mode
Default value: $deferred_resources::mode
log_level
Data type: Simplib::PuppetLogLevel
@see deferred_resources::log_level
Default value: $deferred_resources::log_level
Resource types
deferred_resources
DANGER
THIS RESOURCE TYPE DOES THINGS THAT MAY BE CONFUSING MAKE SURE YOU FULLY UNDERSTAND HOW IT WORKS PRIOR TO USING IT
DANGER
WARNING: This type is NOT meant to be called directly. Please use the helper classes in the module.
This type will process after the catalog has been compiled but before it is applied. It takes a list of resources and checks for the existence of that resource in the compiled catalog. If the resource has already been defined in the catalog, it prints out a message that an action will not be performed.
If mode is set to warning, instead of adding resources to the catalog, it prints out a list of resources that would have been added.
Parameters
The following parameters are available in the deferred_resources type.
name
namevar
Unique name for this resource.
default_options
A Hash of options to be used for all resources.
Default value: Hash.new
resource_type
Valid values: /.+/
The type of Puppet resource that will be passed in :resources
resources
A Hash or Array of resources to add to the catalog.
override_existing_attributes
A Hash or Array of items that should be updated on existing attributes if they exist.
This is basically a controlled resource collector and absolutely must not be taken lightly when used since it will affect existing resources in your catalog.
If you want to be explicit, use a Resource Collector and do not set this.
If a Hash is passed, each key is the attribute that can be overridden and an optional hash of options can be passed with the following meanings.
- 'invalidates':
  - An Array of entries that this particular parameter invalidates. This means that the items in the list will be set to nil in the overridden resource.
log_level
Valid values: alert, crit, debug, notice, emerg, err, info, warning
Set the message log level for notifications.
Default value: warning
mode
Valid values: enforcing, warning
- enforcing => Actually add the resource to the catalog post-compilation
- warning => Tell the user what would be done but do not actually alter the catalog.
Default value: warning
- Tue Jun 15 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 0.4.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Thu Dec 17 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 0.3.1
- Removed EL6 support
- Wed Dec 11 2019 Trevor Vaughan tvaughan@onyxpoint.com - 0.3.0
- Add EL8 support
- Thu Oct 31 2019 Liz Nemsick lnemsick.simp@gmail.com - 0.2.3
- Remove 'ftp' and 'games' users and groups when enforcing STIG compliance.
- Support simp/simplib 5.x.
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 0.2.3
- Support puppetlabs/stdlib 6.x.
- Thu Jul 25 2019 Trevor Vaughan tvaughan@onyxpoint.com - 0.2.2
- Allow users to set 'absent' or 'purged' when removing packages.
- Tue Jul 23 2019 Liz Nemsick lnemsick.simp@gmail.com - 0.2.2
- Remove unnecessary data_provider key in the metadata.json file.
- Mon Jun 17 2019 Trevor Vaughan tvaughan@onyxpoint.com - 0.2.1
- Define deep merge strategies for the Hash and Array class arguments.
- Mon Apr 01 2019 Trevor Vaughan tvaughan@onyxpoint.com - 0.2.0
- Add deferred_resources::users
- Add deferred_resources::groups
- Add deferred_resources::files
- Add 'override_existing_attributes' capability to the 'deferred_resources' native type
- Drop Puppet 4 support
- Add Puppet 6 support
- Thu Mar 07 2019 Liz Nemsick lnemsick.simp@gmail.com - 0.1.1
- Update the upper bound of stdlib to < 6.0.0
- Update a URL in the README.md
- Thu Jul 05 2018 Jeanne Greulich jeannegreulich@onyxpoint.com - 0.1.0
- This module supports adding lists of packages to the catalog after all the manifests have been compiled. Its purpose is to support policy enforcement for the SIMP project and is not meant for general purpose use.
Dependencies
- simp/simplib (>= 3.10.0 < 5.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
deferred_resources - This module creates custom types used to add resources to the catalog after the compilation of the manifests.
Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law.
The US Government retains the right to pursue copyright protections outside of the United States.
The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.
---
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.