Group nodes in hiera by hiera-defined fact

2015-06-09

sinned

I have a hierarchy like this:

- "nodes/%{::certname}"
- (what is here is my question)
- common

I'd like to assign a group to my nodes in their individual configuration in hiera, like this in nodes/hostname.yaml:

group: alpha

Now, I'd like to have a file alpha.yaml, where I state group-specific settings.

So my question is how do I write the hierarchy to ask hiera for the filename of the group definition?

Is there another way to achieve this?

2015-06-10

cbarbour

updated 2015-06-10 19:01:01 -0600

There are a few ways to accomplish this. The direct answer to your question is to use site.pp to define a global group variable from hiera:


$group = hiera('group', 'default')


- "nodes/%{::clientcert}"
- "groups/%{::group}"
- "common"

Alternatively, you can use Puppet to define a 'group' fact on each node. A static fact would be fine for this purpose. If you use this approach, Puppet will no longer be truly idempotent; you'll need to invoke Puppet twice to reach a converged state, because group won't be defined the first time Puppet runs (facts are evaluated before the catalog is compiled.)

With that said, what you're trying to do violates a bunch of best practices. It would be better to use an ENC to supply node data. The ENC can set the group, and group data can be stored in Hiera.

You could also define a group static fact manually, as part of provisioning.

Be aware that static facts and $::clientcert are untrusted variables; the node can override these values. Do not use these values to protect sensitive information such as passwords.

I recommend against using Hiera as a node classifier, unless your needs are very basic. This is an example of why using a real ENC is the better approach.

Actually, until yesterday I thought hiera is a poor man's ENC, in addition to a way to get constants out of the code... so those are different concepts. Thanks for the clarification. Actually, thanks for the hint that I am on the wrong path. And for the security implications as well.

sinned ( 2015-06-11 )
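The ENC approach recommended in the answer, sketched as an added example that is not part of the original thread: a minimal exec-style ENC that assigns the group on the master, so the "groups/%{::group}" hierarchy level is driven by server-side data rather than by a value the node reports. The node names, group map and default group are constructed sample data; it assumes Puppet calls the script with the node's certname as its only argument and exposes the returned `parameters` as top-scope variables.

```ruby
#!/usr/bin/env ruby
# Added example (hypothetical script): minimal external node classifier.
# Puppet runs it as `<script> <certname>` and reads a YAML hash from stdout.
require 'yaml'

# Constructed sample data: certname => group, maintained on the master only.
NODE_GROUPS = {
  'web01.example.com' => 'alpha',
  'web02.example.com' => 'alpha',
  'db01.example.com'  => 'beta'
}.freeze

DEFAULT_GROUP = 'default'

# The group name is interpolated into a Hiera file path, so restrict it to
# a conservative character set even though it comes from our own table.
GROUP_NAME = /\A[a-z0-9_]+\z/

# Look up the group for a certname; unknown nodes fall back to the default.
def group_for(certname)
  group = NODE_GROUPS.fetch(certname.to_s.downcase, DEFAULT_GROUP)
  raise ArgumentError, "bad group name #{group.inspect}" unless group.match?(GROUP_NAME)
  group
end

# Build the classification hash: no classes here, only the 'group' parameter,
# which Hiera can then reference as %{::group}.
def classify(certname)
  { 'classes' => [], 'parameters' => { 'group' => group_for(certname) } }
end

# Serialize the classification as the YAML document the ENC prints.
def enc_output(certname)
  classify(certname).to_yaml
end

# Only emit output when invoked the way an ENC is: one certname argument.
if __FILE__ == $PROGRAM_NAME && ARGV.length == 1
  puts enc_output(ARGV[0])
end
```

The script is wired in through the `node_terminus = exec` and `external_nodes` settings in puppet.conf on the master.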

