Ask Your Question

How can I do conditional logic based on a Role?

asked 2016-06-30 15:43:11 -0500

Rob Ogilvie gravatar image

Given a Roles & Profiles pattern set up with site.pp matching nodes to roles, and roles then including profiles, is there a way to do conditional logic in my custom classes based on the assigned Role?

My specific use case has to do with Splunk. I have three Splunk servers (given the role "splunkserver") that should NOT include the Splunk Universal Forwarder. However, every other system should include the Splunk Universal Forwarder. I have a base profile that includes specifications that are essentially global, and I'd like to be able to essentially say:

if ! (the splunkserver role is defined in site.pp) {
  include profile::splunkuf
} # Else don't include the splunk universal forwarder

I'm currently defining an "exclude" parameter to the splunkuf class and setting it to true for the individual splunk servers via hiera, but I feel there should be a better way.

edit retag flag offensive close merge delete

3 Answers

Sort by ยป oldest newest most voted

answered 2016-07-03 05:06:30 -0500

updated 2016-07-06 04:26:10 -0500

While you can do this, you shouldn't. By convention, you are supposed to end up with a simple 1-to-1 relationship between roles & nodes. There would be two ways to solve this without violating the roles/profiles pattern:

1) If you regard the presence or absence of the Splunk UF as intrinsic to the role, you would create two roles, one with and one without the UF.

2) More likely, you would add the conditional logic at the profile level:

class profile::base (
) {
  if ($splunkuf) {
    include profile::base::splunkuf

In Hiera:


profile::base::splunkuf: false


profile::base::splunkuf: true
edit flag offensive delete link more


We use a similar idea for our ntp profile, everything that's not an ntp_server role is an ntp_client.

DarylW gravatar imageDarylW ( 2016-07-04 09:55:55 -0500 )edit

answered 2016-07-02 23:32:19 -0500

DarylW gravatar image

updated 2016-07-02 23:33:16 -0500

If you are using puppet4 and using hiera as your ENC, you can use the 'knockout' prefix to remove the class.. Example found here( or here(

Given data like this:


    - sensu
    - sysadmin

    - --sensu #Knockout prefix to remove the sensu class
    - nagios
    - webserver
edit flag offensive delete link more

answered 2016-06-30 18:12:09 -0500

lupin gravatar image

You can either;

Assign your specific role class(splunk server) on node definition via cert/nodename:

 node '<splunk_server_hostname>' {
       include ::role::splunkserver

Or evaluate a server role base on custom facts( you need to create a custom facts).

if $server_role == 'splunk_server" {
  include '::role::splunkserver'
edit flag offensive delete link more


The node definitions (assigning a role to each node) are the easy part; I'm wondering if I can then use that information (what role has been assigned) later in my code to exclude other classes that are otherwise defaults. Custom facts could solve this, but I'm in search of best practice.

Rob Ogilvie gravatar imageRob Ogilvie ( 2016-07-01 09:56:41 -0500 )edit

Yes, use of custom facts is another solution. See my answer above.

Alex Harvey gravatar imageAlex Harvey ( 2016-07-03 05:08:01 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2016-06-30 15:43:11 -0500

Seen: 124 times

Last updated: Jul 06 '16