Ask Your Question

How to create users with hiera 5?

asked 2017-11-09 09:22:24 -0500

markhorrocks gravatar image

I'm new to Hiera and would like to manage users on ubuntu, especially passwords and ssh keys with hiera. I can't find any specific documentation anywhere and wondering what would be the best practice method.

edit retag flag offensive close merge delete


Hi Markhorrocks, Are you already managing users through Puppet? If yes, are you using an existing module (like

stivesso gravatar imagestivesso ( 2017-11-09 09:31:55 -0500 )edit

Yes but not using a puppetlabs module. Here is an example of the users config. user { "mark": comment => "Markl", ensure => "present", groups => "admin", home => "/home/mark", managehome => "true", name => "mark", etc }

markhorrocks gravatar imagemarkhorrocks ( 2017-11-09 09:44:42 -0500 )edit

2 Answers

Sort by ยป oldest newest most voted

answered 2017-11-10 03:32:30 -0500

Henrik Lindberg gravatar image

updated 2017-11-10 03:33:19 -0500

What @stivesso suggested, but brought up to latest recommended best practise:

  • Use lookup() function instead of hiera() (the hiera_xxx() family of functions are deprecated in hiera 5).
  • Use iteration with each instead of create_resources()

Here I have a longer form that also shows how to use defaults in a good way, adds checking that what you get from hiera is actually a hash. Note that it uses 'first' as a merge strategy (same as @stivesso's example. You may want to change that to 'deep' to make it easy to have overrides of specific user entries in your hiera data.

lookup('profiles::usermgt::users', Hash, 'first', {}).each | $resource_title, $params| { 
  user {
    # Give the defaults so you do not have to set these the same for
    # every user in your hiera data
      ensure     => 'present',
      home       => "/home/${params['name']}",
      managehome => true, ;

     # Set all parameters from values in the hash
     # (The '* =>' construct "splats" everything in the $params hash)
     $resource_title: * => $params ;

In best practices this is preferred as it takes the magic out of what is going on inside of create_resources, and you have opportunity to do things / modify values, add notice calls when you need to debug etc. If your resource title/name is the same as the user name, you can also simplify (no need to have the same name twice; once for the resource, and once as the name attribute - I left that as an exercise).

edit flag offensive delete link more


Thanks, this works well. Could you comment about how "deep" might work please?

markhorrocks gravatar imagemarkhorrocks ( 2017-11-10 08:19:34 -0500 )edit

Thanks for that update Henrik, I think I have to update some of my old adopted practice :-) ,

stivesso gravatar imagestivesso ( 2017-11-11 09:33:02 -0500 )edit

Here is the documentation of the merge behaviours in the lookup function:

Henrik Lindberg gravatar imageHenrik Lindberg ( 2017-11-12 08:20:45 -0500 )edit

answered 2017-11-09 10:46:03 -0500

stivesso gravatar image

updated 2017-11-09 10:49:36 -0500

Hi Markhorrocks,

As you're using the classic user resource type to manage your users, my suggestion is to use create_resources for the code and hiera for data. See below an illustration of that suggestion.

Let's say you want to manage two users, mark and stiv. Without hiera, I guess you were managing these users like this :

class profiles::usermgt
  user { "mark": 
    comment            => "Markl",
    ensure             => "present",
    groups             => "admin",
    home               => "/home/mark",
    managehome         => "true",
    name               => "mark",

  user { "stiv": 
    comment            => "stiv1",
    ensure             => "present",
    groups             => "admin",
    home               => "/home/stiv",
    managehome         => "true",
    name               => "stiv",


Now using Hiera and create_resources, You will have something like this:


# Create a hash from Hiera Data with the Users
$myUsers = hiera('profiles::usermgt::users', {})

# With Create Resource Converts a hash into a set of resources
create_resources(user, $myUsers)


    comment:    'Markl'
    ensure:     'present'
    groups:     'admin'
    home:       '/home/mark'
    managehome: 'true'
    name:       'mark'
    comment:    'stivl'
    ensure:     'present'
    groups:     'admin'
    home:       '/home/stiv'
    managehome: 'true'
    name:       'stiv'
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2017-11-09 09:22:24 -0500

Seen: 259 times

Last updated: Nov 10 '17