Write a deferred function to store secrets

Use the Deferred type to create a function that you add to a module to redact sensitive information.

These instructions use Puppet Development Kit (PDK), our recommended tool for creating modules. The steps were written for RHEL 7.

  1. Install PDK using the command appropriate to your system.

    You might have to restart your command-line interface for pdk commands to be in your path.

  2. From a working directory, run the following commands. You can accept the default answers to the questions that the commands ask.
    1. pdk new module mymodule
    2. cd mymodule
    3. pdk new class mymodule
    4. mkdir -p lib/puppet/functions/mymodule
  3. Paste this code into manifests/init.pp.
    # This is a simple example of calling a function at catalog apply time.
    #
    # @summary Demonstrates calling a Deferred function that is housed with this module in lib/puppet/functions/mymodule/myupcase.rb
    #
    # @example
    #   puppet apply manifests/init.pp
    class mymodule {
      $d = Deferred('mymodule::myupcase', ['mysecret'])
    
      notify { 'example':
        message => $d,
      }
    }
    
    class { 'mymodule': }
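  4. Paste this code into lib/puppet/functions/mymodule/myupcase.rb.
    # Runs on the agent at catalog apply time when called through Deferred.
    Puppet::Functions.create_function(:'mymodule::myupcase') do
      # Accept exactly one String argument and route it to the up method.
      dispatch :up do
        param 'String', :some_string
      end
    
      # Upcase the input and wrap the result in Sensitive so that it is redacted.
      def up(some_string)
        Puppet::Pops::Types::PSensitiveType::Sensitive.new(some_string.upcase)
      end
    end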
  5. Run /opt/puppetlabs/bin/puppet apply manifests/init.pp. This outputs a notice.

    The use of Sensitive in the up function tells the agent not to store the cleartext value in logs or reports. On the command line and in the Puppet Enterprise console, sensitive data appears as [redacted].

    Note: The workflow using Deferred functions is the same module adoption workflow that you already use for other modules; you can package functions in a module that are synced down to agents. In most cases, you add the new module to your Puppetfile.
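
To pass the deferred value to a resource other than notify, nest the Deferred call inside a second deferred call that renders the content on the agent. The following manifest is an added example, not part of the original instructions; the class name mymodule::config and the path /etc/mymodule_secrets.conf are assumptions.

```puppet
# Added example: consume the Sensitive value returned by mymodule::myupcase
# in a file resource. The class name and the file path are hypothetical.
class mymodule::config {
  # A Deferred nested inside another Deferred's arguments is resolved on the
  # agent first, so $password in the template is the Sensitive result.
  $variables = {
    'password' => Deferred('mymodule::myupcase', ['mysecret']),
  }

  file { '/etc/mymodule_secrets.conf':
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    # inline_epp also runs on the agent; unwrap exposes the real value only
    # while the file content is rendered.
    content   => Deferred('inline_epp', ['PASSWORD=<%= $password.unwrap %>', $variables]),
    # The rendered content is a plain String, so turn off content diffs to
    # keep the value out of logs and reports.
    show_diff => false,
  }
}
```

Because 'mysecret' is written as a literal argument, it is still part of the compiled catalog; Sensitive protects only the value that the function returns.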