Write a Puppet function to store secrets

This version is out of date. For current versions, see Puppet packages and versions.

Use the Deferred type to create a function that you add to a module to redact sensitive information.

These instructions use Puppet Development Kit (PDK), our recommended tool for creating modules. The steps are also based on RHEL 7 OS.

  1. Install PDK using the following commands:
    1. sudo rpm -Uvh https://yum.puppet.com/puppet5-release-el-7.noarch.rpm
    2. sudo yum install pdk

      You might have to restart your command-line interface for pdk commands to be in your path.

  2. From a working directory, run the following commands. You can accept the default answers to the questions for the steps.
    1. pdk new module mymodule
    2. cd mymodule
    3. pdk new class mymodule
    4. mkdir -p lib/puppet/functions
  3. Paste this code into manifests/init.pp.
    # This is a simple example of calling a function at catalog apply time.
    # @summary Demonstrates calling a Deferred function that is housed with this module in lib/puppet/functions/myupcase.rb
    # @example
    #   puppet apply manifests/init.pp
    class mymodule {
      # Deferred records the call in the catalog; the agent runs it at apply time.
      $d = Deferred("mymodule::myupcase", ["mysecret"])

      notify { example :
        message => $d
      }
    }

    # Declare the class so that `puppet apply manifests/init.pp` evaluates it.
    class { 'mymodule': }
  4. Paste this code into lib/puppet/functions/myupcase.rb
    Puppet::Functions.create_function(:'mymodule::myupcase') do
      dispatch :up do
        param 'String', :some_string
      end
      def up(some_string)
        Puppet::Pops::Types::PSensitiveType::Sensitive.new(some_string.upcase)
      end
    end
  5. Run /opt/puppetlabs/bin/puppet apply manifests/init.pp. This outputs a notice.

    The use of Sensitive in the up function tells the agent not to store the cleartext value in logs or reports. On the command line and in the Puppet Enterprise console, sensitive data appears as [redacted].

    Note: The workflow using Deferred functions is the same module adoption workflow that you already use for other modules; you can package functions in a module that are synced down to agents. In most cases, you add the new module to your Puppetfile.

Deferred functions - notes on using

Notes for consideration when working with Deferred functions.

Important info about using Deferred

  • If an agent is applying a cached catalog, the Deferred function is still called at application time, and the value returned at that time is the value that is used.
  • It is the responsibility of the function to handle edge cases such as providing default or cached values in cases where a remote store is unavailable.
  • Deferred supports only the Puppet function API for Ruby.
  • If a function called on the agent side does not return Sensitive, you can wrap the value returned by Deferred in a Sensitive type if a sensitive value is desired. For example: $d = Sensitive(Deferred("myupcase", ["example value"]))
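
The following Ruby helper is an added example, not part of the Puppet documentation or code base. It shows one way a Deferred function could handle an unavailable remote store: try the store, fall back to a cached value, then to a default, and otherwise fail the run. The module name SecretCache, its file location, and query_store are assumptions.

```ruby
# Hypothetical helper; a module could ship it as lib/puppet_x/mymodule/secret_cache.rb
# (path and names are assumptions) and require it from the function file.
require 'fileutils'

module SecretCache
  class Unavailable < StandardError; end

  # Returns [value, source], where source is :remote, :cache or :default.
  # The block is any callable that returns the secret string, or raises
  # when the remote store cannot be reached.
  def self.resolve(cache_path, default: nil, &fetcher)
    begin
      value = fetcher.call
      raise Unavailable, 'store returned an empty value' if value.nil? || value.empty?
    rescue StandardError => e
      # Remote store failed: prefer the last known good value, then the default.
      return [File.read(cache_path), :cache] if File.file?(cache_path)
      return [default, :default] unless default.nil?
      # Fail the run rather than apply a blank secret. Only the error class
      # is reported, so the message never carries secret material.
      raise Unavailable, "secret store unavailable, no cached or default value (#{e.class})"
    end
    write_cache(cache_path, value)
    [value, :remote]
  end

  # Write the cache atomically with owner-only permissions, so a crash
  # mid-write cannot leave a truncated or world-readable secret on disk.
  def self.write_cache(path, value)
    FileUtils.mkdir_p(File.dirname(path), mode: 0o700)
    tmp = "#{path}.#{Process.pid}.tmp"
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(value) }
    File.rename(tmp, path)
  end
end

# Inside the function's method (like `up` above), the agent-side call would be, for example:
#   value, _source = SecretCache.resolve(cache_file) { query_store(key) }  # query_store is hypothetical
#   Puppet::Pops::Types::PSensitiveType::Sensitive.new(value)
```

Because the cache holds the cleartext secret on the agent, keep it in a directory that only the Puppet agent user can read.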