Overriding Parameters in Previously Declared Puppet Resource
I would use Hiera.
Hiera lets you decouple your variable data from your Puppet manifests.
Hiera, as the name implies, is hierarchical, allowing for some interesting ways to override, as well as combine, variable data.
First, modify your sssd:: domain declaration to perform Hiera lookups for the parameters:
sssd::domain { 'LDAP':
domain_type => 'ldap',
ldap_uri => hiera('ldap_uri', 'ldaps://ldap.site.com:636'),
ldap_search_base => hiera('ldap_search_base', 'DC=site,DC=com'),
ldap_user_search_base => hiera('ldap_user_search_base', 'OU=People,DC=site,DC=com'),
ldap_group_search_base => hiera('ldap_group_search_base', 'OU=Groups,DC=site,DC=com'),
ldap_default_bind_dn => hiera('ldap_default_bind', 'CN=bindaccount,OU=ServiceAccounts,OU=People,DC=site,DC=com'),
ldap_default_authtok => hiera('ldap_default_authtok', 'soopersekretbindpw'),
simple_allow_groups => hiera_array('ldap_simple_allow_groups', ['SysAdmins','AppAdmins']),
}
In the code above, I've defined default values for each of the lookups. You could exclude those, if you like, by sticking the defaults in your most-generic Hiera data file (typically "common.yaml" or "common.json"):
common.yaml:
---
ldap_uri: ldaps://ldap.site.com:636
ldap_search_base: DC=site,DC=com
ldap_simple_allow_groups:
- SysAdmins
- AppAdmins
For the bits you want to personalize on a per-host basis, you'd create a YAML or JSON file named after the FQDN of the host in question, and put the necessary values in there.
node1.systems.private.yaml:
---
ldap_simple_allow_groups:
- SomeOtherGroup
In this example, note that ldap_simple_allow_groups
is using the hiera_array
lookup function. This will concatenate ALL the valid founds in the hierarchy. As such, node1 will get the values defined in common.yaml as well as the "SomeOtherGroup" defined in its own YAML file.
Read the Hiera lookup types documentation for more details.
While Hiera is the best way and is duely accepted, I'd like to add for completeness' sake: There is a syntax to do just this override you had in mind:
node "node1.systems.private" {
include "org::default"
Sssd::Domain<| title == 'LDAP' |> {
simple_allow_groups => ['SysAdmins','AppAdmins'],
}
}
Note that this syntax also serves to collect virtual resources, but may well be used to override resource parameters.
Obviously, this technique will lead to chaos if used consequently, so again - Hiera is superior in most cases.