Overriding Parameters in Previously Declared Puppet Resource

puppet authentication sssd

I would use Hiera.

Hiera lets you decouple your variable data from your Puppet manifests.

Hiera, as the name implies, is hierarchical, allowing for some interesting ways to override, as well as combine, variable data.

First, modify your sssd:: domain declaration to perform Hiera lookups for the parameters:

sssd::domain { 'LDAP':
    domain_type            => 'ldap',
    ldap_uri               => hiera('ldap_uri', 'ldaps://ldap.site.com:636'),
    ldap_search_base       => hiera('ldap_search_base', 'DC=site,DC=com'),
    ldap_user_search_base  => hiera('ldap_user_search_base', 'OU=People,DC=site,DC=com'),
    ldap_group_search_base => hiera('ldap_group_search_base', 'OU=Groups,DC=site,DC=com'),
    ldap_default_bind_dn   => hiera('ldap_default_bind', 'CN=bindaccount,OU=ServiceAccounts,OU=People,DC=site,DC=com'),
    ldap_default_authtok   => hiera('ldap_default_authtok', 'soopersekretbindpw'),
    simple_allow_groups    => hiera_array('ldap_simple_allow_groups', ['SysAdmins','AppAdmins']),
}

In the code above, I've defined default values for each of the lookups. You could exclude those, if you like, by sticking the defaults in your most-generic Hiera data file (typically "common.yaml" or "common.json"):

common.yaml:

---
ldap_uri: ldaps://ldap.site.com:636
ldap_search_base: DC=site,DC=com
ldap_simple_allow_groups:
 - SysAdmins
 - AppAdmins

For the bits you want to personalize on a per-host basis, you'd create a YAML or JSON file named after the FQDN of the host in question, and put the necessary values in there.

node1.systems.private.yaml:

---
ldap_simple_allow_groups:
 - SomeOtherGroup

In this example, note that ldap_simple_allow_groups is using the hiera_array lookup function. This will concatenate ALL the valid founds in the hierarchy. As such, node1 will get the values defined in common.yaml as well as the "SomeOtherGroup" defined in its own YAML file.

Read the Hiera lookup types documentation for more details.


While Hiera is the best way and is duely accepted, I'd like to add for completeness' sake: There is a syntax to do just this override you had in mind:

node "node1.systems.private" {
  include "org::default"

  Sssd::Domain<| title == 'LDAP' |> {
    simple_allow_groups => ['SysAdmins','AppAdmins'],
  }
}

Note that this syntax also serves to collect virtual resources, but may well be used to override resource parameters.

Obviously, this technique will lead to chaos if used consequently, so again - Hiera is superior in most cases.

Related

How does the barbarian "revenge" skill work?
Where to find the Old Keepsake Box?
What are the extra icons that sometimes show up on Okami HUD during combat?
What is a good (non legendary) crafting item to invest in?
How do you drop the intelligence/Australium?
Where do I find the Minecraft tribute?
How should I be getting hold of my first gun?
Skipping laser weapon research in favor of plasma weapons
Is there any way to prevent Battle.net from locking an account while traveling
Where can I find a Portal Gem, and how does it work?
How do I turn off disasters in SimCity?
Do I need my Starcraft 2: Wings of Liberty disk for Heart of the Swarm?