dayglojesus / managedmac

Comprehensive Puppet module for OS X.
http://dayglojesus.github.io/managedmac/
Apache License 2.0

managedmac::activedirectory class needs a seatbelt #59

Closed dayglojesus closed 9 years ago

dayglojesus commented 9 years ago

Binding to AD using a profile is great, except for one thing...

When you change the content of a profile, it's an all or nothing operation. If you need to modify one of the plugin settings after you've deployed the profile, the entire profile will be removed and reinstalled.

However, if your AD is not available when this happens, you will wind up with cascading Puppet resource failures. Fun!

Example:

As a workaround, create a new class param that will force a check of the availability of the specified Active Directory domain before attempting any operations.

dayglojesus commented 9 years ago

There aren't a lot of choices when it comes to executing conditional resource application in Puppet. The constructs and language features are there, but they're not flexible enough to deal with dynamic environments.

Functions are handy, but they suck if you need information specific to the client because they're executed by the Puppet Master. This makes sense because it's the Puppet Master that should be determining state, not the client. Still, this one-way street can be aggravating when your client doesn't live at a fixed address. If they ride around town in a Winnebago, and you never know what street they're going to be on, you are basically f'd.

Apart from building conditional logic into the type/provider, there's really only one choice...

Facter.

dayglojesus commented 9 years ago

Also... How do I test this? It would take more time to write the test than the code itself.

dayglojesus commented 9 years ago

Facter doesn't understand booleans. Hiera doesn't understand Facter. Puppet equates undef with empty.

Ginja commented 9 years ago

Sounds like a typical party.

dayglojesus commented 9 years ago

Does Chef have real data types? Cuz, I am fed up. Get it? Chef? Fed? Nevermind...

dayglojesus commented 9 years ago

This is going to be my longest commit message ever, and I didn't even rant.

dayglojesus commented 9 years ago

So, this new parameter basically affords you a seatbelt for performing conditional evaluation of the only resource in the class, the 'managedmac.activedirectory.alacarte' mobileconfig.

If $evaluate is "yes", "true" or undef, the mobileconfig gets evaluated. Otherwise, evaluation of the resource is skipped.

You can use a fact like the one in this Gist to determine state.

And then use the interpolated fact in your Hiera, like this...

managedmac::activedirectory::evaluate: "%{::domain_available?}"
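
One way a fact of the kind mentioned in the last comment could be written, shown as an added example (it is not the linked Gist and not the module's own code). The domain name, the helper names and the choice of an SRV lookup followed by a TCP connect are assumptions; only the fact name `domain_available?` and the "yes"/"true"/undef rule come from the thread.

```ruby
require 'resolv'
require 'socket'

AD_DOMAIN = 'ad.example.com' # hypothetical; use the domain the profile binds to

# The rule from the comment above: "yes", "true" or undef evaluates the
# mobileconfig, anything else skips it. Assumption: an empty string counts as
# undef, following the thread's remark that Puppet equates undef with empty.
def evaluate_resource?(value)
  v = value.to_s.strip.downcase
  v.empty? || %w[yes true].include?(v)
end

# SRV records for the domain's LDAP domain controllers; [] on any DNS failure.
# `resolver` is injectable so the logic can be exercised without a network.
def dc_srv_records(domain, resolver: nil)
  resolver ||= Resolv::DNS.new.tap { |r| r.timeouts = 2 }
  resolver.getresources("_ldap._tcp.dc._msdcs.#{domain}",
                        Resolv::DNS::Resource::IN::SRV)
rescue StandardError
  []
end

# True if a TCP connection to host:port succeeds within `timeout` seconds.
def reachable?(host, port, timeout: 2)
  Socket.tcp(host, port, connect_timeout: timeout) { true }
rescue StandardError
  false
end

# Returns the strings "yes"/"no" rather than booleans, so the value survives
# Facter and Hiera interpolation unchanged.
def domain_available(domain, resolver: nil, probe: method(:reachable?))
  records = dc_srv_records(domain, resolver: resolver)
  records.any? { |r| probe.call(r.target.to_s, r.port) } ? 'yes' : 'no'
end

# Register the fact only when loaded by Facter (e.g. from a module's lib/facter).
if defined?(Facter)
  Facter.add('domain_available?') do
    confine kernel: 'Darwin'
    setcode { domain_available(AD_DOMAIN) }
  end
end
```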