voxpupuli / hiera-eyaml

A backend for Hiera that provides per-value asymmetric encryption of sensitive data
MIT License

using `lookup` in data source causes unit test failures in puppet 5 #253

Open LongLiveCHIEF opened 6 years ago

LongLiveCHIEF commented 6 years ago

I've been struggling for days trying to test a new puppet 5 module that contains a hiera-eyaml data source. It seems that due to the nature of how hiera's layer hierarchy works, it's nearly impossible to prevent eyaml from decrypting a value during unit testing.

I'm using pdk (which uses rspec-puppet), and here's what I've tried and the failures I've encountered along the way:

No .pem key files

My first error when running unit tests was an error `@rb_open file does not exists /etc/puppetlabs/secure/keys/key.pem`.

To resolve this, I tried:

Both of these still resulted in the error above. It seems that since the key locations specified in the module's hiera.yaml file are now, as of puppet 4.8/5, part of hiera layer 3, they override any value/location passed using a config file defined using the EYAML_CONFIG environment variable, or even

Next, I tried:

Even though the hierarchy was no longer using the real encrypted data sources in APL, I now get errors for a bad decrypt:

```
failed: rspec: ./spec/classes/some_profile_spec.rb:26: error during compilation: Evaluation Error: Error while evaluating a Resource Statement, bad decrypt at line 2:1 on node a43bf5579874
```

I've tried just about everything, but it seems that due to the nature of specificity for layer 3 data-sources, the old ways of tricking the unit test suite to use test values no longer work.

Is there a known way/documentation/examples to unit test puppet 5 modules with eyaml data sources? A way to mock the eyaml lookup, or override the config provided by the layer 3 hiera.yaml file?

This relates to #252, since I believe if I could use variable interpolation in my layer 3 hiera.yaml file, I could easily use testing keys for testing to get rid of the bad decrypt errors in my unit testing suite.

LongLiveCHIEF commented 6 years ago

Able to reproduce: https://github.com/LongLiveCHIEF/eyaml-rspec-example-failure/blob/add-eyaml-data-source/data/sector/alpha.yaml#L5

Looks like you don't wind up with any of the bad decrypt errors, until you try to use lookup from within a data source.

To reproduce, I made it convenient by wrapping everything with docker and make:

```
git clone -b add-eyaml-data-source https://github.com/LongLiveCHIEF/eyaml-rspec-example-failure.git
cd eyaml-rspec-example-failure
make build
make test
```