voxpupuli / hiera-eyaml

A backend for Hiera that provides per-value asymmetric encryption of sensitive data
MIT License

Allow execution of Puppet functions from Hiera #336

Open tuxmea opened 1 year ago

tuxmea commented 1 year ago

It should be possible to call puppet functions directly from Hiera. e.g.

stdlib::manage::create_resources:
  file:
    '/etc/app/db.cfg':
      ensure: 'file'
      content: "%{epp('profile/app/db.cfg.epp')}"

Hiera should then return the epp parsed content.

How are we able to solve this? Which syntax would be possible or recommended?

tuxmea commented 1 year ago

Note: the above is just an example. It should be possible to execute any Puppet function, like upcase, template, keys, profile::get_url, ... Maybe limit to custom functions only, omitting Puppet DSL functions.

ekohl commented 1 year ago

There's a risk of recursion, like calling lookup().

tuxmea commented 1 year ago

> There's a risk of recursion, like calling lookup().

The risk of recursion is there at the moment too, when using lookup or alias. I assume I saw some Ruby code which takes care of this.

hlindberg commented 1 year ago

A recursion guard is indeed implemented in hiera 5. I wrote a puppet language backend (available in my github.com/hlindberg/tahu module) that interprets all data as puppet language "snippets". With it, it is possible to call any function from within hiera data, and it does recursion checks.
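
The two concerns raised in this thread, limiting which functions data may call and guarding against recursive lookups, sketched as an added example (not code from hiera, hiera-eyaml or tahu). `ToyResolver`, its error classes, the allowlist and the sample data are assumptions made for illustration; only the `%{name('arg')}` form follows the syntax proposed in the issue.

```ruby
class RecursiveLookupError < StandardError; end
class FunctionNotAllowedError < StandardError; end

# Hypothetical resolver: expands %{name('arg')} calls found in data values.
class ToyResolver
  # Function name (optionally namespaced with ::) and one single-quoted argument.
  CALL = /%\{(\w+(?:::\w+)*)\('([^']*)'\)\}/

  def initialize(data, functions)
    @data = data
    @functions = functions # allowlist: name => callable
  end

  def lookup(key, stack = [])
    # Recursion guard: a key already being resolved must not be resolved again.
    if stack.include?(key)
      raise RecursiveLookupError, "recursive lookup: #{(stack + [key]).join(' -> ')}"
    end
    raise KeyError, "no such key: #{key}" unless @data.key?(key)
    interpolate(@data[key], stack + [key])
  end

  private

  def interpolate(value, stack)
    case value
    when String
      value.gsub(CALL) do
        name, arg = Regexp.last_match(1), Regexp.last_match(2)
        next lookup(arg, stack).to_s if name == 'lookup'
        # Anything not explicitly allowlisted is refused, never evaluated.
        fn = @functions.fetch(name) { raise FunctionNotAllowedError, "function not allowed: #{name}" }
        fn.call(arg).to_s
      end
    when Hash then value.transform_values { |v| interpolate(v, stack) }
    when Array then value.map { |v| interpolate(v, stack) }
    else value
    end
  end
end

# Constructed sample data and allowlist.
SAMPLE_DATA = {
  'app::name'  => 'shop',
  'app::title' => "%{upcase('shop')} for %{lookup('app::name')}",
  'app::url'   => "%{profile::get_url('db')}",
  'loop::a'    => "%{lookup('loop::b')}",
  'loop::b'    => "%{lookup('loop::a')}"
}.freeze
ALLOWED = { 'upcase' => ->(s) { s.upcase } }.freeze
```

The guard tracks the chain of keys currently being resolved, so the error message names the full cycle rather than only the key that closed it.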