The only trickiness that I'm aware of is in the file resource type.
Backup for replaced files behaves differently, using the server's filebucket by default instead of the local filebucket.
The more significant thing to be aware of is the source parameter.
source => '/tmp/somepath/sshd_config',
With a raw file path, it'll always try the local path.
source => 'puppet://puppetmaster1/modules/sshd/sshd_config',
With a puppet://server/ path, it'll always try the remote path.
source => 'puppet:///modules/sshd/sshd_config',
With an empty server specification, then it gets interesting.
Applied locally, the local puppet module path is used to find the file.
When reporting to a puppetmaster, the server that gave it the manifest is treated as the server.
Additionally, if you need to get creative about the source of a file, you can give the source parameter a list:
source => [ '/tmp/somepath/sshd_config', 'puppet:///modules/sshd/sshd_config'],
The first location where something's found will be used.
The documentation for the Puppet File Server should be able to cover most of what you are asking. In particular see the security section.
First a note. If you have autosign enabled, then pretty much any security offered is moot. You should verify each certificate. Since security settings you configure will be based on the hostname/certname or a regex match on them, having autosign enabled would potentially mean that any untrusted system could simply request a cert for a name that matched a pattern that had access to secret files.
By default anything in the special plugins and modules fileserver mounts is available to any client. But this can be controlled to a certain extent through the configuration.
You can also set up custom 'mounts' that point to specific locations. An example is provided in the documentation about how to create a [private] mount for distributing private SSH keys. The host name is used as part of the mount path, so a given host can only see files that belong to it.
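A check for the autosign caveat above, as an added example that is not part of the original answers or of Puppet itself: it reads puppet.conf and autosign.conf contents and lists the settings that let a certificate be signed without review. The function names and the sample file contents are constructed for illustration, and the caller is assumed to pass in the text of whichever file the autosign setting points to.

```python
# Constructed sample inputs (not from the original post).
PUPPET_CONF = """\
[main]
    certname = puppetmaster1
[master]
    autosign = /etc/puppet/autosign.conf
"""
AUTOSIGN_CONF = "# build farm\n*.example.com\nbuild01.example.com\n"


def parse_puppet_conf(text):
    """Read puppet.conf into {section: {setting: value}}; indented lines are fine."""
    conf, section = {}, "main"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf.setdefault(section, {})[key] = value
    return conf


def audit_autosign(puppet_conf, autosign_conf=""):
    """List autosign settings that undercut certname-based file server rules."""
    conf = parse_puppet_conf(puppet_conf)
    value = None
    # Later sections override [main]; [master] is the older name for [server].
    for section in ("main", "master", "server"):
        value = conf.get(section, {}).get("autosign", value)
    if value == "true":
        return ["autosign = true: every certificate request is signed"]
    if value == "false":
        return []  # the allowlist file is not consulted
    findings = []
    for entry in autosign_conf.splitlines():
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        kind = "glob" if "*" in entry else "entry"
        findings.append(f"autosign.conf {kind} '{entry}' is signed without review")
    return findings


if __name__ == "__main__":
    for finding in audit_autosign(PUPPET_CONF, AUTOSIGN_CONF):
        print(finding)
```

Any certname or glob it reports should be compared against the names that the file server configuration grants access to, since a requester can pick a certname that matches both.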
Best Answer
I just found out the problem. First, instead of 'file' use 'directory' at the ensure parameter. Second, make the copy process recursive to include all sub-folders.