Puppet dependency ordering with ensure absent


Puppet supports the concept of resource dependencies where one resource will not be synced until another is synced first. For example, the following Puppet fragment will create the user user1 and the group group1 but it will create the group first:

group { 'group1': 
  ensure => present
}

user { 'user1':
  ensure  => present,
  gid     => 'group1',
  require => Group['group1']
}

My question is: how do dependencies work when the ensure parameter is changed from "present" to "absent":

group { 'group1': 
  ensure => absent
}

user { 'user1':
  ensure  => absent,
  gid     => 'group1',
  require => Group['group1']
}

What does Puppet do in a case like this? Does it remove the group first, or the user first? Or perhaps the order is not defined?

In general, how would you ensure that one resource is not present only when some other resource is already not present?

Best Answer

You can remove "require => Group['group1']" from the user resource and the resources will still be created properly. You can then use a conditional to change the relationship between User and Group when trying to "ensure => absent".

$ensure = 'absent'

if $ensure == 'absent' {
    User['user1'] -> Group['group1']
}

group { 'group1':
    ensure => $ensure
}

user { 'user1':
    ensure  => $ensure,
    gid     => 'group1',
}

Here is an existing bug report:

http://projects.puppetlabs.com/issues/9622