Ubuntu – Depend on a resource only if it exists in Puppet

puppetUbuntuufw

I have a class for enabling firewall on nodes (using ufw, in Ubuntu):

class ufw {
  package { ["ufw"]:
    ensure => latest
  }

  exec { "enable-firewall":
    command => "/usr/bin/yes | /usr/sbin/ufw enable",
    unless => "/usr/sbin/ufw status | grep \"Status: active\"",
    require => [Package["ufw"]]
  }
}

That works fine. On the nodes where I include that class, firewalling is enabled.

Then I have another class, for enabling OpenSSH:

class openssh {
  package { "openssh-server":
    ensure => latest
  }

  service { ssh:
    enable => true,
    ensure => running,
    require => [Package["openssh-server"]]
  }

  exec { "allow-openssh":
    command => "/usr/sbin/ufw allow OpenSSH",
    unless => "/usr/sbin/ufw status | grep \"OpenSSH.*ALLOW.*Anywhere\\|Status: inactive\"",
    require => [Package["ufw"], Exec["enable-firewall"]]
  }
}

As you can see it not only enables OpenSSH, but also opens up the firewall for it. The problem is when OpenSSH is used in a server that doesn't have a firewall. There I get:

warning: Configuration could not be
instantiated: Could not find
dependency Package[ufw] for
Exec[allow-openssh] at
/etc/puppet/manifests/classes/openssh.pp:19;
using cached catalog

Is there a way to require a resource so that it's executed first, but if it's not present, just drop the current resource all together?

Best Answer

I'd do a separate class in the same manifest :

class openssh::ufw {
  exec { "allow-openssh":
    command => "/usr/sbin/ufw allow OpenSSH",
    unless => "/usr/sbin/ufw status | grep \"OpenSSH.*ALLOW.*Anywhere\\|Status: inactive\"",
    require => [Package["ufw"], Exec["enable-firewall"], Package["openssh-server"], Service["ssh"]]
  }
}

which you'd include either when both ssh and ufw are there, or always and it should bork when ufw is not there but leaving the class openssh working.

Related Topic