I have a class for enabling firewall on nodes (using ufw, in Ubuntu):
class ufw {
package { ["ufw"]:
ensure => latest
}
exec { "enable-firewall":
command => "/usr/bin/yes | /usr/sbin/ufw enable",
unless => "/usr/sbin/ufw status | grep \"Status: active\"",
require => [Package["ufw"]]
}
}
That works fine. On the nodes where I include that class, firewalling is enabled.
Then I have another class, for enabling OpenSSH:
class openssh {
package { "openssh-server":
ensure => latest
}
service { ssh:
enable => true,
ensure => running,
require => [Package["openssh-server"]]
}
exec { "allow-openssh":
command => "/usr/sbin/ufw allow OpenSSH",
unless => "/usr/sbin/ufw status | grep \"OpenSSH.*ALLOW.*Anywhere\\|Status: inactive\"",
require => [Package["ufw"], Exec["enable-firewall"]]
}
}
As you can see it not only enables OpenSSH, but also opens up the firewall for it. The problem is when OpenSSH is used in a server that doesn't have a firewall. There I get:
warning: Configuration could not be
instantiated: Could not find
dependency Package[ufw] for
Exec[allow-openssh] at
/etc/puppet/manifests/classes/openssh.pp:19;
using cached catalog
Is there a way to require a resource so that it's executed first, but if it's not present, just drop the current resource all together?
Best Answer
I'd do a separate class in the same manifest :
which you'd include either when both ssh and ufw are there, or always and it should bork when ufw is not there but leaving the
class openssh
working.