Conversation
…e documentation - Add Ansible, Hiera, and Puppet Server integration manifests - Remove custom and Terraform integration manifests (replaced by standard integrations) - Update Bolt and PuppetDB integration configurations - Expand README with complete setup, usage, and configuration documentation - Add detailed integration reference guide with examples - Update common.yaml with enhanced default configuration - Update docker SSL example with improved certificate handling - Refactor main module manifest with integration management logic - Update npm and docker installation methods with .env file generation - Establish concat-based .env file structure for multi-integration configuration
…iguration - Add GitHub Actions PR workflow for syntax validation and unit tests across Puppet 6, 7, and 8 - Refactor integration configuration from nested structure to flat parameter hierarchy for better clarity - Update common.yaml with simplified integration array and per-integration parameter documentation - Enhance integration manifests with improved parameter handling and documentation - Update full_integrations.pp example to reflect new configuration structure - Improve init.pp with refined integration inclusion logic and parameter management - Enables easier toggling of integrations via enabled parameter while maintaining pre-configuration capability
There was a problem hiding this comment.
Pull request overview
This PR refactors the module’s integration configuration to be .env-driven (via puppetlabs/concat), adds/expands multiple integrations (Bolt, PuppetDB, Puppet Server, Hiera, Ansible), and updates installation classes (npm/Docker) to generate the base .env configuration.
Changes:
- Replace the old integration enablement flags/hash with an
integrationsarray and have integrations emit.envfragments. - Add new integrations (Ansible, Hiera, Puppet Server) and rework existing Bolt/PuppetDB integration manifests to align with
.envconfiguration and optional source-based content management. - Expand documentation/default Hiera data and add a GitHub Actions workflow for validations/unit tests.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 13 comments.
Show a summary per file
| File | Description |
|---|---|
| manifests/integrations/terraform.pp | Removes Terraform stub integration class. |
| manifests/integrations/custom.pp | Removes custom stub integration class. |
| manifests/integrations/puppetserver.pp | Adds Puppet Server integration that writes settings to .env and manages SSL assets. |
| manifests/integrations/puppetdb.pp | Refactors PuppetDB integration from YAML config output to .env fragments + SSL asset sourcing. |
| manifests/integrations/hiera.pp | Adds Hiera integration with optional package management and control-repo cloning + .env. |
| manifests/integrations/bolt.pp | Refactors Bolt integration to .env-based config and optional repo/package management. |
| manifests/integrations/ansible.pp | Adds Ansible integration with optional package management, repo cloning, and .env output. |
| manifests/install/npm.pp | Adds base .env creation via concat and new auth/log/db settings for npm install method. |
| manifests/install/docker.pp | Adds base .env creation via concat, mounts .env into the container, and adds auth/log/db settings. |
| manifests/init.pp | Switches to integrations array and includes integration classes accordingly. |
| examples/full_integrations.pp | Updates example to new integrations model and parameters (but currently redeclares classes). |
| examples/docker_custom_ssl.pp | Updates example Docker image reference. |
| data/common.yaml | Updates defaults to integrations array model and adds integration/install .env-related settings. |
| README.md | Major documentation expansion describing .env model, integrations, and examples. |
| .github/workflows/pr.yml | Adds CI workflow for PDK validation and unit tests (currently non-blocking). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
manifests/init.pp
Outdated
| # Process integrations - simply include each class | ||
| $integrations.each |String $name| { | ||
| $integration_class = "pabawi::integrations::${name}" | ||
|
|
||
| # Log that we're attempting to enable this integration | ||
| # If the class doesn't exist, Puppet will fail with a descriptive error | ||
| # This is intentional - missing integration classes should be caught early | ||
| notify { "pabawi_integration_${name}": | ||
| message => "Enabling integration: ${integration_class}", | ||
| loglevel => 'notice', | ||
| } | ||
|
|
||
| # Include the integration class | ||
| # Puppet will fail compilation if the class doesn't exist | ||
| include $integration_class | ||
| notify { "pabawi_integration_${name}": | ||
| message => "Enabling integration: ${integration_class}", | ||
| loglevel => 'notice', | ||
| } | ||
|
|
||
| include $integration_class | ||
| } |
There was a problem hiding this comment.
The integrations array is used to build class names and notify resource titles, but there’s no validation for invalid segment names or duplicates. If the array contains invalid characters, Puppet will error on an invalid class name; if it contains duplicates, notify { "pabawi_integration_${name}" } will be declared twice and fail compilation. Consider validating each $name against a strict pattern (e.g., integration name segment) and de-duplicating the list before iterating.
There was a problem hiding this comment.
@copilot open a new pull request to apply changes based on this feedback allowed integrations are puppetdb, puppetserver, hiera, bolt, ansible
| # Clone playbook repository if source is provided | ||
| if $playbook_source and $playbook_path { | ||
| # Ensure parent directory exists | ||
| $playbook_parent_dir = dirname($playbook_path) | ||
| exec { "create_ansible_playbook_parent_dir_${playbook_path}": | ||
| command => "mkdir -p ${playbook_parent_dir}", | ||
| path => ['/usr/bin', '/bin'], |
There was a problem hiding this comment.
When playbook_source is provided but playbook_path is undef, the module silently skips cloning and writes an empty ANSIBLE_PLAYBOOK_PATH to .env. This is difficult to debug and likely unintended. Add a validation that fails if playbook_source is set without playbook_path (or make playbook_path required when playbook_source is used).
There was a problem hiding this comment.
@copilot open a new pull request to apply changes based on this feedback if enabled is true the playbook path and inventory path are mandatory
| elsif $source =~ /^https:\/\/.+$/ { | ||
| exec { "download_puppetserver_${name}": | ||
| command => "curl -sL -o ${dest_path} ${source}", | ||
| path => ['/usr/bin', '/bin'], | ||
| creates => $dest_path, | ||
| } | ||
| -> file { $dest_path: | ||
| ensure => file, | ||
| mode => $mode, | ||
| owner => 'root', | ||
| group => 'root', | ||
| } |
There was a problem hiding this comment.
The https certificate download relies on curl via an exec but doesn’t ensure curl is installed and doesn’t verify the downloaded content (checksum/signature). This is fragile on minimal hosts and has security implications. Prefer a managed/verified download approach, or at least manage the curl package and add appropriate safeguards.
There was a problem hiding this comment.
add optional curl package installation (default true)
| # PuppetDB integration configuration | ||
| # pabawi::integrations::puppetdb::enabled: true # Set to false to disable but keep configured | ||
| pabawi::integrations::puppetdb::server_url: 'https://puppetdb.example.com:8081' | ||
| # pabawi::integrations::puppetdb::port: 8081 | ||
| # pabawi::integrations::puppetdb::ssl_enabled: true | ||
| # pabawi::integrations::puppetdb::ssl_cert: 'file:///etc/puppetlabs/puppet/ssl/certs/agent.pem' | ||
| # pabawi::integrations::puppetdb::ssl_key: 'file:///etc/puppetlabs/puppet/ssl/private_keys/agent.pem' | ||
| # pabawi::integrations::puppetdb::ssl_ca: 'file:///etc/puppetlabs/puppet/ssl/certs/ca.pem' | ||
| # pabawi::integrations::puppetdb::ssl_reject_unauthorized: true |
There was a problem hiding this comment.
The commented PuppetDB SSL parameters (ssl_cert, ssl_key, ssl_ca) are shown as file://... URIs, but in the manifests these parameters represent file paths that are written into .env; the *_source parameters are the ones that accept file:///https:// sources. These examples will mislead users into putting URIs where paths are expected.
There was a problem hiding this comment.
@copilot open a new pull request to apply changes based on this feedback
| class pabawi ( | ||
| Boolean $proxy_manage = true, | ||
| String[1] $proxy_class = 'pabawi::proxy::nginx', | ||
| Boolean $install_manage = true, | ||
| String[1] $install_class = 'pabawi::install::npm', | ||
| Boolean $bolt_enable = false, | ||
| Boolean $puppetdb_enable = false, | ||
| Hash[String[1], Boolean] $integrations = {}, | ||
| Array[String[1]] $integrations = [], | ||
| ) { |
There was a problem hiding this comment.
This change removes bolt_enable, puppetdb_enable, and the integrations hash, but the existing unit spec still references those parameters (e.g., bolt_enable: true, integrations hash values). That spec will fail to compile against the updated class interface; it should be updated to pass integrations => [...] and assert the included integration classes accordingly.
There was a problem hiding this comment.
@copilot open a new pull request to apply changes based on this feedback
| elsif $source =~ /^https:\/\/.+$/ { | ||
| exec { "download_puppetdb_${name}": | ||
| command => "curl -sL -o ${dest_path} ${source}", | ||
| path => ['/usr/bin', '/bin'], | ||
| creates => $dest_path, | ||
| } | ||
| -> file { $dest_path: | ||
| ensure => file, | ||
| mode => $mode, | ||
| owner => 'root', | ||
| group => 'root', | ||
| } |
There was a problem hiding this comment.
The https certificate download uses exec with curl, but the module doesn’t ensure curl is installed and doesn’t perform any integrity verification (checksum/signature). This can break runs on minimal systems and has security implications. Prefer a managed download mechanism with verification (or at least manage the curl package and add failure handling).
| # | ||
| class pabawi::integrations::puppetserver ( | ||
| Boolean $enabled = true, | ||
| Optional[String[1]] $server_url = undef, |
There was a problem hiding this comment.
server_url is documented as a URL, but it’s only typed as Optional[String[1]]. Since this is written directly into .env, invalid values won’t be caught until runtime. Consider constraining this to a URL pattern (and align expectations with the separate port parameter).
| Optional[String[1]] $server_url = undef, | |
| Optional[Stdlib::HTTPUrl] $server_url = undef, |
| class { 'pabawi': | ||
| bolt_enable => true, | ||
| puppetdb_enable => true, | ||
| integrations => { | ||
| 'terraform' => true, | ||
| 'custom' => true, | ||
| }, | ||
| integrations => ['bolt', 'puppetdb', 'hiera'], | ||
| } | ||
|
|
||
| # Configure Bolt integration via Hiera or class parameters | ||
| class { 'pabawi::integrations::bolt': | ||
| project_path => '/opt/bolt-project', | ||
| bolt_settings => { | ||
| 'timeout' => 300, | ||
| 'concurrency' => 10, | ||
| }, | ||
| project_path => '/opt/bolt-project', | ||
| command_whitelist => ['plan run', 'task run'], | ||
| execution_timeout => 300000, | ||
| manage_package => false, | ||
| } |
There was a problem hiding this comment.
This example declares class { 'pabawi': integrations => [...] }, which will include each integration class, and then later declares those same integration classes again with parameters. In Puppet this results in a class redeclaration/parameter conflict. To keep the example runnable, either configure integrations via Hiera (and don’t redeclare the classes here) or remove them from the integrations array and declare the integration classes explicitly once.
|
@alvagante I've opened a new pull request, #2, to work on those changes. Once the pull request is ready, I'll request review from you. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
@alvagante I've opened a new pull request, #3, to work on those changes. Once the pull request is ready, I'll request review from you. |
…abled is true Co-authored-by: alvagante <283804+alvagante@users.noreply.github.com>
|
@alvagante I've opened a new pull request, #4, to work on those changes. Once the pull request is ready, I'll request review from you. |
|
@alvagante I've opened a new pull request, #5, to work on those changes. Once the pull request is ready, I'll request review from you. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…y/ssl_ca examples Co-authored-by: alvagante <283804+alvagante@users.noreply.github.com>
Co-authored-by: alvagante <283804+alvagante@users.noreply.github.com>
Co-authored-by: alvagante <283804+alvagante@users.noreply.github.com>
Make inventory_path and playbook_path mandatory when enabled is true
Fix ssl_cert/ssl_key/ssl_ca examples to use file paths instead of file:// URIs
Update unit specs to match refactored integrations interface
Co-authored-by: alvagante <283804+alvagante@users.noreply.github.com>
Restrict integrations to explicit allowlist and deduplicate entries
No description provided.