You want to hide sensitive values from puppet output
Managing secrets will eventually become part of each and every puppet installation. Whether it's passwords, passphrases or something similar there are a few steps you'll need to take to ensure your private data doesn't become public knowledge. In this recipe we'll focus on how to avoid displaying data in your puppet runs.
By default any values you use can be seen in many places in a standard puppet run. In the example below they're exposed in a notify or notice used for debugging, and as part of the diff when a file's content changes.
class filer {
$secret = 'Peter Parker'
notice($secret)
file { '/tmp/spider-man':
ensure => 'present',
content => $secret,
}
}
include filer
$ puppet apply -v filer.pp
...snip...
# this is bad. We don't want this exposed
Notice: Scope(Class[Filer]): Peter Parker
...snip...
From Puppet 4.6 you can obscure these secret values by wrapping them with the Sensitive type. This helps protect from unintentional exposure while still allowing their use in resources. Let's see that in action:
class filer {
# this is the important part
$secret = Sensitive('Peter Parker')
notice($secret)
file { '/tmp/spider-man':
ensure => 'present',
content => $secret,
}
}
include filer
$ puppet apply -v filer.pp
...snip...
Notice: Scope(Class[Filer]): Sensitive [value redacted]
...snip...
Notice: /Stage[main]/Filer/File[/tmp/spider-man]/content:
changed [redacted] to [redacted]
# and then verify the secret was written
$ cat /tmp/spider-man
Peter Parker
As you can see from the output we no longer display our literal secrets. Instead, puppet protects us from casual viewing and shows [value redacted] and [redacted] in its place. It's important to note that this recipe is only one part of a secure process. You'll also need to investigate a number of other areas including:
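Building on the recipe above, here is an added example (not part of the original post) showing how a Sensitive value travels from a class parameter through a template into a file without appearing in the run output. The class name dbconfig, its parameters and /tmp/db.conf are assumptions for illustration.

```puppet
# Added example, not from the original recipe: class, parameter and
# file names below are hypothetical.
class dbconfig (
  # Typing the parameter as Sensitive marks the value as secret for
  # everything that uses it inside the class.
  Sensitive[String] $db_password,
  String            $db_user = 'app',
) {
  # Interpolating a Sensitive value into a string does not leak it:
  # the resulting text contains "Sensitive [value redacted]".
  notice("configuring database access for ${db_user}: ${db_password}")

  # Templates need the plain value, so unwrap it only for the template
  # call and immediately re-wrap the rendered result. Without the outer
  # Sensitive() the file diff in the run output would show the password.
  $template = '<%- | String $user, String $password | -%>
user = <%= $user %>
password = <%= $password %>
'
  $rendered = Sensitive(inline_epp($template, {
    'user'     => $db_user,
    'password' => $db_password.unwrap,
  }))

  file { '/tmp/db.conf':
    ensure  => 'file',
    mode    => '0600',
    content => $rendered,
  }
}

class { 'dbconfig':
  db_password => Sensitive('Peter Parker'),
}
```

Running this with puppet apply -v reports the notice as "Sensitive [value redacted]" and the file content change as [redacted], while the written file still holds the real password; Sensitive only redacts output and does not encrypt the value at rest.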