Add Deferred for the mysql::password function

Question

Add Deferred for the mysql::password function

tuxmaster5000 opened this issue 2 years ago · 5 comments

Use Case

The puppet deferred construct allow to get values from outside of puppet.
For example Hashicorp Vault using
https://forge.puppet.com/modules/puppet/vault_lookup

Describe the Solution You Would Like

That an call to:
mysql::password(Deferred('',[])) will work.
Until not only the error:
'mysql::password' parameter 'password' expects a value of type String or Sensitive[String], got Deferred
will reported.

Answer 1 · 2023-07-11T15:34:21.000Z

Are you also deferring the call to mysql::password?

Answer 2 · 2023-07-11T15:36:29.000Z

What do you mean? I have used the sample code above.

Answer 3 · 2023-07-11T15:42:34.000Z

If the call to mysql::password itself isn't deferred, how would it produce an output when compiled on the puppet server?

So does something like...

Deferred('mysql::password', [
  Deferred('vault_lookup::lookup', ["secret/test", 'https://vault.docker:8200'])
])

work?

Answer 4 · 2023-07-11T16:07:13.000Z

I will test it next weekend.

Answer 5 · 2023-07-14T10:20:36.000Z

Hi @alexjfisher , to day I tested it, and this works.
So it will be nice, when the usage will be noted in the documentation, because Deferred is used more and more, because the puppet code is often hold in git repos, where clear passwords or hashes are big problems. Here my used code for an full example:

mysql_user { "${name}@${host}":
password_hash => Deferred('mysql::password', [Deferred('',[)])
}