Puppet: Making a custom function depend on a resource

Question

I have a Puppet custom function that returns information about a user defined in OpenStack's Keystone identity service. Usage is something along the lines of:

$tenant_id = lookup_tenant_by_name($username, $password, "mytenant")

The problem is that the credentials used in this query ($username) are supposed to be created by another resource during the Puppet run (a Keystone_user resource from puppet-keystone). As far as I can tell, the call to the lookup_tenant_by_name function is being evaluated before any resource ordering happens, because no amount of dependencies in the calling code is able to force the credentials to be created prior to this function being executed.

In general, it is possible to write custom functions -- or place them appropriately in a manifest -- such that they will not be executed by Puppet until after some specified resource has been instantiated?

Answer 1

Short answer: You cannot make your manifest's behavior depend on resources declared inside of it.

Long answer: Parser functions are called during the compilation phase (on the master if you use one, or the agent if you use puppet apply). In neither case can it ever run before any resource is synced, because that will happen after the compiler has done all its work (including invocation of your functions).

To query information from the agent machine, you generally want to use custom facts. Still, those will be populated before even the compiler run.

Likely the best approach in this situation is to make the manifest tolerate the absence of the information, so that anything that depends on the value that your lookup_tenant_by_name function returns will only be evaluated if that value is available. This will usually be during the second Puppet run.

if $tenant_id == "" {
  notify { "cannot yet find tenant $username": }
}
else {
  # your code using the tenant ID
}