Forge Home


Plan for Puppet enterprise to update trusted facts on nodes.


251 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.0.0 (latest)
  • 0.2.0
  • 0.1.0
released Jun 8th 2023
This version is compatible with:
  • Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
  • Puppet >= 6.0.0 < 9.0.0
  • , , , , , , ,
  • confirm_primary_server
  • set_csr_attributes

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'benjaminrobertson-update_trusted_facts', '1.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add benjaminrobertson-update_trusted_facts
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install benjaminrobertson-update_trusted_facts --version 1.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



benjaminrobertson/update_trusted_facts — version 1.0.0 Jun 8th 2023


Module containing a plan to update trusted facts on nodes via the Puppet Enterprise console.

Table of Contents

  1. Description
  2. Setup - The basics of getting started with update_trusted_facts
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module


The built in method to update trusted facts in Puppet enterprise requires root shell access to the Puppet primary server. This level of access is generally not available to most users in an organisation and provides significant more access than required for this task.

By using this module, fine grained access can be granted to specific users to update trusted facts via the update_trusted_facts plan from the console.

Furthermore this plan preserves all existing facts on an agent certificate and does not rely on the csr_attributes.yaml file being present on a host.


What update_trusted_facts affects

This module affects the following

  • Updates the csr_attributes.yaml file on systems. Taking the existing trusted facts from agent certificate and merging the proposed changes set in the plan. Existing values in csr_attributes.yaml will be replaced during this process This also occurs when the plan is run in noop
  • Regenerates the agent certificate using the puppet infrastructure run regenerate_agent_certificate Does not perform this step in noop

Beginning with update_trusted_facts

Include the module within your Puppetfile.


Run the plan update_trusted_facts::update_trusted_facts from the Puppet Enterprise console.

Note: If you restrict access to plans via RBAC and only grant users permission to run this plan; you will also need to grant users access to enterprise_tasks::agent_cert_regen plan.

Required parameters

  • pe_primary_server (FQDN)
  • targets (TargetSpec - see here)

Targets can be specified as a comma separated list to run the plan on multiple host at a time.

Optional parameters

  • preserve_existing_facts (Boolean - whether to keep existing facts. If set to false all existing facts will be wiped and replace with those set in the plan)
  • ignore_infra_status_error (Boolean - Ignore errors from puppet infrastructure status command. May allow the plan to operate if some Puppet infrastructure components are failing)
  • noop (Boolean - Run the plan in noop. csr_attributes.yaml will still generated however certificates will not be resigned.)

Trusted facts supported The following trusted facts are supported by the plan. All are optional parameters, set as required. All accept String as input.

  • pp_role
  • pp_uuid
  • pp_environment
  • pp_apptier
  • pp_department
  • pp_datacenter
  • pp_instance_id
  • pp_image_name
  • pp_preshared_key
  • pp_cost_center
  • pp_product
  • pp_project
  • pp_application
  • pp_service
  • pp_employee
  • pp_created_by
  • pp_software_version
  • pp_cluster
  • pp_provisioner
  • pp_region
  • pp_zone
  • pp_network
  • pp_securitypolicy
  • pp_cloudplatform
  • pp_hostname


Tested with the following combinations. Expected to work for all Windows, Enterprise Linux, Debian, Ubuntu versions.

Puppet Enterprise

  • 2021.7.2

Puppet Nodes

  • Windows 2019
  • RHEL 8

To support legacy version of Puppet Enterprise (Before changing naming standard to Primary server from master.) You must set the support_legacy_pe parameter to true.


If you find any issues with this module, please log them in the issues register of the GitHub project. Issues