Forge Home

hiera

Deploy hiera.yaml with hierarchy, and datadir

1,114,229 downloads

789 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 6.0.0 (latest)
  • 5.0.1
  • 4.0.0
  • 3.4.1
  • 3.4.0
  • 3.3.4
  • 3.3.3
  • 3.3.2
  • 3.3.1
  • 3.3.0
  • 3.2.0
  • 3.1.0
  • 3.0.0
  • 2.4.0
  • 2.3.0
  • 2.2.0
  • 2.1.2
  • 2.1.1
  • 2.1.0
released Aug 13th 2024
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 8.0.0
  • , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'puppet-hiera', '6.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add puppet-hiera
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install puppet-hiera --version 6.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

puppet/hiera — version 6.0.0 Aug 13th 2024

Hiera module for Puppet

Build Status Code Coverage Puppet Forge Puppet Forge - downloads Puppet Forge - endorsement Puppet Forge - scores

Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Setup - The basics of getting started with hiera
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Limitations - OS compatibility, etc.
  7. Development - Guide for contributing to the module

Module Description

This module configures Hiera for Puppet.

Setup

What hiera affects

  • Hiera yaml file
  • Hiera datadir
  • hiera-eyaml package
  • keys/ directory for eyaml
  • /etc/hiera.yaml for symlink

Setup requirements

To use the eyaml backend with the modern puppetserver, you will need the puppetlabs-puppetserver_gem module.

Beginning with hiera

Declaring the class with a given hierarchy is a pretty good starting point:

This class will write out a hiera.yaml file in either /etc/puppetlabs/puppet/hiera.yaml or /etc/puppet/hiera.yaml (depending on if the node is running Puppet Enterprise or not).

class { 'hiera':
  hierarchy => [
    '%{environment}/%{calling_class}',
    '%{environment}',
    'common',
  ],
}

For Hiera version 5

class { 'hiera':
          hiera_version   =>  '5',
          hiera5_defaults =>  {"datadir" => "data", "data_hash" => "yaml_data"},
          hierarchy       =>  [
                                {"name" =>  "Virtual yaml", "path"  =>  "virtual/%{virtual}.yaml"},
                                {"name" =>  "Nodes yaml", "paths" =>  ['nodes/%{trusted.certname}.yaml', 'nodes/%{osfamily}.yaml']},
                                {"name" =>  "Default yaml file", "path" =>  "common.yaml"},
                              ],
}

Note: For Hiera version 5 when calling the class, please remember to pass '5' to 'hiera_version' as in the example above. Also please note that 'hierarchy' is an array of hash in version 5.

The resulting output in /etc/puppet/hiera.yaml:

---
:backends:
  - yaml
:logger: console
:hierarchy:
  - "%{environment}/%{calling_class}"
  - "%{environment}"
  - common

:yaml:
   :datadir: /etc/puppet/hieradata

Resulting output for Hiera 5

# hiera.yaml Managed by Puppet
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:

  - name: "Virtual yaml"
    path: "virtual/%{virtual}.yaml"

  - name: "Nodes yaml"
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "nodes/%{osfamily}.yaml"

  - name: "Default yaml file"
    path: "common.yaml"

Usage

Reference

This module will also allow you to configure different options for logger and merge_behavior. The default behavior is to set logger to console and merge behavior to native.

For details and valid options see Configuring Hiera.

class { 'hiera':
  hierarchy      => [
    '%{environment}/%{calling_class}',
    '%{environment}',
    'common',
  ],
  logger         => 'console',
  merge_behavior => 'deeper'
}

For Hiera version 5 please see the example above in beginning with Hiera.

The resulting output in /etc/puppet/hiera.yaml:

---
:backends:
  - yaml
:logger: console
:hierarchy:
  - "%{environment}/%{calling_class}"
  - "%{environment}"
  - common

:yaml:
   :datadir: /etc/puppet/hieradata

:merge_behavior: deeper

Hiera-Eyaml-GPG

The default PKCS#7 encryption scheme used by hiera-eyaml is perfect if only simple encryption and decryption is needed.

However, if you are in a sizable team it helps to encrypt and decrypt data with multiple keys. This means that each team member can hold their own private key and so can the puppetmaster. Equally, each puppet master can have their own key if desired and when you need to rotate keys for either users or puppet masters, re-encrypting your files and changing the key everywhere does not need to be done in lockstep.

Requirements

Note: This module will create a /gpg sub-directory in the $keysdir.

  1. The GPG keyring must be passphraseless on the on the PuppetServer(Master).
  2. The GPG keyring must live in the /gpg sub-directory in the $keysdir.
  3. The GPG keyring must be owned by the Puppet user. ex: pe-puppet

GPG Keyring Creation Tips

RNG-TOOLS

When generating a GPG keyring the system requires a good amount of entropy. To help generate entropy to speed up the process then rng-tools package on RHEL based systems or equivilent can be used. Note: Update the /etc/sysconfig/rngd or equivilent file to set the EXTRAOPTIONS to EXTRAOPTIONS="-r /dev/urandom -o /dev/random -t 5"

Keyring Generation

Below is a sample GPG answers file that will assist in generating a passphraseless key

cat << EOF >> /tmp/gpg_answers
%echo Generating a Puppet Hiera GPG Key
Key-Type: RSA
Key-Length: 4096
Subkey-Type: ELG-E
Subkey-Length: 4096
Name-Real: Hiera Data
Name-Comment: Hiera Data Encryption
Name-Email: puppet@$(hostname -d)
Expire-Date: 0
%no-ask-passphrase
# Do a commit here, so that we can later print "done" :-)
# %commit
# %echo done
EOF

You can then use the GPG answer file to generate your keyring within the /gpg sub-directory in the $keysdir

gpg --batch --homedir /etc/puppetlabs/puppet/keys/gpg --gen-key /tmp/gpg_answers

Usage

class { 'hiera':
  hierarchy            => [
    'nodes/%{clientcert}',
    'locations/%{location}',
    'environments/%{applicationtier}',
    'common',
  ],
  eyaml                => true,
  eyaml_gpg            => true,
  eyaml_gpg_recipients => 'sihil@example.com,gtmtech@example.com,tpoulton@example.com',
}

The resulting output in /etc/puppet/hiera.yaml:

---
:backends:
  - eyaml
  - yaml
:logger: console
:hierarchy:
  - "nodes/%{clientcert}"
  - "locations/%{location}"
  - "environments/%{applicationtier}"
  - common

:yaml:
   :datadir: /etc/puppet/hieradata


:eyaml:
   :datadir: /etc/puppet/hieradata
   :pkcs7_private_key: /etc/puppet/keys/private_key.pkcs7.pem
   :pkcs7_public_key:  /etc/puppet/keys/public_key.pkcs7.pem
   :encrypt_method: "gpg"
   :gpg_gnupghome: "/etc/puppet/keys/gpg"
   :gpg_recipients: "sihil@example.com,gtmtech@example.com,tpoulton@example.com"

Classes

Public Classes

  • hiera: Main class to configure hiera

Private Classes

  • hiera::params: Handles variable conditionals
  • hiera::eyaml: Handles eyaml configuration

Limitations

The eyaml_version parameter does not currently modify the eyaml version of the command-line gem on pe-puppetserver.

Development

Pull requests on github! If someone wrote spec tests, that would be awesome.