Forge Home

account

A simple module for managing user and group accounts

Zach Leslie

zleslie

9,338 downloads

932 latest version

3.8 quality score

Version information

  • 1.2.0 (latest)
  • 1.1.5
  • 1.1.2
  • 1.1.1
  • 1.1.0 (deleted)
  • 1.0.0
  • 0.3.0
  • 0.2.0
  • 0.1.1
  • 0.1.0
released May 2nd 2020

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this declaration to your Puppetfile:

mod 'zleslie-account', '1.2.0'
Learn more about managing modules with a Puppetfile

Add this module to a Bolt project:

bolt module add zleslie-account
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install zleslie-account --version 1.2.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

zleslie/account — version 1.2.0 May 2nd 2020

Puppet-account

Puppet Forge Build Status

Usage Overview

The account module serves as a wrapper around the core resources to manage the creation of users and groups, and handle group membership.

The usage pattern of this module is as follows:

  • Virtual resources for account::group are created for every potential managed group on a system.
  • Virtual resources for every account::user are created for every potential managed user on a system.
  • account::group resources are selectively realized based on requirements.
  • Realizing the account::group also realizes the account::user resources matching the members of the given account::group.

Given the above, the approach this module assumes is one where users are not snowflakes, and that all users are members of a group. It is the creation of a group that creates the required users.

Lets have an example.

Example environment

For the sake of discussion, lets say you have a data source that contains all the information you require about your users. Whether this is YAML or a database that you can query from a Puppet function, ultimately, you end up with a Hash containing the group information that might look like the following.

$posix_groups = {
  'humans' => {
    gid => '1234',
    members => ['sally','parker','ian'],
    exclusive => true,
  },
  'robots' => {
    gid => '1235',
    members => ['monitorbot','backupbot'],
    exclusive => true,
  }
}

Now that we have the group data stored in a hash, we can iterate over it in Puppet to generate a virtual resource for each group.

class virtual::groups (Hash $posix_groups){
  include virtual::users
  $posix_groups.each |$group_name, $params| {
    @account::group { $group_name:
      ensure    => present,
      gid       => $gid,
      members   => $members,
      exclusive => $exclusive,
    }
  }
}

Each member of the group will require that a virtual resource for account::user is created for them. So, again, we have a data blob that falls from the sky, containing the information for each user under management.

$posix_users = {
  'sally' => {
    uid => '1234',
    shell => '/bin/ksh',
  },
  'parker' => {
    uid => '1235',
    shell => '/bin/zsh',
  },
  'ian' => {
    uid => '1236',
    shell => '/bin/bash',
  },
}

Then to create the virtual users, same story again; loop over the user data, passing in the values. If you wish to omit certain data from the user hash, just check the values before you assign them to apply reasonable defaults.

class virtual::users (Hash $posix_users) {
  $posix_users.each |$user_name, $params| {
    if $params['shell'] {
      $shell = $params['shell']
    } else {
      $shell = '/bin/bash'
    }

    @account::user { $user_name:
      ensure    => present,
      shell     => $shell,
      uid       => $params['uid'],
    }
  }
}

Now that we have account::group and account::user virtual resources available, we only need to realize them in order to deploy a group and its members to a given system.

include virtual::groups
Realize(Group['humans'])

This will realize the 'humans' group and all of its members. If exclusive => true is set on the account::group resources, any members that are not listed will be removed. This can help enforce that only Puppet specified members are of members of a group.