Migrate ERB templates to Puppet code

.puppet-lint.rc

@@ -8,7 +8,6 @@
 --relative
 --no-class_inherits_from_params_class-check
 --no-140chars-check
---no-trailing_comma-check
 --no-params-empty-string-assignment-check
 # This is here because the code can't handle lookups in parameters and SIMP
 # modules have a LOT of those

CHANGELOG

@@ -1,3 +1,6 @@
+* Tue Sep 23 2025 Steven Pritchard <[email protected]> - 8.0.0
+- Migrate ERB templates to EPP (#152)
+
 * Wed Jun 11 2025 Chris Tessmer <[email protected]> - 7.13.1
 - Fix rubocop issues
 

REFERENCE.md

@@ -436,11 +436,11 @@ The following parameters are available in the `sssd::install::client` class:
 
 ##### <a name="-sssd--install--client--ensure"></a>`ensure`
 
-Data type: `Any`
+Data type: `String`
 
 Ensure setting for 'sssd-client' package
 
-Default value: `$::sssd::install::package_ensure`
+Default value: `$sssd::install::package_ensure`
 
 ### <a name="sssd--pki"></a>`sssd::pki`
 
@@ -1302,7 +1302,7 @@ The content of the target file
 
 Data type: `Integer[0]`
 
-
+The order in which the file should be processed
 
 Default value: `50`
 
@@ -1729,16 +1729,19 @@ Default value: `undef`
 
 Data type: `Optional[String]`
 
+
+
+Default value: `undef`
+
 ##### <a name="-sssd--domain--custom_options"></a>`custom_options`
 
 Data type: `Optional[Hash]`
 
 If defined, this hash will be used to create the service
 section instead of the parameters.  You must provide all options
 in the section you want to add.  Each entry in the hash will be
-added as a simple init pair
-key = value
-under the section in the sssd.conf file.
+added as a simple init pair key = value under the section in
+the sssd.conf file.
 No error checking will be performed.
 
 Default value: `undef`

manifests/config.pp

@@ -13,8 +13,8 @@
 # @author https://github.com/simp/pupmod-simp-sssd/graphs/contributors
 #
 class sssd::config (
-  Boolean $authoritative = pick(getvar("${module_name}::authoritative"), false)
-){
+  Boolean $authoritative = pick(getvar("${module_name}::authoritative"), false),
+) {
   assert_private()
 
   include $module_name
@@ -52,27 +52,93 @@
 
   file { '/etc/sssd':
     ensure => 'directory',
-    mode   => 'go-rw'
+    mode   => 'go-rw',
   }
 
   file { '/etc/sssd/conf.d':
     ensure  => 'directory',
     purge   => $authoritative,
-    recurse => true
+    recurse => true,
   }
 
   unless $authoritative {
     tidy { '/etc/sssd/conf.d':
       matches => '*_puppet_*.conf',
-      recurse => true
+      recurse => true,
     }
   }
 
+  # Build configuration lines in order (matching expected test output)
+  # Services configuration - sudo has to be started by the socket
+  $filtered_services = Array($_services) - ['sudo']
+  $services_line = $_services.empty ? {
+    true => [],
+    false => $filtered_services.empty ? { true => [], false => ["services = ${filtered_services.join(',')}"] }
+  }
+
+  # Basic configuration
+  $description_line = $_description ? { undef => [], default => ["description = ${_description}"] }
+
+  # Domains configuration
+  $domains_line = $_domains.empty ? { true => [], false => ["domains = ${Array($_domains).join(', ')}"] }
+
+  # Required configuration parameters
+  $config_file_version_line = ["config_file_version = ${_config_file_version}"]
+  $reconnection_retries_line = ["reconnection_retries = ${_reconnection_retries}"]
+
+  # Optional string parameters
+  $re_expression_line = $_re_expression ? { undef => [], default => ["re_expression = ${_re_expression}"] }
+  $full_name_format_line = $_full_name_format ? { undef => [], default => ["full_name_format = ${_full_name_format}"] }
+
+  # Optional boolean parameters (special undef checking)
+  $try_inotify_line = $_try_inotify ? { undef => [], default => ["try_inotify = ${_try_inotify}"] }
+  $enable_files_domain_line = $_enable_files_domain ? { undef => [], default => ["enable_files_domain = ${_enable_files_domain}"] }
+
+  # Optional directory and user parameters
+  $krb5_rcache_dir_line = $_krb5_rcache_dir ? { undef => [], default => ["krb5_rcache_dir = ${_krb5_rcache_dir}"] }
+  $user_line = $_user ? { undef => [], default => ["user = ${_user}"] }
+  $default_domain_suffix_line = $_default_domain_suffix ? { undef => [], default => ["default_domain_suffix = ${_default_domain_suffix}"] }
+  $override_space_line = $_override_space ? { undef => [], default => ["override_space = ${_override_space}"] }
+
+  # Debug configuration
+  $debug_level_line = $_debug_level ? { undef => [], default => ["debug_level = ${_debug_level}"] }
+  $debug_timestamps_line = ["debug_timestamps = ${_debug_timestamps}"]
+  $debug_microseconds_line = ["debug_microseconds = ${_debug_microseconds}"]
+
+  # Combine all lines in order
+  $config_lines = (
+    $services_line +
+    $description_line +
+    $domains_line +
+    $config_file_version_line +
+    $reconnection_retries_line +
+    $re_expression_line +
+    $full_name_format_line +
+    $try_inotify_line +
+    $krb5_rcache_dir_line +
+    $user_line +
+    $default_domain_suffix_line +
+    $override_space_line +
+    $enable_files_domain_line +
+    $debug_level_line +
+    $debug_timestamps_line +
+    $debug_microseconds_line
+  )
+
+  # Join all configuration lines
+  $content = (['# sssd::config'] + $config_lines).join("\n")
+
   file { '/etc/sssd/sssd.conf':
     owner   => 'root',
     group   => 'root',
     mode    => '0600',
-    content => template("${module_name}/sssd.conf.erb"),
-    notify  => Class["${module_name}::service"]
+    content => epp(
+      "${module_name}/generic.epp",
+      {
+        'title'   => 'sssd',
+        'content' => $content,
+      },
+    ),
+    notify  => Class["${module_name}::service"],
   }
 }

manifests/config/entry.pp

@@ -7,11 +7,13 @@
 #
 # @param content
 #   The content of the target file
+# @param order
+#   The order in which the file should be processed
 #
-define sssd::config::entry(
+define sssd::config::entry (
   String     $content,
-  Integer[0] $order    = 50
-){
+  Integer[0] $order = 50,
+) {
   assert_private()
 
   if $title =~ /\// {
@@ -28,6 +30,6 @@
     group   => 'root',
     mode    => '0600',
     content => $content,
-    notify  => Class["${module_name}::service"]
+    notify  => Class["${module_name}::service"],
   }
 }

manifests/config/ipa_domain.pp

@@ -18,13 +18,12 @@
       autofs_provider   => 'ipa',
       min_id            => $sssd::min_id,
       enumerate         => $sssd::enumerate_users,
-      cache_credentials => $sssd::cache_credentials
+      cache_credentials => $sssd::cache_credentials,
     }
 
     sssd::provider::ipa { $_ipa_domain:
       ipa_domain => $_ipa_domain,
-      ipa_server => [ $_ipa_server ]
+      ipa_server => [$_ipa_server],
     }
   }
 }
-

manifests/domain.pp

@@ -121,10 +121,140 @@
   Optional[String]                           $proxy_pam_target             = undef,
   Optional[String]                           $proxy_lib_name               = undef,
   Optional[String]                           $ldap_user_search_filter      = undef,
-  Optional[Hash]                             $custom_options               = undef
+  Optional[Hash]                             $custom_options               = undef,
 ) {
+  # Build configuration lines in order (matching expected test output)
+  # Debug settings
+  $debug_level_line = $debug_level ? { undef => [], default => ["debug_level = ${debug_level}"] }
+  $debug_timestamps_line = ["debug_timestamps = ${debug_timestamps}"]
+  $debug_microseconds_line = ["debug_microseconds = ${debug_microseconds}"]
+
+  # Description and basic settings
+  $description_line = $description ? { undef => [], default => ["description = ${description}"] }
+  $min_id_line = ["min_id = ${min_id}"]
+  $max_id_line = ["max_id = ${max_id}"]
+  $enumerate_line = ["enumerate = ${enumerate}"]
+
+  # Subdomain and timeout settings
+  $subdomain_enumerate_line = $subdomain_enumerate ? { false => [], default => ["subdomain_enumerate = ${subdomain_enumerate}"] }
+  $force_timeout_line = $force_timeout ? { undef => [], default => ["force_timeout = ${force_timeout}"] }
+
+  # Entry cache timeout settings
+  $entry_cache_timeout_line = $entry_cache_timeout ? { undef => [], default => ["entry_cache_timeout = ${entry_cache_timeout}"] }
+  $entry_cache_user_timeout_line = $entry_cache_user_timeout ? { undef => [], default => ["entry_cache_user_timeout = ${entry_cache_user_timeout}"] }
+  $entry_cache_group_timeout_line = $entry_cache_group_timeout ? { undef => [], default => ["entry_cache_group_timeout = ${entry_cache_group_timeout}"] }
+  $entry_cache_netgroup_timeout_line = $entry_cache_netgroup_timeout ? { undef => [], default => ["entry_cache_netgroup_timeout = ${entry_cache_netgroup_timeout}"] }
+  $entry_cache_service_timeout_line = $entry_cache_service_timeout ? { undef => [], default => ["entry_cache_service_timeout = ${entry_cache_service_timeout}"] }
+  $entry_cache_sudo_timeout_line = $entry_cache_sudo_timeout ? { undef => [], default => ["entry_cache_sudo_timeout = ${entry_cache_sudo_timeout}"] }
+  $entry_cache_autofs_timeout_line = $entry_cache_autofs_timeout ? { undef => [], default => ["entry_cache_autofs_timeout = ${entry_cache_autofs_timeout}"] }
+  $entry_cache_ssh_host_timeout_line = $entry_cache_ssh_host_timeout ? { undef => [], default => ["entry_cache_ssh_host_timeout = ${entry_cache_ssh_host_timeout}"] }
+  $refresh_expired_interval_line = $refresh_expired_interval ? { undef => [], default => ["refresh_expired_interval = ${refresh_expired_interval}"] }
+
+  # Cache settings
+  $cache_credentials_line = ["cache_credentials = ${cache_credentials}"]
+  $account_cache_expiration_line = ["account_cache_expiration = ${account_cache_expiration}"]
+  $pwd_expiration_warning_line = $pwd_expiration_warning ? { undef => [], default => ["pwd_expiration_warning = ${pwd_expiration_warning}"] }
+
+  # Naming settings
+  $use_fully_qualified_names_line = ["use_fully_qualified_names = ${use_fully_qualified_names}"]
+  $ignore_group_members_line = ["ignore_group_members = ${ignore_group_members}"]
+
+  # Provider settings (id_provider is required, others optional)
+  $id_provider_line = ["id_provider = ${id_provider}"]
+  $auth_provider_line = $auth_provider ? { undef => [], default => ["auth_provider = ${auth_provider}"] }
+  $access_provider_line = $access_provider ? { undef => [], default => ["access_provider = ${access_provider}"] }
+  $chpass_provider_line = $chpass_provider ? { undef => [], default => ["chpass_provider = ${chpass_provider}"] }
+  $sudo_provider_line = $sudo_provider ? { undef => [], default => ["sudo_provider = ${sudo_provider}"] }
+  $selinux_provider_line = $selinux_provider ? { undef => [], default => ["selinux_provider = ${selinux_provider}"] }
+  $subdomains_provider_line = $subdomains_provider ? { undef => [], default => ["subdomains_provider = ${subdomains_provider}"] }
+  $autofs_provider_line = $autofs_provider ? { undef => [], default => ["autofs_provider = ${autofs_provider}"] }
+  $hostid_provider_line = $hostid_provider ? { undef => [], default => ["hostid_provider = ${hostid_provider}"] }
+
+  # Pattern and formatting settings
+  $re_expression_line = $re_expression ? { undef => [], default => ["re_expression = ${re_expression}"] }
+  $full_name_format_line = $full_name_format ? { undef => [], default => ["full_name_format = ${full_name_format}"] }
+  $lookup_family_order_line = $lookup_family_order ? { undef => [], default => ["lookup_family_order = ${lookup_family_order}"] }
+
+  # DNS settings
+  $dns_resolver_timeout_line = ["dns_resolver_timeout = ${dns_resolver_timeout}"]
+  $dns_discovery_domain_line = $dns_discovery_domain ? { undef => [], default => ["dns_discovery_domain = ${dns_discovery_domain}"] }
+
+  # Override and case sensitivity settings
+  $override_gid_line = $override_gid ? { undef => [], default => ["override_gid = ${override_gid}"] }
+  $case_sensitive_line = ["case_sensitive = ${case_sensitive}"]
+  $proxy_fast_alias_line = ["proxy_fast_alias = ${proxy_fast_alias}"]
+
+  # Optional provider-specific settings
+  $realmd_tags_line = $realmd_tags ? { undef => [], default => ["realmd_tags = ${realmd_tags}"] }
+  $ldap_user_search_filter_line = $ldap_user_search_filter ? { undef => [], default => ["ldap_user_search_filter = ${ldap_user_search_filter}"] }
+  $proxy_pam_target_line = $proxy_pam_target ? { undef => [], default => ["proxy_pam_target = ${proxy_pam_target}"] }
+  $proxy_lib_name_line = $proxy_lib_name ? { undef => [], default => ["proxy_lib_name = ${proxy_lib_name}"] }
+
+  # Custom options processing
+  $custom_options_lines = $custom_options ? {
+    undef => [],
+    default => $custom_options.keys.sort.map |$opt| { "${opt} = ${custom_options[$opt]}" }
+  }
+
+  # Combine all lines in order
+  $config_lines = (
+    $debug_level_line +
+    $debug_timestamps_line +
+    $debug_microseconds_line +
+    $description_line +
+    $min_id_line +
+    $max_id_line +
+    $enumerate_line +
+    $subdomain_enumerate_line +
+    $force_timeout_line +
+    $entry_cache_timeout_line +
+    $entry_cache_user_timeout_line +
+    $entry_cache_group_timeout_line +
+    $entry_cache_netgroup_timeout_line +
+    $entry_cache_service_timeout_line +
+    $entry_cache_sudo_timeout_line +
+    $entry_cache_autofs_timeout_line +
+    $entry_cache_ssh_host_timeout_line +
+    $refresh_expired_interval_line +
+    $cache_credentials_line +
+    $account_cache_expiration_line +
+    $pwd_expiration_warning_line +
+    $use_fully_qualified_names_line +
+    $ignore_group_members_line +
+    $id_provider_line +
+    $auth_provider_line +
+    $access_provider_line +
+    $chpass_provider_line +
+    $sudo_provider_line +
+    $selinux_provider_line +
+    $subdomains_provider_line +
+    $autofs_provider_line +
+    $hostid_provider_line +
+    $re_expression_line +
+    $full_name_format_line +
+    $lookup_family_order_line +
+    $dns_resolver_timeout_line +
+    $dns_discovery_domain_line +
+    $override_gid_line +
+    $case_sensitive_line +
+    $proxy_fast_alias_line +
+    $realmd_tags_line +
+    $ldap_user_search_filter_line +
+    $proxy_pam_target_line +
+    $proxy_lib_name_line +
+    $custom_options_lines
+  )
+
+  # Join all configuration lines
+  $content = (["# sssd::domain ${name}"] + $config_lines).join("\n")
 
   sssd::config::entry { "puppet_domain_${name}":
-    content => template('sssd/domain.erb')
+    content => epp(
+      "${module_name}/generic",
+      {
+        'title'   => "domain/${name}",
+        'content' => $content,
+      },
+    ),
   }
 }

manifests/init.pp

@@ -121,7 +121,7 @@
   Stdlib::Absolutepath          $app_pki_cert_source   = simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509'}),
   Stdlib::Absolutepath          $app_pki_dir           = '/etc/pki/simp_apps/sssd/x509',
   Boolean                       $auto_add_ipa_domain   = true,
-  Optional[String[1]]           $custom_config         = undef
+  Optional[String[1]]           $custom_config         = undef,
 ) {
   include 'sssd::install'
   include 'sssd::config'
@@ -135,7 +135,7 @@
   if $custom_config {
     sssd::config::entry { 'puppet_custom':
       content => $custom_config,
-      order   => 99999
+      order   => 99999,
     }
   }
 
@@ -153,7 +153,7 @@
     include 'auditd'
 
     auditd::rule { 'sssd':
-      content => '-w /etc/sssd/ -p wa -k CFG_sssd'
+      content => '-w /etc/sssd/ -p wa -k CFG_sssd',
     }
   }