Rework letsencrypt::certonly to allow deprovisioning

+ Added $ensure attribute
+ Renamed $ensure_cron back to $manage_cron
+ Returned $manage_cron back to a Boolean value
+ Made execute of "letsencrypt certonly ${title}" conditional to $ensure == 'present'
+ Added cleanup of directory for domain certs when $ensure == 'absent'
+ Used global $ensure to signal desired state of cronjobs

Author: cFire

README.md

@@ -189,7 +189,7 @@ letsencrypt::certonly { 'foo':
 
 #### Cron
 
-* `ensure_cron` can be used to automatically renew the certificate
+* `manage_cron` can be used to automatically renew the certificate
 * `cron_success_command` can be used to run a shell command on a successful renewal
 * `cron_before_command` can be used to run a shell command before a renewal
 * `cron_monthday` can be used to specify one or multiple days of the month to run the cron job (defaults to every day)
@@ -200,7 +200,7 @@ letsencrypt::certonly { 'foo':
 ```puppet
 letsencrypt::certonly { 'foo':
   domains              => ['foo.example.com', 'bar.example.com'],
-  ensure_cron          => 'present',
+  manage_cron          => true,
   cron_hour            => [0,12],
   cron_minute          => '30',
   cron_before_command  => 'service nginx stop',
@@ -209,6 +209,21 @@ letsencrypt::certonly { 'foo':
 }
 ```
 
+#### Deprovisioning
+
+If a domain needs to be removed for any reason this can be done by setting
+`ensure` to 'absent', this will remove the certificates for this domain from
+the server. If `manage_cron` is set to true, the certificate renewal cronjob
+and shell scripts for the domain will also be removed.
+
+```puppet
+letsencrypt::certonly { 'foo':
+  ensure      => 'absent',
+  domains     => ['foo.example.com', 'bar.example.com'],
+  manage_cron => true,
+}
+```
+
 ## Development
 
 1. Fork it

manifests/certonly.pp

@@ -5,6 +5,11 @@
 #
 # === Parameters:
 #
+# [*ensure*]
+#   Intended state of the resource. Accepts either 'present' or 'absent'.
+#   Default: 'present'.
+#   Will remove certificates for specified domains if set to 'absent'. Will
+#   also remove cronjobs and renewal scripts if `manage_cron` is set to 'true'.
 # [*domains*]
 #   Namevar. An array of domains to include in the CSR.
 # [*custom_plugin*]
@@ -23,9 +28,8 @@
 #   `letsencrypt-auto` command.
 # [*environment*]
 #   An optional array of environment variables (in addition to VENV_PATH).
-# [*ensure_cron*]
-#   Intended state of the cron and helper script resources. Accepts either
-#   'present' or 'absent'. Default: 'absent'
+# [*manage_cron*]
+#   Boolean indicating whether or not to schedule cron job for renewal. Default: 'false'.
 #   Runs daily but only renews if near expiration, e.g. within 10 days.
 # [*cron_before_command*]
 #   String representation of a command that should be run before renewal command
@@ -40,6 +44,7 @@
 #   e.g. 0 or '00' or [0,30].  Default - seeded random minute.
 #
 define letsencrypt::certonly (
+  Enum['present','absent']                  $ensure               = 'present',
   Array[String[1]]                          $domains              = [$title],
   Boolean                                   $custom_plugin        = false,
   Letsencrypt::Plugin                       $plugin               = 'standalone',
@@ -48,7 +53,7 @@
   Integer[2048]                             $key_size             = $letsencrypt::key_size,
   Array[String[1]]                          $additional_args      = [],
   Array[String[1]]                          $environment          = [],
-  Enum['present','absent']                  $ensure_cron          = 'absent',
+  Boolean                                   $manage_cron          = false,
   Boolean                                   $suppress_cron_output = false,
   Optional[String[1]]                       $cron_before_command  = undef,
   Optional[String[1]]                       $cron_success_command = undef,
@@ -62,10 +67,14 @@
     fail("The 'webroot_paths' parameter must be specified when using the 'webroot' plugin")
   }
 
-  if ($custom_plugin) {
-    $command_start = "${letsencrypt_command} --text --agree-tos --non-interactive certonly --rsa-key-size ${key_size} "
+  if $ensure == 'present' {
+    if ($custom_plugin) {
+      $command_start = "${letsencrypt_command} --text --agree-tos --non-interactive certonly --rsa-key-size ${key_size} "
+    } else {
+      $command_start = "${letsencrypt_command} --text --agree-tos --non-interactive certonly --rsa-key-size ${key_size} -a ${plugin} "
+    }
   } else {
-    $command_start = "${letsencrypt_command} --text --agree-tos --non-interactive certonly --rsa-key-size ${key_size} -a ${plugin} "
+    $command_start = "${letsencrypt_command} --text --agree-tos --non-interactive delete "
   }
 
   case $plugin {
@@ -93,10 +102,13 @@
     }
 
     default: {
-      $_command_domains = join($domains, ' -d ')
-      $command_domains  = "--cert-name ${title} -d ${_command_domains}"
+      if $ensure == 'present' {
+        $_command_domains = join($domains, ' -d ')
+        $command_domains  = "--cert-name ${title} -d ${_command_domains}"
+      } else {
+        $command_domains = "--cert-name ${title}"
+      }
     }
-
   }
 
   if empty($additional_args) {
@@ -106,29 +118,35 @@
     $command_end = join(['',] + $additional_args, ' ')
   }
 
-  $command = "${command_start}${command_domains}${command_end}"
-
   # certbot uses --cert-name to generate the file path
   $live_path_certname = regsubst($title, '^\*\.', '')
   $live_path = "${config_dir}/live/${live_path_certname}/cert.pem"
 
   $execution_environment = [ "VENV_PATH=${letsencrypt::venv_path}", ] + $environment
   $verify_domains = join(unique($domains), ' ')
+
+  if $ensure == 'present' {
+    $exec_ensure = { 'unless' => "/usr/local/sbin/letsencrypt-domain-validation ${live_path} ${verify_domains}" }
+  } else {
+    $exec_ensure = { 'onlyif' => "/usr/local/sbin/letsencrypt-domain-validation ${live_path} ${verify_domains}" }
+  }
+
   exec { "letsencrypt certonly ${title}":
-    command     => $command,
+    command     => "${command_start}${command_domains}${command_end}",
+    *           => $exec_ensure,
     path        => $facts['path'],
     environment => $execution_environment,
-    unless      => "/usr/local/sbin/letsencrypt-domain-validation ${live_path} ${verify_domains}",
     provider    => 'shell',
     require     => [
       Class['letsencrypt'],
       File['/usr/local/sbin/letsencrypt-domain-validation'],
     ],
   }
 
-  if $ensure_cron  == 'present' {
+  if $manage_cron {
     $maincommand = "${command_start}--keep-until-expiring ${command_domains}${command_end}"
-    $cron_script_ensure = 'file'
+    $cron_script_ensure = $ensure ? { 'present' => 'file', default => 'absent' }
+    $cron_ensure = $ensure
 
     if $suppress_cron_output {
       $croncommand = "${maincommand} > /dev/null 2>&1"
@@ -145,25 +163,22 @@
     } else {
       $cron_cmd = $renewcommand
     }
-  } else {
-    $cron_script_ensure = 'absent'
-  }
 
-  file { "${letsencrypt::cron_scripts_path}/renew-${title}.sh":
-    ensure  => $cron_script_ensure,
-    mode    => '0755',
-    owner   => 'root',
-    group   => $letsencrypt::cron_owner_group,
-    content => template('letsencrypt/renew-script.sh.erb'),
-  }
+    file { "${letsencrypt::cron_scripts_path}/renew-${title}.sh":
+      ensure  => $cron_script_ensure,
+      mode    => '0755',
+      owner   => 'root',
+      group   => $letsencrypt::cron_owner_group,
+      content => template('letsencrypt/renew-script.sh.erb'),
+    }
 
-  cron { "letsencrypt renew cron ${title}":
-    ensure   => $ensure_cron,
-    command  => "\"${letsencrypt::cron_scripts_path}/renew-${title}.sh\"",
-    user     => root,
-    hour     => $cron_hour,
-    minute   => $cron_minute,
-    monthday => $cron_monthday,
+    cron { "letsencrypt renew cron ${title}":
+      ensure   => $cron_ensure,
+      command  => "\"${letsencrypt::cron_scripts_path}/renew-${title}.sh\"",
+      user     => root,
+      hour     => $cron_hour,
+      minute   => $cron_minute,
+      monthday => $cron_monthday,
+    }
   }
-
 }