Querying DNS in Puppet code

January 6, 2021 – Samuli Seppänen

I recently had to add access control rules to OpenVPN Access Server to permit certain groups to access certain IP addresses. As we manage our Access Server configurations with Puppet using puppet-openvpnas (by the author), we needed a way to parameterize the allowed IP addresses while keeping the Puppet code readable.

This is where puppet-dnsquery came in really handy. It lets you take data that is already available in DNS and use it in Puppet code. A simplistic example:

$servers = dns_lookup('server.example.org')

This will return an Array, for example ['10.50.6.1']. Keep that in mind: if the DNS record is supposed to contain only one entry, you should use this instead:

$server = dns_lookup('server.example.org')[0]

Alternatively you can loop through all the returned entries and do something useful with them.

The downside of the dns_* functions is that they do not fail if nothing useful is returned. So, parameter validation needs to be done using assert_type:

$server = assert_type(Stdlib::IP::Address::V4, dns_lookup('server.example.org')[0])

If you have the DNS entries, such as hostnames, in Hiera, you probably should not hardcode the values like above. Instead:

$server = assert_type(Stdlib::IP::Address::V4, dns_lookup(lookup('server_hostname', String))[0]) 
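
The loop-and-validate variant mentioned above, as an added example that is not part of the original post: every hostname is resolved, and catalog compilation fails if any lookup comes back empty or contains something other than an IPv4 address, so an access rule is never built from a missing or unexpected DNS answer. The Hiera key vpn_allowed_hosts, its default value and the variable names are assumptions; the puppet-dnsquery and puppetlabs-stdlib modules must be installed.

```puppet
# Constructed input: the Hiera key 'vpn_allowed_hosts' is hypothetical; the
# default value keeps the snippet runnable without any Hiera data.
$allowed_hosts = lookup('vpn_allowed_hosts', Array[String[1], 1], 'unique', ['server.example.org'])

# Resolve each name. dns_lookup does not fail on its own, so require at least
# one entry per name and require every entry to be an IPv4 address.
$resolved = $allowed_hosts.map |String $host| {
  assert_type(Array[Stdlib::IP::Address::V4, 1], dns_lookup($host)) |$expected, $actual| {
    # $expected and $actual are types, not values.
    fail("dns_lookup('${host}'): expected ${expected}, got ${actual}")
  }
}

# DNS can return the same records in a different order between runs;
# deduplicate and sort so the generated rules only change when the set of
# addresses changes.
$allowed_ips = sort(unique(flatten($resolved)))

notice("Allowed addresses: ${allowed_ips}")
```

Pass $allowed_ips to whichever resource consumes the addresses in place of the notice call.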

Check puppet-dnsquery and assert_type documentation for more details.
