module-puppetdb/manifests/server/firewall.pp

class puppetdb::server::firewall(
    $port                   = '',
    $http_port              = $puppetdb::params::listen_port,             
    $open_http_port         = $puppetdb::params::open_listen_port,
    $ssl_port               = $puppetdb::params::ssl_listen_port,
    $open_ssl_port          = $puppetdb::params::open_ssl_listen_port,
    $manage_redhat_firewall = $puppetdb::params::manage_redhat_firewall,
) inherits puppetdb::params {
  # TODO: figure out a way to make this not platform-specific; debian and ubuntu
  # have an out-of-the-box firewall configuration that seems trickier to manage.
  # TODO: the firewall module should be able to handle this itself
  if ($puppetdb::params::firewall_supported) {

    if ($manage_redhat_firewall != undef) {
      notify {'Deprecation notice: `$manage_redhat_firewall` is deprecated in the `puppetdb::service::firewall` class and will be removed in a future version. Use `open_http_port` and `open_ssl_port` instead.':}

      if ($open_ssl_port != undef) {
        fail('`$manage_redhat_firewall` and `$open_ssl_port` cannot both be specified.')
      }
    }

    exec { 'puppetdb-persist-firewall':
      command     => $puppetdb::params::persist_firewall_command,
      refreshonly => true,
    }

    Firewall {
      notify => Exec['puppetdb-persist-firewall']
    }
    
    if ($port) {
      notify { 'Deprecation notice: `port` parameter will be removed in future versions of the puppetdb module. Please use ssl_port instead.': }
    }

    if ($port and $ssl_port) {
      fail('`port` and `ssl_port` cannot both be defined. `port` is deprecated in favor of `ssl_port`')
    }
    
    if ($open_http_port) {
      firewall { "${http_port} accept - puppetdb":
        port   => $http_port,
        proto  => 'tcp',
        action => 'accept',
      }
    }

    # This technically defaults to 'true', but in order to preserve backwards
    # compatibility with the deprecated 'manage_redhat_firewall' parameter, we
    # had to specify 'undef' as the default so that we could tell whether or
    # not the user explicitly specified a value. Here's where we're resolving
    # that and setting the 'real' default.  We should be able to get rid of
    # this block when we remove `manage_redhat_firewall`.
    if ($open_ssl_port != undef) {
      $final_open_ssl_port = $open_ssl_port
    } else {
      $final_open_ssl_port = true
    }

    if ($open_ssl_port or $manage_redhat_firewall) {
      if ($ssl_port) {
        $final_ssl_port = $ssl_port
      } else {
        $final_ssl_port = $port
      }
      firewall { "${final_ssl_port} accept - puppetdb":
        port   => $final_ssl_port,
        proto  => 'tcp',
        action => 'accept',
      }
    }
  }
}
Add support for opening puppetdb port in firewall 2012-09-18 02:06:48 +02:00			`class puppetdb::server::firewall(`
17594 - PuppetDB - Add ability to set standard host listen address and open firewall to standard port Prior to this commit the module did not provide a way to set a bind address for the HTTP port. This commit allows users to not only bind to an address and port other than localhost and 8080, but it also opens the firewall if explicitly requested. 2012-11-13 21:38:38 +01:00			`$port = '',`
			`$http_port = $puppetdb::params::listen_port,`
			`$open_http_port = $puppetdb::params::open_listen_port,`
			`$ssl_port = $puppetdb::params::ssl_listen_port,`
			`$open_ssl_port = $puppetdb::params::open_ssl_listen_port,`
Add support for opening puppetdb port in firewall 2012-09-18 02:06:48 +02:00			`$manage_redhat_firewall = $puppetdb::params::manage_redhat_firewall,`
			`) inherits puppetdb::params {`
			`# TODO: figure out a way to make this not platform-specific; debian and ubuntu`
			`# have an out-of-the-box firewall configuration that seems trickier to manage.`
			`# TODO: the firewall module should be able to handle this itself`
17594 - PuppetDB - Add ability to set standard host listen address and open firewall to standard port Prior to this commit the module did not provide a way to set a bind address for the HTTP port. This commit allows users to not only bind to an address and port other than localhost and 8080, but it also opens the firewall if explicitly requested. 2012-11-13 21:38:38 +01:00			`if ($puppetdb::params::firewall_supported) {`

Fix deprecation warnings around manage_redhat_firewall 2013-01-17 02:52:11 +01:00			`if ($manage_redhat_firewall != undef) {`
17594 - PuppetDB - Add ability to set standard host listen address and open firewall to standard port Prior to this commit the module did not provide a way to set a bind address for the HTTP port. This commit allows users to not only bind to an address and port other than localhost and 8080, but it also opens the firewall if explicitly requested. 2012-11-13 21:38:38 +01:00			notify {'Deprecation notice: `$manage_redhat_firewall` is deprecated in the `puppetdb::service::firewall` class and will be removed in a future version. Use `open_http_port` and `open_ssl_port` instead.':}

Fix deprecation warnings around manage_redhat_firewall 2013-01-17 02:52:11 +01:00			`if ($open_ssl_port != undef) {`
17594 - PuppetDB - Add ability to set standard host listen address and open firewall to standard port Prior to this commit the module did not provide a way to set a bind address for the HTTP port. This commit allows users to not only bind to an address and port other than localhost and 8080, but it also opens the firewall if explicitly requested. 2012-11-13 21:38:38 +01:00			fail('`$manage_redhat_firewall` and `$open_ssl_port` cannot both be specified.')
			`}`
			`}`
Add support for opening puppetdb port in firewall 2012-09-18 02:06:48 +02:00
Pass 'manage_redhat_firewall' param through to postgres Prior to this commit, if you allowed the puppetdb module to manage postgres for you, it would always try to manage the firewall for the postgres port on redhat systems. This commit exposes that as a parameter in a few more spots, and passes it through to the postgres module. 2012-09-21 19:17:42 +02:00			`exec { 'puppetdb-persist-firewall':`
complies with style guide 2012-09-20 23:46:26 +02:00			`command => $puppetdb::params::persist_firewall_command,`
			`refreshonly => true,`
			`}`
Add support for opening puppetdb port in firewall 2012-09-18 02:06:48 +02:00
complies with style guide 2012-09-20 23:46:26 +02:00			`Firewall {`
Pass 'manage_redhat_firewall' param through to postgres Prior to this commit, if you allowed the puppetdb module to manage postgres for you, it would always try to manage the firewall for the postgres port on redhat systems. This commit exposes that as a parameter in a few more spots, and passes it through to the postgres module. 2012-09-21 19:17:42 +02:00			`notify => Exec['puppetdb-persist-firewall']`
complies with style guide 2012-09-20 23:46:26 +02:00			`}`
17594 - PuppetDB - Add ability to set standard host listen address and open firewall to standard port Prior to this commit the module did not provide a way to set a bind address for the HTTP port. This commit allows users to not only bind to an address and port other than localhost and 8080, but it also opens the firewall if explicitly requested. 2012-11-13 21:38:38 +01:00
			`if ($port) {`
			notify { 'Deprecation notice: `port` parameter will be removed in future versions of the puppetdb module. Please use ssl_port instead.': }
			`}`

			`if ($port and $ssl_port) {`
			fail('`port` and `ssl_port` cannot both be defined. `port` is deprecated in favor of `ssl_port`')
			`}`

			`if ($open_http_port) {`
			`firewall { "${http_port} accept - puppetdb":`
			`port => $http_port,`
			`proto => 'tcp',`
			`action => 'accept',`
			`}`
Fix deprecation warnings around manage_redhat_firewall 2013-01-17 02:52:11 +01:00			`}`

Fix backward compatibility of `manage_redhat_firewall` parameter Prior to this commit, the deprecated `manage_redhat_firewall` param was not actually backward compatible because there were several cases where we couldn't tell the difference between the user explicitly specifying `false` for that parameter as opposed to not specifying it at all. This commit is a bit ugly because it sets some defaults to `undef` in order to allow us to tell the difference between the two cases, but it should resolve backwards compatibility issues. 2013-01-17 18:56:01 +01:00			`# This technically defaults to 'true', but in order to preserve backwards`
			`# compatibility with the deprecated 'manage_redhat_firewall' parameter, we`
			`# had to specify 'undef' as the default so that we could tell whether or`
			`# not the user explicitly specified a value. Here's where we're resolving`
			`# that and setting the 'real' default. We should be able to get rid of`
			# this block when we remove `manage_redhat_firewall`.
Fix deprecation warnings around manage_redhat_firewall 2013-01-17 02:52:11 +01:00			`if ($open_ssl_port != undef) {`
			`$final_open_ssl_port = $open_ssl_port`
			`} else {`
			`$final_open_ssl_port = true`
			`}`
complies with style guide 2012-09-20 23:46:26 +02:00
17594 - PuppetDB - Add ability to set standard host listen address and open firewall to standard port Prior to this commit the module did not provide a way to set a bind address for the HTTP port. This commit allows users to not only bind to an address and port other than localhost and 8080, but it also opens the firewall if explicitly requested. 2012-11-13 21:38:38 +01:00			`if ($open_ssl_port or $manage_redhat_firewall) {`
17594 - Fixes suggested by cprice-puppet 2012-11-29 14:46:05 +01:00			`if ($ssl_port) {`
			`$final_ssl_port = $ssl_port`
			`} else {`
			`$final_ssl_port = $port`
			`}`
			`firewall { "${final_ssl_port} accept - puppetdb":`
			`port => $final_ssl_port,`
17594 - PuppetDB - Add ability to set standard host listen address and open firewall to standard port Prior to this commit the module did not provide a way to set a bind address for the HTTP port. This commit allows users to not only bind to an address and port other than localhost and 8080, but it also opens the firewall if explicitly requested. 2012-11-13 21:38:38 +01:00			`proto => 'tcp',`
			`action => 'accept',`
			`}`
complies with style guide 2012-09-20 23:46:26 +02:00			`}`
Add support for opening puppetdb port in firewall 2012-09-18 02:06:48 +02:00			`}`
			`}`