Puppet supports the concept of resource dependencies where one resource will not by synced until another is synced first. For example, the following Puppet fragment will create the user user1 and the group group1 but it will create the group first:
group { 'group1':
ensure => present
}
user { 'user1':
ensure => present,
gid => 'group1',
require => Group['group1']
}
My question is: how do dependencies work when the ensure parameter is changed from "present" to "absent":
group { 'group1':
ensure => absent
}
user { 'user1':
ensure => absent,
gid => 'group1',
require => Group['group1']
}
What does Puppet do in a case like this? Does it remove the group first, or the user first? Or perhaps the order is not defined?
In general, how would you ensure that one resource is not present only when some other resource is already not present.
You can remove "require => Group['group1']" from the user resource and the resources will still be created properly. You can then use a conditional to change the relationship between User and Group when trying to "ensure => absent".
Here is an existing bug report:
http://projects.puppetlabs.com/issues/9622
I'm fairly sure it removes the group first.
This sort of situation usually comes up in definitions. What I normally do is something along the lines of:
It's ugly but it works. There may be a better way.
Also, I believe it doesn't actually matter if Puppet removes the group first in this sort of case, so you could just leave the dependencies alone and not worry about it. The user will be in a non-existent group for as long as they still exist, which won't be long. Probably not much harm done.