Begin documenting what should not go in the Puppet repo

1 parent 5a7a5e3 commit ceee07e6e53c2df9f9f1ba33de4990449aa0e77c @samjsharpe samjsharpe committed Feb 17, 2013
Showing with 26 additions and 0 deletions.
@@ -5,6 +5,32 @@
- Run `rake spec` and `rake lint` to run the tests and lint before
checking in.
+## Things that should not be in the Puppet Repo
+- **Secrets.** It is bad practise to embed your secret data (passwords,
+ tokens) within Puppet. To do so means that even if you specify that a
+ secret applies to one particular environment it is available on the
+ PuppetMaster for every environment. It is good practise to store
+ secrets in `alphagov/deployment/puppet/extdata/${environment}.csv`.
+ Please make sure where necessary you have different secrets for each
+ value.
+- **Per Environment switches**. The puppet repo should not know the
+ specifics of each environment. By switching on platform or environment
+ variables, you make it difficult to add new platforms and hard to ensure
+ that consistent behaviour is applied across all environments. To apply a
+ catalog item to a subset of environments you should:
+ 1. Add a feature toggle to extdata (default goes in `common.csv`, per
+ environment value goes in `${environment}.csv`. Be aware that
+ extdata for environments is in the `deployment` repo, but extdata for
+ `development` is in the development repo. `common.csv` exists in both
+ repos.
+ 2. Switch on resources based on the feature toggle in extdata:
+ [puppet/modules/govuk/manifests/node/s_base.pp#LC25]
+ (
+ 3. Where possible, create your switches at the machine manifest level (as
+ above) rather than within a module.
## Dependency management
- Prefer `require` to `before`.
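
Review bot: In the **Secrets** bullet, the closing sentence asks for "different secrets for each value", which does not follow from the rationale before it; that rationale is about a secret being visible on the PuppetMaster for every environment, so the sentence presumably means "for each environment" and should say so. Two rendering problems in the numbered list also need fixing before merge: in step 1 the parenthesis opened at "(default goes in `common.csv`, per" is never closed, and in step 2 the link text `[puppet/modules/govuk/manifests/node/s_base.pp#LC25]` is followed by a bare `(` with no URL, so it will not render as a link. Since the bullet points readers at `alphagov/deployment/puppet/extdata/${environment}.csv` as the place for secrets, and step 1 notes that `development` extdata lives in a different repo, it would also help to state which of those two locations development secrets belong in.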
