.sync.yml

@@ -29,6 +29,7 @@
 spec/spec_helper.rb:
   coverage_report: true
   minimum_code_coverage_percentage: 100
+  hiera_config: spec/hiera.yaml
 appveyor.yml:
   delete: true
 .gitlab-ci.yml:

CHANGELOG.md

@@ -2,11 +2,23 @@
 
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).
 
+## [v4.2.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v4.2.0) (2023-07-17)
+
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v4.1.0...v4.2.0)
+
+### Added
+
+- Ensure limits\_fragments\_hiera\_merge is using proper lookup function [\#263](https://github.com/ghoneycutt/puppet-module-pam/pull/263) ([treydock](https://github.com/treydock))
+
+### Merged pull requests:
+
+- Remove support for Vagrant [\#264](https://github.com/ghoneycutt/puppet-module-pam/pull/264) ([ghoneycutt](https://github.com/ghoneycutt))
+
 ## [v4.1.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v4.1.0) (2023-07-17)
 
 [Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v4.0.0...v4.1.0)
 
-### Merged pull requests:
+### Added
 
 - add parameter to control manamgent of access.conf [\#262](https://github.com/ghoneycutt/puppet-module-pam/pull/262) ([treydock](https://github.com/treydock))
 

README.md

@@ -145,6 +145,26 @@ This would create `/etc/security/limits.d/custom.conf` with content
 * hard cpu 1440
 ```
 
+The parameter `pam::limits_fragments_hiera_merge` can be set to `true` to allow Hiera to define and merge limits from multiple locations.  Example:
+
+```yaml
+# data/common.yaml
+---
+pam::limits_fragments_hiera_merge: true
+pam::limits_fragments:
+  custom:
+    list:
+      - '* soft nofile 2048'
+      - '* hard nofile 8192'
+# data/os/RedHat/8.yaml
+---
+pam::limits_fragments:
+  custom:
+    list:
+      - '* soft as 3145728'
+      - '* hard as 4194304'
+```
+
 #### Specifying the content of a service
 Manage PAM file for specific service.
 

manifests/init.pp

@@ -325,7 +325,7 @@
 
   if $limits_fragments {
     if $limits_fragments_hiera_merge {
-      $limits_fragments_real = hiera_hash('pam::limits_fragments')
+      $limits_fragments_real = lookup('pam::limits_fragments', Hash, 'deep', {})
     } else {
       $limits_fragments_real = $limits_fragments
     }

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-pam",
-  "version": "4.1.0",
+  "version": "4.2.0",
   "author": "ghoneycutt",
   "summary": "Manage PAM",
   "license": "Apache-2.0",
@@ -96,7 +96,7 @@
     }
   ],
   "description": "Manages PAM, including specifying users and groups in access.conf, limits.conf, and limits fragments",
-  "pdk-version": "2.6.0",
+  "pdk-version": "3.0.0",
   "template-url": "https://github.com/tailored-automation/pdk-templates#main",
-  "template-ref": "heads/main-0-g37b4517"
+  "template-ref": "heads/main-0-g53868f7"
 }

spec/classes/init_spec.rb

@@ -95,7 +95,24 @@
 
       it { is_expected.to contain_class('nsswitch') }
       it { is_expected.to have_pam__service_resource_count(0) }
-      it { is_expected.to have_pam__limits__fragment_resource_count(0) }
+      it { is_expected.to have_pam__limits__fragment_resource_count(1) }
+      it do
+        is_expected.to contain_pam__limits__fragment('test').with(
+          list: ['* soft as 3145728', '* hard as 4194304'],
+        )
+      end
+      # Validate presence to ensure coverage stays 100%
+      it { is_expected.to contain_file('/etc/security/limits.d/test.conf') }
+
+      context 'when limits_fragments_hiera_merge => true' do
+        let(:params) { { limits_fragments_hiera_merge: true } }
+
+        it do
+          is_expected.to contain_pam__limits__fragment('test').with(
+            list: ['* soft nofile 2048', '* hard nofile 8192', '* soft as 3145728', '* hard as 4194304'],
+          )
+        end
+      end
 
       context "with login_pam_access set to valid string sufficient on OS #{os}" do
         let(:params) { { login_pam_access: 'sufficient' } }

spec/classes/limits_spec.rb

@@ -149,6 +149,8 @@
         it { is_expected.to contain_exec('mkdir_p-/testing.d') }
         it { is_expected.to contain_file('limits_d').with_path('/testing.d') }
         it { is_expected.to contain_file('limits_d').that_requires('Exec[mkdir_p-/testing.d]') }
+        # Included by default due to unit testing Hiera adding to tests-only common.yaml
+        it { is_expected.to contain_file('/testing.d/test.conf') }
       end
 
       context 'with limits_d_dir_mode set to a valid string' do

spec/fixtures/data/common.yaml

@@ -0,0 +1,6 @@
+---
+pam::limits_fragments:
+  test:
+    list:
+      - '* soft nofile 2048'
+      - '* hard nofile 8192'

spec/fixtures/data/test.yaml

@@ -0,0 +1,6 @@
+---
+pam::limits_fragments:
+  test:
+    list:
+      - '* soft as 3145728'
+      - '* hard as 4194304'

spec/hiera.yaml

@@ -0,0 +1,10 @@
+---
+version: 5
+defaults:
+  datadir: fixtures/data
+  data_hash: yaml_data
+hierarchy:
+  - name: testing
+    path: test.yaml
+  - name: common
+    path: common.yaml

spec/spec_helper.rb

@@ -38,6 +38,7 @@
 
 RSpec.configure do |c|
   c.default_facts = default_facts
+  c.hiera_config = 'spec/hiera.yaml'
   c.before :each do
     # set to strictest setting for testing
     # by default Puppet runs at warning level