Modulefile

@@ -1,5 +1,5 @@
 name    'ghoneycutt-ssh'
-version '3.16.0'
+version '3.17.0'
 source 'git://github.com/ghoneycutt/puppet-module-ssh.git'
 author 'ghoneycutt'
 license 'Apache License, Version 2.0'

manifests/init.pp

@@ -366,22 +366,6 @@
     validate_array($sshd_config_macs)
   }
 
-  if $sshd_config_denyusers != undef {
-    validate_array($sshd_config_denyusers)
-  }
-
-  if $sshd_config_denygroups != undef {
-    validate_array($sshd_config_denygroups)
-  }
-
-  if $sshd_config_allowusers != undef {
-    validate_array($sshd_config_allowusers)
-  }
-
-  if $sshd_config_allowgroups != undef {
-    validate_array($sshd_config_allowgroups)
-  }
-
   if $ssh_config_hash_known_hosts_real != undef {
     validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
   }
@@ -499,6 +483,35 @@
   $supported_loglevel_vals=['QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE']
   validate_re($sshd_config_loglevel, $supported_loglevel_vals)
 
+  #enable hiera merging for allow groups and allow users
+  if $hiera_merge_real == true {
+    $sshd_config_denygroups_real  = hiera_array('ssh::sshd_config_denygroups',  undef)
+    $sshd_config_denyusers_real   = hiera_array('ssh::sshd_config_denyusers',  undef)
+    $sshd_config_allowgroups_real = hiera_array('ssh::sshd_config_allowgroups',  undef)
+    $sshd_config_allowusers_real  = hiera_array('ssh::sshd_config_allowusers',  undef)
+  } else {
+    $sshd_config_denygroups_real  = $sshd_config_denygroups
+    $sshd_config_denyusers_real   = $sshd_config_denyusers
+    $sshd_config_allowgroups_real = $sshd_config_allowgroups
+    $sshd_config_allowusers_real  = $sshd_config_allowusers
+  }
+
+  if $real_sshd_config_denyusers != undef {
+    validate_array($real_sshd_config_denyusers)
+  }
+
+  if $real_sshd_config_denygroups != undef {
+    validate_array($real_sshd_config_denygroups)
+  }
+
+  if $real_sshd_config_allowusers != undef {
+    validate_array($real_sshd_config_allowusers)
+  }
+
+  if $real_sshd_config_allowgroups != undef {
+    validate_array($real_sshd_config_allowgroups)
+  }
+
   package { $packages_real:
     ensure    => installed,
     source    => $ssh_package_source_real,

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-ssh",
-  "version": "3.16.0",
+  "version": "3.17.0",
   "author": "ghoneycutt",
   "summary": "Manages SSH",
   "license": "Apache License, Version 2.0",

templates/sshd_config.erb

@@ -167,14 +167,14 @@ Ciphers <%= @sshd_config_ciphers.join(',') %>
 MACs <%= @sshd_config_macs.join(',') %>
 <% end -%>
 <% if @sshd_config_denyusers -%>
-DenyUsers <%= @sshd_config_denyusers.join(' ') %>
+DenyUsers <%= @sshd_config_denyusers_real.join(' ') %>
 <% end -%>
 <% if @sshd_config_denygroups -%>
-DenyGroups <%= @sshd_config_denygroups.join(' ') %>
+DenyGroups <%= @sshd_config_denygroups_real.join(' ') %>
 <% end -%>
 <% if @sshd_config_allowusers -%>
-AllowUsers <%= @sshd_config_allowusers.join(' ') %>
+AllowUsers <%= @sshd_config_allowusers_real.join(' ') %>
 <% end -%>
 <% if @sshd_config_allowgroups -%>
-AllowGroups <%= @sshd_config_allowgroups.join(' ') %>
+AllowGroups <%= @sshd_config_allowgroups_real.join(' ') %>
 <% end -%>