Fixes for ensuring /etc/enroll exists if /etc/enroll/firewall is to be created

2026-06-19 20:18:19 +10:00 · 2026-06-19 20:18:19 +10:00 · d6371ccccd
commit d6371ccccd
parent 5644062040
4 changed files with 100 additions and 18 deletions
--- a/enroll/puppet.py
+++ b/enroll/puppet.py
@ -832,15 +832,14 @@ def _collect_puppet_roles(
            str(p).strip() for p in (fw.get("packages") or []) if str(p).strip()
        ]
        if has_fw or packages or fw.get("notes"):
-            if has_fw:
-                runtime_role = ensure_role("enroll_runtime")
-                runtime_role.add_managed_dir(
-                    "/etc/enroll",
-                    owner="root",
-                    group="root",
-                    mode="0750",
-                    reason="enroll_runtime",
-                )
+            runtime_role = ensure_role("enroll_runtime")
+            runtime_role.add_managed_dir(
+                "/etc/enroll",
+                owner="root",
+                group="root",
+                mode="0750",
+                reason="enroll_runtime",
+            )
            role_name = str(fw.get("role_name") or "firewall_runtime")
            prole = ensure_role(role_name)
            prole.add_firewall_runtime_snapshot(
--- a/enroll/salt.py
+++ b/enroll/salt.py
@ -888,15 +888,14 @@ def _collect_salt_roles(
            str(p).strip() for p in (fw.get("packages") or []) if str(p).strip()
        ]
        if has_fw or packages or fw.get("notes"):
-            if has_fw:
-                runtime_role = ensure_role("enroll_runtime")
-                runtime_role.add_managed_dir(
-                    "/etc/enroll",
-                    user="root",
-                    group="root",
-                    mode="0750",
-                    reason="enroll_runtime",
-                )
+            runtime_role = ensure_role("enroll_runtime")
+            runtime_role.add_managed_dir(
+                "/etc/enroll",
+                user="root",
+                group="root",
+                mode="0750",
+                reason="enroll_runtime",
+            )
            role_name = str(fw.get("role_name") or "firewall_runtime")
            srole = ensure_role(role_name)
            srole.add_firewall_runtime_snapshot(
--- a/tests/test_manifest_puppet.py
+++ b/tests/test_manifest_puppet.py
@ -798,3 +798,46 @@ def test_manifest_puppet_renders_firewall_runtime_resources(tmp_path: Path):
    ).read_text(encoding="utf-8")
    assert "Hash $firewall_runtime = {}" in fqdn_pp
    assert "$firewall_runtime['ipset_restore_cmd']" in fqdn_pp
+
+
+def test_manifest_puppet_includes_enroll_runtime_for_firewall_notes_only(
+    tmp_path: Path,
+):
+    bundle = tmp_path / "bundle"
+    out = tmp_path / "puppet"
+    state = {
+        "schema_version": 3,
+        "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"},
+        "inventory": {"packages": {}},
+        "roles": {
+            "firewall_runtime": {
+                "role_name": "firewall_runtime",
+                "packages": [],
+                "ipset_save": None,
+                "ipset_sets": [],
+                "iptables_v4_save": None,
+                "iptables_v6_save": None,
+                "notes": [
+                    "not running as root; live firewall runtime was not captured"
+                ],
+            }
+        },
+    }
+    _write_state(bundle, state)
+
+    manifest.manifest(str(bundle), str(out), target="puppet")
+
+    site_pp = (out / "manifests" / "site.pp").read_text(encoding="utf-8")
+    assert "include enroll_runtime" in site_pp
+    assert "include firewall_runtime" in site_pp
+    assert site_pp.index("include enroll_runtime") < site_pp.index(
+        "include firewall_runtime"
+    )
+    runtime_pp = (
+        out / "modules" / "enroll_runtime" / "manifests" / "init.pp"
+    ).read_text(encoding="utf-8")
+    firewall_pp = (
+        out / "modules" / "firewall_runtime" / "manifests" / "init.pp"
+    ).read_text(encoding="utf-8")
+    assert "file { '/etc/enroll':" in runtime_pp
+    assert "require => File['/etc/enroll']," in firewall_pp
--- a/tests/test_manifest_salt.py
+++ b/tests/test_manifest_salt.py
@ -624,3 +624,44 @@ def test_manifest_salt_renders_firewall_runtime_states(tmp_path: Path):
        fqdn_out / "states" / "roles" / "firewall_runtime" / "init.sls"
    ).read_text(encoding="utf-8")
    assert "firewall_runtime.get('ipset_restore_cmd')" in fqdn_sls
+
+
+def test_manifest_salt_includes_enroll_runtime_for_firewall_notes_only(tmp_path: Path):
+    bundle = tmp_path / "bundle"
+    out = tmp_path / "salt"
+    state = {
+        "schema_version": 3,
+        "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"},
+        "inventory": {"packages": {}},
+        "roles": {
+            "firewall_runtime": {
+                "role_name": "firewall_runtime",
+                "packages": [],
+                "ipset_save": None,
+                "ipset_sets": [],
+                "iptables_v4_save": None,
+                "iptables_v6_save": None,
+                "notes": [
+                    "not running as root; live firewall runtime was not captured"
+                ],
+            }
+        },
+    }
+    _write_state(bundle, state)
+
+    manifest.manifest(str(bundle), str(out), target="salt")
+
+    top = yaml.safe_load((out / "states" / "top.sls").read_text(encoding="utf-8"))
+    assert "roles.enroll_runtime" in top["base"]["*"]
+    assert "roles.firewall_runtime" in top["base"]["*"]
+    assert top["base"]["*"].index("roles.enroll_runtime") < top["base"]["*"].index(
+        "roles.firewall_runtime"
+    )
+    runtime_sls = (out / "states" / "roles" / "enroll_runtime" / "init.sls").read_text(
+        encoding="utf-8"
+    )
+    firewall_sls = (
+        out / "states" / "roles" / "firewall_runtime" / "init.sls"
+    ).read_text(encoding="utf-8")
+    assert '"/etc/enroll":' in runtime_sls
+    assert '- file: "/etc/enroll"' in firewall_sls