puppet module: prevent running match call if a preassignment failed (#17175)

for #16954 # Checklist for submitter If some of the following don't apply, delete the relevant line.  - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2026-05-23 17:08:53 +00:00 · 2024-02-28 19:15:41 -03:00 · 2024-02-28 19:15:41 -03:00 · 456bc3c9a9
commit 456bc3c9a9
parent 4751e6652a
4 changed files with 77 additions and 7 deletions
--- a/.github/workflows/test-puppet.yml
+++ b/.github/workflows/test-puppet.yml
@ -7,7 +7,7 @@ on:
      - patch-*
  pull_request:
    paths:
-      - 'ee/tools/puppet/fleetdm/*.*'
+      - 'ee/tools/puppet/fleetdm/**'
      - '.github/workflows/test-puppet.yml'
  workflow_dispatch: # Manual

--- a/ee/tools/puppet/fleetdm/lib/puppet/reports/fleetdm.rb
+++ b/ee/tools/puppet/fleetdm/lib/puppet/reports/fleetdm.rb
@ -8,15 +8,21 @@ Puppet::Reports.register_report(:fleetdm) do

  def process
    return if noop
-    client = Puppet::Util::FleetClient.instance
+
    node_name = Puppet[:node_name_value]
+    if resource_statuses.any? { |r| r.include?('error pre-setting fleetdm::profile') }
+      Puppet.err("Some resources failed to be assigned, not matching profiles for #{node_name}")
+      return
+    end
+
+    client = Puppet::Util::FleetClient.instance
    run_identifier = "#{catalog_uuid}-#{node_name}"
    response = client.match_profiles(run_identifier, environment)
-
    if response['error'].empty?
      Puppet.info("Successfully matched #{node_name} with a team containing configuration profiles")
-    else
-      Puppet.err("Error matching node #{node_name} with a team containing configuration profiles: #{response['error']}")
+      return
    end
+
+    Puppet.err("Error matching node #{node_name} with a team containing configuration profiles: #{response['error']}")
  end
 end
--- a/ee/tools/puppet/fleetdm/manifests/profile.pp
+++ b/ee/tools/puppet/fleetdm/manifests/profile.pp
@ -47,13 +47,13 @@ define fleetdm::profile (
    $changed = $response['resource_changed']

    if $err != '' {
-      notify { "error pre-setting profile ${name} as ${ensure}: ${err}":
+      notify { "error pre-setting fleetdm::profile ${name} as ${ensure}: ${err}":
        loglevel => 'err',
      }
    } elsif $changed {
      # NOTE: sending a notification also marks the
      # 'fleetdm::profile' as changed in the reports.
-      notify { "successfully pre-set profile ${name} as ${ensure}": }
+      notify { "successfully pre-set fleetdm::profile ${name} as ${ensure}": }
    }
  }
 }
--- a/ee/tools/puppet/fleetdm/spec/unit/reports/fleetdm_spec.rb
+++ b/ee/tools/puppet/fleetdm/spec/unit/reports/fleetdm_spec.rb
@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'puppet/reports'
+require_relative '../../../lib/puppet/reports/fleetdm.rb'
+
+describe 'Puppet::Reports::Fleetdm' do
+  let(:fleet_client_mock) { instance_double('Puppet::Util::FleetClient') }
+  let(:catalog_uuid) { '827a74c8-cf98-44da-9ff7-18c5e4bee41e' }
+  let(:node_name) { Puppet[:node_name_value] }
+  let(:report) do
+    report = Puppet::Transaction::Report.new('apply')
+    report.extend(Puppet::Reports.report(:fleetdm))
+    report
+  end
+
+  before(:each) do
+    Puppet[:reports] = 'fleetdm'
+    Puppet::Util::Log.level = :warning
+    Puppet::Util::Log.newdestination(:console)
+
+    fleet_client_class = class_spy('Puppet::Util::FleetClient')
+    stub_const('Puppet::Util::FleetClient', fleet_client_class)
+    allow(fleet_client_class).to receive(:instance) { fleet_client_mock }
+    allow(SecureRandom).to receive(:uuid).and_return(catalog_uuid)
+  end
+
+  it 'does not process in noop mode' do
+    allow(report).to receive(:noop).and_return(true)
+    expect(fleet_client_mock).not_to receive(:match_profiles)
+    report.process
+  end
+
+  it 'logs an error if resources failed to be assigned' do
+    allow(report).to receive(:resource_statuses).and_return({ 'myresource' => 'error pre-setting fleetdm::profile' })
+    expect(Puppet).to receive(:err).with(%r{Some resources failed to be assigned})
+    expect(fleet_client_mock).not_to receive(:match_profiles)
+    report.process
+  end
+
+  it 'successfully matches profiles when there are no errors' do
+    allow(report).to receive(:noop).and_return(false)
+    allow(report).to receive(:resource_statuses).and_return({})
+    allow(fleet_client_mock).to receive(:match_profiles).and_return({ 'error' => '' })
+    allow(report).to receive(:catalog_uuid).and_return(catalog_uuid)
+
+    expect(fleet_client_mock).to receive(:match_profiles).with("#{catalog_uuid}-#{node_name}", anything)
+    expect(Puppet).to receive(:info).with("Successfully matched #{node_name} with a team containing configuration profiles")
+
+    report.process
+  end
+
+  it 'logs an error when matching profiles fails' do
+    allow(report).to receive(:noop).and_return(false)
+    allow(report).to receive(:resource_statuses).and_return({})
+    allow(fleet_client_mock).to receive(:match_profiles).and_return({ 'error' => 'Some error' })
+    allow(report).to receive(:catalog_uuid).and_return(catalog_uuid)
+
+    expect(fleet_client_mock).to receive(:match_profiles).with("#{catalog_uuid}-#{node_name}", anything)
+    expect(Puppet).to receive(:err).with("Error matching node #{node_name} with a team containing configuration profiles: Some error")
+
+    report.process
+  end
+end