Puppet attribute validate_cmd in concat fragment


I am trying to implement the validate_cmd attribute in a concat fragment but am unable to get the desired result.

The overall goal is, after the concatenation of files, to execute validate_cmd, which is basically validation for the file with order 01 (tls_cert_file1); if the script returns 0 then deploy the concat file, otherwise stop further action.

In the manifest below, the problem is that validation (validate_cmd) is performed first and then the concatenation of files, but my requirement is to first finish the concatenation of files and then execute validate_cmd; the reason is to first fetch changes from the source, concat them, then run validation. Basically validation is only for tls_cert_file1. The problem with this is that validation is first performed with the existing cert which is already on the client and returns 0, and then the concatenation happens, which finds changes in the source.

# Verification script
file { 'tls_verification_script':
  ensure  => file,
  path    => "${config}/tls_verification",
  owner   => 'nagios',
  group   => 'nagios',
  content => template('nagios/tls_verification.erb'),
}

# Concatenation of certificates
concat { 'tls_cert':
  ensure       => present,
  path         => $tls_path,
  owner        => 'nagios',
  group        => 'nagios',
  validate_cmd => "/usr/bin/python3 ${config}/tls_verification",
}

# Fragment for tls_cert_file1
concat::fragment { 'tls_cert_file1':
  target => 'tls_cert',
  # Puppet file-server URLs use the 'modules' mount point (fixed from 'module')
  source => "puppet:///modules/xxxxxxxxxxxx",
  order  => '01',
}

# Fragment for tls_cert_file2
concat::fragment { 'tls_cert_file2':
  target => 'tls_cert',
  source => "puppet:///modules/xxxxxxxxxxxx",
  order  => '02',
}

I tried the validation attribute in concat::fragment, but it seems concat::fragment has no parameter for validate_cmd.

error: Error: Could not retrieve catlog from remote server. Evaluation Error: while evaluating a Resource Statement, concat::fragment { 'tls_cert_file1': has no parameter named 'valdiate_cmd'

# Verification script
file { 'tls_verification_script':
  ensure  => file,
  path    => "${config}/tls_verification",
  owner   => 'nagios',
  group   => 'nagios',
  content => template('nagios/tls_verification.erb'),
}

# Concatenation of certificates
concat { 'tls_cert':
  ensure => present,
  path   => $tls_path,
  owner  => 'nagios',
  group  => 'nagios',
}

# Fragment for tls_cert_file1
concat::fragment { 'tls_cert_file1':
  target       => 'tls_cert',
  # Puppet file-server URLs use the 'modules' mount point (fixed from 'module')
  source       => "puppet:///modules/xxxxxxxxxxxx",
  order        => '01',
  validate_cmd => "/usr/bin/python3 ${config}/tls_verification",
}

# Fragment for tls_cert_file2
concat::fragment { 'tls_cert_file2':
  target => 'tls_cert',
  source => "puppet:///modules/xxxxxxxxxxxx",
  order  => '02',
}


Answer by John Bollinger

In the manifest below, the problem is that validation (validate_cmd) is performed first and then the concatenation of files

Not plausible. It's not how validation works in puppetlabs/concat. The provided validate_cmd parameter is ultimately used to configure a File resource, which has this effect:

A command for validating the file's syntax before replacing it. If Puppet would need to rewrite a file due to new source or content, it will check the new content's validity first. If validation fails, the file resource will fail.

The "new content" in this case is that obtained by concatenating the fragments. (It can't be anything else, because that's what the File must install to satisfy its specifications.)

Puppet cannot and does not execute the validation command before concatenating the fragments. You should be asking yourself, however: if the new content is validated before being put into place, then how can the validation script know where to find it? The File docs go on to answer that:

This command must have a fully qualified path, and should contain a percent (%) token where it would expect an input file. It must exit 0 if the syntax is correct, and non-zero otherwise. The command will be run on the target system while applying the catalog, not on the primary Puppet server.

That is, your script must accept the name of the file to validate as a command-line argument, and the command string associated with the validate_cmd parameter must contain a % as a placeholder to tell Puppet where in the command to insert that filename.
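The answer describes the contract a validate_cmd script must honour: Puppet writes the candidate (concatenated) content to a temporary file, substitutes that file's path for the % token, runs the command on the agent, and only installs the content if the command exits 0. The following is an added example of a script with that shape, written by the editor of this page; it is not the asker's tls_verification.erb nor anything from the puppetlabs/concat module. It assumes the validation rule the asker describes (the order-01 fragment, i.e. the first PEM block in the concatenated file, must be a certificate) and that the manifest is changed to `validate_cmd => "/usr/bin/python3 ${config}/tls_verification %"`. Only the standard library is used, so the certificate check is structural (base64 and outer DER SEQUENCE); a production script would parse the certificate with a real X.509 library.

```python
"""validate_cmd-style checker: argv[1] is the candidate file Puppet wrote.

Exit status 0 means "content is acceptable, install it"; any other status
makes the File resource (and therefore the concat) fail without replacing
the file already on disk.
"""
import base64
import re
import sys
from typing import List, Optional, Tuple

# One PEM block: label (CERTIFICATE, PRIVATE KEY, ...) and its base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def der_declared_length(der: bytes) -> Optional[int]:
    """Total length implied by the outer DER SEQUENCE header, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def validate_cert_text(text: str) -> Tuple[bool, str]:
    """Check that the first PEM block is a structurally sound certificate."""
    blocks: List[Tuple[str, str]] = PEM_BLOCK.findall(text)
    if not blocks:
        return False, "no PEM blocks found"
    label, body = blocks[0]                     # order-01 fragment comes first
    if label != "CERTIFICATE":
        return False, "first PEM block is %r, expected CERTIFICATE" % label
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:                          # binascii.Error is a ValueError
        return False, "first block is not valid base64"
    if der_declared_length(der) != len(der):
        return False, "first certificate is not a well-formed DER SEQUENCE"
    return True, "ok: %d PEM block(s), first is a certificate" % len(blocks)


def validate_cert_file(path: str) -> Tuple[bool, str]:
    """Read the candidate file Puppet passed in place of the % token."""
    with open(path, "rb") as fh:
        return validate_cert_text(fh.read().decode("ascii", errors="replace"))


def expand_validate_cmd(template: str, candidate_path: str) -> str:
    """Mirror Puppet's substitution: every % token becomes the temp file path."""
    return template.replace("%", candidate_path)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: tls_verification <candidate-file>", file=sys.stderr)
        sys.exit(2)
    ok, message = validate_cert_file(sys.argv[1])
    print(message, file=sys.stderr)
    sys.exit(0 if ok else 1)
```

Because the check runs against the temporary candidate file rather than the path already deployed, a rejected concatenation leaves the existing certificate bundle untouched, which is the behaviour the question was after.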