I have noticed a very strange problem on CentOS 7 nodes where they are
collecting and/or applying their exported resources. I have a class called
"brazos::firewall" that's used internally to export a firewall rule that is
then collected by "brazos::gw" to allow specific systems through the
gateway server's NAT. Below are the actual classes. I've found that on
CentOS 6 systems, the resource is correctly exported (NOT applied by
exporting host) and collected by the gw server. On CentOS 7 systems the
resource is exported, and also applied by the exporting host when it's not
supposed to be.

All systems are running Puppet 3.6.2. I have tested this issue using the
Puppetlabs yum repo version of Puppet as well as the EPEL7 version; both
show this issue.

How can this behavior be debugged?

I have looked in /var/lib/puppet/state/classes.txt on the nodes incorrectly
applying their exported resource and the "brazos::gw" class is not listed.
I have no idea WHY the Firewall resource is being applied when it should
be exported.

I am using Hiera to assign classes and set parameters and Foreman to set
the environment and provide various top-scope variables. The only thing
applied to EL7 systems that's different than EL6 systems in my Hiera
configuration is the path to EPEL repos, paths to a few commands (like
mco), and the Puppet version. No separate classes are applied that differ
from EL6 systems.

Thanks
- Trey

brazos::firewall:

    class brazos::firewall (
      $allow_forward = false,
    ) inherits brazos::params {

      validate_bool($allow_forward)

      if $allow_forward {
        @@firewall { "050 allow forward ${::fqdn}":
          ensure      => 'present',
          chain       => 'FORWARD',
          action      => 'accept',
          proto       => 'all',
          source      => $::fqdn,
          destination => '0.0.0.0/0',
          tag         => 'allow_forward',
        }
      }
    }

brazos::gw:

    class brazos::gw (
      $private_interface = 'UNSET',
      $private_subnet    = '192.168.200.0/22',
      $ib_interface      = 'ib0',
      $ib_subnet         = '192.168.208.0/22',
      $public_interface  = 'UNSET',
    ) inherits brazos::params {

      <snip>

      Firewall <<| tag == 'allow_forward' |>>

      <snip>
    }