We're using the vault_lookup[1] module to retrieve secrets from Vault via mTLS. It works fairly well when grabbing secrets within a manifest.
However it feels like an anti-pattern by forcing lookups into our manifests when we want to keep that in Hiera. I found a previous related thread[2] where Henrik suggested writing a custom backend for Hiera and return a Deferred. However after doing what I thought was the correct thing, and returning a Deferred in our custom backend, the value in the file ends up being the literal string 'Deferred ...' and not being evaluated. I even wrote a quick manifest to check if a Deferred is being returned by Hiera/APL and it does not seem to be the case -- Hiera is returning a String representation of it. So my question is -- is it possible to actually return a Deferred via a Hiera lookup_key backend and if so, what might I be doing wrong? Sanitized code / outputs / etc provided[3] for mocking. Versions: puppet: 7.20.0 puppetserver: 7.8.0 puppetlabs/stdlib: 8.30 Thanks! Aaron [1] https://forge.puppet.com/modules/puppet/vault_lookup [2] https://groups.google.com/g/puppet-users/c/E-Q-ok-B0gQ/m/h-tYJFPdBwAJ [3] https://gist.github.com/arusso/9eed3cac93e02aa270b6811b560b2093 -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/e5e12ede-e33f-440a-b13f-ccd221110f9dn%40googlegroups.com.