diff --git a/REFERENCE.md b/REFERENCE.md
index df2287ba..7aef694b 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -64,6 +64,7 @@
* [`download`](#download): Download a file using curl
* [`enable_replica`](#enable_replica): Execute the enable replica puppet command
* [`filesize`](#filesize): Return the size of a file in bytes
+* [`get_group_rules`](#get_group_rules): Run on a PE primary node to return the rules currently applied to the PE Infrastructure Agent group
* [`get_peadm_config`](#get_peadm_config): Run on a PE primary node to return the currently configured PEAdm parameters
* [`get_psql_version`](#get_psql_version): Run on a PE PSQL node to return the major version of the PSQL server currently installed
* [`infrastatus`](#infrastatus): Runs puppet infra status and returns the output
@@ -1185,6 +1186,12 @@ Data type: `String`
Path to the file to return the size of
+### `get_group_rules`
+
+Run on a PE primary node to return the rules currently applied to the PE Infrastructure Agent group
+
+**Supports noop?** false
+
### `get_peadm_config`
Run on a PE primary node to return the currently configured PEAdm parameters
diff --git a/plans/convert.pp b/plans/convert.pp
index e697e87d..2642ccd7 100644
--- a/plans/convert.pp
+++ b/plans/convert.pp
@@ -261,6 +261,10 @@
# the existing groups are correct enough to function until the upgrade is
# performed.
if (versioncmp($pe_version, '2019.7.0') >= 0) {
+ $rules = run_task('peadm::get_group_rules', $primary_target).first.value['_output']
+ $rules_formatted = stdlib::to_json_pretty(parsejson($rules))
+ out::message("WARNING: The following existing rules on the PE Infrastructure Agent group will be overwritten with default values:\n ${rules_formatted}")
+
apply($primary_target) {
class { 'peadm::setup::node_manager_yaml':
primary_host => $primary_target.peadm::certname(),
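Review bot: The added `out::message` warning is printed unconditionally, but tasks/get_group_rules.rb prints `{"error": "PE Infrastructure Agent group does not exist"}` and still exits zero when the group is missing. In that case the plan would present the error object as the "existing rules" about to be overwritten. Parse once and warn only on a real rule set, e.g. `$parsed = parsejson($rules)` followed by `unless $parsed =~ Hash { out::message(...) }`, assuming a rule is never itself a hash (worth confirming). The `run_task` call also has no `_catch_errors`, so a failure of this purely informational lookup aborts the plan before the `apply`; confirm that is intended. The same three lines are added in plans/upgrade.pp, and the enclosing `if` and `apply` blocks continue outside this hunk.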
diff --git a/plans/upgrade.pp b/plans/upgrade.pp
index 63375829..5d061e0d 100644
--- a/plans/upgrade.pp
+++ b/plans/upgrade.pp
@@ -326,6 +326,10 @@
default => $primary_postgresql_target.peadm::certname(),
}
+ $rules = run_task('peadm::get_group_rules', $primary_target).first.value['_output']
+ $rules_formatted = stdlib::to_json_pretty(parsejson($rules))
+ out::message("WARNING: The following existing rules on the PE Infrastructure Agent group will be overwritten with default values:\n ${rules_formatted}")
+
apply($primary_target) {
class { 'peadm::setup::node_manager_yaml':
primary_host => $primary_target.peadm::certname(),
diff --git a/spec/plans/convert_spec.rb b/spec/plans/convert_spec.rb
index ae738f2f..39ec7367 100644
--- a/spec/plans/convert_spec.rb
+++ b/spec/plans/convert_spec.rb
@@ -20,6 +20,7 @@
expect_task('peadm::cert_data').return_for_targets('primary' => trustedjson)
expect_task('peadm::read_file').always_return({ 'content' => '2021.7.9' })
+ expect_task('peadm::get_group_rules').return_for_targets('primary' => { '_output' => '{"rules": []}' })
# For some reason, expect_plan() was not working??
allow_plan('peadm::modify_certificate').always_return({})
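Review bot: The stubbed `_output` of `'{"rules": []}'` does not match either shape that tasks/get_group_rules.rb prints. The task emits the group's `rule` value directly, or an `{"error": ...}` object when the group is missing, so these examples never exercise what the plan will actually parse and display. Stub a rule-shaped value instead (constructed sample: `'["or", ["=", "name", "primary.example.com"]]'`) and add an example that returns the error object, to pin how the plan should behave when the group does not exist. The same stub is repeated in the three spec/plans/upgrade_spec.rb hunks, and the enclosing example block starts outside this hunk.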
diff --git a/spec/plans/upgrade_spec.rb b/spec/plans/upgrade_spec.rb
index b3536a9e..640e7c04 100644
--- a/spec/plans/upgrade_spec.rb
+++ b/spec/plans/upgrade_spec.rb
@@ -22,6 +22,7 @@ def allow_standard_non_returning_calls
it 'minimum variables to run' do
allow_standard_non_returning_calls
+ expect_task('peadm::get_group_rules').return_for_targets('primary' => { '_output' => '{"rules": []}' })
expect_task('peadm::read_file')
.with_params('path' => '/opt/puppetlabs/server/pe_build')
@@ -36,6 +37,7 @@ def allow_standard_non_returning_calls
it 'runs with a primary, compilers, but no replica' do
allow_standard_non_returning_calls
+ expect_task('peadm::get_group_rules').return_for_targets('primary' => { '_output' => '{"rules": []}' })
expect_task('peadm::read_file')
.with_params('path' => '/opt/puppetlabs/server/pe_build')
@@ -92,6 +94,7 @@ def allow_standard_non_returning_calls
.always_return({ 'content' => installed_version })
expect_task('peadm::cert_data').return_for_targets('primary' => trusted_primary)
+ expect_task('peadm::get_group_rules').return_for_targets('primary' => { '_output' => '{"rules": []}' })
end
it 'updates pe.conf if r10k_known_hosts is set' do
diff --git a/tasks/get_group_rules.json b/tasks/get_group_rules.json
new file mode 100644
index 00000000..994d8683
--- /dev/null
+++ b/tasks/get_group_rules.json
@@ -0,0 +1,5 @@
+{
+ "description": "Run on a PE primary node to return the rules currently applied to the PE Infrastructure Agent group",
+ "parameters": { },
+ "input_method": "stdin"
+}
diff --git a/tasks/get_group_rules.rb b/tasks/get_group_rules.rb
new file mode 100755
index 00000000..a4f675fa
--- /dev/null
+++ b/tasks/get_group_rules.rb
@@ -0,0 +1,42 @@
+#!/opt/puppetlabs/puppet/bin/ruby
+# frozen_string_literal: true
+
+require 'json'
+require 'net/http'
+require 'puppet'
+
+# GetInfrastructureAgentGroupRules task class
+class GetInfrastructureAgentGroupRules
+ def execute!
+ infrastructure_agent_group = groups.find { |obj| obj['name'] == 'PE Infrastructure Agent' }
+ if infrastructure_agent_group
+ puts JSON.pretty_generate(infrastructure_agent_group['rule'])
+ else
+ puts JSON.pretty_generate({ 'error' => 'PE Infrastructure Agent group does not exist' })
+ end
+ end
+
+ def groups
+ net = https(4433)
+ res = net.get('/classifier-api/v1/groups')
+ JSON.parse(res.body)
+ end
+
+ def https(port)
+ https = Net::HTTP.new(Puppet.settings[:certname], port)
+ https.use_ssl = true
+ https.cert = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+ https.key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
+ https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ https.ca_file = Puppet.settings[:localcacert]
+ https
+ end
+end
+
+# Run the task unless an environment flag has been set, signaling not to. The
+# environment flag is used to disable auto-execution and enable Ruby unit
+# testing of this task.
+unless ENV['RSPEC_UNIT_TEST_MODE']
+ Puppet.initialize_settings
+ GetInfrastructureAgentGroupRules.new.execute!
+end
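Review bot: `groups` passes `res.body` straight to `JSON.parse` without checking the HTTP status, so a classifier failure is never reported as such. A 4xx/5xx response either raises a parser error or, if the error body is a JSON object, makes `groups.find { |obj| obj['name'] ... }` in `execute!` raise a TypeError on the key/value pairs. Add a status check before parsing, e.g. `raise "classifier API returned HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)`. Separately, `https` hard-codes `OpenSSL::PKey::RSA.new`; `OpenSSL::PKey.read(File.read(Puppet.settings[:hostprivkey]))` would also accept a non-RSA host key. The `VERIFY_PEER` setting with `ca_file` pointing at `localcacert` should stay as written.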