puppet, hiera

Puppet lookup fails with expects a Sensitive value, got String


I'm attempting to implement encrypted values in yaml in Hiera 5 to inject passwords securely into Puppet (enterprise) 5.3 via automatic lookup. There's excellent guidance from the Puppet blog and PUP-7284 on the necessary setup.

However, I can't seem to get lookup_options correct to ensure conversion to a Sensitive type (to match the class parameters).

Asserting with the puppet lookup command fails with:

[user@rhel7 ~]$ puppet lookup my_module::db_pass --environment test --type Sensitive[String]
Error: Could not run: Found value has wrong type, expects a Sensitive value, got String 

It also appears the lookup_options are being found and they look sensible:

[user@rhel7 ~]$ puppet lookup my_module::db_pass --environment test --explain-options
Hierarchy entry "Passwords"
        Path "/etc/puppetlabs/code/environments/test/modules/my_module/data/secrets.eyaml"
          Original path: "secrets.eyaml"
          Found key: "lookup_options" value: {
            "^my_module::.*pass$" => {
              "convert_to" => "Sensitive"
            }
          }

Decryption works just fine (unfortunately to cleartext -- not sure if that's expected?)

[user@rhel7 ~]$ puppet lookup my_module::db_pass --environment test
Found key: "my_module::db_pass" value: "password_is_taco"

The setup is as follows:

[user@rhel7 /etc/puppetlabs/puppet/environment/test/modules/my_module]$ cat hiera.eyaml
---
version: 5
defaults:
  data_hash: yaml_data
  datadir: data

hierarchy:
  - name: "Passwords"
    lookup_key: eyaml_lookup_key
    paths:
      - "secrets.eyaml"
    options:
        pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
        pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"
[user@rhel7 /etc/puppetlabs/puppet/environment/test/modules/my_module]$ cat ./data/secrets.eyaml
---
lookup_options:
  '^my_module::.*pass$':
    convert_to: "Sensitive"

my_module::db_pass: >
    ENC[PKCS7,MIIBqQYJKoZ...snip]

I've also been unsuccessful with different regexes and/or just using keys directly:

lookup_options:
  my_module::db_pass:
    convert_to: "Sensitive"

Apologies in advance for any minor copy-paste issues with obfuscated code :)


Solution

  • I never quite figured out why the specific test setup I tried above never worked, but here's what I ultimately ended up implementing:

    ---
    lookup_options:
      "^my_module::.*(password|token)$":
        convert_to: Sensitive
    

    The pattern match will appropriately cast any of the following to Sensitive[String]:

    my_module::password
    my_module::service_password
    my_module::api_token
    my_module::any_number::of_subclasses::token_or_password
    

    If you're considering going through this same process, you might consider:
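The following is an added example, not code from the question, the answer or Puppet itself. It models in Ruby how a Hiera 5 `lookup_options` hash of the shape shown above selects an entry for a key (keys beginning with `^` are treated as regular expressions, other keys as literal names) and how `convert_to: Sensitive` wraps the resolved value, so you can check offline whether a given pattern would match a key such as `my_module::db_pass` before reaching for `puppet lookup --explain`. The `Sensitive` class here is a stand-in for Puppet's type, the `lookup_options` YAML is constructed for the example, and the model assumes an exact-key entry takes precedence over pattern entries.

```ruby
require 'yaml'

# Stand-in for Puppet's Sensitive type: holds the value, exposes it only via
# unwrap, and redacts it in string/inspect output (as Puppet does in logs).
class Sensitive
  def initialize(value)
    @value = value
  end

  def unwrap
    @value
  end

  def to_s
    'Sensitive [value redacted]'
  end
  alias inspect to_s
end

# Constructed lookup_options, in the shape used on this page. Keys starting
# with '^' are regular expressions; the others name a key literally.
LOOKUP_OPTIONS_YAML = <<~YAML
  lookup_options:
    "^my_module::.*(password|token)$":
      convert_to: Sensitive
    my_module::db_pass:
      convert_to: Sensitive
    my_module::port:
      merge: first
YAML

def parse_lookup_options(yaml_text)
  YAML.safe_load(yaml_text).fetch('lookup_options')
end

# Return the options entry that applies to +key+, or nil when none does.
# Assumption of this model: an exact key match wins over pattern entries;
# among patterns, the first one (in file order) that matches is used.
def options_for(key, lookup_options)
  return lookup_options[key] if lookup_options.key?(key)

  lookup_options.each do |pattern, opts|
    next unless pattern.start_with?('^')
    return opts if Regexp.new(pattern).match?(key)
  end
  nil
end

# Apply convert_to => 'Sensitive' when the matching entry asks for it;
# values without such an entry are returned unchanged.
def convert(key, raw_value, lookup_options)
  opts = options_for(key, lookup_options)
  return raw_value unless opts && opts['convert_to'] == 'Sensitive'

  Sensitive.new(raw_value)
end

# Equivalent of asserting `--type Sensitive[String]` on the lookup result.
def sensitive_string?(value)
  value.is_a?(Sensitive) && value.unwrap.is_a?(String)
end

if __FILE__ == $PROGRAM_NAME
  opts = parse_lookup_options(LOOKUP_OPTIONS_YAML)
  %w[my_module::db_pass my_module::service_password my_module::api_token my_module::port].each do |key|
    value = convert(key, 'constructed-secret', opts)
    puts "#{key}: #{value} (Sensitive[String]? #{sensitive_string?(value)})"
  end
end
```

Running the script prints the redacted form for every key that matched an entry with `convert_to: Sensitive`, and the raw value for `my_module::port`, whose entry only sets a merge strategy. To test one of your own patterns, replace the constructed YAML with your `lookup_options` block and pass the key you expect to be converted.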