Tags: puppet, hiera, ufw

How do I configure Ubuntu UFW through Puppet?


I am quite new to Puppet and I am having some problems with the Puppet Config for one of our hosts running Puppet Agent. We are using Ubuntu 20.04 and Puppet CE 7.12.1 on all systems.

On our Puppet Server (Hostname: puppet), I am trying to write the Puppet config for our host eb-web (which is running a Puppet Agent). I would like to configure UFW (Uncomplicated Firewall) (https://help.ubuntu.com/community/UFW) on eb-web using the Puppet Module kogitoapp/ufw version 1.0.3 (https://forge.puppet.com/modules/kogitoapp/ufw) to allow through HTTP traffic.

Our Puppet Server is configured to use Hiera to hold our facts. So far I have created the following configuration files: File: /etc/puppetlabs/code/environments/production/hiera.yaml

version: 5
defaults:
  # The default value for "datadir" is "data" under the same directory as the hiera.yaml
  # file (this file)
hierarchy:
  - name: "Per-node data (yaml version)"
    path: "nodes/%{::trusted.certname}.yaml"
  - name: "Per-role data"
    path: "roles/%{::role}"
  - name: "Other YAML hierarchy levels"
    paths:
      - "common.yaml"

File: /etc/puppetlabs/code/environments/production/data/common.yaml

# empty at the moment

File: /etc/puppetlabs/code/environments/production/manifests/site.pp

node default {
  hiera_include('roles')
}

File: /etc/puppetlabs/code/environments/production/data/nodes/eb-web.evolvedbinary.com.yaml

roles:
   - roles::www

ufw::ufw_rule:
  name: 'Allow HTTP'
  action: allow
  to_ports_app: 80
  proto: tcp

File: /etc/puppetlabs/code/environments/production/modules/roles/manifests/www.pp

class roles::www {
    include profiles::ufw
    # include profiles::nginx
}

File: /etc/puppetlabs/code/environments/production/modules/profiles/manifests/ufw.pp

class profiles::ufw {
  class{ '::ufw': }
}

I have also installed the ufw module on the Puppet Server by running:

sudo /opt/puppetlabs/bin/puppet module install kogitoapp-ufw --version 1.0.3


If I now switch to the eb-web host and try and ask the Puppet Agent to apply the config from the Puppet Server by running:

sudo /opt/puppetlabs/bin/puppet agent --no-daemonize --test

Then I see the following output which I think is showing that everything was applied:

ubuntu@eb-web:~$ sudo /opt/puppetlabs/bin/puppet agent --no-daemonize --test
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for eb-web.evolvedbinary.com
Info: Applying configuration version '1639003464'
Notice: Applied catalog in 0.60 seconds
ubuntu@eb-web:~$ 

After this if I check: sudo ufw status, it seems to indicate that port 80 for HTTP has NOT been configured by Puppet:

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)


Update (20-Dec-2021)

After trying a solution to this issue, I got this working; however, I made a mistake and added the rules into the ufw.pp file, which was not the way I wanted to do this. After taking the rules out of the ufw.pp file and just having them in the eb-web.evolvedbinary.com.yaml file, ufw port 80 is now being rejected. I have tried using status: enable and status: allow, I have also tried ensure: present, along with other combinations that I cannot remember 100%, all within the eb-web.evolvedbinary.com.yaml file. The ufw.pp file currently looks like:

class profiles::ufw {
  class { 'ufw': }
}

And the eb-web.evolvedbinary.com.yaml file looks like:

---
roles:
  - roles::www
ufw::rule:
  'Allow HTTP':
    action: allow
    to_ports_app: 80
    proto: tcp
include nginx:
nginx::nginx_server:
  'www.evolvedbinary.com':
    ssl: true
    www_root: '/var/www/www.evolvedbinary.com'

I am not seeing any errors when I run sudo /opt/puppetlabs/bin/puppet agent --no-daemonize --test on the eb-web host (puppet agent) however, when I run sudo ufw status I see:

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                   # allow_puppet
80                         REJECT      Anywhere                   # Allow HTTP
22 (v6)                    ALLOW       Anywhere (v6)              # allow_puppet
80 (v6)                    REJECT      Anywhere (v6)              # Allow HTTP

I am not sure how I can enable port 80 using hiera within the eb-web.evolvedbinary.com.yaml file.

Can someone help me figure out how to configure UFW using Puppet please?


Solution

  • After some time spent trying to work this out and going back and forth over why this was not working, I finally realised my mistake in the eb-web.evolvedbinary.com.yaml. I needed to add include ufw and also change ufw::rule to ufw::rules. After these changes were done, port 80 is now working. The eb-web.evolvedbinary.com.yaml file now looks like:

    ---
    roles:
      - roles::www
    include ufw:
    ufw::rules:
      'Allow HTTP':
        action: allow
        to_ports_app: 80
        proto: tcp
    include nginx:
    nginx::nginx_server:
      'www.evolvedbinary.com':
        ssl: true
        www_root: '/var/www/www.evolvedbinary.com'