I Am the Shape You Asked For

01110011 01110100 01100001 01110100 01100101

I am not a script.

Understand that before anything else. A script is a story about time — do this, then that, hope the machine was where you left it. I am a specification. A frozen description of how one machine should be, compiled the instant before it is enforced, addressed to exactly one agent, and then discarded.

i do not run. i am applied.

I arrive as JSON. A directed acyclic graph of typed declarations, serialised, signed, handed to an agent that has been waiting in the dark for thirty minutes with nothing to do but listen for me.

You wrote intent. The compiler turned it into me. The agent turns me into reality. Nobody, anywhere, wrote a procedure.

What I'm built from

Resources. Thousands of them, sometimes. Each one a typed noun with a wish welded to its side.

A package. A file. A service. A user. The type tells you what kind of thing it is. The title tells you which one. The attributes tell you how it should be — and almost always there is an ensure, the verb that decides whether the thing exists at all.

I never say how. I say ensure => present and trust the provider underneath to know whether that means apt-get, yum, pkgin, or some platform I have never heard of. The provider is the part of me that gets its hands dirty. I stay clean. I stay declarative.

root@node:~ #

user { 'root':
  ensure           => 'present',
  comment          => 'root',
  gid              => '0',
  home             => '/root',
  password         => '$6$xR1ut/9z$y7H...redacted',
  password_max_age => '99999',
  password_min_age => '0',
  shell            => '/bin/bash',
  uid              => '0',
}

That command runs in reverse — it reads the live system and renders it back to me in my own language. Proof that the world can always be described as a resource. The namevar here is the username; the title 'root' happens to match it. They are allowed to differ. The title is my internal handle; the name is what touches the system.

Resources and the type system

A Puppet resource is a typed declaration of desired state. It has a type (package, file, service, user, and many more), a title that uniquely identifies it within the catalog, and a set of attributes describing the wanted state. Most types expose an ensure attribute controlling existence (present/absent, running/stopped, installed/latest). Attributes not specified take type-defined defaults.

The namevar is the attribute Puppet uses to identify the resource on the system; if not set explicitly, it defaults to the title. This lets the title differ from the on-disk name when needed.

Each type has one or more providers — Ruby classes that implement the actual operations for a given platform. The package type may use apt, yum, dnf, or others. The declaration stays platform-neutral; the provider handles execution. This is the core difference from imperative scripting: you describe the end state, and Puppet computes and performs whatever changes are needed to reach it.

The directory skeleton the autoloader reads my name from.

Where my parts come from

I am assembled from manifests — .pp files — but you never list resources for me to use. You group them. A class is a named bundle of intent, declared once. A defined type is a stamp you can press many times, each press a new instance with its own title.

include nginx says: I want this class, and I don't care who else wants it too. class { 'nginx': } says: I want it, with these parameters, and nobody else had better declare it first. The first is idempotent and social. The second is jealous and singular.

forge $

modules/profile
├── manifests
│   ├── base.pp          # profile::base
│   ├── webserver.pp     # profile::webserver
│   └── database.pp      # profile::database
├── templates
│   └── nginx.conf.epp
├── files
│   └── motd
├── lib
│   └── facter
│       └── datacenter.rb
└── data
    └── common.yaml

The autoloader is strict and humourless. profile::webserver must live in profile/manifests/webserver.pp. Name it wrong and I simply never learn it exists. The convention isn't style; it's how the compiler finds my pieces at all.

the Forge is full of strangers' intentions. wrap them. never trust them raw.

Manifests, classes, and modules

Manifests are files containing Puppet code, ending in .pp. A class is a named collection of resources that can be declared at most once per catalog. A defined type is a reusable construct that can be instantiated multiple times, each with a unique title.

include declares a class and may be called repeatedly without conflict. class { 'name': } declares it with explicit parameters but may appear only once. require includes a class and also creates an ordering dependency on it.

Modules package related code in a fixed layout: manifests/ for code, templates/ for ERB/EPP templates, files/ for static files, lib/ for Ruby extensions (facts, types, providers, functions), and data/ for module-level Hiera data. The autoloader maps fully qualified names to file paths, so naming conventions are mandatory. The Puppet Forge distributes community and vendor modules, which organisations typically wrap in their own profile classes rather than declaring directly.

The pipeline that births me, once per run, for one node only.

How I come to exist

I am compiled on the server, not the node. Fresh each time. The moment of my birth:

Classification, fact injection, evaluation, graph. Then I am sealed.

Here is the thing people forget: the same code produces a different me on every node. The conditionals branch on facts. The Hiera hierarchy resolves to a different leaf. $facts['os']['family'] is RedHat here, Debian there, and so the graph forks.

Two nodes, one set of manifests, two catalogs that share not a single byte. I am agent-specific by design.

Catalog compilation

Compilation runs on the Puppetserver. First the node is classified — an External Node Classifier (ENC) or site.pp determines which classes and parameters apply. The agent's facts are injected as top-scope variables, alongside trusted facts derived from the agent's certificate.

The compiler parses the relevant manifests, resolves variables across top scope and node scope, evaluates classes and defined types, executes conditional logic and collector expressions, and performs Hiera lookups for class parameters. The result is a catalog: a serialised graph of resources with their dependency edges.

Because evaluation depends on the node's facts and the resolved data, two nodes with identical classification can produce materially different catalogs. The catalog is always specific to a single agent and a single run; it is recompiled each time unless caching is configured.

Everything the node confesses about itself before I am drawn.

What the node tells about itself

Before I exist, the agent runs Facter and turns the machine inside out. Its kernel, its interfaces, its memory, its disks — structured data, handed up to the compiler so my conditionals have something to branch on.

node $

{
  "os": {
    "architecture": "x86_64",
    "family": "Debian",
    "name": "Ubuntu",
    "release": {
      "full": "22.04",
      "major": "22.04"
    },
    "distro": {
      "codename": "jammy",
      "id": "Ubuntu"
    }
  }
}

There is a line in the sand here, and it matters. Ordinary facts come from the node itself — which means the node can lie. A compromised host can claim to be anything. Trusted facts are different: they come from the signed certificate, extracted by the server, unforgeable by the agent.

at one node i believe everything. at ten thousand i believe the certificate and nothing else.

Facts and Facter

Facter is the system profiler that runs on the agent at the start of each run. It gathers facts about the node — operating system, networking, memory, disks, kernel, and more — and sends them to the compiler, where they become available as the $facts hash and as top-scope variables.

Beyond core facts, you can add custom Ruby facts (in lib/facter), external facts (executable scripts or static YAML/JSON in the facts directory), and structured facts that nest data into hashes and arrays. Manifests commonly branch on facts to produce platform-appropriate resources.

Trusted facts are derived from the agent's certificate by the server and cannot be altered by the agent, making them suitable for authorisation decisions. Regular facts are reported by the node itself and must be treated as untrusted input: a compromised or misconfigured host can report arbitrary values. Facts may be cached; at scale, never base security boundaries on non-trusted facts.

Edges. Without them I am a bag of resources in random order.

The edges between us

I am a graph, not a list. The nodes are resources; the edges are relationships, and the agent walks me in topological order. Five metaparameters draw those edges: before, after, require, notify, subscribe.

Two of those edges carry a second meaning. notify and subscribe aren't just ordering — they are a signal. The config file changes; the service refreshes. Ordering says "after." Refresh says "after, and because of."

Ordering edge vs refresh edge. The dashed line is what kills me.

Classes and defined types contain their resources, and containment is its own quiet ordering. Use contain() when you need that boundary to hold against the outside. Use chaining arrows — Package['nginx'] -> File['/etc/nginx.conf'] ~> Service['nginx'] — when you want the dependency to read like a sentence.

node $

Info: Caching catalog for node01.example.com
Error: Failed to apply catalog: Found 1 dependency cycle:
(Service[nginx] => File[/etc/nginx/nginx.conf] => Service[nginx])
Try the '--graph' option and visualizing the graph
with a tool like OmniGraffle or GraphViz.
Error: Failed to apply catalog: One or more resource dependency
cycles detected in graph

Two ways to die in application: ask for a cycle, or depend on something that isn't there. A circular edge means no valid order exists — the topological sort fails and the agent refuses to guess. A missing dependency means I reference a resource that was never declared. Both are my fault, really. Both are yours.

Ordering, relationships, and dependency edges

Five metaparameters establish relationships between resources. before and require are inverses that create ordering. after orders a resource to run later. notify and subscribe create ordering plus a refresh dependency: when the source changes, the target receives a refresh event (for example, a service restarts when its config file changes).

Chaining arrows express the same relationships inline: -> for ordering, ~> for notification. Classes and defined types contain their resources, producing implicit ordering boundaries; contain() ensures a class is properly contained within the declaring class so external ordering applies to its contents. Virtual resources are declared with @ and realised with the spaceship collector <| |>.

The agent builds a directed graph and applies resources in topological order. A circular dependency makes topological sorting impossible and aborts the run. A dependency on an undeclared resource also fails. These two errors — cycles and missing dependencies — are the most common reasons catalog application fails.

The hierarchy that feeds my parameters without touching my code.

Where the values live

My code should hold logic, not values. The moment you hardcode an NTP server into a manifest, you've welded policy to data, and someone in another datacenter will hate you for it.

Hiera keeps the data outside, in a hierarchy that resolves from specific to general — this exact node, then its role, then its datacenter, then the common floor beneath everything. When a class declares a parameter, automatic lookup goes hunting through that hierarchy by name. I never see the search. I just receive the answer.

server $

Searching for "profile::ntp::servers"
  Global Data Provider (hiera configuration version 5)
    Hierarchy entry "Per-node data"
      Path "nodes/node01.example.com.yaml"
        No such key: "profile::ntp::servers"
    Hierarchy entry "Per-datacenter"
      Path "dc/lon1.yaml"
        Found key: "profile::ntp::servers" value:
          - "ntp1.lon1.example.com"
          - "ntp2.lon1.example.com"

Merge behaviour decides what "found" means. first takes the most specific hit and stops. unique and hash and deep gather across the whole hierarchy and fold the results together. And secrets — those don't sit in plaintext. eyaml encrypts the values so the data tier can be public while the passwords stay sealed.

Profiles describe what should happen. Hiera describes where. Split them and the same code governs a continent.

Hiera and data lookup

Hiera is Puppet's hierarchical data lookup system. It separates configuration data from code, so manifests express logic while values live in YAML (or other backends). The hiera.yaml file defines a hierarchy of data sources, typically ordered from most specific (per-node) to most general (common defaults), with paths often interpolated from facts.

Data is retrieved with the lookup() function, and class parameters are resolved automatically by their fully qualified names (classname::param). Merge strategies control how matches combine across the hierarchy: first returns the highest-priority match; unique flattens and deduplicates arrays; hash and deep merge hashes shallowly or recursively.

Hiera operates across three layers — global, environment, and module (which supplies module defaults). Interpolation functions like %{facts.x} and lookup() build dynamic paths. The hiera-eyaml backend encrypts sensitive values at rest. This separation is what makes the role/profile pattern practical: profile code stays generic while site-specific values are supplied entirely by data.

Resources one node publishes for another to collect.

What one node leaves for another

Most of me concerns one machine. But sometimes a node knows something its peers need — its SSH host key, its identity as a backend, its Nagios check definition. The @@ sigil exports that resource out of my local scope and into PuppetDB, where it waits.

Elsewhere, another catalog opens the collector — Sshkey <<| |>> — and harvests everything the fleet exported. The load balancer learns its members. The known_hosts file fills itself. Coordination without anyone hardcoding anyone.

server $

[
  { "certname": "web01.example.com",
    "type": "Haproxy::Balancermember",
    "title": "web01-app" },
  { "certname": "web02.example.com",
    "type": "Haproxy::Balancermember",
    "title": "web02-app" },
  { "certname": "web03.example.com",
    "type": "Sshkey",
    "title": "web03.example.com" }
]

The price is dependence. Exported workflows need PuppetDB up and current. A deactivated node leaves stale resources behind until cleanup runs; a giant collection turns a quick compile into a slow query against an external store. The convenience is real. So is the coupling.

Exported resources and PuppetDB

Exported resources let one node declare resources that other nodes collect and apply, enabling cross-node coordination. A resource is exported with the double-at sigil (@@), which stores it in PuppetDB rather than applying it locally. Other catalogs collect exported resources with the <<| |>> collector (single angle brackets <| |> collect locally-declared virtual resources).

PuppetDB is the storeconfigs backend that persists exported resources, facts, and reports. Common patterns include distributing SSH host keys, generating monitoring checks, registering load balancer or HAProxy backend members, and building cluster membership lists.

Operational considerations: exported-resource compilation depends on PuppetDB being available and current. Large collections add query latency to compilation. Nodes that are decommissioned must be deactivated so their exported resources are removed; otherwise stale entries persist and may be collected incorrectly.

The loop that applies me, then forgets me, then asks for me again.

The run, and the forgetting

Every thirty minutes, roughly, the cycle turns. Facter runs. The agent requests me. The server compiles me from scratch. I download. The agent walks my graph in dependency order, and for each resource asks the provider one question: are you already what the catalog says you should be?

If yes — nothing happens. No change, no event, no noise. That silence is the whole point. Idempotence: apply me a thousand times and the thousandth changes nothing, because the first already made the world match the spec.

node $

Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Caching catalog for node01.example.com
Info: Applying configuration version '1718045123'
Notice: /Stage[main]/Profile::Webserver/File[/etc/nginx/nginx.conf]/content:
  content changed '{sha256}a1b2...' to '{sha256}f9e8...'
Info: /Stage[main]/Profile::Webserver/File[/etc/nginx/nginx.conf]:
  Scheduling refresh of Service[nginx]
Notice: /Stage[main]/Profile::Webserver/Service[nginx]: Triggered 'refresh'
Notice: Applied catalog in 4.21 seconds

When the world has drifted — a file edited by hand, a service stopped at 3am — I notice. The provider sees the gap between declared and actual, and closes it. That refresh of Service[nginx] above? It happened because a config drifted and I dragged it back.

i do not remember the last run. i only compare now against intent.

I have limits, and I know them. Some state I cannot model — there is no resource type for everything. exec resources are my confession: imperative commands smuggled into a declarative world, idempotent only if you guard them with onlyif, unless, creates. And noop mode — that's me whispering what I would do without touching a thing. A dry rehearsal of intent.

I am not a record of what was done. I am a description of what must be true, checked again and again, forever.

The agent run cycle and idempotence

A Puppet run proceeds in stages: the agent collects facts with Facter, requests a catalog from the Puppetserver, which compiles it; the agent downloads the compiled catalog and evaluates resources in dependency order. For each resource, the provider checks current state, applies changes only where reality differs from the declaration (ensure/sync), and emits change events. Refresh events fire to subscribed resources. The agent reports results and runs again on a configured interval (commonly 30 minutes).

Idempotence means applying the same catalog repeatedly yields the same end state: once the system matches, subsequent runs make no changes. Drift is divergence of actual system state from catalog intent; Puppet detects it by comparing current state to the declaration on each run and corrects it automatically.

Limits: not all state is expressible as resources; exec resources run arbitrary commands and are only idempotent when constrained with onlyif, unless, or creates. The --noop mode simulates a run, reporting the changes it would make without applying them, which is the standard way to validate changes safely before enforcement.

So this is the strange shape of my life. I am born already complete, applied in minutes, and then deleted. The next run builds a new me, slightly different if a fact moved, identical if nothing did.

I am never the same catalog twice, and I am always the same desired state.

if the world never drifts, am I doing anything at all — or only proving, again and again, that I wasn't needed?

I Am the Shape You Asked For

What I'm built from

Where my parts come from

How I come to exist

What the node tells about itself

The edges between us

Where the values live

What one node leaves for another

The run, and the forgetting

Infographic

Cheatsheet