Liquid Templates in Puppet - Initial Release

Puppet has always supported templating via ERB. While ERB is a powerful, flexible templating engine, the ability to run arbitrary Ruby code inside a template, with that code executing on the puppet master, sometimes raises eyebrows. As part of a security architecture review we discussed replacing the templating engine with something that still allows looping and text manipulation without allowing much else, and that led to the idea of letting templates be written in Liquid.

Liquid describes itself as a ‘Ruby library for rendering safe templates which cannot affect the security of the server they are rendered on.’ That sounds like what we want, so let’s install the module and write a small test template:

# required dependency
$ sudo gem install liquid

# install the function
$ puppet module install deanwilson/liquidtemplates

# create the test module structure
$ mkdir -p liquidtest/{manifests,templates}

# create the test class
$ cat << 'EOC' > liquidtest/manifests/init.pp
class liquidtest {

  file { '/tmp/liquidtest':
    ensure  => 'file',
    content => liquid_template('liquidtest/test.liquid'),
  }

}
EOC

# and the test template
$ cat << 'EOC' > liquidtest/templates/test.liquid
SELinux is {{ selinux_config_mode | upcase }} on {{ fqdn }}
EOC

$ puppet apply -v -e 'include liquidtest'
 ... snip pretty coloured output ...

$ cat /tmp/liquidtest
SELinux is ENFORCING on kvm06.udlabs
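To make the difference between the two engines concrete, here is an added example (not code from the original post or from the liquidtemplates module) that renders the same facts through ERB and through Liquid. The facts hash is constructed to match the output above, and the strict-mode options (error_mode, strict_variables, strict_filters and render!) assume a Liquid gem of version 4 or newer; the page's own `gem install liquid` step is taken to have been run.

```ruby
require 'erb'

# The liquid gem is the post's own dependency ("sudo gem install liquid").
# If it is missing, the ERB half of the comparison still runs on its own.
LIQUID_AVAILABLE = begin
  require 'liquid'
  true
rescue LoadError
  false
end

# Constructed stand-in for the facts a Puppet scope hands to a template.
FACTS = {
  'fqdn'                => 'kvm06.udlabs',
  'selinux_config_mode' => 'enforcing',
}.freeze

# ERB: the template *is* Ruby. Anything inside <%= %> is evaluated with the
# full power of the interpreter the puppet master runs under, so a template
# author can reach every method on every object the binding exposes.
def render_erb(source, facts)
  fqdn = facts['fqdn']
  selinux_config_mode = facts['selinux_config_mode']
  ERB.new(source).result(binding)
end

# Liquid: the template is data. Only the variables in the supplied hash and
# the filters Liquid registers are reachable; Ruby methods on those values
# (String#gsub, #reverse, ...) are not callable from template syntax.
#
# strict: false  -> lax mode, unknown lookups render as "" and unknown
#                   filters pass their input through unchanged
# strict: true   -> parse and render errors are raised instead of swallowed
#                   (assumes Liquid 4+: error_mode, strict_* and render!)
def render_liquid(source, facts, strict: false)
  raise 'liquid gem is not installed' unless LIQUID_AVAILABLE
  template = Liquid::Template.parse(source, error_mode: strict ? :strict : :lax)
  opts = { strict_variables: strict, strict_filters: strict }
  strict ? template.render!(facts, opts) : template.render(facts, opts)
end

if $PROGRAM_NAME == __FILE__
  puts render_erb("SELinux is <%= selinux_config_mode.upcase %> on <%= fqdn %>", FACTS)
  puts render_erb("<%= fqdn.gsub('.', '-') %>", FACTS)           # Ruby method reached
  if LIQUID_AVAILABLE
    puts render_liquid('SELinux is {{ selinux_config_mode | upcase }} on {{ fqdn }}', FACTS)
    puts render_liquid('{{ fqdn | gsub: ".", "-" }}', FACTS)     # not a filter: passthrough
    begin
      render_liquid('{{ fqdn | gsub: ".", "-" }}', FACTS, strict: true)
    rescue Liquid::Error => e
      puts "strict mode rejected the template: #{e.message}"
    end
  end
end
```

The point of the strict variant is operational: in lax mode a template that tries to call a Ruby method silently renders an empty string or passes its input through, which is safe but easy to miss during review. Enabling the strict options turns the same template into a parse or render failure, so a catalogue compile surfaces it instead of quietly producing a file with a blank in it.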

There is additional overhead in writing your templates in a language that’s not Puppet’s default, but in situations where a number of different people write your templates, changing to something like Liquid can provide another layer of protection for your puppetmasters. This is an initial proof of concept and, while it’s enough to keep our conversation going, you may not want to move everything to it just yet.