Why does puppet think my custom fact is a string?

Question

I am trying to create a custom fact I can use as the value for a class parameter in a hiera yaml file.

I am using the openstack/puppet-keystone module and I want to use fernet-keys. According to the comments in the module I can use this parameter.

# [*fernet_keys*]
#   (Optional) Hash of Keystone fernet keys
#   If you enable this parameter, make sure enable_fernet_setup is set to True.
#   Example of valid value:
#   fernet_keys:
#     /etc/keystone/fernet-keys/0:
#       content: c_aJfy6At9y-toNS9SF1NQMTSkSzQ-OBYeYulTqKsWU=
#     /etc/keystone/fernet-keys/1:
#       content: zx0hNG7CStxFz5KXZRsf7sE4lju0dLYvXdGDIKGcd7k=
#   Puppet will create a file per key in $fernet_key_repository.
#   Note: defaults to false so keystone-manage fernet_setup will be executed.
#   Otherwise Puppet will manage keys with File resource.
#   Defaults to false

So wrote this custom fact ...

[root@puppetmaster modules]# cat keystone_fernet/lib/facter/fernet_keys.rb
Facter.add(:fernet_keys) do
  setcode do
    fernet_keys = {}

    puts ( 'Debug keyrepo is /etc/keystone/fernet-keys' )
    Dir.glob('/etc/keystone/fernet-keys/*').each do |fernet_file|
      data = File.read(fernet_file)
      if data
    content = {}
        puts ( "Debug Key file #{fernet_file} contains #{data}" )
        fernet_keys[fernet_file] = { 'content' => data }
      end
    end
    fernet_keys
  end
end

Then in my keystone.yaml file I have this line:

keystone::fernet_keys: '%{::fernet_keys}'

But when I run puppet agent -t on my node I get this error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, "{\"/etc/keystone/fernet-keys/1\"=>{\"content\"=>\"xxxxxxxxxxxxxxxxxxxx=\"}, \"/etc/keystone/fernet-keys/0\"=>{\"content\"=>\"xxxxxxxxxxxxxxxxxxxx=\"}}" is not a Hash.  It looks to be a String at /etc/puppetlabs/code/environments/production/modules/keystone/manifests/init.pp:1144:7 on node mgmt-01

I had assumed that I had formatted the hash correctly because facter -p fernet_keys output this on the agent:

{
  /etc/keystone/fernet-keys/1 => {
    content => "xxxxxxxxxxxxxxxxxxxx="
  },
  /etc/keystone/fernet-keys/0 => {
    content => "xxxxxxxxxxxxxxxxxxxx="
  }
}

The code in the keystone module looks like this (with line numbers)

1142
1143   if $fernet_keys {
1144       validate_hash($fernet_keys)
1145       create_resources('file', $fernet_keys, {
1146           'owner'     => $keystone_user,
1147           'group'     => $keystone_group,
1148           'subscribe' => 'Anchor[keystone::install::end]',
1149         }
1150       )
1151     } else {

Answer 1

Puppet does not necessarily think your fact value is a string -- it might do, if the client is set to stringify facts, but that's actually beside the point. The bottom line is that Hiera interpolation tokens don't work the way you think. Specifically:

Hiera can interpolate values of any of Puppet's data types, but the value will be converted to a string .

(Emphasis added.)