
Puppet: Adding multiple AD users to local group


I am trying to add multiple AD users on a Windows Server 2012 to the Administrators group, but it's throwing an error. If I specify only a single user in the params.pp file, then it works fine.

params.pp

class common::params {
    # Trailing commas after plain variable assignments are a syntax error in a
    # class body, so the two values are shown here as the class would declare them.
    $user_to_add = [
        'ad8\iisuser',
        'ad8\dbuser',
    ]
    $group_name = 'Administrators'
}

add_user_to_local_group.pp

class common::add_user_to_local_group (
    $user_to_add = $common::params::user_to_add,
    $group_name  = $common::params::group_name,
) inherits common::params {
    $user_to_add.each |$user_name| {
        group { "Add $user_name to local group":
            ensure  => present,
            name    => $group_name,
            members => [ $user_name ],
        }
    }
}

Error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: {"message":"Server Error: Evaluation Error: Error while evaluating a Resource Statement, Cannot alias Group[Add ad8\\dbuser to local group] to [\"Administrators\"] at /etc/puppetlabs/code/environments/automation/modules/common/manifests/add_user_to_local_group.pp:6; resource [\"Group\", \"Administrators\"] already declared at /etc/puppetlabs/code/environments/automation/modules/common/manifests/add_user_to_local_group.pp:6 at /etc/puppetlabs/code/environments/automation/modules/common/manifests/add_user_to_local_group.pp:6:9 on node lab.ad8.com","issue_kind":"RUNTIME_ERROR","stacktrace":["Warning: The 'stacktrace' property is deprecated and will be removed in a future version of Puppet. For security reasons, stacktraces are not returned with Puppet HTTP Error responses."]}

Solution

  • You are trying to circumvent resource uniqueness/multiple declarations by providing a different title for the two resources, but resources must also have unique namevars https://docs.puppet.com/puppet/4.9/lang_resources.html#namenamevar. The namevar for the group resource is name, which is aliased from the title if not specified in the attributes (hence the error message output being what it is) https://docs.puppet.com/puppet/latest/type.html#group-attribute-name.

    Thus, when you declare two resources for

    group { "Add $user_name to local group":
      ensure  => present,
      name    => $group_name,
      members => [ $user_name ],
    }
    

    with the same name attribute like you are doing when you iterate over the hash (since $group_name is the same for both), then you will have a multiple declaration error thrown. This is also why it works for you when you specify only a single user, since you then have namevar uniqueness.

    To fix this, you need to have only one group resource that adds both users simultaneously instead of sequentially.

    class common::add_user_to_local_group (
      $user_to_add = $common::params::user_to_add,
      $group_name  = $common::params::group_name,
    ) inherits common::params {
      group { $group_name:
        ensure  => present,
        members => $user_to_add,
      }
    }
    

    I would also recommend pluralizing the use of the word 'user' for clarification ($user_to_add --> $users_to_add). Another improvement may be to allow passing in multiple groups and iterating over those with an associated member hash, but you can decide that for yourself.
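The "multiple groups with an associated member hash" idea from the answer, written out as an added example (not code from the question or the answer). The group names, member accounts and the `authoritative` parameter are assumed placeholder values; `auth_membership` is the group type's real attribute for choosing between minimum and exact membership.

```puppet
# Added example: manage several local groups from one hash.
# Hash keys are unique by construction, so every group resource gets a unique
# title (and therefore a unique namevar) and the "already declared" error from
# the question cannot recur no matter how many members each group has.
class common::local_group_members (
  Hash[String, Array[String]] $group_members = {
    # Assumed sample data; replace with the groups and accounts you manage.
    'Administrators'       => ['ad8\iisuser', 'ad8\dbuser'],
    'Remote Desktop Users' => ['ad8\dbuser'],
  },
  # Assumed switch: false (the Puppet default) treats the list as a minimum and
  # leaves other members alone; true makes the list authoritative, so Puppet
  # removes any account in the group that is not listed here.
  Boolean $authoritative = false,
) {
  $group_members.each |String $group_name, Array[String] $members| {
    group { $group_name:
      ensure          => present,
      members         => $members,
      auth_membership => $authoritative,
    }
  }
}
```

Turning `authoritative` on for a group such as Administrators enforces exact membership on every run, which is what you want for a privileged group once the member list is known to be complete.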