Puppet concatenate list conditionally

Question

I try to only deploy fail2ban Apache jails if apache is actually installed. I have a fact for that that works.

  # fail2ban
  $jails = [
      'ssh', 'ssh-ddos',
      'pam-generic'
  ] + if $f2b_enable_apache { ['apache-auth', 'apache-badbots', 'apache-multiport', 'apache-noscript', 'apache-overflows'] }

  notify{"Enable apache jails: ${f2b_enable_apache}":}
  notify{"Jails: ${jails}":}

  class { 'fail2ban':
    package_ensure => 'latest',
    jails => $jails
  }

When I run it though, then I get the follwing output

Without apache:

Puppet : Enable apache jails: false
Puppet : Jails: [ssh, ssh-ddos, pam-generic, apache-auth, apache-badbots, apache-multiport, apache-noscript, apache-overflows]

With apache:

Puppet : Enable apache jails: true
Puppet : Jails: [ssh, ssh-ddos, pam-generic, apache-auth, apache-badbots, apache-multiport, apache-noscript, apache-overflows]

What am I doing wrong? Why is it in both cases appended? Is there a better way to achieve this that is extensible?

question from:https://stackoverflow.com/questions/65852199/puppet-concatenate-list-conditionally

Answer 1

I would likely use a selector expression for this:

$jails = $f2b_enable_apache ? {
  true  => ['ssh', 'ssh-ddos', 'pam-generic', 'apache-auth', 'apache-badbots', 'apache-multiport', 'apache-noscript', 'apache-overflows'],
  false => ['ssh', 'ssh-ddos', 'pam-generic'],
}

There are indeed algorithms for using Array[String] concatenation here, but they become messy due to Puppet DSL enforcing the immutability of variables. This uses one variable, one conditional expression, and no lambda iterator functions.