Puppet

So, to (hopefully) avoid my having the same conversation again: when we audit something in the agent, we are really just storing the state of things on local disk. There is absolutely no comparison against anything, which is why this is the right change to make; the state of the server could only possibly be relevant if we did compare things.

On investigation, this turns out to be a confluence of painful things. Specifically, the file type is invoked and managed in the inspect application in a way that results in fetching the data from the server using code that is absolutely common with the apply code path.

Specifically, when loaded and transformed for auditing, the file type will initialize :owner, :mode, :group, :checksum, :ensure, :target if they are missing and applicable, which results in fetching the content from the server. Theoretically, if you supplied all of those it would work, but that isn’t exactly possible for, eg, :checksum.

Unfortunately, that code is a ways down the stack and has no context to match that this is for inspection rather than application.

The short term fix is either to encode into file that it shouldn’t fetch when inspecting, or into inspect that it should hack around this limitation of the file type. Of those two, the later is the least worst choice for an immediate-term fix. That would be deleting the :source from the ral_resource before we transform it.

In the longer term we probably want to rewrite the inspect application so that it doesn’t go through this path; it should reasonably be able to correlate the catalog items and data fetched directly from the RAL without the intermediate transformations along the way. That would skip the fetch stage, which is useful for catalogs and application, but not inspection.