Have Puppet remove a user when the associated class which created it is removed


James Perry

May 5, 2017, 2:22:27 PM
to Puppet Users
As I keep tweaking our Puppet/Foreman setup, I was wondering if it was somehow possible to auto-magically remove users when the associated class is removed from the server.  All of our Puppet code is under source code management and requires a full change approval process to implement.

I thought of doing custom facts and then checking them against all user classes, but that seemed like it would use a ton of overhead.  

Another idea was to do a define that had a default of absent for a user and then pass "present" as a parameter to have the user created, but that seemed like it would still need some "magic" that would most likely end up getting really deep in coding to ensure that the user didn't get pulled off a box where it needed to exist.

I'm not sure this is even possible other than how I have done it in the past, where I created 2 user classes: one that adds it and another that removes it. The process is a bit clunky but it does work.

Anyone had any success making something like this work? 

John Gelnaw

May 17, 2017, 1:33:04 PM
to Puppet Users
Sort of?  The problem is, my implementation is very different from yours.  I'm managing users via YAML.  You can manage users (including removing them) via the user resource, so I'm creating YAML data (on the fly, but that's not a requirement) that gets consumed by a create_resources call.  I do management by invoking:

  resources { user:
    purge              => true,
    unless_system_user => $auth_base
  }

where $auth_base is the highest possible uid for a system user (usually 999).  Then any users that aren't known to the puppet catalog are zorched.
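
The YAML-driven approach described in the reply above, as an added example that is not part of the original post. It uses Puppet 4+ syntax; the class name, Hiera key, account names and the `dry_run` switch are assumptions made for illustration.

```puppet
# Added example; class name, Hiera key and account names are hypothetical.
#
# Hiera data this class expects (for instance in common.yaml):
#
#   profile::local_users::accounts:
#     alice:
#       uid: 2001
#       shell: /bin/bash
#     bob:
#       uid: 2002
#       shell: /bin/bash
#
# Deleting bob's entry from the YAML takes User['bob'] out of the catalog,
# and the purge below then removes the account on the next agent run.
class profile::local_users (
  Hash    $accounts  = {},
  Integer $auth_base = 999,   # highest uid treated as a system user
  Boolean $dry_run   = true,  # report what would be purged, change nothing
) {
  # One user resource per YAML entry, with shared defaults.
  create_resources('user', $accounts, {
    'ensure'     => 'present',
    'managehome' => true,
  })

  # Remove every non-system user that is not declared in the catalog.
  # The noop metaparameter is passed on to the generated purge resources,
  # so with dry_run enabled the agent only logs the accounts it would remove.
  resources { 'user':
    purge              => true,
    unless_system_user => $auth_base,
    noop               => $dry_run,
  }
}
```

Purging applies to every local account above `$auth_base` that is missing from the catalog, including accounts created by hand or by package scripts, so review the noop report on each node group before setting `dry_run` to `false`.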
