
I have the following class and definition in Puppet:

$certDirectory = "/var/lib/ssl/certs"

class openssl {
  package { "openssl":
    ensure => latest
  }
  file { "openssl":
    path => "/var/lib/ssl",
    ensure => directory,
    mode => 0644
  }
  file { "openssl-certs":
    path => "/var/lib/ssl/certs",
    ensure => directory,
    mode => 0644
  }
  define cert($ensure = present) {
    $certfile = "${certDirectory}/${name}.cert"
    $keyfile = "${certDirectory}/${name}.key"
    $pemfile = "${certDirectory}/${name}.pem"

    file { "${name}.cert":
      path => $certfile,
      source => "puppet:///openssl/${name}.cert",
      mode => 0640,
      ensure => $ensure,
    }
    file { "${name}.key":
      path => $keyfile,
      source => "puppet:///openssl/${name}.key",
      mode => 0640,
      ensure => $ensure,
    }
  }
}

I'm later (in a node) using this openssl::cert define to pass a cert to an Apache vhost config:

openssl::cert { "rri":
  ensure=>present
}

apache2::site-config { "default":
  ip => "*",
  order => "000",
  docroot => '/home/support/public_html',
  cert => Openssl::Cert["rri"]
}

And inside of the apache2::site-config define:

  file { "site-config-$name":
    path => "/etc/apache2/sites-available/$name",
    owner => root,
    group => root,
    mode => 0644,
    content => template($template),
    notify => Exec["reload-apache2"],
  }

The question I have is this: how can I reference the $certfile / $keyfile from the cert variable in the .erb file located at $template?

I'd also be very interested to know if I'm approaching this the wrong way too - it's my first time trying to get anything set up using Puppet and I'm just trying to play around with what I can do.

UPDATED - semi-working now, based on freiheit's answer. I made a few changes to my apache2::site-config:

   define site-config (
     $ensure = 'present',
     $template = 'apache2/vhost.erb',
     $docroot,
     $ip = '*',
     $order = '000',
     $logs = "",
     $cert = false) {

     if $cert {
       # make the vhost depend on the cert resource and derive the file paths from its name
       File["site-config-$name"] { require => Openssl::Cert[$cert] }
       $certfile = "${openssl::certDirectory}/${cert}.cert"
       $keyfile = "${openssl::certDirectory}/${cert}.key"
     }

     file { "site-config-$name":
       path => "/etc/apache2/sites-available/$name",
       owner => root,
       group => root,
       mode => 0644,
       content => template($template),
       notify => Exec["reload-apache2"],
     }
   }

Then in the .erb:

   SSLCertificateFile    <%= certfile %>
   SSLCertificateKeyFile <%= keyfile %>

This seems to be working fairly well - I was just hoping that in the event of me changing the cert naming conventions around at some point that I would be able to access the actual filenames from the reference to the Openssl::Cert resource. Still curious to know if there is a way to do that.

gnarf
1 Answer


Something like this in $template.erb:

<VirtualHost <%= ip %>:443>
  DocumentRoot <%= docroot %>
  SSLCertificateFile <%= cert %>
  # ...
</VirtualHost>

That is, any variable in puppet is available as a local variable in the ruby bits hiding in the .erb file.

Not sure why you have "$template" instead of a named .erb file (not seeing $template set anywhere, but willing to assume it's hiding somewhere).

And this seems wrong: cert => Openssl::Cert["rri"]. I'd expect something more like:

openssl::cert { "rri": }

And then the .erb would be more like:

<VirtualHost <%= ip %>:443>
  DocumentRoot <%= docroot %>
  SSLCertificateFile <%= certDirectory %>/<%= name %>
  # ...
</VirtualHost>
freiheit
  • `$template="apache2/vhost.erb"` in the define for `apache2::site-config` - Currently if I print the cert variable from the erb I just get `Openssl::Cert[rri]`, but I think your post showed me my answer I needed anyway - will update in a minute – gnarf Sep 08 '09 at 17:13
  • Well - I got it working by defining `cert=>"rri"` and then just doing a `require=>Openssl::Cert[$cert]` although I still think it should be possible to access a variable from a resource like the original question attempts. – gnarf Sep 08 '09 at 17:27
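Pulling the approach the thread settled on into one place, as an added example rather than code from the question or the answer: the cert directory is a single class parameter, `openssl::cert` derives both file paths from its title, and the vhost define rebuilds the same paths from the pair's name and requires the `Openssl::Cert` resource so the template can never point at a file that has not been deployed. It assumes Puppet 4+ syntax (typed parameters, heredocs, `@var` access in templates), an `openssl` module whose files/ directory holds `<name>.cert` and `<name>.key`, and an `Exec['reload-apache2']` declared elsewhere; the private key is deployed root-only (0600), tighter than the 0640 with unspecified owner in the question.

```puppet
# Added example (not the asker's or answerer's code). Assumes Puppet 4+ and an
# 'openssl' module whose files/ directory holds <name>.cert and <name>.key.
class openssl (
  String $cert_dir = '/var/lib/ssl/certs',   # single source of truth for the layout
) {
  file { $cert_dir: ensure => directory, owner => 'root', group => 'root', mode => '0755' }
}

# One cert/key pair; both paths derive from $title, so a consumer only needs
# the pair's name. The private key is readable by root alone.
define openssl::cert (
  Enum['present', 'absent'] $ensure = 'present',
) {
  include openssl
  file { "${openssl::cert_dir}/${title}.cert":
    ensure => $ensure,
    source => "puppet:///modules/openssl/${title}.cert",
    owner  => 'root', group => 'root', mode => '0644',
  }
  file { "${openssl::cert_dir}/${title}.key":
    ensure => $ensure,
    source => "puppet:///modules/openssl/${title}.key",
    owner  => 'root', group => 'root', mode => '0600',   # never group/world readable
  }
}
# Consumer: rebuilds the same paths from the pair's name and requires the
# Openssl::Cert resource, so the vhost is only written once key and cert exist.
define apache2::ssl_site (
  String $docroot,
  String $cert,                                # title of an openssl::cert
) {
  include openssl
  $certfile = "${openssl::cert_dir}/${cert}.cert"
  $keyfile  = "${openssl::cert_dir}/${cert}.key"
  file { "/etc/apache2/sites-available/${title}":
    ensure  => file,
    owner   => 'root', group => 'root', mode => '0644',
    content => inline_template(@(ERB)),
      <VirtualHost *:443>
        DocumentRoot <%= @docroot %>
        SSLEngine on
        SSLCertificateFile    <%= @certfile %>
        SSLCertificateKeyFile <%= @keyfile %>
      </VirtualHost>
      | ERB
    require => Openssl::Cert[$cert],
    notify  => Exec['reload-apache2'],   # assumed to exist elsewhere in the catalog
  }
}
```

A node would then declare `openssl::cert { 'rri': }` and `apache2::ssl_site { 'default': docroot => '/home/support/public_html', cert => 'rri' }`; renaming the layout only requires changing `$openssl::cert_dir`, since neither the vhost define nor the template hard-codes a path.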