puppetlabs
diff --git a/‎REFERENCE.md
+35-1 b/‎REFERENCE.md
+35-1
diff --git a/‎manifests/setup/legacy_compiler_group.pp
+26-27 b/‎manifests/setup/legacy_compiler_group.pp
+26-27
diff --git a/‎manifests/setup/node_manager.pp
+33-34 b/‎manifests/setup/node_manager.pp
+33-34
diff --git a/‎plans/add_compilers.pp
+6 b/‎plans/add_compilers.pp
+6
@@ -60,6 +60,7 @@
 * [`backup_classification`](#backup_classification): A task to call the classification api and write to file
 * [`cert_data`](#cert_data): Return certificate data related to the Puppet agent
 * [`cert_valid_status`](#cert_valid_status): Check primary for valid state of a certificate
+* [`check_pe_master_rules`](#check_pe_master_rules): Checks if the PE Master group rules have already been updated to support 'pe_compiler_legacy' as a pp_auth_role
 * [`classify_compilers`](#classify_compilers): Classify compilers as legacy or non-legacy
 * [`code_manager`](#code_manager): Perform various code manager actions
 * [`code_manager_enabled`](#code_manager_enabled): Run on a PE primary node to check if Code Manager is enabled.
@@ -74,6 +75,7 @@
 * [`infrastatus`](#infrastatus): Runs puppet infra status and returns the output
 * [`mkdir_p_file`](#mkdir_p_file): Create a file with the specified content at the specified location
 * [`mv`](#mv): Wrapper task for mv command
+* [`node_group_unpin`](#node_group_unpin): Unpins nodes from a specified PE node group
 * [`os_identification`](#os_identification): Return the operating system runnin gon the target as a string
 * [`pe_install`](#pe_install): Install Puppet Enterprise from a tarball
 * [`pe_ldap_config`](#pe_ldap_config): Set the ldap config in the PE console
@@ -90,6 +92,7 @@
 * [`ssl_clean`](#ssl_clean): Clean an agent's certificate
 * [`submit_csr`](#submit_csr): Submit a certificate signing request
 * [`transform_classification_groups`](#transform_classification_groups): Transform the user groups from a source backup to a list of groups on the target server
+* [`update_pe_master_rules`](#update_pe_master_rules): Updates the PE Master group rules to support 'pe_compiler_legacy' as a pp_auth_role
 * [`validate_rbac_token`](#validate_rbac_token): Check an RBAC token stored in a file is valid
 * [`wait_until_service_ready`](#wait_until_service_ready): Return when the orchestrator service is healthy, or timeout after 15 seconds
 
@@ -129,7 +132,6 @@ Supported use cases:
 * `peadm::subplans::modify_certificate`
 * `peadm::subplans::prepare_agent`
 * `peadm::uninstall`: Single-entry-point plan for uninstalling Puppet Enterprise
-* `peadm::update_compiler_extensions`
 * `peadm::util::code_sync_status`
 * `peadm::util::copy_file`
 * `peadm::util::db_disable_pglogical`
@@ -1110,6 +1112,12 @@ Data type: `String`
 
 The certifcate name to check validation of
 
+### <a name="check_pe_master_rules"></a>`check_pe_master_rules`
+
+Checks if the PE Master group rules have already been updated to support 'pe_compiler_legacy' as a pp_auth_role
+
+**Supports noop?** false
+
 ### <a name="classify_compilers"></a>`classify_compilers`
 
 Classify compilers as legacy or non-legacy
@@ -1326,6 +1334,26 @@ Data type: `String`
 
 New path of file
 
+### <a name="node_group_unpin"></a>`node_group_unpin`
+
+Unpins nodes from a specified PE node group
+
+**Supports noop?** false
+
+#### Parameters
+
+##### `node_certnames`
+
+Data type: `Array[String]`
+
+The certnames of the nodes to unpin
+
+##### `group_name`
+
+Data type: `String`
+
+The name of the node group to unpin the nodes from
+
 ### <a name="os_identification"></a>`os_identification`
 
 Return the operating system runnin gon the target as a string
@@ -1622,6 +1650,12 @@ Data type: `String`
 
 Location of target node group yaml file and where to create the transformed file
 
+### <a name="update_pe_master_rules"></a>`update_pe_master_rules`
+
+Updates the PE Master group rules to support 'pe_compiler_legacy' as a pp_auth_role
+
+**Supports noop?** false
+
 ### <a name="validate_rbac_token"></a>`validate_rbac_token`
 
 Check an RBAC token stored in a file is valid
 
@@ -1,20 +1,19 @@
 # @api private
 class peadm::setup::legacy_compiler_group (
   String[1] $primary_host,
-  Optional[String]                  $internal_compiler_a_pool_address = undef,
-  Optional[String]                  $internal_compiler_b_pool_address = undef,
+  Optional[String] $internal_compiler_a_pool_address = undef,
+  Optional[String] $internal_compiler_b_pool_address = undef,
 ) {
   Node_group {
     purge_behavior => none,
   }
 
   node_group { 'PE Legacy Compiler':
-    parent  => 'PE Master',
-    rule    => ['and',
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'true'],
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
-    ],
-    classes => {
+    ensure         => 'present',
+    parent         => 'PE Master',
+    purge_behavior => 'rule',
+    rule           => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
+    classes        => {
       'puppet_enterprise::profile::master'   => {
         'puppetdb_host' => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
         'puppetdb_port' => [8081],
@@ -23,50 +22,50 @@
   }
 
   node_group { 'PE Legacy Compiler Group A':
-    ensure  => 'present',
-    parent  => 'PE Legacy Compiler',
-    rule    => ['and',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
+    ensure         => 'present',
+    parent         => 'PE Legacy Compiler',
+    purge_behavior => 'rule',
+    rule           => ['and',
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'A'],
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'true'],
     ],
-    classes => {
-      'puppet_enterprise::profile::master'   => {
+    classes        => {
+      'puppet_enterprise::profile::master' => {
         'puppetdb_host' => [$internal_compiler_b_pool_address, $internal_compiler_a_pool_address].filter |$_| { $_ },
         'puppetdb_port' => [8081],
       },
     },
-    data    => {
-      # Workaround for GH-118
+    data           => {
       'puppet_enterprise::profile::master::puppetdb' => {
         'ha_enabled_replicas' => [],
       },
     },
   }
 
   node_group { 'PE Legacy Compiler Group B':
-    ensure  => 'present',
-    parent  => 'PE Legacy Compiler',
-    rule    => ['and',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
+    ensure         => 'present',
+    parent         => 'PE Legacy Compiler',
+    purge_behavior => 'rule',
+    rule           => ['and',
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'B'],
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'true'],
     ],
-    classes => {
-      'puppet_enterprise::profile::master'   => {
+    classes        => {
+      'puppet_enterprise::profile::master' => {
         'puppetdb_host' => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
         'puppetdb_port' => [8081],
       },
     },
-    data    => {
-      # Workaround for GH-118
+    data           => {
       'puppet_enterprise::profile::master::puppetdb' => {
         'ha_enabled_replicas' => [],
       },
     },
   }
 
   node_group { 'PE Compiler':
-    rule => ['and', ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'false']],
+    parent         => 'PE Master',
+    purge_behavior => 'rule',
+    rule           => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
   }
 }
@@ -81,8 +81,9 @@
 
   # PE Compiler group comes from default PE and already has the pe compiler role
   node_group { 'PE Compiler':
-    parent => 'PE Master',
-    rule   => ['and', ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'false']],
+    parent         => 'PE Master',
+    purge_behavior => 'rule',
+    rule           => ['and', ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler']],
   }
 
   # This group should pin the primary, and also map to any pe-postgresql nodes
@@ -116,14 +117,14 @@
   # Configure the A pool for compilers. There are up to two pools for DR, each
   # having an affinity for one "availability zone" or the other.
   node_group { 'PE Compiler Group A':
-    ensure  => 'present',
-    parent  => 'PE Compiler',
-    rule    => ['and',
+    ensure         => 'present',
+    purge_behavior => 'rule',
+    parent         => 'PE Compiler',
+    rule           => ['and',
       ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'A'],
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'false'],
     ],
-    classes => {
+    classes        => {
       'puppet_enterprise::profile::puppetdb' => {
         'database_host' => pick($postgresql_a_host, $notconf),
       },
@@ -134,7 +135,7 @@
         'puppetdb_port' => [8081],
       },
     },
-    data    => {
+    data           => {
       # Workaround for GH-118
       'puppet_enterprise::profile::master::puppetdb' => {
         'ha_enabled_replicas' => [],
@@ -175,14 +176,14 @@
   }
 
   node_group { 'PE Compiler Group B':
-    ensure  => 'present',
-    parent  => 'PE Compiler',
-    rule    => ['and',
+    ensure         => 'present',
+    purge_behavior => 'rule',
+    parent         => 'PE Compiler',
+    rule           => ['and',
       ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'B'],
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'false'],
     ],
-    classes => {
+    classes        => {
       'puppet_enterprise::profile::puppetdb' => {
         'database_host' => pick($postgresql_b_host, $notconf),
       },
@@ -193,7 +194,7 @@
         'puppetdb_port' => [8081],
       },
     },
-    data    => {
+    data           => {
       # Workaround for GH-118
       'puppet_enterprise::profile::master::puppetdb' => {
         'ha_enabled_replicas' => [],
@@ -202,12 +203,10 @@
   }
 
   node_group { 'PE Legacy Compiler':
-    parent  => 'PE Master',
-    rule    => ['and',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'true'],
-    ],
-    classes => {
+    parent         => 'PE Master',
+    purge_behavior => 'rule',
+    rule           => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
+    classes        => {
       'puppet_enterprise::profile::master'   => {
         'puppetdb_host' => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
         'puppetdb_port' => [8081],
@@ -218,20 +217,20 @@
   # Configure the A pool for legacy compilers. There are up to two pools for DR, each
   # having an affinity for one "availability zone" or the other.
   node_group { 'PE Legacy Compiler Group A':
-    ensure  => 'present',
-    parent  => 'PE Legacy Compiler',
-    rule    => ['and',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
+    ensure         => 'present',
+    parent         => 'PE Legacy Compiler',
+    purge_behavior => 'rule',
+    rule           => ['and',
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'A'],
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'true'],
     ],
-    classes => {
+    classes        => {
       'puppet_enterprise::profile::master'   => {
         'puppetdb_host' => [$internal_compiler_b_pool_address, $internal_compiler_a_pool_address].filter |$_| { $_ },
         'puppetdb_port' => [8081],
       },
     },
-    data    => {
+    data           => {
       # Workaround for GH-118
       'puppet_enterprise::profile::master::puppetdb' => {
         'ha_enabled_replicas' => [],
@@ -242,20 +241,20 @@
   # Configure the B pool for legacy compilers. There are up to two pools for DR, each
   # having an affinity for one "availability zone" or the other.
   node_group { 'PE Legacy Compiler Group B':
-    ensure  => 'present',
-    parent  => 'PE Legacy Compiler',
-    rule    => ['and',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
+    ensure         => 'present',
+    parent         => 'PE Legacy Compiler',
+    purge_behavior => 'rule',
+    rule           => ['and',
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'B'],
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'true'],
     ],
-    classes => {
+    classes        => {
       'puppet_enterprise::profile::master'   => {
         'puppetdb_host' => [$internal_compiler_a_pool_address, $internal_compiler_a_pool_address].filter |$_| { $_ },
         'puppetdb_port' => [8081],
       },
     },
-    data    => {
+    data           => {
       # Workaround for GH-118
       'puppet_enterprise::profile::master::puppetdb' => {
         'ha_enabled_replicas' => [],
 
@@ -16,6 +16,12 @@
   $compiler_targets          = peadm::get_targets($compiler_hosts)
   $primary_target            = peadm::get_targets($primary_host, 1)
 
+  # Check if PE Master rules have been updated to support pe_compiler_legacy
+  $rules_check = run_task('peadm::check_pe_master_rules', $primary_host).first.value
+  unless $rules_check['updated'] {
+    fail_plan('Please run the Convert plan to convert your Puppet infrastructure to be managed by this version of PEADM.')
+  }
+
   # Get current peadm config to determine where to setup additional rules for
   # compiler's secondary PuppetDB instances
   $peadm_config = run_task('peadm::get_peadm_config', $primary_target).first.value