I miss a feature that allows assigning roles to one of two kinds of groups.
Group one: e.g. webserver defines which roles the server has.
- inherits multiple firewall roles of your choice
Group two defines to which roles the server is allowed to connect.
- e.g. the webservers are allowed to connect to the mysql-servers
- if a host is set up, it looks for every host which has the role(s) it is allowed to connect to. The firewall logic automatically restricts access to other hosts.
There need to be dummy groups, e.g. for network connections which are not managed by Puppet (e.g. Internet connection with fixed IP address).
These groups are exported to the master and make complex firewalling very easy.
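One way to express the two groups described above with exported resources, as an added example that is not code from the original post. It assumes the puppetlabs-firewall module (5.x, where the parameter is `jump`; older releases use `action`), PuppetDB for exported resources, and class, parameter and tag names chosen here for illustration.

```puppet
# Added example, not from the original post. Assumes puppetlabs-firewall 5.x
# ('jump'; older releases use 'action'), PuppetDB for exported resources,
# and class/parameter names chosen here for illustration.
class role_firewall (
  Array[String] $roles       = [],   # group one: roles this host has
  Array[String] $connects_to = [],   # group two: roles this host may reach
  Hash[String, Array[Integer]] $role_ports = {
    'webserver' => [80, 443],
    'mysql'     => [3306],
  },
) {
  $my_ip = $facts['networking']['ip']
  $me    = $facts['networking']['fqdn']

  # Group two: for every role this host may connect to, export a rule
  # allowing *this* host's IP to reach that role's ports. Only hosts
  # holding the target role collect it (below), so nothing is opened
  # to the network at large.
  $connects_to.each |String $target| {
    $role_ports[$target].each |Integer $port| {
      @@firewall { "200 ${target}:${port} from ${me}":
        proto  => 'tcp',
        dport  => $port,
        source => "${my_ip}/32",
        jump   => 'accept',
        tag    => "role_${target}_clients",
      }
    }
  }

  # Group one: a host holding a role realises every exported rule tagged
  # for that role. A webserver with connects_to = ['mysql'] therefore
  # lands in the mysql servers' allow list automatically; a default
  # drop policy (not shown) keeps everything else out.
  $roles.each |String $r| {
    $client_tag = "role_${r}_clients"
    Firewall <<| tag == $client_tag |>>
  }
}

# Dummy group for a client Puppet does not manage (fixed IP): declared
# once, anywhere in a catalog, so it is collected like a managed host.
@@firewall { '200 mysql:3306 from office-gateway (unmanaged)':
  proto  => 'tcp',
  dport  => 3306,
  source => '192.0.2.10/32',   # constructed placeholder address
  jump   => 'accept',
  tag    => 'role_mysql_clients',
}
```

Exported titles include the target, port and exporting host so they stay unique across the whole PuppetDB; declaring the unmanaged dummy rule on more than one node would produce a duplicate-export error.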