Puppet Releases New Impact Analysis Tool

Unlike Kubernetes or Docker, Puppet, the configuration management tool that sits at the center of many DevOps Continuous Delivery (CD) pipelines, keeps a relatively low profile. In part that is because, once set up, it is highly automated. IT teams must still work out what effect a change to their infrastructure code will have on node behavior, however, and Puppet saw this as eminently fixable.

“Imagine if every new pull request for a proposed Puppet change could tell you which nodes would be affected, and even which configurations would change. With this detail, you could better assess the potential impact of the new proposed code. You could quickly push through changes that only affect the infrastructure of the team that proposed the change and apply more scrutiny to changes with more broad effects.”

Earlier this year, Puppet did exactly that, releasing a visual Impact Analysis tool as part of its Enterprise edition.

Impact Analysis Limitations

Impact Analysis lets an IT team see how a single code change will play out across thousands of devices before it is merged. Still, Puppet notes that “there are certain circumstances in which we can’t reliably calculate the full impact of a code change” (puppet.com), and warns that the tool “should not be used as a substitute for more exhaustive testing.” In practice it is a scoping and triage aid: it tells you which nodes deserve a closer look, not that the change is safe.

Resolving Uncertainty

In large enterprises, IT teams are understandably skittish about high-risk changes to the control repository, whether to Puppet code or to the Puppetfile that pins its modules. Puppet has long had a “no operation” (noop) mode, which reports what a run would change on a node without actually changing it. The catch is that noop still has to be run against specific nodes, so teams are left guessing which nodes a change touches and therefore where to run it. This becomes a real problem as enterprises scale, leaving them in a “phase of uncertainty, one in which their movement towards implementing DevOps begins to stall.”

With Impact Analysis, IT teams “configure how many node catalogs should be compiled in parallel for a given impact analysis report” (note: a catalog documents a node’s desired state and can specify ordered dependency information).* The tool compiles each selected node’s catalog with the proposed code and compares it with the node’s current catalog; the resulting report lists, node by node, which resources’ desired state the change would alter.

Future Changes

In the near future, Puppet plans to configure its software so that it runs only on the nodes a code change actually affects (or at least to flag changes “that require approval if their scope is too large”). The company’s stated goal is to push automation further with every new edition.

Finally, Puppet also intends to extend Impact Analysis to Hiera data. Hiera is Puppet’s hierarchical key/value lookup: site-specific data (hostnames, ports, feature flags, credentials) lives in external YAML or JSON files rather than in the code, so that the same modules can be reused across environments. At present the tool only analyzes code changes, so a commit that touches nothing but Hiera data can still change what nodes end up with without being flagged. Closing that gap is, again, in line with Puppet’s automation focus.
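The following is an added example, not code from the article or from Puppet itself. It ties together the two points above: staging a risky change with noop (the section on Resolving Uncertainty) and how Hiera data, not manifests, can decide what a node ends up with. The class name, file paths, Hiera key names and the certname are assumptions chosen for illustration.

```puppet
# Added example, not from the article or from Puppet's own code.
# Class name, paths, Hiera keys and the certname below are assumptions.

class profile::sshd (
  # Filled in by Hiera through automatic parameter lookup of the keys
  # profile::sshd::permit_root_login and profile::sshd::stage_only.
  Boolean $permit_root_login = false,
  Boolean $stage_only        = true,
) {
  $root_login = $permit_root_login ? { true => 'yes', default => 'no' }

  # noop metaparameter: while $stage_only is true the agent still compiles and
  # compares this resource on every run and reports
  #   "current_value ..., should be ... (noop)"
  # whenever it differs, but never writes the file. Dependents only see
  # "Would have triggered 'refresh'", so sshd is not restarted either.
  file { '/etc/ssh/sshd_config':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => @("EOT"),
      # managed by Puppet
      PermitRootLogin ${root_login}
      PasswordAuthentication no
      | EOT
    noop    => $stage_only,
  }

  service { 'sshd':
    ensure    => running,
    enable    => true,
    subscribe => File['/etc/ssh/sshd_config'],
  }
}

# Run-level alternative, typed on a node you believe is affected. It simulates
# the whole catalog without changing anything:
#   sudo puppet agent --test --noop
# The gap the article describes: you still have to guess which nodes to run it on.

# hiera.yaml in the control repo (shown as a comment because Hiera data is YAML):
#   version: 5
#   defaults:
#     datadir: data
#     data_hash: yaml_data
#   hierarchy:
#     - name: "Per-node data"
#       path: "nodes/%{trusted.certname}.yaml"
#     - name: "Common data"
#       path: "common.yaml"
#
# data/common.yaml                        -> every node gets the safe default
#   profile::sshd::permit_root_login: false
#   profile::sshd::stage_only: false
#
# data/nodes/bastion01.example.com.yaml   -> a one-line data commit relaxes a
#   profile::sshd::permit_root_login: true   control on one host. No .pp file
#                                             changed, which is why a code-only
#                                             impact analysis cannot flag it.
```

The two noop forms serve different moments. `puppet agent --test --noop` is something an operator runs by hand on a node they already suspect; the `noop => true` metaparameter ships with the code, so every node reports the would-be change on its normal schedule, and flipping `profile::sshd::stage_only` to `false` in Hiera turns enforcement on without another code review. That last step is exactly the kind of data-only change the current Impact Analysis cannot see.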


* The Enterprise edition features a node graph that can display “a node’s catalog (as of the last Puppet run) as an interactive visual map. The graph shows the desired state for each resource that [Puppet Enterprise] manages, as well as each resource’s status as of the last run, and helps you understand the dependencies between resources. It also allows you to visually identify complexity you may not need, and problematic dependencies that need your attention.” (puppet.com)