bolt 2.25.0 → 2.30.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8bfb8de382e2a2ab6931f43ffce1eb97187fda6e2e56036b20637afb8ae8da2d
-  data.tar.gz: 56cf9c3fda7f29434413feb8b7f2eb3b358c1ed4316f2d5f4e1e47875a6919c5
+  metadata.gz: c8ca2906e21e39d1da306c9a02ddb970f64955133fcab01574e4138c1e6e154e
+  data.tar.gz: 4c875d82bf7ff9d4117440eca9e1276c1b9c2fa842fda4669227ebb0ec56f170
 SHA512:
-  metadata.gz: ec5bf195ad19bac051942f2689e58a325982a8c47b12d8970e1ed6a6758e714d8f22ce5275dc3fb7160ea6d06e7ee63bf528b2f18d67ee754b9ae41c3e92a7c5
-  data.tar.gz: cc6a87ed720484d04c7bb2275cd6812ac211733e2efce265b69cfb5ee5614fa743122ce50369079697ad08374eccea6e9797e8398176d7669846887b0f0832aa
+  metadata.gz: bd8e4327ddfeb4d88fdd1f94ab4233bcf1f0d8ce1390769587197dec11bfa024a16889c5693ec4a4333565cd7553a8c13487b6674ba5427a63f9408961e6a3a7
+  data.tar.gz: f2bcbe28ba4c26bc36d3c52ab89a8bafa6a132c930c310a92e48b841d0274389022f2480d3ed397bcc4bcf1f77fb272da82697362d33feccfe05ab0ca203cf6c

data/Puppetfile

@@ -31,9 +31,10 @@ mod 'puppetlabs-ruby_plugin_helper', '0.1.0'
 mod 'puppetlabs-stdlib', '6.3.0'
 
 # Plugin modules
-mod 'puppetlabs-aws_inventory', '0.5.0'
-mod 'puppetlabs-azure_inventory', '0.3.0'
-mod 'puppetlabs-gcloud_inventory', '0.1.1'
+mod 'puppetlabs-aws_inventory', '0.5.2'
+mod 'puppetlabs-azure_inventory', '0.4.1'
+mod 'puppetlabs-gcloud_inventory', '0.1.3'
+mod 'puppetlabs-http_request', '0.1.0'
 mod 'puppetlabs-pkcs7', '0.1.1'
 mod 'puppetlabs-terraform', '0.5.0'
 mod 'puppetlabs-vault', '0.3.0'

data/bolt-modules/boltlib/lib/puppet/datatypes/result.rb

@@ -9,11 +9,12 @@ Puppet::DataTypes.create_type('Result') do
     functions => {
       error => Callable[[], Optional[Error]],
       message => Callable[[], Optional[String]],
+      sensitive => Callable[[], Optional[Sensitive[Data]]],
       action => Callable[[], String],
       status => Callable[[], String],
       to_data => Callable[[], Hash],
       ok => Callable[[], Boolean],
-      '[]' => Callable[[String[1]], Data]
+      '[]' => Callable[[String[1]], Variant[Data, Sensitive[Data]]]
     }
   PUPPET
 

data/bolt-modules/boltlib/lib/puppet/functions/download_file.rb

@@ -96,7 +96,7 @@ Puppet::Functions.create_function(:download_file, Puppet::Functions::InternalFun
 
     # Paths expand relative to the default downloads directory for the project
     # e.g. ~/.puppetlabs/bolt/downloads/
-    destination = Puppet.lookup(:bolt_project_data).downloads + destination
+    destination = Puppet.lookup(:bolt_project).downloads + destination
 
     # If the destination directory already exists, delete any existing contents
     if Dir.exist?(destination)

data/bolt-modules/dir/lib/puppet/functions/dir/children.rb

@@ -25,7 +25,7 @@ Puppet::Functions.create_function(:'dir::children', Puppet::Functions::InternalF
     full_mod_path = File.join(mod_path, subpath || '') if mod_path
 
     # Expand relative to the project directory if path is relative
-    project = Puppet.lookup(:bolt_project_data)
+    project = Puppet.lookup(:bolt_project)
     pathname = Pathname.new(dirname)
     full_dir = pathname.absolute? ? dirname : File.expand_path(File.join(project.path, dirname))
 

data/lib/bolt/analytics.rb

@@ -27,7 +27,7 @@ module Bolt
     }.freeze
 
     def self.build_client
-      logger = Logging.logger[self]
+      logger = Bolt::Logger.logger(self)
       begin
         config_file = config_path(logger)
         config = load_config(config_file, logger)
@@ -93,6 +93,10 @@ module Bolt
     def self.write_config(filename, config)
       FileUtils.mkdir_p(File.dirname(filename))
       File.write(filename, config.to_yaml)
+    rescue StandardError => e
+      Bolt::Logger.warn_once('unwriteable_file', "Could not write analytics configuration to #{filename}.")
+      # This will get caught by build_client and create a NoopClient
+      raise e
     end
 
     class Client
@@ -106,7 +110,7 @@ module Bolt
         require 'httpclient'
         require 'locale'
 
-        @logger = Logging.logger[self]
+        @logger = Bolt::Logger.logger(self)
         @http = HTTPClient.new
         @user_id = user_id
         @executor = Concurrent.global_io_executor
@@ -210,7 +214,7 @@ module Bolt
       attr_accessor :bundled_content
 
       def initialize
-        @logger = Logging.logger[self]
+        @logger = Bolt::Logger.logger(self)
         @bundled_content = []
       end
 

data/lib/bolt/applicator.rb

@@ -28,7 +28,7 @@ module Bolt
       @apply_settings = apply_settings || {}
 
       @pool = Concurrent::ThreadPoolExecutor.new(name: 'apply', max_threads: max_compiles)
-      @logger = Logging.logger[self]
+      @logger = Bolt::Logger.logger(self)
     end
 
     private def libexec
@@ -50,15 +50,15 @@ module Bolt
 
     def catalog_apply_task
       @catalog_apply_task ||= begin
-                                path = File.join(libexec, 'apply_catalog.rb')
-                                file = { 'name' => 'apply_catalog.rb', 'path' => path }
-                                metadata = { 'supports_noop' => true, 'input_method' => 'stdin',
-                                             'implementations' => [
-                                               { 'name' => 'apply_catalog.rb' },
-                                               { 'name' => 'apply_catalog.rb', 'remote' => true }
-                                             ] }
-                                Bolt::Task.new('apply_helpers::apply_catalog', metadata, [file])
-                              end
+        path = File.join(libexec, 'apply_catalog.rb')
+        file = { 'name' => 'apply_catalog.rb', 'path' => path }
+        metadata = { 'supports_noop' => true, 'input_method' => 'stdin',
+                     'implementations' => [
+                       { 'name' => 'apply_catalog.rb' },
+                       { 'name' => 'apply_catalog.rb', 'remote' => true }
+                     ] }
+        Bolt::Task.new('apply_helpers::apply_catalog', metadata, [file])
+      end
     end
 
     def query_resources_task
@@ -75,34 +75,35 @@ module Bolt
       end
     end
 
-    def compile(target, catalog_input)
+    def compile(target, scope)
       # This simplified Puppet node object is what .local uses to determine the
       # certname of the target
       node = Puppet::Node.from_data_hash('name' => target.name,
                                          'parameters' => { 'clientcert' => target.name })
       trusted = Puppet::Context::TrustedInformation.local(node)
-      catalog_input[:target] = {
+      target_data = {
         name: target.name,
         facts: @inventory.facts(target).merge('bolt' => true),
         variables: @inventory.vars(target),
         trusted: trusted.to_h
       }
+      catalog_request = scope.merge(target: target_data)
 
       bolt_catalog_exe = File.join(libexec, 'bolt_catalog')
       old_path = ENV['PATH']
       ENV['PATH'] = "#{RbConfig::CONFIG['bindir']}#{File::PATH_SEPARATOR}#{old_path}"
-      out, err, stat = Open3.capture3('ruby', bolt_catalog_exe, 'compile', stdin_data: catalog_input.to_json)
+      out, err, stat = Open3.capture3('ruby', bolt_catalog_exe, 'compile', stdin_data: catalog_request.to_json)
       ENV['PATH'] = old_path
 
       # If bolt_catalog does not return valid JSON, we should print stderr to
       # see what happened
       print_logs = stat.success?
       result = begin
-                 JSON.parse(out)
-               rescue JSON::ParserError
-                 print_logs = true
-                 { 'message' => "Something's gone terribly wrong! STDERR is logged." }
-               end
+        JSON.parse(out)
+      rescue JSON::ParserError
+        print_logs = true
+        { 'message' => "Something's gone terribly wrong! STDERR is logged." }
+      end
 
       # Any messages logged by Puppet will be on stderr as JSON hashes, so we
       # parse those and store them here. Any message on stderr that is not
@@ -183,17 +184,16 @@ module Bolt
                                                                        type_by_reference: true,
                                                                        local_reference: true)
 
-      bolt_project = @project if @project&.name
       scope = {
         code_ast: ast,
         modulepath: @modulepath,
-        project: bolt_project.to_h,
+        project: @project.to_h,
         pdb_config: @pdb_client.config.to_hash,
         hiera_config: @hiera_config,
         plan_vars: plan_vars,
         # This data isn't available on the target config hash
         config: @inventory.transport_data_get
-      }
+      }.freeze
       description = options[:description] || 'apply catalog'
 
       required_modules = options[:required_modules].nil? ? nil : Array(options[:required_modules])

data/lib/bolt/bolt_option_parser.rb

@@ -64,6 +64,24 @@ module Bolt
       when 'guide'
         { flags: OPTIONS[:global] + %w[format],
           banner: GUIDE_HELP }
+      when 'module'
+        case action
+        when 'add'
+          { flags: OPTIONS[:global] + %w[configfile project],
+            banner: MODULE_ADD_HELP }
+        when 'generate-types'
+          { flags: OPTIONS[:global] + OPTIONS[:global_config_setters],
+            banner: MODULE_GENERATETYPES_HELP }
+        when 'install'
+          { flags: OPTIONS[:global] + %w[configfile force project resolve],
+            banner: MODULE_INSTALL_HELP }
+        when 'show'
+          { flags: OPTIONS[:global] + OPTIONS[:global_config_setters],
+            banner: MODULE_SHOW_HELP }
+        else
+          { flags: OPTIONS[:global],
+            banner: MODULE_HELP }
+        end
       when 'plan'
         case action
         when 'convert'
@@ -169,6 +187,7 @@ module Bolt
           group             Show the list of groups in the inventory
           guide             View guides for Bolt concepts and features
           inventory         Show the list of targets an action would run on
+          module            Manage Bolt project modules
           plan              Convert, create, show, and run Bolt plans
           project           Create and migrate Bolt projects
           puppetfile        Install and list modules and generate type references
@@ -341,6 +360,87 @@ module Bolt
           Show the list of targets an action would run on.
     HELP
 
+    MODULE_HELP = <<~HELP
+      NAME
+          module
+      
+      USAGE
+          bolt module <action> [options]
+
+      DESCRIPTION
+          Manage Bolt project modules
+
+          The module command is only supported when a project is configured
+          with the 'modules' key.
+
+      ACTIONS
+          add                   Add a module to the project
+          generate-types        Generate type references to register in plans
+          install               Install the project's modules
+          show                  List modules available to the Bolt project
+    HELP
+
+    MODULE_ADD_HELP = <<~HELP
+      NAME
+          add
+      
+      USAGE
+          bolt module add <module> [options]
+
+      DESCRIPTION
+          Add a module to the project.
+
+          Module declarations are loaded from the project's configuration
+          file. Bolt will automatically resolve all module dependencies,
+          generate a Puppetfile, and install the modules.
+
+          The module command is only supported when a project is configured
+          with the 'modules' key.
+    HELP
+
+    MODULE_GENERATETYPES_HELP = <<~HELP
+      NAME
+          generate-types
+
+      USAGE
+          bolt module generate-types [options]
+
+      DESCRIPTION
+          Generate type references to register in plans.
+
+          The module command is only supported when a project is configured
+          with the 'modules' key.
+    HELP
+
+    MODULE_INSTALL_HELP = <<~HELP
+      NAME
+          install
+      
+      USAGE
+          bolt module install [options]
+
+      DESCRIPTION
+          Install the project's modules.
+
+          Module declarations are loaded from the project's configuration
+          file. Bolt will automatically resolve all module dependencies,
+          generate a Puppetfile, and install the modules.
+    HELP
+
+    MODULE_SHOW_HELP = <<~HELP
+      NAME
+          show
+
+      USAGE
+          bolt module show [options]
+
+      DESCRIPTION
+          List modules available to the Bolt project.
+
+          The module command is only supported when a project is configured
+          with the 'modules' key.
+    HELP
+
     PLAN_HELP = <<~HELP
       NAME
           plan
@@ -366,11 +466,11 @@ module Bolt
           bolt plan convert <path> [options]
 
       DESCRIPTION
-          Convert a YAML plan to a Bolt plan.
+          Convert a YAML plan to a Puppet language plan and print the converted plan to stdout.
 
           Converting a YAML plan may result in a plan that is syntactically
           correct but has different behavior. Always verify a converted plan's
-          functionality.
+          functionality. Note that the converted plan is not written to a file.
 
       EXAMPLES
           bolt plan convert path/to/plan/myplan.yaml
@@ -421,9 +521,9 @@ module Bolt
           the plan, including a list of available parameters.
 
       EXAMPLES
-          Display a list of available tasks
+          Display a list of available plans
             bolt plan show
-          Display documentation for the canary task
+          Display documentation for the aggregate::count plan
             bolt plan show aggregate::count
     HELP
 
@@ -678,7 +778,7 @@ module Bolt
              'For SSH, port defaults to `22`',
              'For WinRM, port defaults to `5985` or `5986` based on the --[no-]ssl setting') do |targets|
         @options[:targets] ||= []
-        @options[:targets] << get_arg_input(targets)
+        @options[:targets] << Bolt::Util.get_arg_input(targets)
       end
       define('-q', '--query QUERY', 'Query PuppetDB to determine the targets') do |query|
         @options[:query] = query
@@ -828,7 +928,7 @@ module Bolt
              "This option is experimental.") do |exec|
         @options[:'copy-command'] = exec
       end
-      define('--connect-timeout TIMEOUT', Integer, 'Connection timeout (defaults vary)') do |timeout|
+      define('--connect-timeout TIMEOUT', Integer, 'Connection timeout in seconds (defaults vary)') do |timeout|
         @options[:'connect-timeout'] = timeout
       end
       define('--[no-]tty', 'Request a pseudo TTY on targets that support it') do |tty|
@@ -838,6 +938,13 @@ module Bolt
         @options[:tmpdir] = tmpdir
       end
 
+      separator "\nMODULE OPTIONS"
+      define('--[no-]resolve',
+             'Use --no-resolve to install modules listed in the Puppetfile without resolving modules configured',
+             'in Bolt project configuration') do |resolve|
+        @options[:resolve] = resolve
+      end
+
       separator "\nDISPLAY OPTIONS"
       define('--filter FILTER', 'Filter tasks and plans by a matching substring') do |filter|
         unless /^[a-z0-9_:]+$/.match(filter)
@@ -864,9 +971,9 @@ module Bolt
       define('--modules MODULES',
              'A comma-separated list of modules to install from the Puppet Forge',
              'when initializing a project. Resolves and installs all dependencies.') do |modules|
-        @options[:modules] = modules.split(',')
+        @options[:modules] = modules.split(',').map { |mod| { 'name' => mod } }
       end
-      define('--force', 'Overwrite existing key pairs') do |_force|
+      define('--force', 'Force a destructive action') do |_force|
         @options[:force] = true
       end
 
@@ -917,27 +1024,10 @@ module Bolt
     end
 
     def parse_params(params)
-      json = get_arg_input(params)
+      json = Bolt::Util.get_arg_input(params)
       JSON.parse(json)
     rescue JSON::ParserError => e
       raise Bolt::CLIError, "Unable to parse --params value as JSON: #{e}"
     end
-
-    def get_arg_input(value)
-      if value.start_with?('@')
-        file = value.sub(/^@/, '')
-        read_arg_file(file)
-      elsif value == '-'
-        $stdin.read
-      else
-        value
-      end
-    end
-
-    def read_arg_file(file)
-      File.read(File.expand_path(file))
-    rescue StandardError => e
-      raise Bolt::FileError.new("Error attempting to read #{file}: #{e}", file)
-    end
   end
 end

data/lib/bolt/catalog.rb

@@ -57,8 +57,10 @@ module Bolt
 
     def compile_catalog(request)
       pdb_client = Bolt::PuppetDB::Client.new(Bolt::PuppetDB::Config.new(request['pdb_config']))
-      project = request['project'] || {}
-      bolt_project = Struct.new(:name, :path).new(project['name'], project['path']) unless project.empty?
+      project = request['project']
+      bolt_project = Struct.new(:name, :path, :load_as_module?).new(project['name'],
+                                                                    project['path'],
+                                                                    project['load_as_module?'])
       inv = Bolt::ApplyInventory.new(request['config'])
       puppet_overrides = {
         bolt_pdb_client: pdb_client,
@@ -95,7 +97,7 @@ module Bolt
       }
 
       with_puppet_settings(puppet_settings) do
-        Puppet::Pal.in_tmp_environment('bolt_catalog', env_conf) do |pal|
+        Puppet::Pal.in_tmp_environment('bolt_catalog', **env_conf) do |pal|
           Puppet.override(puppet_overrides) do
             Puppet.lookup(:pal_current_node).trusted_data = target['trusted']
             pal.with_catalog_compiler do |compiler|

data/lib/bolt/cli.rb

@@ -20,33 +20,37 @@ require 'bolt/logger'
 require 'bolt/outputter'
 require 'bolt/puppetdb'
 require 'bolt/plugin'
-require 'bolt/project_migrate'
+require 'bolt/project_migrator'
 require 'bolt/pal'
 require 'bolt/target'
 require 'bolt/version'
 require 'bolt/secret'
+require 'bolt/module_installer'
 
 module Bolt
   class CLIExit < StandardError; end
   class CLI
-    COMMANDS = { 'command' => %w[run],
-                 'script' => %w[run],
-                 'task' => %w[show run],
-                 'plan' => %w[show run convert new],
-                 'file' => %w[download upload],
-                 'puppetfile' => %w[install show-modules generate-types],
-                 'secret' => %w[encrypt decrypt createkeys],
-                 'inventory' => %w[show],
-                 'group' => %w[show],
-                 'project' => %w[init migrate],
-                 'apply' => %w[],
-                 'guide' => %w[] }.freeze
+    COMMANDS = {
+      'command'    => %w[run],
+      'script'     => %w[run],
+      'task'       => %w[show run],
+      'plan'       => %w[show run convert new],
+      'file'       => %w[download upload],
+      'puppetfile' => %w[install show-modules generate-types],
+      'secret'     => %w[encrypt decrypt createkeys],
+      'inventory'  => %w[show],
+      'group'      => %w[show],
+      'project'    => %w[init migrate],
+      'module'     => %w[add generate-types install show],
+      'apply'      => %w[],
+      'guide'      => %w[]
+    }.freeze
 
     attr_reader :config, :options
 
     def initialize(argv)
       Bolt::Logger.initialize_logging
-      @logger = Logging.logger[self]
+      @logger = Bolt::Logger.logger(self)
       @argv = argv
       @options = {}
     end
@@ -79,7 +83,7 @@ module Bolt
 
     # Wrapper method that is called by the Bolt executable. Parses the command and
     # then loads the project and config. Once config is loaded, it completes the
-    # setup process by configuring Bolt and issuing warnings.
+    # setup process by configuring Bolt and logging messages.
     #
     # This separation is needed since the Bolt::Outputter class that normally handles
     # printing errors relies on config being loaded. All setup that happens before
@@ -98,6 +102,10 @@ module Bolt
       # This part aims to handle both `bolt <mode> --help` and `bolt help <mode>`.
       remaining = handle_parser_errors { parser.permute(@argv) } unless @argv.empty?
       if @argv.empty? || help?(remaining)
+        # If the subcommand is not enabled, display the default
+        # help text
+        options[:subcommand] = nil unless COMMANDS.include?(options[:subcommand])
+
         # Update the parser for the subcommand (or lack thereof)
         parser.update
         puts parser.help
@@ -106,6 +114,11 @@ module Bolt
 
       options[:object] = remaining.shift
 
+      # Handle reading a command from a file
+      if options[:subcommand] == 'command' && options[:object]
+        options[:object] = Bolt::Util.get_arg_input(options[:object])
+      end
+
       # Only parse task_options for task or plan
       if %w[task plan].include?(options[:subcommand])
         task_options, remaining = remaining.partition { |s| s =~ /.+=/ }
@@ -167,25 +180,26 @@ module Bolt
       raise e
     end
 
-    # Completes the setup process by configuring Bolt and issuing warnings
+    # Completes the setup process by configuring Bolt and log messages
     def finalize_setup
       Bolt::Logger.configure(config.log, config.color)
       Bolt::Logger.analytics = analytics
 
-      # Logger must be configured before checking path case and project file, otherwise warnings will not display
+      # Logger must be configured before checking path case and project file, otherwise logs will not display
       config.check_path_case('modulepath', config.modulepath)
       config.project.check_deprecated_file
 
-      # Log the file paths for loaded config files
-      config_loaded
-
-      # Display warnings created during parser and config initialization
-      config.warnings.each { |warning| @logger.warn(warning[:msg]) }
+      # Log messages created during parser and config initialization
+      config.logs.each { |log| @logger.send(log.keys[0], log.values[0]) }
       @parser_deprecations.each { |dep| Bolt::Logger.deprecation_warning(dep[:type], dep[:msg]) }
       config.deprecations.each { |dep| Bolt::Logger.deprecation_warning(dep[:type], dep[:msg]) }
 
       warn_inventory_overrides_cli(options)
 
+      # Assert whether the puppetfile/module commands are available depending
+      # on whether 'modules' is configured.
+      assert_puppetfile_or_module_command(config.project.modules)
+
       options
     rescue Bolt::Error => e
       outputter.fatal_error(e)
@@ -233,12 +247,6 @@ module Bolt
         end
       end
 
-      if options[:subcommand] != 'file' && options[:subcommand] != 'script' &&
-         !options[:leftovers].empty?
-        raise Bolt::CLIError,
-              "Unknown argument(s) #{options[:leftovers].join(', ')}"
-      end
-
       if %w[task plan].include?(options[:subcommand]) && options[:action] == 'run'
         if options[:object].nil?
           raise Bolt::CLIError, "Must specify a #{options[:subcommand]} to run"
@@ -250,23 +258,6 @@ module Bolt
         end
       end
 
-      if options[:boltdir] && options[:configfile]
-        raise Bolt::CLIError, "Only one of '--boltdir', '--project', or '--configfile' may be specified"
-      end
-
-      if options[:noop] &&
-         !(options[:subcommand] == 'task' && options[:action] == 'run') && options[:subcommand] != 'apply'
-        raise Bolt::CLIError,
-              "Option '--noop' may only be specified when running a task or applying manifest code"
-      end
-
-      if options[:env_vars]
-        unless %w[command script].include?(options[:subcommand]) && options[:action] == 'run'
-          raise Bolt::CLIError,
-                "Option '--env-var' may only be specified when running a command or script"
-        end
-      end
-
       if options[:subcommand] == 'apply' && (options[:object] && options[:code])
         raise Bolt::CLIError, "--execute is unsupported when specifying a manifest file"
       end
@@ -289,6 +280,38 @@ module Bolt
         raise Bolt::CLIError, "Must specify a plan name."
       end
 
+      if options[:subcommand] == 'module' && options[:action] == 'add' && !options[:object]
+        raise Bolt::CLIError, "Must specify a module name."
+      end
+
+      if options[:subcommand] == 'module' && options[:action] == 'install' && options[:object]
+        raise Bolt::CLIError, "Invalid argument '#{options[:object]}'. To add a new module to "\
+                              "the project, run 'bolt module add #{options[:object]}'."
+      end
+
+      if options[:subcommand] != 'file' && options[:subcommand] != 'script' &&
+         !options[:leftovers].empty?
+        raise Bolt::CLIError,
+              "Unknown argument(s) #{options[:leftovers].join(', ')}"
+      end
+
+      if options[:boltdir] && options[:configfile]
+        raise Bolt::CLIError, "Only one of '--boltdir', '--project', or '--configfile' may be specified"
+      end
+
+      if options[:noop] &&
+         !(options[:subcommand] == 'task' && options[:action] == 'run') && options[:subcommand] != 'apply'
+        raise Bolt::CLIError,
+              "Option '--noop' may only be specified when running a task or applying manifest code"
+      end
+
+      if options[:env_vars]
+        unless %w[command script].include?(options[:subcommand]) && options[:action] == 'run'
+          raise Bolt::CLIError,
+                "Option '--env-var' may only be specified when running a command or script"
+        end
+      end
+
       if options.key?(:debug) && options.key?(:log)
         raise Bolt::CLIError, "Only one of '--debug' or '--log-level' may be specified"
       end
@@ -356,7 +379,7 @@ module Bolt
       # Initialize inventory and targets. Errors here are better to catch early.
       # options[:target_args] will contain a string/array version of the targetting options this is passed to plans
       # options[:targets] will contain a resolved set of Target objects
-      unless %w[project puppetfile secret guide].include?(options[:subcommand]) ||
+      unless %w[guide module project puppetfile secret].include?(options[:subcommand]) ||
              %w[convert new show].include?(options[:action])
         update_targets(options)
       end
@@ -382,7 +405,7 @@ module Bolt
                                   inventory_version: inventory.version)
       end
 
-      analytics.screen_view(screen, screen_view_fields)
+      analytics.screen_view(screen, **screen_view_fields)
 
       case options[:action]
       when 'show'
@@ -407,6 +430,8 @@ module Bolt
           end
         when 'group'
           list_groups
+        when 'module'
+          list_modules
         end
         return 0
       when 'show-modules'
@@ -435,9 +460,7 @@ module Bolt
         when 'init'
           code = initialize_project
         when 'migrate'
-          inv = config.inventoryfile
-          path = config.project.path
-          code = Bolt::ProjectMigrate.new(path, outputter, inv).migrate_project
+          code = Bolt::ProjectMigrator.new(config, outputter).migrate
         end
       when 'plan'
         case options[:action]
@@ -446,12 +469,25 @@ module Bolt
         when 'run'
           code = run_plan(options[:object], options[:task_options], options[:target_args], options)
         end
+      when 'module'
+        case options[:action]
+        when 'add'
+          code = add_project_module(options[:object], config.project)
+        when 'install'
+          code = install_project_modules(config.project, options[:force], options[:resolve])
+        when 'generate-types'
+          code = generate_types
+        end
       when 'puppetfile'
         case options[:action]
         when 'generate-types'
           code = generate_types
         when 'install'
-          code = install_puppetfile(config.puppetfile_config, config.puppetfile, config.modulepath)
+          code = install_puppetfile(
+            config.puppetfile_config,
+            config.puppetfile,
+            config.modulepath.first
+          )
         end
       when 'secret'
         code = Bolt::Secret.execute(plugins, outputter, options)
@@ -801,36 +837,39 @@ module Bolt
       old_config = project + 'bolt.yaml'
       config     = project + 'bolt-project.yaml'
       puppetfile = project + 'Puppetfile'
-      modulepath = [project + 'modules']
+      moduledir  = project + 'modules'
+
+      # Warn the user if the project directory already exists. We don't error
+      # here since users might not have installed any modules yet. If both
+      # bolt.yaml and bolt-project.yaml exist, this will just warn about
+      # bolt-project.yaml and subsequent Bolt actions will warn about both files
+      # existing.
+      if config.exist?
+        @logger.warn "Found existing project directory at #{project}. Skipping file creation."
+      elsif old_config.exist?
+        @logger.warn "Found existing #{old_config.basename} at #{project}. "\
+                    "#{old_config.basename} is deprecated, please rename to #{config.basename}."
+      end
 
-      # If modules were specified, first check if there is already a Puppetfile at the project
-      # directory, erroring if there is. If there is no Puppetfile, generate the Puppetfile
-      # content by resolving the specified modules and all their dependencies.
-      # We generate the Puppetfile first so that any errors in resolving modules and their
-      # dependencies are caught early and do not create a project directory.
+      # If modules were specified, first check if there is already a Puppetfile
+      # at the project directory, erroring if there is. If there is no
+      # Puppetfile, install the specified modules. The module installer will
+      # resolve dependencies, generate a Puppetfile, and install the modules.
       if options[:modules]
         if puppetfile.exist?
           raise Bolt::CLIError,
-                "Found existing Puppetfile at #{puppetfile}, unable to initialize project with "\
-                "#{options[:modules].join(', ')}"
-        else
-          puppetfile_specs = resolve_puppetfile_specs
+                "Found existing Puppetfile at #{puppetfile}, unable to initialize "\
+                "project with modules."
         end
+
+        installer = Bolt::ModuleInstaller.new(outputter, pal)
+        installer.install(options[:modules], puppetfile, moduledir)
       end
 
-      # Warn the user if the project directory already exists. We don't error here since users
-      # might not have installed any modules yet.
-      # If both bolt.yaml and bolt-project.yaml exist, this will just warn
-      # about bolt-project.yaml and subsequent Bolt actions will warn about
-      # both files existing
-      if config.exist?
-        @logger.warn "Found existing project directory at #{project}. Skipping file creation."
-      # This won't get called if bolt-project.yaml exists
-      elsif old_config.exist?
-        @logger.warn "Found existing #{old_config.basename} at #{project}. "\
-          "#{old_config.basename} is deprecated, please rename to #{config.basename}."
-      # Bless the project directory as a...wait for it...project
-      else
+      # If either bolt.yaml or bolt-project.yaml exist, the user has already
+      # been warned and we can just finish project creation. Otherwise, create a
+      # bolt-project.yaml with the project name in it.
+      unless config.exist? || old_config.exist?
         begin
           content = { 'name' => name }
           File.write(config.to_path, content.to_yaml)
@@ -840,109 +879,86 @@ module Bolt
         end
       end
 
-      # Write the generated Puppetfile to the fancy new project
-      if puppetfile_specs
-        File.write(puppetfile, puppetfile_specs.join("\n"))
-        outputter.print_message "Successfully created Puppetfile at #{puppetfile}"
-        # Install the modules from our shiny new Puppetfile
-        if install_puppetfile({}, puppetfile, modulepath)
-          outputter.print_message "Successfully installed #{options[:modules].join(', ')}"
-        else
-          raise Bolt::CLIError, "Could not install #{options[:modules].join(', ')}"
-        end
-      end
-
       0
     end
 
-    # Resolves Puppetfile specs from user-specified modules and dependencies resolved
-    # by the puppetfile-resolver gem.
-    def resolve_puppetfile_specs
-      require 'puppetfile-resolver'
-
-      # Build the document model from the module names, defaulting to the latest version of each module
-      model = PuppetfileResolver::Puppetfile::Document.new('')
-      options[:modules].each do |mod_name|
-        model.add_module(
-          PuppetfileResolver::Puppetfile::ForgeModule.new(mod_name).tap { |mod| mod.version = :latest }
-        )
-      end
-
-      # Make sure the Puppetfile model is valid
-      unless model.valid?
-        raise Bolt::ValidationError,
-              "Unable to resolve dependencies for #{options[:modules].join(', ')}"
-      end
-
-      # Create the resolver using the Puppetfile model. nil disables Puppet version restrictions.
-      resolver = PuppetfileResolver::Resolver.new(model, nil)
-
-      # Configure and resolve the dependency graph
-      result = resolver.resolve(
-        cache:                 nil,
-        ui:                    nil,
-        module_paths:          [],
-        allow_missing_modules: true
-      )
+    # Installs modules declared in the project configuration file.
+    #
+    def install_project_modules(project, force, resolve)
+      assert_project_file(project)
 
-      # Validate that the modules exist
-      missing_graph = result.specifications.select do |_name, spec|
-        spec.instance_of? PuppetfileResolver::Models::MissingModuleSpecification
+      unless project.modules
+        outputter.print_message "Project configuration file #{project.project_file} does not "\
+                                "specify any module dependencies. Nothing to do."
+        return 0
       end
 
-      if missing_graph.any?
-        titles = model.modules.each_with_object({}) do |mod, acc|
-          acc[mod.name] = mod.title
-        end
+      installer = Bolt::ModuleInstaller.new(outputter, pal)
 
-        names = titles.values_at(*missing_graph.keys)
-        plural = names.count == 1 ? '' : 's'
+      ok = installer.install(project.modules,
+                             project.puppetfile,
+                             project.managed_moduledir,
+                             force: force,
+                             resolve: resolve)
+      ok ? 0 : 1
+    end
 
-        raise Bolt::ValidationError,
-              "Unknown module name#{plural} #{names.join(', ')}"
-      end
+    # Adds a single module to the project.
+    #
+    def add_project_module(name, project)
+      assert_project_file(project)
+
+      modules   = project.modules || []
+      installer = Bolt::ModuleInstaller.new(outputter, pal)
+
+      ok = installer.add(name,
+                         modules,
+                         project.puppetfile,
+                         project.managed_moduledir,
+                         project.project_file)
+      ok ? 0 : 1
+    end
 
-      # Filter the dependency graph to only include module specifications
-      spec_graph = result.specifications.select do |_name, spec|
-        spec.instance_of? PuppetfileResolver::Models::ModuleSpecification
-      end
+    # Asserts that there is a project configuration file.
+    #
+    def assert_project_file(project)
+      unless project.project_file?
+        msg = if project.config_file.exist?
+                "Detected Bolt configuration file #{project.config_file}, unable to install "\
+                "modules. To update to a project configuration file, run 'bolt project migrate'."
+              else
+                "Could not find project configuration file #{project.project_file}, unable "\
+                "to install modules. To create a Bolt project, run 'bolt project init'."
+              end
 
-      # Map specification models to a Puppetfile specification
-      spec_graph.values.map do |spec|
-        "mod '#{spec.owner}-#{spec.name}', '#{spec.version}'"
+        raise Bolt::Error.new(msg, 'bolt/missing-project-config-error')
       end
     end
 
-    def install_puppetfile(config, puppetfile, modulepath)
-      require 'r10k/cli'
-      require 'bolt/r10k_log_proxy'
-
-      if puppetfile.exist?
-        moduledir = modulepath.first.to_s
-        r10k_opts = {
-          root: puppetfile.dirname.to_s,
-          puppetfile: puppetfile.to_s,
-          moduledir: moduledir
-        }
-
-        settings = R10K::Settings.global_settings.evaluate(config)
-        R10K::Initializers::GlobalInitializer.new(settings).call
-        install_action = R10K::Action::Puppetfile::Install.new(r10k_opts, nil)
-
-        # Override the r10k logger with a proxy to our own logger
-        R10K::Logging.instance_variable_set(:@outputter, Bolt::R10KLogProxy.new)
-
-        ok = install_action.call
-        outputter.print_puppetfile_result(ok, puppetfile, moduledir)
-        # Automatically generate types after installing modules
-        pal.generate_types
+    # Loads a Puppetfile and installs its modules.
+    #
+    def install_puppetfile(config, puppetfile, moduledir)
+      installer = Bolt::ModuleInstaller.new(outputter, pal)
+      ok = installer.install_puppetfile(puppetfile, moduledir, config)
+      ok ? 0 : 1
+    end
 
-        ok ? 0 : 1
-      else
-        raise Bolt::FileError.new("Could not find a Puppetfile at #{puppetfile}", puppetfile)
+    # Raises an error if the 'puppetfile install' command is deprecated due to
+    # modules being configured.
+    #
+    def assert_puppetfile_or_module_command(modules)
+      if modules && options[:subcommand] == 'puppetfile'
+        raise Bolt::CLIError,
+              "Unable to use command 'bolt puppetfile #{options[:action]}' when "\
+              "'modules' is configured in bolt-project.yaml. Use the 'module' command "\
+              "instead. For a list of available actions for the 'module' command, run "\
+              "'bolt module --help'."
+      elsif modules.nil? && options[:subcommand] == 'module'
+        raise Bolt::CLIError,
+              "Unable to use command 'bolt module #{options[:action]}'. To use "\
+              "this command, update your project configuration to manage module "\
+              "dependencies."
       end
-    rescue R10K::Error => e
-      raise PuppetfileError, e
     end
 
     def pal
@@ -958,17 +974,17 @@ module Bolt
     # Collects the list of Bolt guides and maps them to their topics.
     def guides
       @guides ||= begin
-                    root_path = File.expand_path(File.join(__dir__, '..', '..', 'guides'))
-                    files     = Dir.children(root_path).sort
-
-                    files.each_with_object({}) do |file, guides|
-                      next if file !~ /\.txt\z/
-                      topic = File.basename(file, '.txt')
-                      guides[topic] = File.join(root_path, file)
-                    end
-                  rescue SystemCallError => e
-                    raise Bolt::FileError.new("#{e.message}: unable to load guides directory", root_path)
-                  end
+        root_path = File.expand_path(File.join(__dir__, '..', '..', 'guides'))
+        files     = Dir.children(root_path).sort
+
+        files.each_with_object({}) do |file, guides|
+          next if file !~ /\.txt\z/
+          topic = File.basename(file, '.txt')
+          guides[topic] = File.join(root_path, file)
+        end
+      rescue SystemCallError => e
+        raise Bolt::FileError.new("#{e.message}: unable to load guides directory", root_path)
+      end
     end
 
     # Display the list of available Bolt guides.
@@ -1019,10 +1035,10 @@ module Bolt
 
     def analytics
       @analytics ||= begin
-                       client = Bolt::Analytics.build_client
-                       client.bundled_content = bundled_content
-                       client
-                     end
+        client = Bolt::Analytics.build_client
+        client.bundled_content = bundled_content
+        client
+      end
     end
 
     def bundled_content
@@ -1057,17 +1073,10 @@ module Bolt
       content
     end
 
-    def config_loaded
-      msg = <<~MSG.chomp
-        Loaded configuration from: '#{config.config_files.join("', '")}'
-      MSG
-      @logger.info(msg)
-    end
-
     # Gem installs include the aggregate, canary, and puppetdb_fact modules, while
     # package installs include modules listed in the Bolt repo Puppetfile
     def incomplete_install?
-      (Dir.children(Bolt::PAL::MODULES_PATH) - %w[aggregate canary puppetdb_fact]).empty?
+      (Dir.children(Bolt::PAL::MODULES_PATH) - %w[aggregate canary puppetdb_fact secure_env_vars]).empty?
     end
 
     # Mimicks the output from Outputter::Human#fatal_error. This should be used to print