cem_acpt 0.10.9 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 34279d516f9561d412312959bbe0180d406a234818e4311c2238983922900de5
-  data.tar.gz: cd20359cc64580a648f74964ceb6847c7c60db987cc96dca76ab30cfd0f1a877
+  metadata.gz: 1e3e1c15beb777d80ea6a65241d1433901f6d627eabd4f11be9547f79e941c03
+  data.tar.gz: bef63cc44f4e536da21599b01d00dc51524f60240e42ad22f23df6e5fadb36b7
 SHA512:
-  metadata.gz: cb06435dc76fe50ff0dffd557db70d0e354a80093cffed96335580601e00d56dbc43a41805fb621c67177d0cf7c97d67ff33f19e90f3e871516dbcddf0661606
-  data.tar.gz: ffb32d8da0e509d56c828b2bcd356e2e0454ec138713991636881f75ed43da8dfe44f16d8d26e5c700ed0940a645d8e084842f916e5abce4b5218919f4787f91
+  metadata.gz: 28f8b379445b92a4ff5e7df0fcd1a2f7385d7a6ee86c47bfdd825be23beb79c60752580e8c62c29f39d5fa5c3f623cc4834c4237679f74b19b847448ed16518f
+  data.tar.gz: 681f5f556c8ddcdc523db369c207e19c96e7378a82299862d10002fa9cc2d02ea8e6a3a416d84fd68594d194218e415f1a137b511bd0786386e0330a714518c5

data/.claude/settings.local.json

@@ -0,0 +1,7 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(xargs ls:*)"
+    ]
+  }
+}

data/CLAUDE.md

@@ -0,0 +1,87 @@
+# CLAUDE.md
+
+## What This Project Is
+
+`cem_acpt` is a Ruby gem providing an acceptance testing CLI for Puppet SCE (Security Compliance Enforcement), formerly known as Puppet CEM (Compliance Enforcement Modules). It provisions cloud nodes via Terraform, applies a Puppet manifest to the node, runs infrastructure tests via Goss, and tears everything down. It is also capable of running Puppet Bolt tests, which validate Bolt tasks and plans. A second binary, `cem_acpt_image`, builds the base VM images used by the test runner.
+
+## Commands
+
+```bash
+bundle install          # Install dependencies
+
+bundle exec rake spec                                  # Run all the spec tests
+bundle exec rake spec SPEC=spec/path/to/file_spec.rb   # Run a single spec file
+
+rubocop                 # Lint
+rubocop -a              # Auto-fix lint issues
+
+bundle exec rake build                           # Build the gem (saves to pkg/cem_acpt-<semver>.gem)
+bundle exec gem install pkg/cem_acpt-X.X.X.gem   # Install the gem with the given semver (X.X.X should be replaced with a version)
+
+bundle exec exe/cem_acpt -h       # CLI help
+bundle exec exe/cem_acpt -Y       # Print merged config (useful for debugging)
+bundle exec exe/cem_acpt -X       # Explain config merge sources
+```
+
+RuboCop target is Ruby 3.2. Line length limit is 200. Many complexity metrics (AbcSize, MethodLength, ClassLength) are disabled.
+
+## Architecture
+
+### Entry Points
+
+- `exe/cem_acpt` → `lib/cem_acpt.rb` → dispatches to `TestRunner::Runner`
+- `exe/cem_acpt_image` → `lib/cem_acpt.rb` → dispatches to `ImageBuilder::TerraformBuilder`
+- CLI parsing lives in `lib/cem_acpt/cli.rb` (Ruby `OptionParser`)
+
+### Configuration System (`lib/cem_acpt/config/`)
+
+Config is merged from four sources, lowest to highest priority:
+1. Environment variables (`CEM_ACPT_` prefix; nested keys use `__`)
+2. User config at `~/.cem_acpt/config.yaml`
+3. `--config FILE` option
+4. Other CLI flags
+
+`Config::Base` handles the merge logic via `deep_merge`. Subclasses `Config::CemAcpt` and `Config::CemAcptImage` define the schema for each command.
+
+### Test Runner Lifecycle (`lib/cem_acpt/test_runner.rb`)
+
+1. **Pre-provision** – Build the Puppet module tarball (`Utils::Puppet`)
+2. **Provision** – Spin up GCP nodes via Terraform (`Provision::Terraform`), generate ephemeral SSH keys, install the module
+3. **Execute** – Run action groups: `:goss` (async, HTTP) and `:bolt` (sync, Puppet tasks)
+4. **Cleanup** – `terraform destroy` unless `--no-destroy-nodes`
+
+### Platform Abstraction (`lib/cem_acpt/platform/`)
+
+`Platform::Base` defines the interface; `Platform::Gcp` implements GCP-specific behaviour. Platforms are loaded dynamically by name from the config.
+
+### Actions (`lib/cem_acpt/actions.rb`)
+
+The `Actions` class orchestrates test execution. Action groups can be filtered with `--only-actions` / `--except-actions`. Goss actions run async via `async-http`; Bolt actions run synchronously.
+
+### Terraform Templates (`lib/terraform/`)
+
+Terraform HCL lives inside the gem under `lib/terraform/`. Paths:
+- `lib/terraform/gcp/linux/` and `lib/terraform/gcp/windows/` – test node provisioning
+- `lib/terraform/image/gcp/linux/` – image-building node provisioning
+
+### Logging (`lib/cem_acpt/logging/`)
+
+Supports simultaneous STDOUT + file logging. Pass `-I` / `--CI` for GitHub Actions–formatted output. Pass `--trace` to enable Ruby `TracePoint` debugging.
+
+## Test Structure
+
+Acceptance test cases live under `spec/acceptance/` (in the consuming module, not this gem):
+
+```
+spec/acceptance/<framework>_<os>-<version>_<firewall>_<profile>_<level>/
+  manifest.pp   # Puppet manifest to apply
+  goss.yaml     # Goss assertions
+  bolt.yaml     # (optional) Bolt task assertions
+```
+
+Unit tests mirror `lib/` under `spec/`. Fixtures are in `spec/fixtures/`.
+
+## Conventions
+
+- Document all Ruby code using Yard comments
+- All changes should have tests

data/Gemfile.lock

@@ -1,10 +1,11 @@
 PATH
   remote: .
   specs:
-    cem_acpt (0.10.9)
+    cem_acpt (0.11.0)
       async-http (>= 0.60, < 0.70)
       bcrypt_pbkdf (>= 1.0, < 2.0)
       deep_merge (>= 1.2, < 2.0)
+      dotenv (>= 3.2, < 4.0)
       ed25519 (>= 1.0, < 2.0)
       puppet-modulebuilder (>= 0.0.1)
       winrm (>= 2.3, < 3.0)
@@ -44,6 +45,7 @@ GEM
     deep_merge (1.2.2)
     diff-lcs (1.6.1)
     docile (1.4.1)
+    dotenv (3.2.0)
     ed25519 (1.3.0)
     erubi (1.13.1)
     ffi (1.17.1)

data/cem_acpt.gemspec

@@ -30,6 +30,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'async-http', '>= 0.60', '< 0.70'
   spec.add_runtime_dependency 'bcrypt_pbkdf', '>= 1.0', '< 2.0'
   spec.add_runtime_dependency 'deep_merge', '>= 1.2', '< 2.0'
+  spec.add_runtime_dependency 'dotenv', '>= 3.2', '< 4.0'
   spec.add_runtime_dependency 'ed25519', '>= 1.0', '< 2.0'
   spec.add_runtime_dependency 'puppet-modulebuilder', '>= 0.0.1'
   spec.add_runtime_dependency 'winrm', '>= 2.3', '< 3.0'

data/exe/cem_acpt

@@ -1,6 +1,7 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
+require 'dotenv/load'
 require 'cem_acpt'
 require 'cem_acpt/cli'
 

data/exe/cem_acpt_image

@@ -1,6 +1,7 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
+require 'dotenv/load'
 require 'cem_acpt'
 require 'cem_acpt/cli'
 

data/lib/cem_acpt/cli.rb

@@ -4,6 +4,14 @@ require 'optparse'
 
 module CemAcpt
   module Cli
+    OPTIONS_DESC = [
+      'Set options. Example: -O "param1=value1,param2=value2"',
+      'For nested options, use dot notation to specify the nesting. For example,',
+      '-O "nested.param1=value1,nested.param2=value2"',
+      'Use this to set any config option or other runtime option. For example, to set the max_run_duration for a test',
+      'node, you would use: -O "node_data.max_run_duration=<duration in seconds>"',
+    ].freeze
+
     def self.parse_opts_for(command)
       cmd = command
       options = {}
@@ -56,8 +64,13 @@ module CemAcpt
             options[:dry_run] = true
           end
 
-          opts.on('--no-build-images', 'Do not build images. Can be combined with --no-destroy-nodes to just provision nodes.') do
+          opts.on('--no-build-images', 'Do not build images from the provisioned nodes.') do
+            options[:no_build_images] = true
+          end
+
+          opts.on('--provision-only', 'Provision the nodes only. Equivalent to --no-build-images and --no-destroy-nodes.') do
             options[:no_build_images] = true
+            options[:no_destroy_nodes] = true
           end
 
           opts.on('--no-linux', 'Do not build Linux images') do
@@ -83,10 +96,16 @@ module CemAcpt
           options[:log_file] = file
         end
 
-        opts.on('-O', '--options OPTS', 'Set options. Example: -P "param1=value1,param2=value2"') do |o|
-          params = o.split(',').map { |s| s.split('=') }.to_h
-          params.transform_keys(&:to_sym).each do |k, v|
-            options[k] = v
+        opts.on('-O', '--options OPTS', OPTIONS_DESC.join(' ')) do |o|
+          params = o.split(',').map { |s| s.split('=', 2) }.to_h
+          params.each do |k, v|
+            keys = k.split('.') # Split the option key into parts for nested hashes
+            last_key = keys.pop # The last part is the actual key to set the value for
+            nested_hash = keys.reduce(options) do |h, key|
+              h[key.to_sym] ||= {} # Create nested hash if it doesn't exist
+              h[key.to_sym] # Return the nested hash for the next iteration
+            end
+            nested_hash[last_key.to_sym] = v # Set the value for the last key
           end
         end
 
@@ -115,7 +134,7 @@ module CemAcpt
           options[:verbose] = true
         end
 
-        opts.on('-S', '--no-epehemeral-ssh-key', 'Do not generate an ephemeral SSH key for test suites') do
+        opts.on('-S', '--no-ephemeral-ssh-key', 'Do not generate an ephemeral SSH key for test suites') do
           options[:no_ephemeral_ssh_key] = true
         end
 

data/lib/cem_acpt/config/base.rb

@@ -2,6 +2,7 @@
 
 require 'digest'
 require 'deep_merge'
+require 'dotenv/load'
 require 'fileutils'
 require 'json'
 require 'yaml'
@@ -13,6 +14,24 @@ module CemAcpt
   module Config
     using CemAcpt::CoreExt::ExtendedHash
 
+    # Provides a wrapper for secret values. This is used to prevent secrets from being printed in logs or error messages.
+    class Secret
+      attr_reader :key, :value
+
+      def initialize(key, value)
+        @value = value
+        @key = key
+      end
+
+      def to_s
+        "Secret(#{key}=****)"
+      end
+
+      def inspect
+        "#<#{self.class}:#{object_id.to_s(16)} key=#{key} value=**** >"
+      end
+    end
+
     # Base class for other config classes
     # Child classes should provide the following constant:
     #   - VALID_KEYS - provide an array of valid top-level keys for the config as symbols
@@ -36,6 +55,7 @@ module CemAcpt
         provisioner
         puppet
         quiet
+        secrets
         terraform
         user_config
         verbose
@@ -46,10 +66,25 @@ module CemAcpt
         merge_nil_values: true,
       }.freeze
 
+      def self.inherited(subclass)
+        subclass.instance_variable_set(:@load_hook, nil)
+      end
+
+      # Add a block to be called after the config is loaded but before it is validated and frozen. The block will be
+      # passed the config hash and can be used to modify the config before it is finalized.
+      def self.load_hook(&block)
+        if block_given?
+          @load_hook = block
+        else
+          @load_hook
+        end
+      end
+
       attr_reader :config, :env_vars
 
       def initialize(opts: {}, config_file: nil, load_user_config: true)
         @load_user_config = load_user_config
+        @explanation = {}
         load(opts: opts, config_file: config_file)
       end
 
@@ -78,11 +113,12 @@ module CemAcpt
 
       # Load the configuration from the environment variables, config file, and opts
       # The order of precedence is:
-      #   1. environment variables
-      #   2. user config file (config.yaml in user_config_dir)
-      #   3. specified config file (if it exists)
-      #   4. opts
-      #   5. static options (set in this class)
+      #   1. static options (set in this class)
+      #   2. Runtime options
+      #   3. Runtime config file
+      #   4. User config file
+      #   5. Environment variables
+      #   6. Defaults
       # @param opts [Hash] The options to load
       # @param config_file [String] The config file to load
       # @return [self] This object with the config loaded
@@ -92,9 +128,24 @@ module CemAcpt
         add_env_vars!(@config)
         @config.deep_merge!(user_config, **DEEP_MERGE_OPTS) if user_config && @load_user_config
         @config.deep_merge!(config_from_file, **DEEP_MERGE_OPTS) if config_from_file
-        @config.deep_merge!(@options, **DEEP_MERGE_OPTS) if @options
+        if @options
+          @config.deep_merge!(@options, **DEEP_MERGE_OPTS)
+          @options.each do |key, _value|
+            add_config_explanation(key, "runtime option")
+          end
+        end
         add_static_options!(@config)
+        # Run the load hook if it is defined. This allows child classes to modify the config after it has been loaded
+        # but before it is validated and frozen.
+        block = self.class.load_hook
+        instance_eval(&block) if block
         @config.format! # Symbolize keys of all hashes
+        # Remove any keys that are not in the valid keys list for this config. This prevents invalid config options
+        # from being set.
+        @config.select! { |key, _| valid_keys.include?(key) }
+        # Wrap secrets in the config with the Secret class to prevent them from being accidentally printed in logs
+        # or error messages. WARNING: Secrets can leak from Terraform logging.
+        wrap_secrets!
         validate_config!
         @dot_key_cache = {}
         # Freeze the config so it can't be modified
@@ -106,21 +157,9 @@ module CemAcpt
 
       # Returns a string representation of how the config was loaded
       def explain
-        explanation = {}
-        %i[defaults env_vars user_config config_from_file options].each do |source|
-          source_vals = send(source).dup
-          next if source_vals.nil? || source_vals.empty?
-
-          # The loop below will overwrite the value of explanation[key] if the same key is found in multiple sources
-          # This is intentional, as the last source to set the value is the one that should be used
-          source_vals.each do |key, value|
-            explanation[key] = source if @config.dget(key.to_s) == value
-          end
-        end
-        explained = explanation.each_with_object([]) do |(key, value), ary|
-          ary << "Key '#{key}' from source '#{value}'"
-        end
-        explained.join("\n")
+        @explanation.each_with_object([]) { |(key, values), ary|
+          ary << "#{key}:\n  -->#{values.join("\n  -->")}"
+        }.join("\n")
       end
 
       def [](key)
@@ -166,17 +205,24 @@ module CemAcpt
       end
       alias quiet? quiet_mode?
 
-      def to_yaml
-        @config.to_yaml
+      def to_yaml(expose_secrets: false)
+        return @config.to_yaml unless @config.key?(:secrets)
+
+        serializable_secrets = @config[:secrets].transform_values { |v| v.is_a?(Secret) ? (expose_secrets ? v.value : v.to_s) : v }
+        @config.merge(secrets: serializable_secrets).to_yaml
       end
 
-      def to_json(*args)
-        @config.to_json(*args)
+      def to_json(*args, expose_secrets: false)
+        return @config.to_json(*args) unless @config.key?(:secrets)
+
+        serializable_secrets = @config[:secrets].transform_values { |v| v.is_a?(Secret) ? (expose_secrets ? v.value : v.to_s) : v }
+        @config.merge(secrets: serializable_secrets).to_json(*args)
       end
 
       private
 
       attr_reader :options
+      attr_writer :config
 
       def user_config_dir
         @user_config_dir ||= File.join(Dir.home, '.cem_acpt')
@@ -206,11 +252,20 @@ module CemAcpt
         env_var.sub('CEM_ACPT_', '').gsub(%r{__}, '.').downcase
       end
 
+      def add_config_explanation(key, source)
+        @explanation[key] ||= []
+        @explanation[key] << source unless @explanation[key].include?(source)
+      end
+
       def add_static_options!(config)
         config.dset('user_config.dir', user_config_dir)
+        add_config_explanation('user_config.dir', 'static value')
         config.dset('user_config.file', user_config_file)
+        add_config_explanation('user_config.file', 'static value')
         config.dset('provisioner', 'terraform')
+        add_config_explanation('provisioner', 'static value')
         config.dset('terraform.dir', terraform_dir)
+        add_config_explanation('terraform.dir', 'static value')
         set_third_party_env_vars!(config)
       end
 
@@ -221,10 +276,13 @@ module CemAcpt
       def set_third_party_env_vars!(config)
         if ENV['RUNNER_DEBUG'] == '1'
           config.dset('log_level', 'debug')
+          add_config_explanation('log_level', "environment variable 'RUNNER_DEBUG' (static value)")
           config.dset('verbose', true)
+          add_config_explanation('verbose', "environment variable 'RUNNER_DEBUG' (static value)")
         end
         return unless ENV['GITHUB_ACTIONS'] == 'true' || ENV['CI'] == 'true'
         config.dset('ci_mode', true)
+        add_config_explanation('ci_mode', "environment variable 'GITHUB_ACTIONS' or 'CI' (static value)")
       end
 
       # Used to source the config during loading of config files.
@@ -253,6 +311,9 @@ module CemAcpt
         # Set the parameterized defaults
         config_file = ENV["#{env_var_prefix}_CONFIG_FILE"] if config_file.nil?
         @config.dset('config_file', config_file) if config_file
+        @config.each do |key, _value|
+          add_config_explanation(key, "default value")
+        end
         @options = opts || {}
       end
 
@@ -267,6 +328,7 @@ module CemAcpt
           next unless valid_keys.include?(key.split('.').first.to_sym) # Skip if the key is not a known config key
           @env_vars[key] = value
           config.dset(key, value)
+          add_config_explanation(key, "environment variable '#{env_var}'")
         end
       end
 
@@ -282,15 +344,14 @@ module CemAcpt
         @user_config
       end
 
-      # def config_from_file
-      #   {}
-      # end
-
       def load_config_file(config_file)
         return {} if config_file.nil? || config_file.empty? || !File.exist?(File.expand_path(config_file))
 
         loaded = load_yaml(config_file)
         loaded.format!
+        loaded.each do |key, _value|
+          add_config_explanation(key, "config file '#{File.expand_path(config_file)}'")
+        end
         loaded
       end
 
@@ -300,7 +361,7 @@ module CemAcpt
         conf_file = find_option('config_file')
         return {} if conf_file.nil? || conf_file.empty?
 
-        unless conf_file
+        unless conf_file.is_a?(String)
           warn "Invalid config_file type '#{conf_file.class}'. Must be a String."
           return {}
         end
@@ -329,6 +390,12 @@ module CemAcpt
         end
       end
 
+      def wrap_secrets!
+        return unless @config.key?(:secrets)
+
+        @config[:secrets].merge!(@config[:secrets]) { |key, value, _| Secret.new(key, value) }
+      end
+
       def validate_config!
         return unless @config && !valid_keys.empty?
 
@@ -345,10 +412,18 @@ module CemAcpt
       def create_terraform_dir!
         raise 'Cannot create terraform dir without a user config dir' unless Dir.exist? user_config_dir
 
+        checksum = nil
         if File.exist?(module_terraform_checksum_file)
           checksum = File.read(module_terraform_checksum_file).strip
           return if checksum == module_terraform_checksum
         end
+        if checksum
+          warn 'Updating local terraform files with latest from gem...'
+          warn "Old checksum: #{checksum}"
+          warn "New checksum: #{module_terraform_checksum}"
+        else
+          warn 'Copying terraform files to local config...'
+        end
         module_terraform_dir = File.expand_path(File.join(__dir__, '..', '..', 'terraform'))
         FileUtils.rm_rf(File.join(user_config_dir, 'terraform'))
         FileUtils.cp_r(module_terraform_dir, user_config_dir)

data/lib/cem_acpt/config/cem_acpt.rb

@@ -44,7 +44,7 @@ module CemAcpt
           quiet: false,
           test_data: {
             for_each: {
-              collection: %w[puppet7 puppet8],
+              collection: %w[puppet8],
             },
             vars: {},
             name_pattern_vars: %r{^(?<framework>[a-z]+)_(?<image_fam>[a-z0-9-]+)_(?<firewall>[a-z]+)_(?<framework_vars>[-_a-z0-9]+)$},

data/lib/cem_acpt/config/cem_acpt_image.rb

@@ -12,8 +12,15 @@ module CemAcpt
         images
         image_name_filter
         no_build_images
+        node_data
       ].freeze
 
+      # Uses the load hook to filter the images based on the image_name_filter config option.
+      load_hook do
+        self.config[:images].delete_if { |k, _| !k.match(self.config[:image_name_filter]) }
+        self.add_config_explanation('images', "filtered by 'image_name_filter' config option")
+      end
+
       def env_var_prefix
         'CEM_ACPT_IMAGE'
       end
@@ -35,6 +42,7 @@ module CemAcpt
           log_format: 'text',
           no_destroy_nodes: false,
           no_ephemeral_ssh_key: false,
+          node_data: {},
           platform: {
             name: 'gcp',
           },

data/lib/cem_acpt/image_builder/provision_commands.rb

@@ -50,14 +50,12 @@ module CemAcpt
           commands = []
           # Replace the commented out username and password lines with the actual username and password
           # This is necessary to access the private Puppet platform repository
-          # 
+          #
           # Updating the username first
           commands.push("sudo sed -i 's/^.*#username=.*$/username=forge-key/' /etc/yum.repos.d/puppet#{@puppet_version}-release.repo")
 
           # Updating the password next
-          # The password is from the environment variable PUPPET_AUTH_TOKEN
-          # "sudo sed -i 's/#password=/password=#{ENV['PUPPET_AUTH_TOKEN']}/' /etc/yum.repos.d/puppet#{@puppet_version}-release.repo"
-          commands.push("sudo sed -i 's/^.*#password=.*$/password=$PUPPET_AUTH_TOKEN/' /etc/yum.repos.d/puppet#{@puppet_version}-release.repo")
+          commands.push("sudo sed -i \"s/^.*#password=.*$/password=$PUPPET_AUTH_TOKEN/\" /etc/yum.repos.d/puppet#{@puppet_version}-release.repo")
           commands
         end
 
@@ -122,9 +120,9 @@ module CemAcpt
 
         def set_repo_username_and_password
           commands = []
-          # This is necessary to access the private Puppet platform repository 
+          # This is necessary to access the private Puppet platform repository
           # Modifying the conf file at /et/apt/auth.conf.d/puppetcore.conf by adding the username and password
-          
+
           # Adding the server URL
           commands.push("sudo echo machine apt-puppetcore.puppet.com | sudo tee /etc/apt/auth.conf.d/apt-puppetcore-puppet.conf > /dev/null")
           # Adding the username

data/lib/cem_acpt/image_builder.rb

@@ -61,6 +61,9 @@ module CemAcpt
         image_types = []
         image_types << [@linux_tfvars, 'linux'] unless no_linux?
         image_types << [@windows_tfvars, 'windows'] unless no_windows?
+        if image_types.empty?
+          raise 'No images to build. Ensure the images config is populated and that --filter (if used) matches at least one image.'
+        end
         return dry_run(image_types) if @config.get('dry_run')
 
         @working_dir = new_working_dir
@@ -75,8 +78,10 @@ module CemAcpt
             terraform_apply(os_str, DEFAULT_PLAN_NAME)
             output = JSON.parse(terraform_output(os_str, 'node-data', json: true))
             output.each do |instance_name, data|
-              logger.info('CemAcpt::ImageBuilder') { "Stopping instance #{instance_name}..." }
-              @exec.run('compute', 'instances', 'stop', instance_name)
+              unless @config.get('no_destroy_nodes')
+                logger.info('CemAcpt::ImageBuilder') { "Stopping instance #{instance_name}..." }
+                @exec.run('compute', 'instances', 'stop', instance_name)
+              end
               unless @config.get('no_build_images')
                 deprecate_old_images_in_family(data['image_family'])
                 create_image_from_disk(data['disk_link'], image_name_from_image_family(data['image_family']), data['image_family'])
@@ -210,8 +215,6 @@ module CemAcpt
       end
 
       def terraform_init
-        raise 'Cannot initialize Terraform, both no_linux and no_windows are true' if no_linux? && no_windows?
-
         logger.debug('CemAcpt::ImageBuilder') { 'Initializing Terraform' }
         in_os_dir('linux') do
           terraform.init({ input: false, no_color: true })
@@ -225,7 +228,7 @@ module CemAcpt
         in_os_dir(os_dir) do
           logger.debug('CemAcpt::ImageBuilder') { "Creating Terraform plan #{plan_name} for #{os_dir}" }
           logger.verbose('CemAcpt::ImageBuilder') { "Using vars:\n#{JSON.pretty_generate(tfvars)}" }
-          terraform.plan({ input: false, no_color: true, plan: plan_name, vars: tfvars }, { environment: environment })
+          terraform.plan({ input: false, no_color: true, plan: plan_name, vars: terraform_vars(tfvars) }, { environment: environment })
         end
       end
 
@@ -247,7 +250,7 @@ module CemAcpt
         in_os_dir(os_dir) do
           logger.debug('CemAcpt::ImageBuilder') { "Destroying Terraform resources for #{os_dir}" }
           logger.verbose('CemAcpt::ImageBuilder') { "Using vars:\n#{JSON.pretty_generate(tfvars)}" }
-          terraform.destroy({ auto_approve: true, input: false, no_color: true, vars: tfvars }, { environment: environment })
+          terraform.destroy({ auto_approve: true, input: false, no_color: true, vars: terraform_vars(tfvars) }, { environment: environment })
         end
       end
 
@@ -258,17 +261,35 @@ module CemAcpt
         end
       end
 
+      # Keys in node_data that are passed to Terraform. Other keys are used only for Ruby-side logic.
+      TERRAFORM_NODE_DATA_KEYS = %i[image_family machine_type max_run_duration base_image disk_size provision_commands].freeze
+
+      # Returns a copy of tfvars safe to pass directly to TerraformCmd:
+      # - Secret values are unwrapped to their plain string values
+      # - node_data entries are filtered to only the keys defined in the Terraform variable type
+      def terraform_vars(tfvars)
+        result = tfvars.transform_values do |v|
+          v.is_a?(CemAcpt::Config::Secret) ? v.value : v
+        end
+        result[:node_data] = result[:node_data].transform_values do |node|
+          node.slice(*TERRAFORM_NODE_DATA_KEYS)
+        end
+        result
+      end
+
       # @return [Hash] A hash of the Terraform variables to use
       def new_tfvars(config)
+        if !config.has?('secrets.puppet_auth_token')
+          raise ArgumentError, 'Missing required config value: secrets.puppet_auth_token'
+        end
         tfvars = { node_data: {} }
         private_key, public_key, _ = new_ephemeral_ssh_keys
         tfvars[:private_key] = private_key if private_key
         tfvars[:public_key] = public_key if public_key
+        tfvars[:puppet_auth_token] = config.get('secrets.puppet_auth_token')
         config.get('images').each do |image_name, image|
-          next if config.get('image_name_filter')&.respond_to?(:match?) && !config.get('image_name_filter').match?(image_name)
-
           platform = new_platform(config, **tfvars)
-          tfvars.merge!(platform.platform_data)
+          tfvars = platform.platform_data.merge(tfvars)
           provision_commands = CemAcpt::ImageBuilder::ProvisionCommands.provision_commands(
             config,
             image_name: image_name,