We're using puppet + puppetdb in an EC2 environment where nodes come and go quite regularly. We have a custom autosign script that uses ec2 security info to validate the nodes before allowing the autosigning. This is all good, but it can leave a lot of "dead" nodes in puppet, eg. if a bunch of nodes are created by an autoscale policy and then terminated.
To get rid of these zombie nodes from puppet/puppetdb we can just use:
puppet node deactivate <certname1> <certname2> ... <certnameN>
We can query puppetdb to get a list of nodes that have not sent puppet reports for, say, 24 hours. The puppetdb query we need is something like this:
'query=["<", "report-timestamp", "$cutoff_date"]'
where $cutoff_date is a date in ISO8601 format, eg. 2015-03-05T13:39:45+0000
We can use date to generate the cutoff date with something like this:
$cutoff_date=$(date -d '-1 day' -Isec)
We then plug this into the query string and send it with curl as follows:
curl --silent -G 'http://localhost:8080/v4/nodes' \ --data-urlencode "query=[\"<\", \"report-timestamp\", \"$(date -d '-1 day' -Isec)\"]"
Finally, we filter through jq to get a list of certnames:
curl --silent -G 'http://localhost:8080/v4/nodes' \ --data-urlencode "query=[\"<\", \"report-timestamp\", \"$(date -d '-1 day' -Isec)\"]" \ | jq '..certname'
We can then pass the list of nodes to the "puppet node deactivate" command.