dev/provisioning/modules/elasticsearch/manifests/shield/role.pp
changeset 406 cf0f23803a53
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/dev/provisioning/modules/elasticsearch/manifests/shield/role.pp	Wed Nov 09 15:05:41 2016 +0100
@@ -0,0 +1,76 @@
+# == Define: elasticsearch::shield::role
+#
+# Manage shield roles.
+#
+# === Parameters
+#
+# [*ensure*]
+#   Whether the role should be present or not.
+#   Set to 'absent' to ensure a role is not present.
+#   Value type is string
+#   Default value: present
+#   This variable is optional
+#
+# [*privileges*]
+#   A hash of permissions defined for the role. Valid privilege settings can
+#   be found in the Shield documentation:
+#   https://www.elastic.co/guide/en/shield/current/index.html
+#   Value type is hash
+#   Default value: {}
+#
+# [*mappings*]
+#   A list of optional mappings defined for this role.
+#   Value type is array
+#   Default value: []
+#
+# === Examples
+#
+# # Creates and manages the role 'power_user' mapped to an LDAP group.
+# elasticsearch::shield::role { 'power_user':
+#   privileges => {
+#     'cluster' => 'monitor',
+#     'indices' => {
+#       '*' => 'all',
+#     },
+#   },
+#   mappings => [
+#     "cn=users,dc=example,dc=com",
+#   ],
+# }
+#
+# === Authors
+#
+# * Tyler Langlois <mailto:tyler@elastic.co>
+#
+define elasticsearch::shield::role (
+  $ensure     = 'present',
+  $privileges = {},
+  $mappings   = [],
+) {
+  validate_string($ensure)
+  validate_hash($privileges)
+  validate_array($mappings)
+  validate_slength($name, 30, 1)
+
+  if empty($privileges) or $ensure == 'absent' {
+    $_role_ensure = 'absent'
+  } else {
+    $_role_ensure = $ensure
+  }
+
+  if empty($mappings) or $ensure == 'absent' {
+    $_mapping_ensure = 'absent'
+  } else {
+    $_mapping_ensure = $ensure
+  }
+
+  elasticsearch_shield_role { $name :
+    ensure     => $_role_ensure,
+    privileges => $privileges,
+  }
+
+  elasticsearch_shield_role_mapping { $name :
+    ensure   => $_mapping_ensure,
+    mappings => $mappings,
+  }
+}
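Review bot: `validate_string($ensure)` accepts any string, so a mistyped value falls into both `else` branches and is handed unchecked to `elasticsearch_shield_role` and `elasticsearch_shield_role_mapping`. Since this resource controls authorization, I would pin it with `validate_re($ensure, '^(present|absent)$')`. Separately, the `if empty($privileges)` branch turns a declaration without privileges into `ensure => 'absent'`, which presumably removes an existing role. A declaration that has mappings but no privileges therefore keeps a mapping to a role this define marks absent. The parameter documentation mentions neither case, so I would add under `[*privileges*]` a line such as `#   An empty hash removes the role, even when ensure is 'present'.`, or fail outright when mappings are given without privileges.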