Heat puppet module isn't HA aware

Bug #1285381 reported by Louis Watta
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Cisco Openstack | New | Undecided | Unassigned |
puppet-heat | Fix Released | Undecided | Unassigned |

Bug Description

I'm having issues with the heat puppet module. It appears that the auth_encryption_key gets set differently on all the mgmt nodes.

I've found the offending code in modules/heat/manifests/engine.pp. Looks like the module generates the key on its own, which is not good for a multiple controller environment. It then gets better. Every time puppet runs it either finds "%ENCRYPTION_KEY%" and updates the key or it sticks %ENCRYPTION_KEY% back in heat.conf. It's a merry-go-round of fun :-)

It would probably be best to simply expose auth_encryption_key to be set by the puppet admin or default it to a string.

  service { 'heat-engine':
    ensure => $service_ensure,
    name => $::heat::params::engine_service_name,
    enable => $enabled,
    hasstatus => true,
    hasrestart => true,
    require => [ File['/etc/heat/heat.conf'],
                    Exec['heat-encryption-key-replacement'],
                    Package['heat-common'],
                    Package['heat-engine']],
    subscribe => Exec['heat-dbsync'],
  }

  exec {'heat-encryption-key-replacement':
#/// Hello. on my own I'm not a bad piece of code but in this context I'm dangerous ///
    command => 'sed -i".bak" "s/%ENCRYPTION_KEY%/`hexdump -n 16 -v -e \'/1 "%02x"\' /dev/random`/" /etc/heat/heat.conf',
    path => [ '/usr/bin', '/bin'],
    onlyif => 'grep -c %ENCRYPTION_KEY% /etc/heat/heat.conf',
    require => File['/etc/heat/heat.conf'],
  }

  heat_config {
#/// Below it gets even better. We can't check to see if Encryption_key is set to anything but we'll set it anyway :-)
    'DEFAULT/auth_encryption_key' : value => '%ENCRYPTION_KEY%'; # replaced above
    'DEFAULT/heat_stack_user_role' : value => $heat_stack_user_role;
    'DEFAULT/heat_metadata_server_url' : value => $heat_metadata_server_url;
    'DEFAULT/heat_waitcondition_server_url': value => $heat_waitcondition_server_url;
    'DEFAULT/heat_watch_server_url' : value => $heat_watch_server_url;
  }

Xav Paice (xavpaice) wrote :

auth_encryption_key is exposed in engine.pp and easily set now - this is an old ticket and I'm pretty sure from looking at engine.pp that the original issue is long resolved, so I'll mark it as fix released.

The encryption_key is enforced, but if you declare it in heat::engine then you get a consistent result across cluster nodes.

Changed in puppet-heat:
status: New → Fix Released
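
A consistency check for the condition described in this report, as an added example that is not part of the original report or the puppet-heat module: it compares DEFAULT/auth_encryption_key across copies of heat.conf gathered from each controller and reports unset, placeholder or mismatched values by fingerprint only, never the key itself. The node names and key values in SAMPLE are constructed.

```python
import configparser
import hashlib

PLACEHOLDER = "%ENCRYPTION_KEY%"  # literal token the manifest writes into heat.conf


def read_key(conf_text):
    """Return DEFAULT/auth_encryption_key from heat.conf text, or None if absent."""
    parser = configparser.RawConfigParser(strict=False)  # raw: '%' is not interpolated
    parser.read_string(conf_text)
    return parser.defaults().get("auth_encryption_key")


def audit(confs):
    """confs maps node name -> heat.conf text. Returns a list of (node, finding)."""
    findings, digests = [], {}
    for node, text in sorted(confs.items()):
        key = read_key(text)
        if key is None:
            findings.append((node, "unset"))
        elif key == PLACEHOLDER:
            findings.append((node, "placeholder"))
        else:
            # Fingerprint the key so the report can be shared without leaking it.
            digests[node] = hashlib.sha256(key.encode()).hexdigest()[:12]
    if len(set(digests.values())) > 1:
        for node, digest in sorted(digests.items()):
            findings.append((node, "mismatch:" + digest))
    return findings


# Constructed sample: two controllers with independently generated keys and one
# caught mid-cycle with the placeholder still in place.
SAMPLE = {
    "ctl1": "[DEFAULT]\nauth_encryption_key = 00112233445566778899aabbccddeeff\n",
    "ctl2": "[DEFAULT]\nauth_encryption_key = ffeeddccbbaa99887766554433221100\n",
    "ctl3": "[DEFAULT]\nauth_encryption_key = %ENCRYPTION_KEY%\n",
}

if __name__ == "__main__":
    for node, finding in audit(SAMPLE):
        print(node, finding)
```

An empty result means every node carries the same non-placeholder key.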