puppet-keystone fails to manage service users in multi-domain mode

puppet-nova, for example, as well as puppet-glance, attempt to create users when configure_user => true. A first run will succeed in user creation, but subsequent runs will fail.

User creation is done with the keystone_user type. When API v3 is employed with multi-domain support enabled, puppet prefetch method fails to apply the --domain default argument, failing to detect the presence of the users. It will then attempt to create the user again, which will fail.

    Debug: Prefetching openstack resources for keystone_user
    Debug: Executing '/usr/bin/openstack user list --quiet --format csv --long'
    Error: Could not prefetch keystone_user provider 'openstack': Could not authenticate.
    Debug: Executing '/usr/bin/openstack user create --format shell nova --enable --password password --email nova@localhost --domain default'
    Error: Execution of '/usr/bin/openstack user create --format shell nova --enable --password password --email nova@localhost --domain default' returned 1: ERROR: open
    stack Conflict occurred attempting to store user - Duplicate Entry (HTTP 409) (Request-ID: req-ef63b595-d9ae-481b-8425-b942c6ddca58)
    Error: /Stage[main]/Nova::Keystone::Auth/Keystone::Resource::Service_identity[nova service, user nova]/Keystone_user[nova]/ensure: change from absent to present fail
    ed: Execution of '/usr/bin/openstack user create --format shell nova --enable --password password --email nova@localhost --domain default' returned 1: ERROR: openstack Conflict occurred attempting to store user - Duplicate Entry (HTTP 409) (Request-ID: req-ef63b595-d9ae-481b-8425-b942c6ddca58)

Note this also affects other resource types like keystone_user_role and keystone_endpoint

    Debug: Prefetching openstack resources for keystone_role
    Debug: Executing '/usr/bin/openstack role list --quiet --format csv'
    Debug: Executing '/usr/bin/openstack project list --quiet --format csv --long'
    Debug: Executing '/usr/bin/openstack user list --quiet --format csv --long'
    Error: /Stage[main]/Systems_openstack_controller::Keystone/Keystone_user_role[csa@services]: Could not evaluate: Could not authenticate.
    Debug: Prefetching openstack resources for keystone_endpoint
    Debug: Executing '/usr/bin/openstack endpoint list --quiet --format csv --long'
    Debug: Executing '/usr/bin/openstack project list --quiet --format csv --long'
    Debug: Executing '/usr/bin/openstack user list --quiet --format csv --long'
    Error: /Stage[main]/Systems_openstack_controller::Keystone/Keystone_user_role[csa@csa]: Could not evaluate: Could not authenticate.
    Debug: Executing '/usr/bin/openstack project list --quiet --format csv --long'
    Debug: Executing '/usr/bin/openstack user list --quiet --format csv --long'
    Error: /Stage[main]/Systems_openstack_controller::Keystone/Keystone_user_role[csa@admin]: Could not evaluate: Could not authenticate.
    Notice: /Stage[main]/Systems_openstack_controller::Glance/Keystone_user_role[glance@services]: Dependency Keystone_user_role[csa@csa] has failures: true
    Notice: /Stage[main]/Systems_openstack_controller::Glance/Keystone_user_role[glance@services]: Dependency Keystone_user_role[csa@admin] has failures: true
    Notice: /Stage[main]/Systems_openstack_controller::Glance/Keystone_user_role[glance@services]: Dependency Keystone_user_role[csa@services] has failures: true
    Warning: /Stage[main]/Systems_openstack_controller::Glance/Keystone_user_role[glance@services]: Skipping because of failed dependencies