There are a couple of things you could do to approach this problem which will make your code better in the long run.
- Use the stdlib library which has improved string comparison operations, such as `versioncmp()`. It will work properly with version strings that have decimals and letters.

  ```puppet
  if versioncmp($::puppetversion, '3.0.0') < 0 {
    fail("foobar requires puppet 3.0.0 or greater, found: \'${::puppetversion}\'")
  }
  ```
- Don't do your conditional statements inside of your resource. At the very least split them out so they are at the top of your manifest. (Untested code)

  ```puppet
  # Pass the variable itself: single-quoted '$openssl' is the literal
  # string "$openssl" and is never interpolated.
  if versioncmp($openssl, '1.1.3e') < 0 {
    $openssl_version = '42'
  }

  package { 'openssl':
    ensure => $openssl_version,
  }
  ```
Though, you have to ask yourself, is this really what you want to do? Puppet best practices are that your business requirements should not be part of your base modules. They should be abstracted to roles/profiles modules or with hiera. You may be better off with the following options.
A. Just make sure all your servers are up to date

```puppet
package { 'openssl':
  ensure => latest,
}
```
B. If you have some nodes that just must use an older/insecure version, then make a parameterized class and override the `openssl_version` parameter with hiera or role/profile.
Additional information
- https://puppetlabs.com/blog/patching-heartbleed-openssl-vulnerability-puppet-enterprise
- http://garylarizza.com/blog/2014/02/17/puppet-workflow-part-2/
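
Option B above, sketched as an added example that is not part of the original answer: the class name `profile::openssl`, the node file name and the `<pinned-version>` placeholder are assumptions. The default stays `latest`, and any node held back on an older build is an explicit entry in Hiera data, so exceptions can be listed and reviewed in one place.

```puppet
# Hypothetical profile class (name is an assumption, not from the answer).
# The version policy is a parameter; no conditionals live inside the resource.
class profile::openssl (
  $openssl_version = 'latest',   # default: keep every node patched
) {
  package { 'openssl':
    ensure => $openssl_version,
  }
}

# Exception for a single node, supplied through Hiera automatic parameter
# lookup. Constructed example file: data/nodes/legacy01.example.com.yaml
#
#   profile::openssl::openssl_version: '<pinned-version>'
#
# Nodes without such a key fall through to the 'latest' default.

# In the node's role or site manifest:
include profile::openssl
```

Searching the Hiera data for `profile::openssl::openssl_version` then shows every node that is deliberately running a pinned OpenSSL package.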