@tuxmea
Created June 20, 2019 09:54
puppetlabs-accounts remove user with ssh key not in home
diff --git a/manifests/key_management.pp b/manifests/key_management.pp
index 6171151..091afc5 100644
--- a/manifests/key_management.pp
+++ b/manifests/key_management.pp
@@ -22,6 +22,7 @@
# @api private
#
define accounts::key_management(
+ Enum['present','absent'] $ensure = 'present',
String $user,
String $group,
Optional[String] $user_home = undef,
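Review bot: The added `$ensure` parameter carries a default yet is placed ahead of the required `String $user` and `String $group`, which puppet-lint's parameter_order check flags; the usual convention is required parameters first, so move the new line below the last required one. The `# @api private` header just above suggests a `@param` doc block that sits outside this hunk, and no doc line for the new parameter is added; add `# @param ensure Whether the key file and the keys in it are created ('present') or removed ('absent')` next to the existing parameter docs. The rest of the define's parameter list continues past the hunk.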
@@ -31,11 +32,13 @@ define accounts::key_management(
) {
if $user_home {
- file { "${user_home}/.ssh":
- ensure => directory,
- owner => $user,
- group => $group,
- mode => '0700',
+ if $ensure == 'present' {
+ file { "${user_home}/.ssh":
+ ensure => directory,
+ owner => $user,
+ group => $group,
+ mode => '0700',
+ }
}
}
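Review bot: When `$ensure` is `absent` this branch now declares nothing at all for `${user_home}/.ssh`, and nothing in the hunk records what is expected to remove that directory; if the intent is that it disappears with the home directory (the user.pp ordering in this patch suggests so, but that is not visible here), a reader should not have to guess. Add a comment on the new `if`, e.g. `# absent: .ssh is left to the home-directory removal; only the key file is handled below`, or an explicit `else` branch that states the expectation. The enclosing define continues beyond the hunk on both sides.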
@@ -47,26 +50,37 @@ define accounts::key_management(
err(translate('Either user_home or sshkey_custom_path must be specified'))
}
+ if $ensure == 'present' {
+ $key_file_ensure = 'file'
+ $key_file_before = undef
+ } else {
+ $key_file_ensure = 'absent'
+ $key_file_before = [User[$user], Group[$group]]
+ }
file { $key_file:
- ensure => file,
+ ensure => $key_file_ensure,
owner => $user,
group => $group,
mode => '0600',
+ before => $key_file_before,
}
if $sshkeys != [] {
- if $user_home {
- $requires = [File["${user_home}/.ssh"], File[$key_file]]
- } else {
- $requires = [File[$key_file]]
- }
- $sshkeys.each |$sshkey| {
- accounts::manage_keys { "${sshkey} for ${user}":
- keyspec => $sshkey,
- user => $user,
- key_owner => $sshkey_owner,
- key_file => $key_file,
- require => $requires,
+ if $ensure == 'present' {
+ if $user_home {
+ $requires = [File["${user_home}/.ssh"], File[$key_file]]
+ } else {
+ $requires = [File[$key_file]]
+ }
+ $sshkeys.each |$sshkey| {
+ accounts::manage_keys { "${sshkey} for ${user}":
+ ensure => $ensure,
+ keyspec => $sshkey,
+ user => $user,
+ key_owner => $sshkey_owner,
+ key_file => $key_file,
+ require => $requires,
+ }
}
}
}
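Review bot: In the `absent` branch the whole `$key_file` is deleted (`ensure => absent`) regardless of whether it lives in the user's own home or at `sshkey_custom_path`; a custom path is passed from user.pp with `user => $sshkey_owner`, so it appears to belong to another principal and may be shared, in which case purging one account removes every key in that file and can lock other principals out. The `before => [User[$user], Group[$group]]` list also hard-requires both resources to be in the catalog, which I would expect to fail compilation when `$user` is an unmanaged key owner or the group is not managed — worth confirming. Note too that the `$sshkeys.each` loop is now gated on `present`, so `accounts::manage_keys` is never called with `ensure => absent` from here even though that value is passed through. I would delete the file outright only for the own-home case and otherwise remove just this user's entries through manage_keys, as sketched below; the define's head and tail lie outside this hunk.
```puppet
  if $ensure == 'present' {
    $key_file_ensure = 'file'
    $key_file_before = undef
  } elsif $user_home {
    # Own home directory: the whole authorized_keys file belongs to this user.
    $key_file_ensure = 'absent'
    $key_file_before = [User[$user], Group[$group]]
  } else {
    # Custom path may be shared with other principals: keep the file and
    # remove only this user's entries via accounts::manage_keys below.
    $key_file_ensure = 'file'
    $key_file_before = undef
  }
  # … unchanged: file { $key_file: … } …
  if $sshkeys != [] and ($ensure == 'present' or $user_home == undef) {
    # … unchanged: $requires computation and the manage_keys loop, which already passes ensure => $ensure …
  }
```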
diff --git a/manifests/manage_keys.pp b/manifests/manage_keys.pp
index f426750..1bcbb29 100644
--- a/manifests/manage_keys.pp
+++ b/manifests/manage_keys.pp
@@ -13,6 +13,7 @@
# @api private
#
define accounts::manage_keys(
+ Enum['absent','present'] $ensure = 'present',
String $keyspec,
String $user,
String $key_file,
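Review bot: The new `$ensure` parameter is inserted with a default ahead of the required `$keyspec`, `$user` and `$key_file` parameters, which puppet-lint's parameter_order check reports; put it after the last required parameter to match the module's other defines. No `@param ensure` documentation is added for it, although the `# @api private` header above points to a documented parameter list outside the hunk; add `# @param ensure Whether the ssh_authorized_key entry is present or absent`. The parameter list continues beyond the hunk.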
@@ -35,8 +36,11 @@ define accounts::manage_keys(
$key_title = "${user}_${key_type}_${key_name}"
+ if $ensure == 'absent' {
+ Ssh_authorized_key[$key_title] -> User[$user]
+ }
ssh_authorized_key { $key_title:
- ensure => present,
+ ensure => $ensure,
user => $key_owner,
key => $key_content,
type => $key_type,
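Review bot: The added ordering `Ssh_authorized_key[$key_title] -> User[$user]` references `User[$user]` unconditionally in the `absent` case, while the key resource itself is declared against `$key_owner` (`user => $key_owner`); when the two differ, `User[$user]` may not be in the catalog and the relationship would fail compilation rather than order anything, so either guard it or document that callers must manage `$user`. As submitted, key_management only instantiates this define inside its `present` branch, so the `absent` path here appears unreachable and untested; if that is intentional, say so in a comment, e.g. `# absent is currently only reachable when a caller removes keys without deleting the key file`. Consider expressing the dependency as `before => User[$user]` on the resource itself so it sits next to the `ensure` it belongs to. The `ssh_authorized_key` resource continues past the end of the hunk.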
diff --git a/manifests/user.pp b/manifests/user.pp
index f33b0cc..11c4ac1 100644
--- a/manifests/user.pp
+++ b/manifests/user.pp
@@ -292,30 +292,48 @@ define accounts::user(
forward_source => $forward_source,
user => $name,
group => $group,
- require => [ User[$name] ],
+ }
+ accounts::key_management { "${name}_key_management":
+ ensure => $ensure,
+ user => $name,
+ group => $group,
+ user_home => $_home,
+ sshkeys => $sshkeys,
+ sshkey_owner => $sshkey_owner,
+ sshkey_custom_path => $sshkey_custom_path,
}
if ( $ensure == 'present' ) {
- accounts::key_management { "${name}_key_management":
- user => $name,
- group => $group,
- user_home => $_home,
- sshkeys => $sshkeys,
- sshkey_owner => $sshkey_owner,
- sshkey_custom_path => $sshkey_custom_path,
- require => Accounts::Home_dir[$_home]
- }
+ User[$name]
+ -> Accounts::Home_dir[$_home]
+ -> Accounts::Key_management["${name}_key_management"]
+ } else {
+ # When purging users, we must first remove homedir and ssh key prior removing user
+ Accounts::Key_management["${name}_key_management"]
+ -> Accounts::Home_dir[$_home]
+ -> User[$name]
}
} elsif $sshkeys != [] {
# We are not managing the user's home directory but we have specified a
# custom, non-home directory for the ssh keys.
- if (($sshkey_custom_path != undef) and ($ensure == 'present')) {
+ if ($sshkey_custom_path != undef) {
accounts::key_management { "${name}_key_management":
+ ensure => $ensure,
user => $sshkey_owner,
group => $group,
sshkeys => $sshkeys,
sshkey_owner => $sshkey_owner,
sshkey_custom_path => $sshkey_custom_path,
}
+ if ( $ensure == 'present' ) {
+ User[$name]
+ -> Accounts::Home_dir[$_home]
+ -> Accounts::Key_management["${name}_key_management"]
+ } else {
+ # When purging users, we must first remove homedir and ssh key prior removing user
+ Accounts::Key_management["${name}_key_management"]
+ -> Accounts::Home_dir[$_home]
+ -> User[$name]
+ }
}
else {
warning(translate('ssh keys were passed for user %{name} but $managehome is set to false; not managing user ssh keys',
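Review bot: The `elsif $sshkeys != []` branch is documented as the case where the home directory is not managed, yet both new ordering chains route through `Accounts::Home_dir[$_home]`; if that resource is only declared in the managed-home branch (which this hunk suggests), referencing it here makes the catalog fail with a missing-resource error whenever a custom key path is used, for both `present` and `absent`. Link the user and the key management directly there: `User[$name] -> Accounts::Key_management["${name}_key_management"]` for present and `Accounts::Key_management["${name}_key_management"] -> User[$name]` for absent. Also note that dropping `$ensure == 'present'` from the custom-path condition now hands `ensure => absent` to key_management with `user => $sshkey_owner`, and key_management in this same patch then deletes the whole custom key file — which may hold other principals' keys. The `accounts::user` define begins before and continues after this hunk.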