Puppet: System Administration Automated

Most Puppet element types have a relatively low number of instances on each host -- users, packages, groups, cron jobs, etc. Many shops will start out by just using Puppet to add items to the list of existing instances, but some shops will want to require that only instances specified by Puppet be allowed to exist.

There needs to be some way to specify that a given element type is managed inclusively by Puppet, meaning that any instance of that type not specified by Puppet should be removed.

This has to be a semantic feature, not a syntactic one, because the compiler will (by definition) not know what elements exist but are not managed by Puppet. Also, it's likely that the feature will need to be per-element type, so that administrators can specify to manage all users on the system but not all packages.

I don't know how this feature would work, but the only thing I can think of is to provide an 'inclusive' parameter to types, and if any instance specifies 'inclusive', then the type itself is inclusive. This seems, um, insanely dangerous, so I'd like to find a better way.

This feature requires Element Listing.
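The proposed semantics, modeled in Ruby as an added example (not Puppet's code or API): a per-instance `inclusive` flag promotes the whole type to inclusive, and the removal plan is the host's element listing minus the declared instances. `Element`, `inclusive_types`, `purge_plan`, and the sample catalog and listing are hypothetical names and constructed data.

```ruby
require 'set'

# Hypothetical model, not Puppet's API. A catalog is a list of declared
# elements; `listing` stands in for what Element Listing reports on the host.
Element = Struct.new(:type, :name, :inclusive)

# A type is inclusive as soon as any declared instance of it sets the flag.
def inclusive_types(catalog)
  catalog.select(&:inclusive).map(&:type).to_set
end

# Returns { type => [names that would be removed] } for inclusive types only.
# Refuses to plan for a type the host cannot enumerate.
def purge_plan(catalog, listing)
  managed = Hash.new { |h, k| h[k] = Set.new }
  catalog.each { |e| managed[e.type] << e.name }

  inclusive_types(catalog).each_with_object({}) do |type, plan|
    existing = listing.fetch(type) do
      raise ArgumentError, "no element listing for #{type}"
    end
    plan[type] = (existing.to_set - managed[type]).sort
  end
end

# Constructed sample data.
CATALOG = [
  Element.new(:user, 'alice', false),
  Element.new(:user, 'deploy', true), # one flag makes all of :user inclusive
  Element.new(:package, 'openssh', false)
].freeze

LISTING = {
  user: %w[root daemon alice deploy bob],
  package: %w[openssh bash coreutils]
}.freeze

PLAN = purge_plan(CATALOG, LISTING)
PLAN.each { |type, names| puts "#{type}: would remove #{names.join(', ')}" }
```

With this data the plan for `:user` contains `root` and `daemon`, because nothing declared them, while `:package` is left alone because no package instance set the flag.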