diff --git a/howto/puppet.md b/howto/puppet.md
index cbba3ce4ca6fa979daefa2e4f8627b11ef5e971f..c2e134ca2f07a1b75ca688d9ca091bad74d6ce8f 100644
--- a/howto/puppet.md
+++ b/howto/puppet.md
@@ -634,6 +634,27 @@ general, it's safe to use `trocla create` as it will reuse existing
 password. It's actually how the `trocla()` function behaves in Puppet
 as well.
 
+TODO: Trocla can provide passwords to classes transparently, without
+having to do function calls inside Puppet manifests. For example, this
+code:
+
+    class profile::grafana {
+        $password = trocla('profile::grafana::password', 'plain')
+        # ...
+    }
+
+Could simply be expressed as:
+
+    class profile::grafana(String $password) {
+        # ...
+    }
+
+But this requires a few changes:
+ 
+ 1. Trocla needs to be included in Hiera
+ 2. We need roles to be more clearly defined in Hiera, and use Hiera
+    as an ENC so that we can do per-roles passwords (for example),
+    which is not currently possible.
 
 ## Getting information from other nodes
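Review bot: In the second example, `class profile::grafana(String $password)` types the secret as a plain `String`, so nothing marks it as a secret once it becomes a class parameter. Consider showing `Sensitive[String] $password` instead, so the value is redacted in Puppet's logs and reports, and note how the Hiera side would deliver it in that type. The TODO also drops the `'plain'` format argument that the `trocla()` call passes, without saying where the format would be chosen once the lookup goes through Hiera; a sentence on that under item 1 would make the two snippets comparable. Minor: the added blank line after "But this requires a few changes:" carries a trailing space, item 1 lacks a final period, and "per-roles passwords" should read "per-role passwords".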