Check out saz/sudo (https://forge.puppet.com/saz/sudo). By default it
manages /etc/sudoers.d with `sudo::conf` instances and purges
/etc/sudoers.d of anything it didn't create, but if something else is
managing files in that directory you can set `sudo::purge: false` so they
can share nicely.


Rob Nelson
rnels...@gmail.com

On Fri, Apr 21, 2017 at 12:10 PM, James Perry <jjperr...@gmail.com> wrote:

> I'm at an impasse.
>
> Due to changing requirements we have different local service accounts
> being added 'ad hoc' to various servers. Each needs their own set of
> sudoers lines.  When moving from Puppet 0.25 to Puppet 4 I had to kludge
> something together in a hurry. It works, but not well.
>
> I looked at defining classes for each set of lines that needed to be added
> and have it create a separate file for that class in /etc/sudoers.d/.  Due
> to SOX compliance we can't have any sudo permissions defined for accounts
> not on the server. So if I remove the class that creates
> /etc/sudoers.d/foo, the /etc/sudoers.d/foo file still remains. If I try to
> clean out all non-needed files, I either have to do:
>   1. Remove all files, but that causes Puppet to always recreate the files.
>   2. Create some way to remove a file based on knowing if the class is
> defined for this node, which forum posts show as problematic.
>
> I did see the Puppet-concat module, but haven't had the time to really dig
> into it to see if it would solve the problem. In this case it would be
> modifying / creating the main sudoers file, which is fine.
>
> Another option would be to use something like file_line to make sure a
> specific line(s) are in the sudoers file after the initial template creates
> our default /etc/sudoers file.
>
> Has anyone solved this type of issue?  I know there are ways to do it, but
> I really want to do it right and forget it. When we need a new sudo setup
> for a new account, we create the required class and the rest is "magic"
> based on the classes defined for that node.
>
> In the meantime I will be doing more deep Google dives and serious RTFM.
>
> Thanks!
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/puppet-users/db9fabde-a539-4e8a-97b7-b160387df942%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/db9fabde-a539-4e8a-97b7-b160387df942%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>

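The approach Rob describes (one `sudo::conf` drop-in per account, with the module purging anything in /etc/sudoers.d it did not create) can be wired to Hiera so that dropping an account from the node's data also drops its sudo rule. The manifest below is an added illustration written for this thread; it is not code from the original posts or from the saz/sudo module's own documentation. The class name `profile::sudo_accounts`, the Hiera key `profile::sudo_accounts::service_accounts`, the account names and the command lists are all hypothetical.

```puppet
# Added example, not from the thread or the saz/sudo module. The profile
# name, Hiera key and account data are hypothetical placeholders.
class profile::sudo_accounts (
  # account name => allowed command list, e.g. from Hiera:
  #   profile::sudo_accounts::service_accounts:
  #     backupsvc: '/usr/bin/rsync'
  #     deploysvc: '/bin/systemctl restart myapp'
  # An account that is absent from this hash gets no drop-in file at all.
  Hash[String, String] $service_accounts = {},
) {
  # purge => true makes the module remove every file under /etc/sudoers.d
  # that it is not managing, which is what keeps a rule from surviving
  # after its account has been removed from the node's data.
  # config_file_replace => false leaves the distribution /etc/sudoers alone.
  class { 'sudo':
    purge               => true,
    config_file_replace => false,
  }

  # One drop-in per account. The rule grants only the listed commands,
  # so reviewers can read each file as the complete sudo policy for that
  # account. Removing the account from Hiera removes the file on the next run.
  $service_accounts.each |String $account, String $commands| {
    sudo::conf { "svc-${account}":
      priority => 20,
      content  => "${account} ALL=(root) ${commands}",
    }
  }
}
```

If another module or a hand-managed file also needs to live in /etc/sudoers.d, set `sudo::purge: false` in Hiera as Rob notes, but then stale rules have to be retired explicitly with `sudo::conf { 'svc-oldsvc': ensure => absent }`, since nothing else will delete them. Either way, it is worth keeping a periodic `visudo -c` check in place so a malformed drop-in is caught before it locks out sudo entirely.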
