On Wed, Apr 26, 2017 at 10:45 AM James Perry <jjperr...@gmail.com> wrote:

> Since all of our Puppet code is in a source code repo and requires a
> change control to push to PROD, I don't want to have to manually create a
> per host entry, either via the *case* statement or a *node.yaml* file as
> that requires a full regression test and verification before it moves to
> PROD.
>
> Via Foreman I can add puppet classes for *userX* and *userQ* to a
> specific server. As long as *sudo::sudoers::userX* and *sudo::sudoers::userQ*
> are defined in the Puppet code, then no change to modify code or custom
> hiera yaml files is required. This takes the sudo setups from having to be
> done per node in code to a point and click for the team that handles the
> tickets for the host definitions in Foreman.
>

This is a complete aside to sudo, but I think your controls here do not
operate as you expect them to. Foreman, like hiera, is just separating your
data from your code, which is great. But changing data in either system can
have adverse effects in production. For example, I once changed the value
for an nfs exports list from an array to a string. That ... did not go
well! If only an integration test had been used to catch that, I could have
avoided a small outage and a remediation change.

Personally, I prefer hiera to foreman or the PE Console classifier because
it's integrated with version control of the control repo and into my test
setup. But the point is, we use the same controls on data as code because
they have similar potentials for impacts in production. You may want to
revisit your controls, even if it's just to acknowledge the risk.

Rob Nelson
