Manage sudo with Puppet on Debian-, RedHat- and SUSE-based linux distributions and some BSDs

sudo module for Puppet

Manage sudo configuration via Puppet

Supported OS

This module supports the following OS families and specific operating systems:

  • debian osfamily (debian, ubuntu, kali, ...)
  • redhat osfamily (redhat, centos, fedora, ...)
  • suse osfamily (suse, opensuse, ...)
  • solaris osfamily (Solaris, OmniOS, SmartOS, ...)
  • freebsd osfamily
  • openbsd osfamily
  • aix osfamily
  • darwin osfamily
  • gentoo operating system
  • archlinux operating system
  • amazon operating system

Usage

WARNING

This module will purge your current sudo config.

If this is not what you expect, set purge and/or config_file_replace to false.

Install sudo with default sudoers

Purge current sudo config

    class { 'sudo': }

Purge sudoers.d directory, but leave sudoers file as it is

    class { 'sudo':
      config_file_replace => false,
    }

Selective Purge of sudoers.d Directory

A combination of prefix, suffix and purge_ignore can be used to purge only files that Puppet previously created. If suffix is specified, all Puppet-created sudoers.d entries will have this suffix appended to their file name. If prefix is specified, all Puppet-created sudoers.d entries will have this prefix prepended. A Ruby glob can be used as purge_ignore to ignore (i.e. not purge) all files that do not carry this suffix or prefix.

    class{'sudo':
      suffix => '_puppet',
      purge_ignore => '*[!_puppet]',
    }

or

    class{'sudo':
      prefix => 'puppet_',
      purge_ignore => '[!puppet_]*',
    }

Due to limitations of Ruby globs (a bracket expression such as [!_puppet] matches a single character, not the whole affix), the prefix variant with its matching ignore pattern is recommended.
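The following Ruby script is an added illustration (not part of the puppet-sudo module) of why the glob-based purge_ignore patterns above are only an approximation. It assumes that Puppet applies the ignore pattern to each file's basename with File.fnmatch semantics, and uses a constructed sudoers.d listing to show which unmanaged files each scheme would keep or purge.

```ruby
# Added example: dry-run of the purge_ignore glob against a sudoers.d listing.
# Assumption: Puppet's `ignore` matches the basename like File.fnmatch?.
# A file survives if Puppet manages it or if it matches the ignore glob;
# everything else is purged when `purge => true`.
def purge_plan(files, managed, ignore_glob)
  files.each_with_object({ keep: [], purge: [] }) do |name, plan|
    if managed.include?(name) || File.fnmatch?(ignore_glob, name)
      plan[:keep] << name
    else
      plan[:purge] << name
    end
  end
end

# Constructed listing for the suffix scheme (suffix => '_puppet').
# 10_stale_puppet is a leftover Puppet file that should be purged;
# foreman-proxy and 99-vendor-default are third-party files to keep.
SUFFIX_FILES   = %w[10_admins_puppet 60_joe_puppet 10_stale_puppet
                    foreman-proxy 99-vendor-default].freeze
SUFFIX_MANAGED = %w[10_admins_puppet 60_joe_puppet].freeze
# '*[!_puppet]' only inspects the LAST character: any file ending in one of
# "_ p u e t" is treated as Puppet-created, so 99-vendor-default gets purged.
SUFFIX_PLAN = purge_plan(SUFFIX_FILES, SUFFIX_MANAGED, '*[!_puppet]')

# Constructed listing for the prefix scheme (prefix => 'puppet_').
PREFIX_FILES   = %w[puppet_10_admins puppet_60_joe puppet_10_stale
                    foreman-proxy 99-vendor-default tmp-override].freeze
PREFIX_MANAGED = %w[puppet_10_admins puppet_60_joe].freeze
# '[!puppet_]*' only inspects the FIRST character: files starting with one of
# "p u e t _" (here tmp-override) are still purged; the leak is narrower.
PREFIX_PLAN = purge_plan(PREFIX_FILES, PREFIX_MANAGED, '[!puppet_]*')

if __FILE__ == $PROGRAM_NAME
  puts "suffix scheme purges: #{SUFFIX_PLAN[:purge].join(', ')}"
  puts "prefix scheme purges: #{PREFIX_PLAN[:purge].join(', ')}"
end
```

Running the script before enabling purge on a host with third-party sudoers.d entries (for example a file dropped by a package) shows which of them the chosen glob would silently remove.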

Leave current sudo config as it is

    class { 'sudo':
      purge               => false,
      config_file_replace => false,
    }

Use LDAP along with sudo

sudo does not always ship with LDAP support by default. On Debian and Ubuntu the separate sudo-ldap package is used instead. On Gentoo the puppet portage module from Gentoo must also be included; if it is not present, only a notification is shown.

    class { 'sudo':
      ldap_enable => true,
    }

Adding sudoers configuration

Using Code

    class { 'sudo': }
    sudo::conf { 'web':
      source => 'puppet:///files/etc/sudoers.d/web',
    }
    sudo::conf { 'admins':
      priority => 10,
      content  => '%admins ALL=(ALL) NOPASSWD: ALL',
    }
    sudo::conf { 'joe':
      priority => 60,
      source   => 'puppet:///files/etc/sudoers.d/users/joe',
    }

Using Hiera

A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.

Examples using:

  • the YAML backend
  • an environment called production
  • a /etc/puppet/hiera.yaml hierarchy configuration:

    :hierarchy:
      - "%{environment}"
      - "defaults"

Load module

Load the module via Puppet Code or your ENC.

    include sudo

Configure Hiera YAML (defaults.yaml)

These defaults will apply to all systems.

    sudo::configs:
        'web':
            'source'    : 'puppet:///files/etc/sudoers.d/web'
        'admins':
            'content'   : '%admins ALL=(ALL) NOPASSWD: ALL'
            'priority'  : 10
        'joe':
            'priority'  : 60
            'source'    : 'puppet:///files/etc/sudoers.d/users/joe'

Configure Hiera YAML (production.yaml)

This will only apply to the production environment. In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins configuration
  • removing the joe configuration
  • adding the bill template
    lookup_options:
      sudo::configs:
        merge:
          strategy: deep
          merge_hash_arrays: true

    sudo::configs:
        'admins':
            'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
            'priority'  : 10
        'joe':
            'ensure'    : 'absent'
            'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
        'bill':
            'template'  : "mymodule/bill.erb"

In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins:content setting
  • inheriting/preserving the admins:priority setting
  • inheriting/preserving the joe:source and joe:priority settings
  • removing the joe configuration
  • adding the bill template
    lookup_options:
      sudo::configs:
        merge:
          strategy: deep
          merge_hash_arrays: true

    sudo::configs:
        'admins':
            'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'joe':
            'ensure'    : 'absent'
        'bill':
            'template'  : "mymodule/bill.erb"

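
To make the layering concrete, here is an added Ruby example (not part of the puppet-sudo module) that loads constructed copies of the defaults.yaml and production.yaml data above and applies a hash-only deep merge in the spirit of Hiera's `strategy: deep` (the real implementation lives in Hiera's deep_merge support; this is an approximation). It shows which keys production overrides, which it inherits, and what a plain first-found lookup would have lost.

```ruby
require 'yaml'

# Constructed copy of defaults.yaml (applies to all systems).
DEFAULTS_YAML = <<~YAML
  sudo::configs:
    'web':
      'source': 'puppet:///files/etc/sudoers.d/web'
    'admins':
      'content': '%admins ALL=(ALL) NOPASSWD: ALL'
      'priority': 10
    'joe':
      'priority': 60
      'source': 'puppet:///files/etc/sudoers.d/users/joe'
YAML

# Constructed copy of production.yaml (higher-priority layer).
PRODUCTION_YAML = <<~YAML
  sudo::configs:
    'admins':
      'content': "%prodadmins ALL=(ALL) NOPASSWD: ALL"
    'joe':
      'ensure': 'absent'
    'bill':
      'template': "mymodule/bill.erb"
YAML

# Approximation of Hiera's deep merge: nested hashes are merged recursively,
# and on a scalar conflict the higher-priority layer (`high`) wins.
def deep_merge(low, high)
  low.merge(high) do |_key, l, h|
    l.is_a?(Hash) && h.is_a?(Hash) ? deep_merge(l, h) : h
  end
end

# Result with lookup_options { merge: { strategy: deep } } in place.
def merged_sudo_configs
  defaults   = YAML.safe_load(DEFAULTS_YAML)['sudo::configs']
  production = YAML.safe_load(PRODUCTION_YAML)['sudo::configs']
  deep_merge(defaults, production)
end

# Result WITHOUT lookup_options: the first layer that defines the key wins
# wholesale, so the production hash replaces the defaults entirely.
def first_found_sudo_configs
  YAML.safe_load(PRODUCTION_YAML)['sudo::configs']
end
```

With the deep merge, 'joe' keeps its priority and source from defaults while gaining ensure: absent, which is what lets the module remove the file; without lookup_options 'web' and 'admins' priority vanish from production entirely.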
Set a custom name for the sudoers file

In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name option to manually set the desired file name.

    sudo::conf { 'foreman-proxy':
      ensure         => 'present',
      source         => 'puppet:///modules/sudo/foreman-proxy',
      sudo_file_name => 'foreman-proxy',
    }

sudo::conf / sudo::configs notes

  • One of content or source must be set.
  • Content may be an array or a string; for an array, each element is written on its own line (a newline is appended after each element).
  • To pass a template, use the template parameter instead of content, because the template() function is not evaluated from Hiera data.

sudo class parameters

| Parameter           | Type    | Default     | Description                                                |
|---------------------|---------|-------------|------------------------------------------------------------|
| enable              | boolean | true        | Set this to remove or purge all sudoers configs            |
| package             | string  | OS specific | Set package name (for unsupported platforms)               |
| package_ensure      | string  | present     | latest, absent, or a specific package version              |
| package_source      | string  | OS specific | Set package source (for unsupported platforms)             |
| purge               | boolean | true        | Purge unmanaged files from config_dir                      |
| purge_ignore        | string  | undef       | Files excluded from purging in config_dir                  |
| config_file         | string  | OS specific | Set config_file (for unsupported platforms)                |
| config_file_replace | boolean | true        | Replace config file with module config file                |
| includedirsudoers   | boolean | OS specific | Add #includedir /etc/sudoers.d with augeas                 |
| config_dir          | string  | OS specific | Set config_dir (for unsupported platforms)                 |
| content             | string  | OS specific | Alternate content file location                            |
| ldap_enable         | boolean | false       | Add support for LDAP                                       |
| configs             | hash    | {}          | A hash of sudo::conf's                                     |

sudo::conf class / sudo::configs hash parameters

| Parameter       | Type   | Default     | Description                                                        |
|-----------------|--------|-------------|--------------------------------------------------------------------|
| ensure          | string | present     | present or absent                                                  |
| priority        | number | 10          | file name prefix                                                   |
| content         | string | undef       | content of configuration snippet                                   |
| source          | string | undef       | source of configuration snippet                                    |
| template        | string | undef       | template of configuration snippet                                  |
| sudo_config_dir | string | OS specific | configuration snippet directory (for unsupported platforms)        |
| sudo_file_name  | string | undef       | custom file name for sudo file in sudoers directory                |
