Check out saz/sudo (https://forge.puppet.com/saz/sudo). By default it manages /etc/sudoers.d with `sudo::conf` instances and purges /etc/sudoers.d of anything it didn't create, but if something else is managing files in that directory you can set `sudo::purge: false` so they can share nicely.
Rob Nelson
[email protected]

On Fri, Apr 21, 2017 at 12:10 PM, James Perry <[email protected]> wrote:
> I'm at an impasse.
>
> Due to changing requirements we have different local service accounts
> being added 'ad hoc' to various servers. Each needs their own set of
> sudoers lines. When moving from Puppet 0.25 to Puppet 4 I had to kludge
> something together in a hurry. It works, but not well.
>
> I looked at defining classes for each set of lines that needed to be added
> and have it create a separate file for that class in /etc/sudoers.d/. Due
> to SOX compliance we can't have any sudo permissions defined for accounts
> not on the server. So if I remove the class that creates
> /etc/sudoers.d/foo, the /etc/sudoers.d/foo file still remains. If I try to
> clean out all non-needed files, I either have to do:
> 1. Remove all files, but that causes Puppet to always recreate the files.
> 2. Create some way to remove a file based on knowing if the class is
> defined for this node, which forum posts show as problematic.
>
> I did see the Puppet-concat module, but haven't had the time to really dig
> into it to see if it would solve the problem. In this case it would be
> modifying / creating the main sudoers file, which is fine.
>
> Another option would be to use something like file_line to make sure a
> specific line(s) are in the sudoers file after the initial template creates
> our default /etc/sudoers file.
>
> Has anyone solved this type of issue? I know there are ways to do it, but
> I really want to do it right and forget it. When we need a new sudo setup
> for a new account, we create the required class and the rest is "magic"
> based on the classes defined for that node.
>
> In the meantime I will be doing more deep Google dives and serious RTFM.
>
> Thanks!
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
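The mechanism behind Rob's answer is a recursively managed, purged /etc/sudoers.d: any file Puppet did not declare on this run is deleted, so a fragment vanishes as soon as the class that declared it is no longer classified on the node. The following is an added example written for this thread, not code from the original post or from the saz/sudo module; it reproduces that behaviour with native Puppet resources so the semantics are visible. The class and define names (profile::sudoers, profile::sudo_fragment, profile::sudo_backupsvc) and the "backupsvc" account and command are assumptions chosen for illustration.

```puppet
# Added example (not from the thread or the saz/sudo module): a native-Puppet
# version of the "purge /etc/sudoers.d" pattern, so that a service account's
# sudoers fragment disappears when its class stops being declared.
# All class/define names below are hypothetical.

class profile::sudoers (
  Boolean       $purge        = true,
  Array[String] $purge_ignore = [],   # glob patterns to leave alone if another tool owns files here
) {
  # Puppet owns the directory. With purge => true, any file under
  # /etc/sudoers.d that is not declared as a File resource in this catalog
  # is removed on the next run, which is the "clean out non-needed files"
  # requirement without Puppet having to know which classes were dropped.
  file { '/etc/sudoers.d':
    ensure  => directory,
    owner   => 'root',
    group   => 'root',
    mode    => '0750',
    recurse => true,
    purge   => $purge,
    ignore  => $purge_ignore,
  }
}

# One fragment per service account. Declaring this define creates the
# file; dropping it from the node's classification leaves an unmanaged
# file, which the purge above removes on the same run.
define profile::sudo_fragment (
  String         $content,
  Integer[0, 99] $priority = 10,
) {
  include profile::sudoers

  # sudo skips files in sudoers.d whose names contain '.' or '~', so the
  # title is sanitised; the numeric prefix controls ordering.
  $filename = sprintf('%02d_%s', $priority, regsubst($title, '[.~]', '_', 'G'))

  file { "/etc/sudoers.d/${filename}":
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => "${content}\n",
    # Refuse to install a fragment that does not parse: a single syntax
    # error in sudoers.d can make sudo unusable for everyone on the host.
    validate_cmd => '/usr/sbin/visudo -c -f %',
    require      => File['/etc/sudoers.d'],
  }
}

# Example per-account class (hypothetical): classify it on a node to grant
# the rule, remove it from classification to have the file purged.
class profile::sudo_backupsvc {
  profile::sudo_fragment { 'backupsvc':
    priority => 20,
    content  => 'backupsvc ALL=(root) NOPASSWD: /usr/bin/rsync',
  }
}
```

With saz/sudo the same thing is achieved by `include sudo` plus one `sudo::conf` per account; the module's `purge` switch (the `sudo::purge: false` Hiera key Rob mentions) corresponds to the `$purge` parameter here, and `validate_cmd` is the check worth keeping whichever route is taken, since the purge-and-recreate cycle means every fragment is rewritten by Puppet rather than hand-edited through visudo.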
