sudo module for Puppet

Manage sudo configuration via Puppet

Supported Puppet versions

• Puppet >= 4
• Last version supporting Puppet 3: v4.2.0

Supported OS

Some family and some specific os are supported by this module

• debian osfamily (debian, ubuntu, kali, ...)
• redhat osfamily (redhat, centos, fedora, ...)
• suse osfamily (suse, opensuse, ...)
• solaris osfamily (Solaris, OmniOS, SmartOS, ...)
• freebsd osfamily
• openbsd osfamily
• aix osfamily
• darwin osfamily
• gentoo operating system
• archlinux operating system
• amazon operating system

Gittip

Usage

WARNING

This module will purge your current sudo config

If this is not what you're expecting, set purge and/or config_file_replace to false

Install sudo with default sudoers

Purge current sudo config

    class { 'sudo': }

Purge sudoers.d directory, but leave sudoers file as it is

    class { 'sudo':
      config_file_replace => false,
    }

Selective Purge of sudoers.d Directory

A combination of suffix and purge_ignore can be used to purge only files that puppet previously created. If suffix is specified all puppet created sudoers.d entries will have this suffix apprended to the thier file name. A ruby glob can be used as purge_ignore to ignore all files that do not have this suffix.

    class{'sudo':
      suffix => '_puppet',
      purge_ignore => '*[!_puppet]',
    }

Leave current sudo config as it is

    class { 'sudo':
      purge               => false,
      config_file_replace => false,
    }

Use LDAP along with sudo

Sudo do not always include by default the support for LDAP. On Debian and Ubuntu a special package sudo-ldap will be used. On Gentoo there is also the needing to include puppet portage module by Gentoo. If not present, only a notification will be shown.

    class { 'sudo':
      ldap_enable         => true,
    }

Adding sudoers configuration

Using Code

    class { 'sudo': }
    sudo::conf { 'web':
      source => 'puppet:///files/etc/sudoers.d/web',
    }
    sudo::conf { 'admins':
      priority => 10,
      content  => '%admins ALL=(ALL) NOPASSWD: ALL',
    }
    sudo::conf { 'joe':
      priority => 60,
      source   => 'puppet:///files/etc/sudoers.d/users/joe',
    }

Using Hiera

A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.

Examples using:

• YAML backend
• an environment called production
• a /etc/puppet/hiera.yaml hierarchy configuration:

:hierarchy:
  - "%{environment}"
  - "defaults"

Load module

Load the module via Puppet Code or your ENC.

    include sudo

Configure Hiera YAML (defaults.yaml)

These defaults will apply to all systems.

sudo::configs:
    'web':
        'source'    : 'puppet:///files/etc/sudoers.d/web'
    'admins':
        'content'   : '%admins ALL=(ALL) NOPASSWD: ALL'
        'priority'  : 10
    'joe':
        'priority'  : 60
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'

Configure Hiera YAML (production.yaml)

This will only apply to the production environment. In this example we are:

• inheriting/preserving the web configuration
• overriding the admins configuration
• removing the joe configuration
• adding the bill template

lookup_options:
  sudo::configs:
    merge:
      strategy: deep
      merge_hash_arrays: true

sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'priority'  : 10
    'joe':
        'ensure'    : 'absent'
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
    'bill':
        'template'  : "mymodule/bill.erb"

In this example we are:

• inheriting/preserving the web configuration
• overriding the admins:content setting
• inheriting/preserving the admins:priority setting
• inheriting/preserving the joe:source and joe:priority settings
• removing the joe configuration
• adding the bill template

lookup_options:
  sudo::configs:
    merge:
      strategy: deep
      merge_hash_arrays: true

sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
    'joe':
        'ensure'    : 'absent'
    'bill':
        'template'  : "mymodule/bill.erb"

Set a custom name for the sudoers file

In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name option to manually set the desired file name.

sudo::conf { "foreman-proxy":
    ensure          => "present",
    source          => "puppet:///modules/sudo/foreman-proxy",
    sudo_file_name  => "foreman-proxy",
}

sudo::conf / sudo::configs notes

• One of content or source must be set.
• Content may be an array, string will be added with return carriage after each element.
• In order to properly pass a template() use template instead of content, as hiera would run template function otherwise.

sudo class parameters

Parameter	Type	Default	Description
enable	boolean	true	Set this to remove or purge all sudoers configs
package	string	OS specific	Set package name (for unsupported platforms)
package_ensure	string	present	latest, absent, or a specific package version
package_source	string	OS specific	Set package source (for unsupported platforms)
purge	boolean	true	Purge unmanaged files from config_dir
purge_ignore	string	undef	Files excluded from purging in config_dir
config_file	string	OS specific	Set configfile (for unsupported platforms)_
config_file_replace	boolean	true	Replace config file with module config file
includedirsudoers	boolean	OS specific	Add #includedir /etc/sudoers.d with augeas
config_dir	string	OS specific	Set configdir (for unsupported platforms)_
content	string	OS specific	Alternate content file location
ldap_enable	boolean	false	Add support to LDAP
configs	hash	{}	A hash of sudo::conf's

sudo::conf class / sudo::configs hash parameters

Parameter	Type	Default	Description
ensure	string	present	present or absent
priority	number	10	file name prefix
content	string	undef	content of configuration snippet
source	string	undef	source of configuration snippet
template	string	undef	template of configuration snippet
sudo_config_dir	string	OS Specific	configuration snippet directory (for unsupported platforms)
sudo_file_name	string	undef	custom file name for sudo file in sudoers directory

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[7.0.2]

Added

• Allow stdlib < 9.0.0

[7.0.1]

Fixed

• Fix duplicate variable declaration (#274)

[7.0.0]

Breaking changes

• Support Puppet >= 6.1.0

Added

• Added secure_path parameter (#270)
• Added package_provider parameter (#241)
• Added wheel_config parameter (#271)
• Added support for Manjarolinux (#244)
• Template for RHEL 8 added (#247)
• Added suffix parameter (#248)

Changed

• Migrated to Github Actions
• Replaced travis-ci badge with Github Actions badge
• Bumped stdlib dependency to < 8.0.0

Fixed

• sudoversion fact should not run on Windows (#259)
• docs: ignore parameter has been renamed to purge_ignore
• Removed extra % in sudo::allow template (#242)
• Fixed AIX default package source (#240)

[6.0.0]

Breaking changes

• Remove sudo::configs, move hiera lookups to init.pp (#228)

Fixed

• Do not ensure package, when it's undefined (#213)
• Fix regex matching rhel 5.1 to 5.4 only (#217)
• Add systemctl commands back to SERVICES alias (#224, #225)

Added

• Add Puppet 6 to travis checks
• Allow usage of sudoreplay (#231)

Changed

• Let $purge_ignore accept an array of strings (#211)
• Update Puppet version requirement to include version 6 (#230, #234)

Removed

• Drop Ruby 2.1 from travis checks