Manage sudo configuration via Puppet

Steffen Zieger



554,918 latest version

4.6 quality score

Version information

  • 6.0.0 (latest)
  • 5.0.0
  • 4.2.0
  • 4.1.0
  • 4.0.0
  • 3.1.0
  • 3.0.9
  • 3.0.8
  • 3.0.7
  • 3.0.6
  • 3.0.5
  • 3.0.4
  • 3.0.3
  • 3.0.2
  • 3.0.1
  • 3.0.0
  • 2.4.3
  • 2.4.2
  • 2.4.1
  • 2.4.0
  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.9
  • 2.0.8
  • 2.0.7
  • 2.0.6
  • 2.0.5
  • 2.0.4
  • 2.0.3
  • 2.0.2
  • 2.0.1
  • 2.0.0
  • 1.0.2
  • 1.0.1
  • 1.0.0
released Feb 12th 2019
This version is compatible with:
  • RedHat, CentOS, OracleLinux, Scientific, Debian, Ubuntu, SmartOS, OmniOS, FreeBSD, OpenBSD, AIX, Darwin, Gentoo, Archlinux, Amazon, Suse

Start using this module

Tags: sudo


saz/sudo — version 6.0.0 Feb 12th 2019

puppet-sudo Build Status

Manage sudo configuration via Puppet

Supported Puppet versions

  • Puppet >= 4
  • Last version supporting Puppet 3: v4.2.0

Supported OS

Some family and some specific os are supported by this module

  • debian osfamily (debian, ubuntu, kali, ...)
  • redhat osfamily (redhat, centos, fedora, ...)
  • suse osfamily (suse, opensuse, ...)
  • solaris osfamily (Solaris, OmniOS, SmartOS, ...)
  • freebsd osfamily
  • openbsd osfamily
  • aix osfamily
  • darwin osfamily
  • gentoo operating system
  • archlinux operating system
  • amazon operating system


Support via Gittip



This module will purge your current sudo config

If this is not what you're expecting, set purge and/or config_file_replace to false

Install sudo with default sudoers

Purge current sudo config

    class { 'sudo': }

Purge sudoers.d directory, but leave sudoers file as it is

    class { 'sudo':
      config_file_replace => false,

Leave current sudo config as it is

    class { 'sudo':
      purge               => false,
      config_file_replace => false,

Use LDAP along with sudo

Sudo do not always include by default the support for LDAP. On Debian and Ubuntu a special package sudo-ldap will be used. On Gentoo there is also the needing to include puppet portage module by Gentoo. If not present, only a notification will be shown.

    class { 'sudo':
      ldap_enable         => true,

Adding sudoers configuration

Using Code

    class { 'sudo': }
    sudo::conf { 'web':
      source => 'puppet:///files/etc/sudoers.d/web',
    sudo::conf { 'admins':
      priority => 10,
      content  => '%admins ALL=(ALL) NOPASSWD: ALL',
    sudo::conf { 'joe':
      priority => 60,
      source   => 'puppet:///files/etc/sudoers.d/users/joe',

Using Hiera

A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.

Examples using:

  • YAML backend
  • an environment called production
  • a /etc/puppet/hiera.yaml hierarchy configuration:
  - "%{environment}"
  - "defaults"
Load module

Load the module via Puppet Code or your ENC.

    include sudo
Configure Hiera YAML (defaults.yaml)

These defaults will apply to all systems.

        'source'    : 'puppet:///files/etc/sudoers.d/web'
        'content'   : '%admins ALL=(ALL) NOPASSWD: ALL'
        'priority'  : 10
        'priority'  : 60
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
Configure Hiera YAML (production.yaml)

This will only apply to the production environment. In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins configuration
  • removing the joe configuration
  • adding the bill template
      strategy: deep
      merge_hash_arrays: true

        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'priority'  : 10
        'ensure'    : 'absent'
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
        'template'  : "mymodule/bill.erb"

In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins:content setting
  • inheriting/preserving the admins:priority setting
  • inheriting/preserving the joe:source and joe:priority settings
  • removing the joe configuration
  • adding the bill template
      strategy: deep
      merge_hash_arrays: true

        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'ensure'    : 'absent'
        'template'  : "mymodule/bill.erb"
Set a custom name for the sudoers file

In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name option to manually set the desired file name.

sudo::conf { "foreman-proxy":
    ensure          => "present",
    source          => "puppet:///modules/sudo/foreman-proxy",
    sudo_file_name  => "foreman-proxy",

sudo::conf / sudo::configs notes

  • One of content or source must be set.
  • Content may be an array, string will be added with return carriage after each element.
  • In order to properly pass a template() use template instead of content, as hiera would run template function otherwise.

sudo class parameters

Parameter Type Default Description
enable boolean true Set this to remove or purge all sudoers configs
package string OS specific Set package name (for unsupported platforms)
package_ensure string present latest, absent, or a specific package version
package_source string OS specific Set package source (for unsupported platforms)
purge boolean true Purge unmanaged files from config_dir
purge_ignore string undef Files excluded from purging in config_dir
config_file string OS specific Set configfile (for unsupported platforms)_
config_file_replace boolean true Replace config file with module config file
includedirsudoers boolean OS specific Add #includedir /etc/sudoers.d with augeas
config_dir string OS specific Set configdir (for unsupported platforms)_
content string OS specific Alternate content file location
ldap_enable boolean false Add support to LDAP
configs hash {} A hash of sudo::conf's

sudo::conf class / sudo::configs hash parameters

Parameter Type Default Description
ensure string present present or absent
priority number 10 file name prefix
content string undef content of configuration snippet
source string undef source of configuration snippet
template string undef template of configuration snippet
sudo_config_dir string OS Specific configuration snippet directory (for unsupported platforms)
sudo_file_name string undef custom file name for sudo file in sudoers directory