How to generate customized sudoers files in puppet depending on the environment they're deployed to?

Question

the sysadmins are present in the sudoers files of all environments, but other sudoers are not. Different environments all have slightly different sudoers. Most of the time, 90% of users are the same, and 10% vary so we cannot have only one sudoers file for everything.

Right now, we are using puppet with 10 different files with names like sudoers.production1, sudoers.production2, sudoers.production3, sudoers.testing1, sudoers.staging1 and so forth.

Puppet then picks the file to deploy based on the server's $domain (ex: dbserver.staging1.acme.com) or $hardwaremodel. It works fine but it's a nightmare to maintain so many files.

I'd like to autogenerate sudoers files based on the server's domain and have only one big file with all the sudoers permissions for all users and all environments. Something that looks like:

User_Alias ADMINS = abe, bob, carol, dave

case $domain {
 "staging1.acme.com" {
    #add dev1,dev2,tester1,tester2 to sudoers file 
  }
 "testing2.acme.com" {
    #add tester1, tester3, tester4 to sudoers file
  }    

What's the best way to go about this? Suggestions for alternatives are welcome. I'd appreciate any tips.

Update 1:

For security reasons, we'd rather not concatenate a bunch of files from a folder located on a puppet client in case someone puts a file in there (maliciously or not) and either breaks the combined file or inserts something in it.

Most importantly, for usability, we'd like to keep the number of sudoers related files (fragment or complete) on puppet server to either 3 (prod/stage/test) or preferably 1 file. this file would (somehow) generate sudoers files on the puppet server and send one customized file to each puppet client.

The purpose of this would be only searching for a username in a single file and removing it quicker than doing it on 11 files. When adding a user to a bunch of environments, it won't be as quick, but only one file would need to be opened and looked at, greatly reducing the chances of an omission.

our Sudo version is 1.6.9p8 so we can't use /sudoers.d folder, only a sudoers file.

Update2:

I've been googling some and I just found this, which I've spent the past hour looking at:

https://github.com/saz/puppet-sudo#readme

I'm not certain but it looks like it might do the trick. Has anyone used it or heard about it?

Answer 1

What version of sudo? Does your version of sudo support using #includedir option to break things out into a fragment directory /etc/sudoers.d/?

If so, then I suggest you use that functionality to build your config.

Have your main config file delivered to /etc/sudoers that includes all the settings that is common to every host you control. Then have role-specific configuration get dropped into a file within /etc/sudoers.d/.

Each class or puppet section is responsible for updating the small portion of the sudo config directly related to that class.

Answer 2

You can have a look at virtual resources and realize: https://puppet.com/docs/puppet/latest/lang_virtual.html.

This does exactly that: on some systems you 'realize' the resource and on some you don't.

Answer 3

You can do with using Puppet templates... Site-specific configuration with a small ruby snippet/variable for the user you need. (I'll post an example later)

The traditional way of handling this is by using group definitions instead of named-users in your /etc/sudoers. It may be less of a hassle to manage.