1

I'm trying to deploy the saz/sudo module to manage our sudo configs (I'm pretty new to Puppet (~3 days), so please excuse my potential ignorance).

Our current sudo config is all contained in a single (large) /etc/sudoers file, which I'd like to break up into relevant files in sudoers.d.

I've been able to get the saz/sudo module installed but have been fumbling about configuring it. I've currently got it to work by including it in another module, site_sudo, using the following config:

# cwd : /etc/puppetlabs/code/environments/production/modules
site_sudo/examples
site_sudo/files
site_sudo/Gemfile
site_sudo/manifests
site_sudo/metadata.json
site_sudo/Rakefile
site_sudo/README.md
site_sudo/spec
site_sudo/examples/init.pp
site_sudo/files/etc
site_sudo/files/etc/sudoers.d
site_sudo/files/etc/sudoers.d/svc_servicename
site_sudo/files/etc/sudoers.d/user_username
site_sudo/manifests/init.pp
site_sudo/spec/classes
site_sudo/spec/spec_helper.rb
site_sudo/spec/classes/init_spec.rb

with the contents of init.pp as follows:

[root@puppet modules]# cat site_sudo/manifests/init.pp  | grep -vP '^#'
class site_sudo {

  class { 'sudo': }
  sudo::conf { 'user_username':
    source => 'puppet:///modules/site_sudo/etc/sudoers.d/user_username',
  }
  sudo::conf { 'svc_servicename':
    source => 'puppet:///modules/site_sudo/etc/sudoers.d/svc_servicename',
  }

}
[root@puppet modules]#

My question: is this the best/correct way to implement saz/sudo?

I was kind of hoping to have all this configuration in the main saz/sudo module, rather than having to create site_sudo like this, but the documentation isn't clear about how to do this.

If it is possible to include this configuration in the main saz/sudo module, can someone suggest how to achieve this?

Mark V

1 Answer

3

You're doing the right thing in keeping the configuration outside of the module you're using.

Modules should be reusable, and if you customise a module to contain site-local configuration then you will need to maintain your customisations. It won't be possible to install a newer version of the module without merging in your changes (depending on how you maintain the changes and install modules, this could be anywhere from trivial to difficult).

The module provides a public interface through sudo::conf and its class parameters to customise everything you should need.

The site_sudo class you've created is a profile class (see: Roles and Profiles) for configuring sudo using the saz/sudo module for your site and service preferences. This is a common and well-used design pattern in Puppet environments, so by all means, stick with it.

The second method that saz/sudo supports is to define the configuration in Hiera under the sudo::configs key. It will look this data up and then apply the configuration. Using Hiera is another good way of keeping the configuration outside of the module you're using. Your Hiera data files can be stored in your Puppet environment.

Dominic Cleal
  • Thanks for the answer - obviously still have lots to learn but good to know I'm on the right track. – Mark V May 31 '17 at 20:21
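
The Hiera method mentioned in the answer, written out for the two files from the question; this is an added example, not part of the original answer or the module's own documentation. It assumes the data file is `data/common.yaml` in the Puppet environment, that the nodes have `include sudo` applied, and that the source files stay in the `site_sudo` module.

```yaml
# data/common.yaml (assumed location; use whichever Hiera level applies to these nodes)
---
# saz/sudo defaults both of these to true: it replaces /etc/sudoers with its own
# file and purges anything in sudoers.d that Puppet does not manage.
# Setting them to false keeps the existing large /etc/sudoers in place while
# rules are moved out of it one file at a time.
sudo::config_file_replace: false
sudo::purge: false

# Equivalent of the two sudo::conf resources in site_sudo/manifests/init.pp
sudo::configs:
  'user_username':
    'source': 'puppet:///modules/site_sudo/etc/sudoers.d/user_username'
  'svc_servicename':
    'source': 'puppet:///modules/site_sudo/etc/sudoers.d/svc_servicename'
```

Once every rule lives in a managed file, setting `sudo::purge` back to `true` makes Puppet remove any unmanaged file that appears in sudoers.d, so a sudo rule added by hand on a node does not persist.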