
Add a custom sudoers in Puppet


I'm new to Puppet and have downloaded the central_auth module from the Forge to implement AD login on Linux (CentOS) servers. After some tweaking, I finally got AD login to work. What I'm trying to do now is add a custom sudoers file in /etc/sudoers.d based on the value in the node's yaml file. The issue: /etc/sudoers.d/customsudo gets created but the contents are not correct.

Here are my configs:

in manifests/init.pp

class central_auth (
  # Class parameters are populated from External(hiera)/Defaults/Fail
  Boolean $manage_auth                = false,
  Boolean $enable_sssd                = true,
  Boolean $enable_pam_access          = false,
  Boolean $manage_pam_files           = true,
   
) {



  if $manage_auth {
    class { 'central_auth::install': }
    -> class { 'central_auth::config': }
    -> class { 'central_auth::pam': }
    -> class { 'central_auth::join_ad': }
    -> class { 'central_auth::service': }
    -> class { 'central_auth::custom_sudoers': }
  }
}

in manifests/custom_sudoers.pp

class central_auth::custom_sudoers (
  Any $sudoersgrp               = $central_auth::sudoersgrp,
) {

  if $sudoersgrp {
    file { '/etc/sudoers.d/customsudo':
      ensure  => present,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => template( 'central_auth/sudogroup.epp' ),
    }
  }
}

in templates/sudogroup.epp

%<%= $sudoersgrp %> ALL=(ALL) NOPASSWD: ALL

In the node's yaml file, I added these lines to call the central_auth class:

classes:
  - central_auth

central_auth::manage_auth: true
central_auth::enable_sssd: true
central_auth::enable_pam_access: true
central_auth::manage_pam_files: true
central_auth::sudoersgrp: 'CustomSudoers'

In the client's /etc/sudoers.d/customsudo file that was created, it only appears like the below. I want 'CustomSudoers' to be passed to the $sudoersgrp variable in manifests/custom_sudoers.pp, which will create the /etc/sudoers.d/customsudo file.

What it should look like in /etc/sudoers.d/customsudo:

%CustomSudoers ALL=(ALL) NOPASSWD: ALL

Solution

  • Fixed now after watching a tutorial on Udemy. :)

    in init.pp

    class central_auth (
      # Class parameters are populated from External(hiera)/Defaults/Fail
      Boolean $manage_auth                = false,
      Boolean $enable_sssd                = true,
      Boolean $enable_pam_access          = false,
      Boolean $manage_pam_files           = true,
      Any $sudoersgrp                     = undef,
    
    ) {
    
    
    
      if $manage_auth {
        class { 'central_auth::install': }
        -> class { 'central_auth::config': }
        -> class { 'central_auth::pam': }
        -> class { 'central_auth::join_ad': }
        -> class { 'central_auth::service': }
        -> class { 'central_auth::custom_sudoers': }
      }
    }
    

    in manifests/custom_sudoers.pp

    class central_auth::custom_sudoers (
      Any $sudoersgrp               = $central_auth::sudoersgrp,
    ) {
    
      if $sudoersgrp {
        file { '/etc/sudoers.d/customsudo':
          ensure  => present,
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          content => epp('central_auth/sudogroup.epp', {
            'sudoersgrp'  => $sudoersgrp,
          } ),
        }
      }
    }
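
A hardened variant of the class in the answer above, as an added example that is not part of the original answer or of the central_auth module: it constrains the Hiera value so it cannot carry extra sudoers syntax, tightens the file mode, and has Puppet run `visudo` on the rendered file before installing it. Assumptions: group names contain no spaces, `visudo` lives at `/usr/sbin/visudo` (as on CentOS), the template is inlined instead of read from `templates/sudogroup.epp`, and the file is removed when no group is set.

```puppet
# Added example (not the module's own code): hardened central_auth::custom_sudoers.
class central_auth::custom_sudoers (
  # 'Any' would accept newlines, commas or a whole extra rule from Hiera.
  # Assumption: group names have no spaces; AD groups with spaces need
  # backslash escaping in sudoers and a different pattern.
  Optional[Pattern[/\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/]] $sudoersgrp = $central_auth::sudoersgrp,
) {

  if $sudoersgrp {
    # The parameter tag makes the template fail to render if the variable
    # is not passed in, instead of silently writing a rule with an empty name.
    $rule = inline_epp(@(EPP), { 'sudoersgrp' => $sudoersgrp })
      <%- | String[1] $sudoersgrp | -%>
      %<%= $sudoersgrp %> ALL=(ALL) NOPASSWD: ALL
      | EPP

    file { '/etc/sudoers.d/customsudo':
      ensure       => file,
      owner        => 'root',
      group        => 'root',
      mode         => '0440',   # conventional mode for sudoers drop-ins
      content      => $rule,
      # Puppet substitutes % with the temporary file; if visudo rejects it,
      # the existing file is left untouched and the resource fails.
      validate_cmd => '/usr/sbin/visudo -cf %',
    }
  } else {
    # Assumption: an unset group should revoke a previously granted rule.
    file { '/etc/sudoers.d/customsudo':
      ensure => absent,
    }
  }
}
```

With the original `template()` call and no parameter passed, a wrong rule still reached `/etc/sudoers.d`; with `validate_cmd` a syntactically invalid file is never installed, and a failed catalog run is the signal to investigate.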