Migrate Puppet sudo configs to saz/sudo module
Currently in the tor-puppet repository, most sudo configurations are deployed via a single `file` resource that is identical across all our machines. This is less than ideal from a security standpoint, since this one file reveals a great deal about the permissions granted to users on our different machines. Furthermore, the file is deployed without any syntax checking: a single error in it can break sudo for many users and systems.

I propose we deploy the third-party saz/puppet-sudo module in our Puppet infrastructure and leverage it, along with a new `profile::sudo` class, to progressively migrate away from the current `sudo` module.
The deployment would be staged in several steps:

- audit saz/puppet-sudo
- rename the current `sudo` module to `sudo_legacy` and modify the base includes to use the new class name
- pull in the new sudo module in 3rdparty/modules
- add a new `profile::sudo` class to create `sudo::conf` resources from Hiera data
- move the sudoers `file` resource in `role::network_health_relay` to Hiera
- validate that `profile::sudo` and `sudo_legacy` can coexist
- add `profile::sudo` to base classes and deploy progressively
- move the sudoers `file` resources in other classes to Hiera
- retire `sudo_legacy`
- progressively convert the monolithic sudoers to Hiera (move to a separate ticket)
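As an added illustration of the `profile::sudo` step (example code written for this ticket, not code from tor-puppet or from saz/puppet-sudo), the following class turns a per-host Hiera hash into `sudo::conf` resources. The Hiera key `profile::sudo::rules`, the group names and the commands in the sample data are all assumptions made up for the example; `sudo::conf`, its `priority`/`content` parameters, and the `purge` and `config_file_replace` parameters of the `sudo` class are taken from the saz/sudo module as I understand it, and should be confirmed during the audit step. The point of the layout is that each machine only receives the fragments its own Hiera data declares, each fragment is a separate file under `/etc/sudoers.d`, and the module runs `visudo -c` on a fragment before installing it, so a typo in one host's rule no longer breaks sudo fleet-wide.

```puppet
# modules/profile/manifests/sudo.pp (hypothetical path, not from tor-puppet)
#
# Expected Hiera data shape (constructed sample, per-host yaml):
#
#   profile::sudo::rules:
#     network-health:
#       priority: 20
#       content: "%network-health ALL=(root) NOPASSWD: /usr/bin/systemctl restart tor"
#     admins:
#       priority: 10
#       content: "%adm ALL=(ALL:ALL) ALL"
#
class profile::sudo (
  # Fragment name => sudo::conf parameters. Key name is an assumption for
  # this example; only hosts whose Hiera data declares rules get any fragment.
  Hash[String, Hash] $rules = {},
  # Remove unmanaged files from /etc/sudoers.d so stale grants do not linger.
  Boolean $purge = true,
) {
  class { 'sudo':
    purge               => $purge,
    # Leave the distribution /etc/sudoers alone while sudo_legacy still
    # manages it; flip this once sudo_legacy is retired.
    config_file_replace => false,
  }

  # One /etc/sudoers.d/<priority>_<name> file per entry. sudo::conf runs
  # `visudo -c` against the fragment before it is put in place, so a bad
  # rule fails this host's Puppet run instead of breaking sudo everywhere.
  $rules.each |String $name, Hash $params| {
    sudo::conf { $name:
      * => $params,
    }
  }
}
```

Because the grants live in node- or role-level Hiera rather than one shared file, a host's catalog (and the resulting `/etc/sudoers.d`) only describes the permissions relevant to that host, which addresses the information-disclosure concern above as well as the syntax-check one.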
Edited by Jérôme Charaoui