Forge Home


Manage sudo configuration via Puppet


23,687 latest version

4.7 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 8.0.0 (latest)
  • 7.0.2
  • 7.0.1
  • 7.0.0
  • 6.0.0
  • 5.0.0
  • 4.2.0
  • 4.1.0
  • 4.0.0
  • 3.1.0
  • 3.0.9
  • 3.0.8
  • 3.0.7
  • 3.0.6
  • 3.0.5
  • 3.0.4
  • 3.0.3
  • 3.0.2
  • 3.0.1
  • 3.0.0
  • 2.4.3
  • 2.4.2
  • 2.4.1
  • 2.4.0
  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.9
  • 2.0.8
  • 2.0.7
  • 2.0.6
  • 2.0.5
  • 2.0.4
  • 2.0.3
  • 2.0.2
  • 2.0.1
  • 2.0.0
  • 1.0.2
  • 1.0.1
  • 1.0.0
released Jun 26th 2023
This version is compatible with:
  • Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0
  • , , , , , , SmartOS, OmniOS, FreeBSD, OpenBSD, AIX, Darwin, Gentoo, Archlinux, Amazon, Suse,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'saz-sudo', '8.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add saz-sudo
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install saz-sudo --version 8.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Tags: sudo


saz/sudo — version 8.0.0 Jun 26th 2023

sudo module for Puppet

Build Status

Manage sudo configuration via Puppet

Supported OS

Some family and some specific os are supported by this module

  • debian osfamily (debian, ubuntu, kali, ...)
  • redhat osfamily (redhat, centos, fedora, ...)
  • suse osfamily (suse, opensuse, ...)
  • solaris osfamily (Solaris, OmniOS, SmartOS, ...)
  • freebsd osfamily
  • openbsd osfamily
  • aix osfamily
  • darwin osfamily
  • gentoo operating system
  • archlinux operating system
  • amazon operating system



This module will purge your current sudo config

If this is not what you're expecting, set purge and/or config_file_replace to false

Install sudo with default sudoers

Purge current sudo config

    class { 'sudo': }

Purge sudoers.d directory, but leave sudoers file as it is

    class { 'sudo':
      config_file_replace => false,

Selective Purge of sudoers.d Directory

A combination of prefix, suffix and purge_ignore can be used to purge only files that puppet previously created. If suffix is specified all puppet created sudoers.d entries will have this suffix apprended to the thier file name. If prefix is specified all puppet created sudoers.d entries will have this prefix prepended. A ruby glob can be used as ignore to ignore all files that do not have this suffix.

      suffix => '_puppet',
      purge_ignore => '*[!_puppet]',


      prefix => 'puppet_',
      purge_ignore => '[!puppet_]*',

Due to limitations in ruby glob the prefix and ignore is recommended.

Leave current sudo config as it is

    class { 'sudo':
      purge               => false,
      config_file_replace => false,

Use LDAP along with sudo

Sudo do not always include by default the support for LDAP. On Debian and Ubuntu a special package sudo-ldap will be used. On Gentoo there is also the needing to include puppet portage module by Gentoo. If not present, only a notification will be shown.

    class { 'sudo':
      ldap_enable => true,

Adding sudoers configuration

Using Code

    class { 'sudo': }
    sudo::conf { 'web':
      source => 'puppet:///files/etc/sudoers.d/web',
    sudo::conf { 'admins':
      priority => 10,
      content  => '%admins ALL=(ALL) NOPASSWD: ALL',
    sudo::conf { 'joe':
      priority => 60,
      source   => 'puppet:///files/etc/sudoers.d/users/joe',

Using Hiera

A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.

Examples using:

  • YAML backend
  • an environment called production
  • a /etc/puppet/hiera.yaml hierarchy configuration:
  - "%{environment}"
  - "defaults"
Load module

Load the module via Puppet Code or your ENC.

    include sudo
Configure Hiera YAML (defaults.yaml)

These defaults will apply to all systems.

        'source'    : 'puppet:///files/etc/sudoers.d/web'
        'content'   : '%admins ALL=(ALL) NOPASSWD: ALL'
        'priority'  : 10
        'priority'  : 60
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
Configure Hiera YAML (production.yaml)

This will only apply to the production environment. In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins configuration
  • removing the joe configuration
  • adding the bill template
      strategy: deep
      merge_hash_arrays: true

        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'priority'  : 10
        'ensure'    : 'absent'
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
        'template'  : "mymodule/bill.erb"

In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins:content setting
  • inheriting/preserving the admins:priority setting
  • inheriting/preserving the joe:source and joe:priority settings
  • removing the joe configuration
  • adding the bill template
      strategy: deep
      merge_hash_arrays: true

        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'ensure'    : 'absent'
        'template'  : "mymodule/bill.erb"
Set a custom name for the sudoers file

In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name option to manually set the desired file name.

sudo::conf { "foreman-proxy":
    ensure          => "present",
    source          => "puppet:///modules/sudo/foreman-proxy",
    sudo_file_name  => "foreman-proxy",

sudo::conf / sudo::configs notes

  • One of content or source must be set.
  • Content may be an array, string will be added with return carriage after each element.
  • In order to properly pass a template() use template instead of content, as hiera would run template function otherwise.

sudo class parameters

Parameter Type Default Description
enable boolean true Set this to remove or purge all sudoers configs
package string OS specific Set package name (for unsupported platforms)
package_ensure string present latest, absent, or a specific package version
package_source string OS specific Set package source (for unsupported platforms)
purge boolean true Purge unmanaged files from config_dir
purge_ignore string undef Files excluded from purging in config_dir
config_file string OS specific Set configfile (for unsupported platforms)_
config_file_replace boolean true Replace config file with module config file
includedirsudoers boolean OS specific Add #includedir /etc/sudoers.d with augeas
config_dir string OS specific Set configdir (for unsupported platforms)_
content string OS specific Alternate content file location
ldap_enable boolean false Add support to LDAP
configs hash {} A hash of sudo::conf's

sudo::conf class / sudo::configs hash parameters

Parameter Type Default Description
ensure string present present or absent
priority number 10 file name prefix
content string undef content of configuration snippet
source string undef source of configuration snippet
template string undef template of configuration snippet
sudo_config_dir string OS Specific configuration snippet directory (for unsupported platforms)
sudo_file_name string undef custom file name for sudo file in sudoers directory