Merge pull request #2485 from codeenigma/Updating-sudoers-task-PR-2.x

matej5 · web-flow · commit ec47c79630e6 · 2025-05-07T12:15:22.000+02:00
Updating-sudoers-task
diff --git a/roles/debian/sudo_config/tasks/main.yml b/roles/debian/sudo_config/tasks/main.yml
@@ -5,11 +5,48 @@
     state: directory
     mode: "0750"
 
-- name: "Add {{ sudo_config.entity_name }} to sudoers."
+- name: Create temporary directory for sudoers validation.
+  ansible.builtin.tempfile:
+    state: directory
+    suffix: sudoers
+  register: temp_sudoers_dir
+  when: sudo_config | default([]) | length > 0
+
+- name: Create sudoers file for validation.
   ansible.builtin.template:
     src: "sudoer.j2"
-    dest: "/etc/sudoers.d/{{ sudo_config.filename }}"
+    dest: "{{ temp_sudoers_dir.path }}/{{ item.filename }}"
     owner: root
     group: root
     mode: "0440"
-  when: sudo_config.entity_name | length > 0
+  when: item.entity_name | default('') | length > 0
+  with_items: "{{ sudo_config if sudo_config is iterable and sudo_config is not mapping else [sudo_config] }}"
+  register: sudo_templates
+
+- name: Validate sudoers file on remote.
+  ansible.builtin.command: "visudo -cf {{ temp_sudoers_dir.path }}/{{ item.filename }}"
+  register: visudo_check
+  failed_when: visudo_check.rc != 0
+  changed_when: false
+  with_items: "{{ sudo_config if sudo_config is iterable and sudo_config is not mapping else [sudo_config] }}"
+  when: item.entity_name | default('') | length > 0
+  loop_control:
+    label: "{{ item.filename }}"
+  delegate_to: "{{ inventory_hostname }}"
+
+- name: Install validated sudoers file.
+  ansible.builtin.copy:
+    src: "{{ temp_sudoers_dir.path }}/{{ item.filename }}"
+    dest: "/etc/sudoers.d/{{ item.filename }}"
+    owner: root
+    group: root
+    mode: "0440"
+    remote_src: true
+  when: item.entity_name | default('') | length > 0
+  with_items: "{{ sudo_config if sudo_config is iterable and sudo_config is not mapping else [sudo_config] }}"
+
+- name: Clean up temporary files.
+  ansible.builtin.file:
+    path: "{{ temp_sudoers_dir.path }}"
+    state: absent
+  when: temp_sudoers_dir.path is defined
diff --git a/roles/debian/sudo_config/templates/sudoer.j2 b/roles/debian/sudo_config/templates/sudoer.j2
@@ -1 +1 @@
-{{ sudo_config.entity_name }} {{ sudo_config.hosts }}={{ sudo_config.operators }} {{ sudo_config.tags }} {{ sudo_config.commands }}
+{{ item.entity_name }} {{ item.hosts | default('ALL') }}={{ item.operators | default('ALL') }} {{ item.tags | default('') }} {{ item.commands | default('ALL') }}

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{{ sudo_config.entity_name }} {{ sudo_config.hosts }}={{ sudo_config.operators }} {{ sudo_config.tags }} {{ sudo_config.commands }}`
	`1`	`+{{ item.entity_name }} {{ item.hosts \| default('ALL') }}={{ item.operators \| default('ALL') }} {{ item.tags \| default('') }} {{ item.commands \| default('ALL') }}`