How to generate customized sudoers files in puppet depending on the environment they're deployed to?

Solution 1:

What version of sudo? Does your version of sudo support using #includedir option to break things out into a fragment directory /etc/sudoers.d/?

If so, then I suggest you use that functionality to build your config.

Have your main config file delivered to /etc/sudoers that includes all the settings that is common to every host you control. Then have role-specific configuration get dropped into a file within /etc/sudoers.d/.

Each class or puppet section is responsible for updating the small portion of the sudo config directly related to that class.

Solution 2:

You can have a look at virtual resources and realize: https://puppet.com/docs/puppet/latest/lang_virtual.html.

This does exactly that: on some systems you 'realize' the resource and on some you don't.

---

Solution 3:

You can do with using Puppet templates... Site-specific configuration with a small ruby snippet/variable for the user you need. (I'll post an example later)

The traditional way of handling this is by using group definitions instead of named-users in your /etc/sudoers. It may be less of a hassle to manage.