community.general.sudoers (8.5.0) — module

Manage sudoers files

Added in version 4.3.0 of community.general

Authors: Jon Ellis (@JonEllis) <ellis.jp@gmail.com>

Install collection

Install with ansible-galaxy collection install community.general:==8.5.0


Add to requirements.yml

  collections:
    - name: community.general
      version: 8.5.0

Description

This module allows for the manipulation of sudoers files.

Usage examples

- name: Allow the backup user to sudo /usr/local/bin/backup
  community.general.sudoers:
    name: allow-backup
    state: present
    user: backup
    commands: /usr/local/bin/backup
- name: Allow the bob user to run any commands as alice with sudo -u alice
  community.general.sudoers:
    name: bob-do-as-alice
    state: present
    user: bob
    runas: alice
    commands: ALL
- name: >-
    Allow the monitoring group to run sudo /usr/local/bin/gather-app-metrics
    without requiring a password on the host called webserver
  community.general.sudoers:
    name: monitor-app
    group: monitoring
    host: webserver
    commands: /usr/local/bin/gather-app-metrics
- name: >-
    Allow the alice user to run sudo /bin/systemctl restart my-service or
    sudo /bin/systemctl reload my-service, but a password is required
  community.general.sudoers:
    name: alice-service
    user: alice
    commands:
      - /bin/systemctl restart my-service
      - /bin/systemctl reload my-service
    nopassword: false
- name: Revoke the previous sudo grants given to the alice user
  community.general.sudoers:
    name: alice-service
    state: absent
- name: Allow alice to sudo /usr/local/bin/upload and keep env variables
  community.general.sudoers:
    name: allow-alice-upload
    user: alice
    commands: /usr/local/bin/upload
    setenv: true
- name: >-
    Allow alice to sudo /usr/bin/less but prevent less from
    running further commands itself
  community.general.sudoers:
    name: allow-alice-restricted-less
    user: alice
    commands: /usr/bin/less
    noexec: true

Inputs

host:
    default: ALL
    description:
    - Specify the host the rule is for.
    type: str
    version_added: 6.2.0
    version_added_collection: community.general

name:
    description:
    - The name of the sudoers rule.
    - This will be used for the filename for the sudoers file managed by this rule.
    required: true
    type: str

user:
    description:
    - The name of the user for the sudoers rule.
    - This option cannot be used in conjunction with O(group).
    type: str

group:
    description:
    - The name of the group for the sudoers rule.
    - This option cannot be used in conjunction with O(user).
    type: str

runas:
    description:
    - Specify the target user the command(s) will run as.
    type: str
    version_added: 4.7.0
    version_added_collection: community.general

state:
    choices:
    - present
    - absent
    default: present
    description:
    - Whether the rule should exist or not.
    type: str

noexec:
    default: false
    description:
    - Whether the command is prevented from running further commands itself (the sudoers NOEXEC tag).
    type: bool
    version_added: 8.4.0
    version_added_collection: community.general

setenv:
    default: false
    description:
    - Whether to allow keeping the caller's environment when the command is run with sudo (the sudoers SETENV tag).
    type: bool
    version_added: 6.3.0
    version_added_collection: community.general

commands:
    description:
    - The commands allowed by the sudoers rule.
    - Multiple can be added by passing a list of commands.
    - Use V(ALL) for all commands.
    elements: str
    type: list

nopassword:
    default: true
    description:
    - Whether the command can be run with sudo without entering a password (V(true) adds the NOPASSWD tag).
    type: bool

validation:
    choices:
    - absent
    - detect
    - required
    default: detect
    description:
    - If V(absent), the sudoers rule will be added without validation.
    - If V(detect) and visudo is available, then the sudoers rule will be validated by
      visudo.
    - If V(required), visudo must be available to validate the sudoers rule.
    type: str
    version_added: 5.2.0
    version_added_collection: community.general

sudoers_path:
    default: /etc/sudoers.d
    description:
    - The directory in which the sudoers config files for these rules are managed.
    type: str
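As an added example, not part of this module's documentation and not the collection's own code, the Python below shows what a rule assembled from the inputs above becomes once it is written to sudoers_path/name, how a validation-style visudo check can be run against the rendered text, and a defender's review that flags the over-broad settings the usage examples touch on (ALL, nopassword, setenv, a pager without noexec). The helper names are hypothetical and the exact whitespace the real module emits is an assumption; the tag spellings NOPASSWD, SETENV and NOEXEC and the include-directory naming rule are standard sudoers behaviour.

```python
import os
import shutil
import subprocess
import tempfile


def sudoers_rule_path(name, sudoers_path="/etc/sudoers.d"):
    """Path the rule lands in: <sudoers_path>/<name>.

    sudo skips files in an include directory whose names contain '.' or end
    in '~', so such a name would silently produce no grant at all.
    """
    if not name or "/" in name or "." in name or name.endswith("~"):
        raise ValueError("rule name %r would be ignored by sudo or escape the directory" % name)
    return os.path.join(sudoers_path, name)


def render_sudoers_rule(commands, user=None, group=None, host="ALL", runas=None,
                        nopassword=True, setenv=False, noexec=False):
    """Render one sudoers line from the module's parameters (hypothetical helper).

    Output shape: '<who> <host>=(<runas>) NOPASSWD:SETENV:NOEXEC: <cmd>, <cmd>'.
    Spacing between the runas part, the tags and the commands is an assumption
    about the module; all forms below are accepted by the sudoers grammar.
    """
    if bool(user) == bool(group):
        raise ValueError("exactly one of user or group must be given")
    if isinstance(commands, str):
        commands = [commands]
    if not commands:
        raise ValueError("at least one command is required")
    for cmd in commands:
        # sudoers needs fully qualified command paths, apart from ALL and sudoedit
        if cmd != "ALL" and not cmd.startswith("/") and not cmd.startswith("sudoedit"):
            raise ValueError("sudoers needs an absolute path, got %r" % cmd)
    who = user if user else "%" + group          # groups are prefixed with '%'
    spec = []
    if runas:
        spec.append("(%s)" % runas)               # omitted: sudo's runas_default (root)
    tags = ("NOPASSWD:" if nopassword else "") + ("SETENV:" if setenv else "") \
        + ("NOEXEC:" if noexec else "")
    if tags:
        spec.append(tags)
    spec.append(", ".join(commands))
    return "%s %s=%s\n" % (who, host, " ".join(spec))


def validate_with_visudo(content):
    """Mirror validation=detect: syntax-check with visudo -c -f if it is installed.

    Returns (True/False/None, message); None means visudo was not found.
    """
    visudo = shutil.which("visudo")
    if visudo is None:
        return None, "visudo not found; rule not validated"
    with tempfile.NamedTemporaryFile("w", suffix=".sudoers", delete=False) as fh:
        fh.write(content)
        path = fh.name
    try:
        proc = subprocess.run([visudo, "-c", "-f", path], capture_output=True, text=True)
    finally:
        os.unlink(path)
    return proc.returncode == 0, (proc.stdout + proc.stderr).strip()


def review_sudoers_rule(commands, nopassword=True, setenv=False, noexec=False,
                        runas=None, **_ignored):
    """Defender's pre-deploy review of the parameters; returns a list of concerns."""
    if isinstance(commands, str):
        commands = [commands]
    concerns = []
    if "ALL" in commands:
        concerns.append("commands: ALL grants every command as %s" % (runas or "root"))
        if nopassword:
            concerns.append("ALL combined with nopassword=true is unattended full privilege")
    if setenv:
        concerns.append("setenv=true lets the caller override env_reset for this command")
    pagers = ("less", "more", "vi", "vim", "nano")
    if not noexec and any(os.path.basename(c.split()[0]) in pagers for c in commands):
        concerns.append("pager/editor without noexec=true can run further commands itself")
    for c in commands:
        if c != "ALL" and any(ch in c for ch in "*?"):
            concerns.append("wildcard in %r matches more than the literal command" % c)
    return concerns


if __name__ == "__main__":
    # The page's own usage examples, rendered as they would appear on disk.
    examples = [
        ("allow-backup", dict(commands="/usr/local/bin/backup", user="backup")),
        ("bob-do-as-alice", dict(commands="ALL", user="bob", runas="alice")),
        ("monitor-app", dict(commands="/usr/local/bin/gather-app-metrics",
                             group="monitoring", host="webserver")),
        ("allow-alice-upload", dict(commands="/usr/local/bin/upload", user="alice", setenv=True)),
        ("allow-alice-restricted-less", dict(commands="/usr/bin/less", user="alice", noexec=True)),
    ]
    for name, params in examples:
        line = render_sudoers_rule(**params)
        print("%s: %s" % (sudoers_rule_path(name), line), end="")
        print("  visudo:", validate_with_visudo(line)[1] or "ok")
        for concern in review_sudoers_rule(**params):
            print("  concern:", concern)
```

Run as a script it prints each rule with its target path, the visudo verdict (or a note that visudo is absent, which is exactly the case validation=required is meant to turn into a failure) and any review concerns; the review is the check to run in CI before a playbook is allowed to drop a new file into /etc/sudoers.d.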