terraform-google-modules / terraform-google-startup-scripts

Provides a library of useful startup scripts to embed in VMs
https://registry.terraform.io/modules/terraform-google-modules/startup-scripts/google
Apache License 2.0
73 stars 36 forks

(WIP) Add stdlib::setup_sudoers #19

Closed jeffmccune closed 5 years ago

jeffmccune commented 5 years ago

Read the metadata key sudoers and configure each CSV-listed username in /etc/sudoers with full root access.

emalloy commented 5 years ago

This is awesome! Wondering if you ever foresee a use case when someone needs to add users to sudoers at the instance or instance group level vs. project only? I ask this question when going about devising a test strategy. I was looking in project-factory and have yet to see where we are declaring the google_compute_project_metadata resource. I'm happy to add this, but wanted to check in with you before I go to left field.

If you think this is a relevant additional use case, what do you think about the stdlib::setup_sudoers function taking an argument to target either the project or instance metadata?

jeffmccune commented 5 years ago

Good idea to handle the use case of instance metadata. I recommend doing that as a follow on ticket instead of expanding the scope of this effort, which is focused on getting the behavior in place as-is.

For the test strategy, I'd declare the google_compute_project_metadata resource inside of examples/sudoers_example/main.tf, call a sudo command from startup-script-custom that produces some output, then check for the output using the get-serial-output technique in #15 . YMMV though, this is just thinking off the top of my head.

emalloy commented 5 years ago

Thanks!

On Feb 21, 2019, at 11:22, Jeff McCune notifications@github.com wrote:

Good idea to handle the use case of instance metadata. I recommend doing that as a follow on ticket instead of expanding the scope of this effort, which is focused on getting the behavior in place as-is.

For the test strategy, I'd declare the google_compute_project_metadata resource inside of examples/sudoers_example/main.tf, call a sudo command from startup-script-custom that produces some output, then check for the output using the get-serial-output technique in #15 . YMMV though, this is just thinking off the top of my head.

jeffmccune commented 5 years ago

I’d also approve a test that simply cats the sudoers file and checks for the expected line. This could be a lot easier than dealing with sudo gymnastics and user creation.
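The issue description (read a comma-separated sudoers metadata key and grant each name root) and the test suggestion just above (cat the sudoers file and look for the expected line) can both be shown in one shell fragment. The block below is an added example written for this page; it is not code from terraform-google-startup-scripts and does not claim to match whatever #21 eventually merged. Function names (stdlib_get_metadata, stdlib_setup_sudoers, stdlib_sudoers_has_user), the drop-in path /etc/sudoers.d/90-startup-script, and the choice of NOPASSWD for "full root access" are assumptions; the metadata server URL, the Metadata-Flavor header and the project/instance attribute paths are GCE's documented ones. The security points a practitioner would want are (1) each username is validated against a strict pattern before it is written, so metadata that an attacker with compute.projects.setCommonInstanceMetadata can edit cannot smuggle extra sudoers directives, (2) the file is installed as a 0440 drop-in under /etc/sudoers.d rather than by editing /etc/sudoers in place, and (3) visudo -c must accept the fragment or it is discarded, since a syntax error in sudoers can lock every operator out of sudo.

```shell
#!/bin/sh
# Added example for the sudoers startup-script idea; not the project's own code.
# Names prefixed stdlib_ are hypothetical stand-ins for a stdlib::setup_sudoers.
set -eu

METADATA_URL="http://metadata.google.internal/computeMetadata/v1"

# Fetch attribute $2 from the "project" or "instance" metadata scope ($1).
# Prints nothing (and succeeds) when the key is unset, so callers can treat
# an empty result as "no sudoers to configure". Not exercised offline.
stdlib_get_metadata() {
  curl -sf -H 'Metadata-Flavor: Google' \
    "${METADATA_URL}/$1/attributes/$2" || true
}

# Accept only a conservative portable login name. Anything else (spaces, '=',
# '(', ':', ';', newlines, upper case) is rejected so a metadata value such as
# "ALL=(ALL) NOPASSWD: ALL" can never land in the file as a directive.
stdlib_valid_username() {
  printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Turn the comma-separated metadata value into sudoers lines, one per valid
# name. Invalid entries are reported on stderr and skipped rather than
# aborting the whole boot script. (NOPASSWD is an assumption: users created
# at boot usually have no password, matching the GCE google-sudoers group.)
stdlib_render_sudoers() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r name; do
    name=$(printf '%s' "$name" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    [ -z "$name" ] && continue
    if stdlib_valid_username "$name"; then
      printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$name"
    else
      echo "stdlib_setup_sudoers: skipping invalid username '${name}'" >&2
    fi
  done
}

# Install the rendered fragment as a sudoers.d drop-in. The temp file carries
# a '.' in its name, which sudo ignores, so a half-written file is never
# parsed; it is validated with visudo -c before being moved into place.
stdlib_setup_sudoers() {
  csv=$1
  target=${2:-/etc/sudoers.d/90-startup-script}
  tmp=$(mktemp "${target}.XXXXXX")
  stdlib_render_sudoers "$csv" > "$tmp"
  chmod 0440 "$tmp"
  if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null; then
    rm -f "$tmp"
    echo "stdlib_setup_sudoers: visudo rejected the fragment, not installing" >&2
    return 1
  fi
  mv -f "$tmp" "$target"
}

# The check from the thread: cat the file and look for the exact expected line.
# Returns 0 when user $1 is granted by file $2.
stdlib_sudoers_has_user() {
  grep -qxF "$1 ALL=(ALL) NOPASSWD: ALL" "$2"
}

# Typical boot-time use (hypothetical; the example test below uses a temp file):
#   stdlib_setup_sudoers "$(stdlib_get_metadata project sudoers)"
```

Passing "instance" instead of "project" as the first argument to stdlib_get_metadata covers the per-instance case raised earlier in the thread without a second code path. For a serial-console test in the style of #15, the startup script would call stdlib_sudoers_has_user and echo a marker line on success; grepping the file directly, as suggested above, avoids having to create the users at all.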

aaron-lane commented 5 years ago

Closed in favour of #21.