Added sudoers.included formula to manage included sudoers files

README.rst

@@ -1,7 +1,7 @@
 sudoers
 =======
 
-Set up the sudoers file
+Set up sudo and the sudoers included files.
 
 .. note::
 
@@ -13,3 +13,6 @@ Available states
 
 ``sudoers``
     Set up the sudoers file
+
+``sudoers.included``
+    Set up an additional sudoers included file

pillar.example

@@ -26,3 +26,9 @@ sudoers:
         - /usr/bin/pkill
         - /usr/bin/top
   includedir: /etc/sudoers.d
+  included_files:
+    /etc/sudoers.d/extra-file:
+      users:
+        foo: 'ALL=(ALL) ALL'
+      groups:
+        bargroup: 'ALL=(ALL) NOPASSWD: ALL'

sudoers/files/sudoers

@@ -1,4 +1,9 @@
-{% set sudoers = pillar.get('sudoers', {}) %}
+{%- if (not included) %}
+  {%- set sudoers = pillar.get('sudoers', {}) %}
+  {%- set includedir = sudoers.get('includedir', '/etc/sudoers.d') -%}
+{%- else %}
+  {%- set includedir = sudoers.get('includedir', None) %}
+{%- endif %}
 {%- set defaults = sudoers.get('defaults', []) %}
 {%- set aliases = sudoers.get('aliases', {}) %}
 {%- set host_aliases = aliases.get('hosts', {}) %}
@@ -6,8 +11,7 @@
 {%- set command_aliases = aliases.get('commands', {}) %}
 {%- set runas_aliases = aliases.get('runas', {}) %}
 {%- set users = sudoers.get('users', {}) %}
-{%- set groups = sudoers.get('groups', {}) %}
-{%- set includedir = sudoers.get('includedir', None) -%}
+{%- set groups = sudoers.get('groups', {}) -%}
 #
 # This file is managed by salt
 #
@@ -47,6 +51,4 @@ Runas_Alias {{ name }} = {{ ",".join(runas) }}
 
 {% if includedir %}
 #includedir {{ includedir }}
-{% else %}
-#includedir /etc/sudoers.d
 {% endif %}

sudoers/included.sls

@@ -0,0 +1,19 @@
+include:
+  - sudoers
+
+{% set sudoers = pillar.get('sudoers', {}) %}
+{% set included_files = sudoers.get('included_files', []) %}
+{% for included_file,spec in included_files.items() -%}
+{{ included_file }}:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 440
+    - template: jinja
+    - source: salt://sudoers/files/sudoers
+    - context:
+        included: True
+        sudoers: {{ spec }}
+    - require:
+      - file: /etc/sudoers
+{% endfor %}

sudoers/init.sls

@@ -11,5 +11,7 @@ sudo:
     - mode: 440
     - template: jinja
     - source: salt://sudoers/files/sudoers
+    - context:
+        included: False
     - require:
       - pkg: sudo