diff --git a/roles/revoke-sudo/tasks/main.yaml b/roles/revoke-sudo/tasks/main.yaml
index bb4af9126..6ad1efb0a 100644
--- a/roles/revoke-sudo/tasks/main.yaml
+++ b/roles/revoke-sudo/tasks/main.yaml
@@ -3,11 +3,13 @@
   failed_when: false
   register: zuul_is_sudoer
 
+# We do this in one command and not in a loop
+# to make sure we don't revoke sudo in the first file
+# and then error because we lost sudo access when we
+# try to delete the next file.
 - name: Remove sudo access for zuul user.
   become: yes
-  file:
-    path: /etc/sudoers.d/zuul
-    state: absent
+  command: rm -rf /etc/sudoers.d/zuul /etc/sudoers.d/90-cloud-init-users # noqa 302
   when: zuul_is_sudoer.rc == 0
 
 - name: Prove that general sudo access is actually revoked.
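Review bot: The added `command` line runs `rm -rf` as root on two fixed sudoers drop-in paths, and `-r` is not needed to delete regular files. `command: rm -f /etc/sudoers.d/zuul /etc/sudoers.d/90-cloud-init-users # noqa 302` still tolerates a missing second file, without recursing should either path ever be a directory. Revocation here works by enumerating known files, so a grant from another drop-in, from `/etc/sudoers` itself or from group membership would survive this task. The following "Prove that general sudo access is actually revoked" task looks like the backstop for that, but its body is outside the hunk, so confirm it fails the play rather than only registering a result.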