From 86b6edb4211f4b562c77d8eb7d4797fdab2543a9 Mon Sep 17 00:00:00 2001
From: Albin Vass
Date: Tue, 10 Nov 2020 20:04:08 +0100
Subject: [PATCH] revoke-sudo: delete cloud-config sudoers file
Change-Id: Icc3d1b4122d5328dd900d8ce581755f53030ed21
---
 roles/revoke-sudo/tasks/main.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/roles/revoke-sudo/tasks/main.yaml b/roles/revoke-sudo/tasks/main.yaml
index bb4af9126..6ad1efb0a 100644
--- a/roles/revoke-sudo/tasks/main.yaml
+++ b/roles/revoke-sudo/tasks/main.yaml
@@ -3,11 +3,13 @@
 failed_when: false
 register: zuul_is_sudoer
+# We do this in one command and not in a loop
+# to make sure we don't revoke sudo in the first file
+# and then error because we lost sudo access when we
+# try to delete the next file.
 - name: Remove sudo access for zuul user.
 become: yes
- file:
- path: /etc/sudoers.d/zuul
- state: absent
+ command: rm -rf /etc/sudoers.d/zuul /etc/sudoers.d/90-cloud-init-users # noqa 302
 when: zuul_is_sudoer.rc == 0
 - name: Prove that general sudo access is actually revoked.
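Review bot: The new `command: rm -rf ...` line revokes sudo by deleting two hard-coded drop-in files, so a grant that lives anywhere else (another file under /etc/sudoers.d, /etc/sudoers itself, or group membership) stays in place. Only the following "Prove that general sudo access is actually revoked" task would catch that, and its body is outside this hunk, so it is worth confirming that it fails the play rather than just reporting. Both paths are regular files, so `-r` adds nothing except a recursive delete if one of them is ever a directory; `command: rm -f /etc/sudoers.d/zuul /etc/sudoers.d/90-cloud-init-users  # noqa 302` is sufficient. Deleting 90-cloud-init-users also drops every other entry in that file, presumably for all accounts cloud-init configured and not only zuul, and the comment above the task should say so.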