I'm using the saz/sudoers as well and it removes, say ERPM10-20, when I remove the user from the host, exactly as expected.
What doesn't happen is the user ERPM10-20 isn't removed from the server. Let me try to see if I can put it another way to make it clearer.

Say I have ERPM01-01, ERPM01-22 and ERPM02-09 defined. Here is a scenario.

Server Mapping:
  ERPM01-01: servera, serverb, serverc
  ERPM01-22: servera, serverc
  ERPM02-09: serverb, serverc

ERPM User mapping to ERPM accounts based on AD credentials to access ERPM:
  ERPM01-01: Foo
  ERPM01-22: Bar
  ERPM02-09: Baz

So to get access to servera, serverb or serverc, Foo logs into ERPM with AD credentials. ERPM's hosting server then handles providing the username (ERPM01-01) to the host and the password. Foo never knows the password so they can't ever access the account outside of ERPM.

Now Baz was supporting a DB on serverc, but is moved to another team. We get a request to remove ERPM02-09 from serverc. In Foreman we go to the host, pull that class off serverc. Since Baz is still on serverb, we can't set ensure => absent on the Puppet user block in class ERPM02-09 as that will lock him out of serverb. When Puppet runs on serverc the sudoers module removes the sudoers.d/erpm02-09.conf file. Unfortunately the user ERPM02-09 is still on the host.

What I wanted to code up would be to iterate through the ERPMXX-YY classes to see if any of the classes are absent. If so, it then calls a user block to do ensure => absent for ERPM02-09 on serverc and servera while serverb will still have the user and sudoers definitions.

What I don't know how to do is to find where I can access the Puppet state for classes which are absent.

I hope this is a better explanation of what I'm trying to do here.
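An audit for the condition described in this message (sudoers.d file removed, local user still present), as an added example that is not part of the original post. The account-name pattern, the function names and the sample data are assumptions constructed for illustration; the sample models serverc after the ERPM02-09 class is pulled.

```python
import re

# Assumption: ERPM accounts are named like ERPM01-01, as in the post.
ERPM_ACCOUNT = re.compile(r"^ERPM\d{2}-\d{2}$")

def erpm_accounts(passwd_text):
    """Return ERPM account names found in passwd(5)-format text."""
    names = set()
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        # passwd entries have exactly 7 fields; skip comments and malformed lines
        if len(fields) == 7 and ERPM_ACCOUNT.match(fields[0]):
            names.add(fields[0])
    return names

def sudoers_accounts(filenames):
    """Map sudoers.d names such as erpm02-09.conf back to account names."""
    names = set()
    for filename in filenames:
        stem, _, ext = filename.rpartition(".")
        if ext == "conf" and ERPM_ACCOUNT.match(stem.upper()):
            names.add(stem.upper())
    return names

def audit_host(passwd_text, sudoers_files, assigned):
    """Compare what is on the host with the accounts still assigned to it."""
    local = erpm_accounts(passwd_text)
    sudo = sudoers_accounts(sudoers_files)
    return {
        "orphaned_users": sorted(local - assigned),    # user left behind
        "orphaned_sudoers": sorted(sudo - assigned),   # sudo rule left behind
        "missing_users": sorted(assigned - local),     # assigned but not created
    }

# Constructed sample: serverc after ERPM02-09 was unassigned and Puppet ran.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ERPM01-01:x:1501:1501::/home/ERPM01-01:/bin/bash
ERPM01-22:x:1502:1502::/home/ERPM01-22:/bin/bash
ERPM02-09:x:1503:1503::/home/ERPM02-09:/bin/bash
"""
SAMPLE_SUDOERS = ["erpm01-01.conf", "erpm01-22.conf"]
ASSIGNED = {"ERPM01-01", "ERPM01-22"}

if __name__ == "__main__":
    print(audit_host(SAMPLE_PASSWD, SAMPLE_SUDOERS, ASSIGNED))
```

On a real host the inputs would come from `/etc/passwd`, a listing of `/etc/sudoers.d`, and the host's current class assignment.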
