
Add 'become' Support to `Command` resources for Privilege Escalation Without Passwordless Sudo

Open froazin opened this issue 11 months ago • 3 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Currently, when using Pulumi's remote.Command and local.Command resources to execute commands that require elevated privileges (e.g., apt-get update), the user must be configured to allow passwordless privilege escalation. This setup can pose security concerns and adds complexity to the deployment process.

Affected area/feature

pulumi_command.remote.Command

Proposed Solution

Introduce a become parameter to the remote.Command resource, similar to Ansible's become directive. This parameter would enable users to specify privilege escalation within the Pulumi configuration, eliminating the need for passwordless sudo configuration on the remote host.

Example Usage (Python 🐍)

"""
Execute a remote command with privilege escalation built in.
"""

import pulumi_command as command

remote_command = command.remote.Command(
    "updatePackages",
    create="apt-get update",
    connection=command.remote.ConnectionArgs(
        host="hostname.local",
        user="your_user_name",
        password="your_password",
    ),
    become=True,
    becomeUser="root",
    becomeMethod="sudo",
    becomePassword="your_sudo_password",
)

froazin, Nov 21 '24 18:11
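
A sketch of how the proposed `become*` inputs could map onto a `sudo` invocation, added here as an example; it is not code from the issue or from the Pulumi provider. `build_become` and its parameter names are hypothetical, only the `sudo` method is covered, and the password in the usage is a constructed value.

```python
import shlex

SUPPORTED_METHODS = {"sudo"}  # hypothetical: the only method sketched here


def build_become(command, become_user="root", become_method="sudo",
                 become_password=None):
    """Wrap `command` so it runs as `become_user`.

    Returns (wrapped_command, stdin_text); stdin_text is None when no
    password is supplied.
    """
    if become_method not in SUPPORTED_METHODS:
        raise ValueError(f"unsupported become method: {become_method!r}")
    # A user name starting with '-' would be parsed by sudo as an option.
    if not become_user or become_user.startswith("-"):
        raise ValueError(f"invalid become user: {become_user!r}")

    argv = ["sudo"]
    if become_password is None:
        # -n: fail immediately instead of prompting when a password is needed.
        argv.append("-n")
        stdin_text = None
    else:
        if "\n" in become_password:
            raise ValueError("password must be a single line")
        # -k: ignore cached credentials, so that when the sudoers policy
        #     requires a password sudo reads the line supplied on stdin.
        # -S: read the password from stdin; -p '': print no prompt text.
        argv += ["-k", "-S", "-p", ""]
        stdin_text = become_password + "\n"

    # Everything after "--" is the command; shlex.join quotes each argument so
    # shell metacharacters in `command` reach `sh -c` as one literal string.
    argv += ["-u", become_user, "--", "sh", "-c", command]
    return shlex.join(argv), stdin_text


if __name__ == "__main__":
    wrapped, stdin_text = build_become(
        "apt-get update", become_password="constructed-example-password")
    print(wrapped)  # the password is never part of the command line
```

The wrapped string and the stdin text are kept separate so the password stays out of the remote process's argument list. If the sudoers policy does not require a password for the user, `sudo` leaves the stdin line unread and the wrapped command receives it instead.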