Possible ansible Template issue preventing use of /etc/sudoers.d/deploy for locking down NOPASSWD

[Bochenski]

Currently, we set /etc/sudoers.d/deploy to:

deploy ALL=(ALL)NOPASSWD:ALL

which allows the deploy user to run sudo commands without a password prompt

We want to lock this down to specific sudo commands ie:

deploy ALL=(ALL)NOPASSWD:/usr/bin/apt-get,/usr.bin/apt-key

etc.

but it appears that the moment you put a / in the template file

(roles/common/templates/deploy.sudoers)

then the visudo -cf fails to validate the file when the task runs, citing a synax error

if you remove the validation check, indeed the sudoers file is corrupted.

Manually edit the file, by deleting whatever character is at the end of the line, it then validates fine. So I suspect some dodgy unicode character is being inserted by ansible templating - i.e jinja which is causing sudoers to barf.

I will try and see if I can isolate what line endings are being used.