ansible: replace sudo by become 1429/head
authorDimitri Savineau <dsavinea@redhat.com>
Tue, 5 Nov 2019 15:44:44 +0000 (10:44 -0500)
committerDimitri Savineau <dsavinea@redhat.com>
Tue, 5 Nov 2019 15:47:39 +0000 (10:47 -0500)
Since Ansible 2.9, the sudo statements have been removed, so we should use
become instead.

"All previously deprecated sudo/su and module locale global settings have
been removed." [1]

[1] https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
18 files changed:
ansible/examples/init.yml
ansible/examples/sensu.yml
ansible/examples/slave_static.yml
ansible/roles/grafana/handlers/main.yml
ansible/roles/grafana/tasks/main.yml
ansible/roles/grafana/tasks/nginx.yml
ansible/roles/grafana/tasks/postgresql.yml
ansible/roles/graphite/handlers/main.yml
ansible/roles/graphite/tasks/carbon.yml
ansible/roles/graphite/tasks/main.yml
ansible/roles/graphite/tasks/postgresql.yml
ansible/roles/graphite/tasks/systemd.yml
ansible/roles/kraken/handlers/main.yml
ansible/roles/kraken/tasks/systemd.yml
ansible/roles/nginx/handlers/main.yml
ansible/roles/nginx/tasks/letsencrypt.yml
ansible/roles/nginx/tasks/main.yml
ansible/roles/nginx/tasks/ssl.yml

index 4a8455eda95dd12e15c8441576a982d4ed03c776..a886add6cf2a0579d6b03da132589a1a95cd2fd7 100644 (file)
@@ -7,7 +7,7 @@
 
 # install python2.7 on xenial nodes
 - hosts: all
-  sudo: yes
+  become: yes
   user: admin 
   gather_facts: false
   tasks:
@@ -18,7 +18,7 @@
 
 - hosts: all
   user: admin
-  sudo: true
+  become: true
   tasks:
 
     - name: uncomment SSH port
index 8d13ff2dd3f6b858b731390d07ca272088ef79c3..dc12af4049bb51f68d61b80ffdb22cf5f8f11765 100644 (file)
@@ -4,7 +4,7 @@
 #     ansible-galaxy install -r requirements/sensu-requirements.yml
 #
 - hosts: sensu-server
-  sudo: true
+  become: true
   vars_files:
     - vars/sensu-vars.yml
   roles:
@@ -38,7 +38,7 @@
           vhost: "%2Fsensu"
 
 - hosts: sensu-clients
-  sudo: true
+  become: true
   vars_files:
     - vars/sensu-vars.yml
   roles:
index 2849350455a85f86f9e730cad7e7d5e56f322e16..a070e07c153bf14f9e344575fd3ef8687cec8c3a 100644 (file)
@@ -4,7 +4,7 @@
 #
 # install python2.7 on xenial nodes
 - hosts: all
-  sudo: yes
+  become: yes
 # this will most likely need changed
   user: admin
   gather_facts: false
@@ -15,7 +15,7 @@
       failed_when: false
 
 - hosts: all
-  sudo: true
+  become: true
 # this will most likely need changed
   user: admin
   vars:
@@ -49,7 +49,7 @@
       authorized_key: user={{ jenkins_user }} key="{{ lookup('file', 'files/ssh/keys/jenkins_build.pub') }}"
 
     - name: ensure {{ jenkins_user }} can sudo without a prompt
-      sudo: yes
+      become: yes
       lineinfile:
         dest: /etc/sudoers
         regexp: '^{{ jenkins_user }} ALL'
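Review bot: The `lineinfile` edit of `/etc/sudoers` in the "can sudo without a prompt" task shows no `validate` argument in the visible lines, so a malformed line (for example from an unexpected `jenkins_user` value) would be written straight into the live sudoers file and could break sudo on the node. Adding `validate: 'visudo -cf %s'` makes the module check the candidate file before it replaces the original. The task's remaining arguments are outside the hunk, so confirm it is not already set there. Because this grants passwordless root, a drop-in under `/etc/sudoers.d/` with mode `0440` would also be easier to audit than an edit of the main file.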
@@ -84,7 +84,7 @@
 
     # smithi nodes do not have epel repos
     - name: install an yum epel repo
-      sudo: yes
+      become: yes
       template:
         src: "templates/yum-repos/epel.repo"
         dest: "/etc/yum.repos.d/epel.repo"
@@ -94,7 +94,7 @@
       when: ansible_pkg_mgr  == "yum"
 
     - name: Install RPM requirements (All distro versions)
-      sudo: yes
+      become: yes
       package:
         name: "{{ item }}"
         state: present
         - ansible_os_family == "RedHat"
 
     - name: Install RPM requirements (<=7)
-      sudo: yes
+      become: yes
       package:
         name: "{{ item }}"
         state: present
         - ansible_distribution_major_version|int <= 7
 
     - name: Install RPM requirements (>=8)
-      sudo: yes
+      become: yes
       package:
         name: "{{ item }}"
         state: present
       when: ansible_pkg_mgr  == "apt"
 
     - name: Install DEB requirements
-      sudo: yes
+      become: yes
       apt: name={{ item }} state=present
       with_items:
         - git
       when: ansible_pkg_mgr  == "apt"
 
     - name: Add the Debian Jessie Key
-      sudo: yes
+      become: yes
       when: ansible_pkg_mgr  == "apt"
       apt_key: id=2B90D010 url=https://ftp-master.debian.org/keys/archive-key-8.asc keyring=/etc/apt/trusted.gpg state=present
 
     - name: Add the Debian Security Jessie Key
-      sudo: yes
+      become: yes
       when: ansible_pkg_mgr  == "apt"
       apt_key: id=C857C906 url=https://ftp-master.debian.org/keys/archive-key-8-security.asc keyring=/etc/apt/trusted.gpg state=present
 
     - name: Add the Debian Jessie Stable Key
-      sudo: yes
+      become: yes
       when: ansible_pkg_mgr  == "apt"
       apt_key: id=518E17E1 url=http://download.ceph.com/keys/jessie-stable-release.asc keyring=/etc/apt/trusted.gpg state=present
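Review bot: The "Add the Debian Jessie Stable Key" task fetches its signing key over plain `http://` while running as root, so anyone on the network path can substitute the key that apt will then trust for package installs; the two Debian key tasks above it already use `https://`. The only check on the downloaded key is `id=518E17E1`, an 8-hex-digit short key ID, and short IDs can be matched by a colliding key. I would change the scheme to `https://` (assuming the host serves the key over TLS) and pin the full 40-character fingerprint in all three tasks, e.g. `id=<FULL_40_HEX_FINGERPRINT>`.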
 
         owner: "{{ jenkins_user }}"
 
     - name: Set Hostname with hostname command
-      sudo: yes
+      become: yes
       hostname:
         name: "{{ ansible_hostname }}"
 
     - name: ensure that the current host is in /etc/hosts. Yes this is a thing.
-      sudo: true
+      become: true
       replace:
         backup: yes
         dest: /etc/hosts
         replace: '\1 {{ ansible_hostname }}'
 
     - name: ensure that 127.0.1.1 is present with an actual hostname
-      sudo: true
+      become: true
       lineinfile:
         dest: /etc/hosts
         regexp: '^(127\.0\.1\.1(?!.*\b{{ ansible_hostname }}\b).*)$'
         line: '127.0.1.1 {{ ansible_hostname }}'
 
     - name: install six, latest one
-      sudo: true
+      become: true
       pip: name=six state=latest
 
     - name: install python-jenkins
-      sudo: true
+      become: true
       # https://review.openstack.org/460363
       pip: name=python-jenkins version=0.4.15
 
     - name: add github.com host key
-      sudo: true
+      become: true
       known_hosts:
         path: '/etc/ssh/ssh_known_hosts'
         # we need to use 'host' here because prado currently uses ansible-playbook==1.9.1
       template:
         src: "templates/systemd/jenkins.service.j2"
         dest: "/etc/systemd/system/jenkins.service"
-      sudo: true
+      become: true
       when: use_jnlp
 
     - name: start jenkins service
         name: jenkins
         state: started
         enabled: yes
-      sudo: yes
+      become: yes
       when: use_jnlp
index af49413c5ae9825a178d6067f5910c9403a58389..83a345c0404b2ff3f7c8b3271212abfe2fb7dd55 100644 (file)
@@ -1,18 +1,18 @@
 ---
 
 - name: reload systemd
-  sudo: yes
+  become: yes
   command: systemctl daemon-reload
 
 - name: restart app
-  sudo: true
+  become: true
   service:
     name: grafana-server
     state: restarted
     enabled: yes
 
 - name: restart nginx
-  sudo: true
+  become: true
   service:
     name: nginx
     state: restarted
index 3eafb8db3abdb7b11b12145ee4fab2f95bf6462e..b4e307524fc18009ac58860913b6ec80ed20ca51 100644 (file)
@@ -2,10 +2,10 @@
 - name: update apt cache
   apt:
     update_cache: yes
-  sudo: yes
+  become: yes
 
 - name: install ssl system requirements
-  sudo: yes
+  become: yes
   apt:
     name: "{{ item }}"
     state: present
@@ -14,7 +14,7 @@
     - packages
 
 - name: install system packages
-  sudo: yes
+  become: yes
   apt:
     name: "{{ item }}"
     state: present
@@ -38,7 +38,7 @@
     dest: "/etc/grafana/grafana.ini"
   notify:
     - restart app
-  sudo: true
+  become: true
 
 - include: postgresql.yml
   tags:
 - include: nginx.yml
 
 - name: ensure nginx is running
-  sudo: true
+  become: true
   service:
     name: nginx
     state: started
     enabled: yes
 
 - name: ensure grafana is restarted
-  sudo: true
+  become: true
   service:
     name: grafana-server
     state: restarted
index 0ddba990e8efbdbbfc9e787f47440da1e562f450..bc5bbd40dc5f5d7c60927dc918a632bed8d4c1f2 100644 (file)
@@ -1,10 +1,10 @@
 ---
 - name: create nginx site config
   action: template src=../templates/nginx_site.conf dest=/etc/nginx/sites-available/{{ app_name }}.conf
-  sudo: true
+  become: true
   notify:
     - restart nginx
 
 - name: link nginx config
   action: file src=/etc/nginx/sites-available/{{ app_name }}.conf dest=/etc/nginx/sites-enabled/{{ app_name }}.conf state=link
-  sudo: true
+  become: true
index 24241b3ec4b54df6c85e5372e79016fdfb562ab9..191feb0002e35d0b0a99fb5e0550b3196385dad0 100644 (file)
@@ -4,10 +4,10 @@
     name: postgresql
     state: started
     enabled: yes
-  sudo: yes
+  become: yes
 
 - name: allow users to connect locally
-  sudo: yes
+  become: yes
   lineinfile:
      # TODO: should not hardcode that version
      dest: /etc/postgresql/9.5/main/pg_hba.conf
@@ -19,7 +19,7 @@
 - service:
     name: postgresql
     state: restarted
-  sudo: true
+  become: true
   when: pg_hba_conf.changed
 
 - name: make {{ app_name }} user
     owner: "{{ app_name }}"
     state: present
     login_user: postgres
-  sudo_user: postgres
-  sudo: yes
+  become_user: postgres
+  become: yes
 
 - name: ensure database service is up
   service:
     name: postgresql
     state: started
     enabled: yes
-  sudo: yes
+  become: yes
index 251cf3a6dd4647df465f7cb00dfac9368508a191..5ad2a8107b77d1f3045817ca4f9e617ac416870c 100644 (file)
@@ -1,11 +1,11 @@
 ---
 
 - name: reload systemd
-  sudo: yes
+  become: yes
   command: systemctl daemon-reload
 
 - name: restart app
-  sudo: true
+  become: true
   service: 
     name: graphite 
     state: restarted 
@@ -16,5 +16,5 @@
     name: carbon-cache
     state: restarted
     enabled: yes
-  sudo: yes
+  become: yes
 
index 4424f94d69fa6c057bd5f1da2202625139b5e898..c152baf6c3762539a43d557e4019f1822fbb122e 100644 (file)
@@ -6,7 +6,7 @@
     regexp: "^CARBON_CACHE_ENABLED=false"
     line: "CARBON_CACHE_ENABLED=true"
     state: present
-  sudo: true
+  become: true
 
 - name: enable whitelisting in carbon
   lineinfile:
@@ -15,7 +15,7 @@
     line: "USE_WHITELIST = True"
     state: present
     backrefs: true
-  sudo: true
+  become: true
 
 - name: create the rewrite config with the secret api key
   template:
@@ -23,7 +23,7 @@
     dest: "/etc/carbon/rewrite-rules.conf"
   notify:
     - restart carbon
-  sudo: true
+  become: true
 
 - name: create the whitelist/blacklist config allowing the api key only
   template:
@@ -31,7 +31,7 @@
     dest: "/etc/carbon/whitelist.conf"
   notify:
     - restart carbon
-  sudo: true
+  become: true
 
 - name: define the storage schemas
   template:
     dest: "/etc/carbon/storage-schemas.conf"
   notify:
     - restart carbon
-  sudo: true
+  become: true
 
 - name: ensure database service is up
   service:
     name: carbon-cache
     state: restarted
     enabled: yes
-  sudo: yes
+  become: yes
index cc1603a4fbfcceb9ca7649c5a39e98b8a5e036f3..f6f616f46c7b0296f55e846944da1c11c6b7ca34 100644 (file)
@@ -1,7 +1,7 @@
 ---
 
 - name: "Build hosts file"
-  sudo: yes
+  become: yes
   lineinfile:
     dest: /etc/hosts
     regexp: ".*{{ fqdn }}$"
@@ -9,16 +9,16 @@
     state: present
 
 - name: Set Hostname with hostname command
-  sudo: yes
+  become: yes
   hostname: name="{{ fqdn }}"
 
 - name: update apt cache
   apt:
     update_cache: yes
-  sudo: yes
+  become: yes
 
 - name: install ssl system requirements
-  sudo: yes
+  become: yes
   apt:
     name: "{{ item }}"
     state: present
@@ -27,7 +27,7 @@
     - packages
 
 - name: install system packages
-  sudo: yes
+  become: yes
   apt:
     name: "{{ item }}"
     state: present
@@ -38,7 +38,7 @@
 - command: cp /usr/share/graphite-web/graphite.wsgi /usr/lib/python2.7/dist-packages/graphite/graphite_web.py
   args:
     creates: "/usr/lib/python2.7/dist-packages/graphite/graphite_web.py"
-  sudo: true
+  become: true
 
 - include: carbon.yml
 
@@ -51,7 +51,7 @@
     - postgresql
 
 - name: ensure graphite is running
-  sudo: true
+  become: true
   service:
     name: graphite
     state: restarted
index 478d477e4d41815bae7da17b63bd4300616a88f5..ca49b916a0b6197baf7882f50f426322e1a6ac64 100644 (file)
@@ -4,10 +4,10 @@
     name: postgresql
     state: started
     enabled: yes
-  sudo: yes
+  become: yes
 
 - name: allow users to connect locally
-  sudo: yes
+  become: yes
   lineinfile:
      # TODO: should not hardcode that version
      dest: /etc/postgresql/9.5/main/pg_hba.conf
@@ -19,7 +19,7 @@
 - service:
     name: postgresql
     state: restarted
-  sudo: true
+  become: true
   when: pg_hba_conf.changed
 
 - name: generate pseudo-random password for the database connection
     owner: "{{ app_name }}"
     state: present
     login_user: postgres
-  sudo_user: postgres
-  sudo: yes
+  become_user: postgres
+  become: yes
 
 - name: ensure database service is up
   service:
     name: postgresql
     state: started
     enabled: yes
-  sudo: yes
+  become: yes
 
 - name: create the config file with the db password
   template:
     dest: "/etc/graphite/local_settings.py"
   notify:
     - restart app
-  sudo: true
+  become: true
 
   # there is a bug where if you don't migrate auth first only it will fail
   # with "ProgrammingError: relation "auth_user" does not exist"
 - name: run migrate for auth first
   command: graphite-manage migrate --noinput auth
-  sudo: true
+  become: true
 
 - name: run migrate to ensure database schema
   command: graphite-manage migrate --noinput
-  sudo: true
+  become: true
index c702e71d129d0b8d225833ed072bf880734ef6d8..4a1eb6612d74cfceda5a340b97a1a5e838c840af 100644 (file)
@@ -1,7 +1,7 @@
 ---
 
 - name: ensure /var/log/graphite dir exists
-  sudo: true
+  become: true
   file: 
     path: /var/log/graphite 
     state: directory 
   template: 
     src: systemd/graphite.service.j2 
     dest: /etc/systemd/system/graphite.service
-  sudo: true
+  become: true
   notify:
      - reload systemd
 
 - name: ensure graphite is enabled and running
-  sudo: true
+  become: true
   service: 
     name: graphite 
     state: running 
index 47e28e857a01f0d590579bd41ee11ee2fd7ca830..f86ee4c4e5614bddfa4209bddcdc6127c2dcf3ac 100644 (file)
@@ -7,5 +7,5 @@
 
 # prevents issues when updating systemd files
 - name: reload systemd
-  sudo: yes
+  become: yes
   command: systemctl daemon-reload
index 83bb0525cf4d09a1915dbab631c574f333bd7afa..4a81c1aa59e5fefd638db67b843eba34026e3aca 100644 (file)
@@ -2,21 +2,21 @@
 
 
 - name: ensure /etc/sysconfig/ dir exists
-  sudo: true
+  become: true
   file:
     path: /etc/sysconfig
     state: directory
 
 # prevents issues when updating systemd files
 - name: reload systemd
-  sudo: yes
+  become: yes
   command: systemctl daemon-reload
 
 - name: install the systemd configuration file for celery
   template:
     src: helga.sysconfig.j2
     dest: /etc/sysconfig/helga
-  sudo: true
+  become: true
   notify:
      - reload systemd
 
   template:
     src: helga.service.j2
     dest: /etc/systemd/system/helga.service
-  sudo: true
+  become: true
   notify:
      - reload systemd
 
 - name: ensure helga is enabled and running
-  sudo: true
+  become: true
   service:
     name: helga
     state: running 
index 8bddf01d6df1dd31153fa510ce54878bc2e403d9..ffa98275a7768e2c47f02ac1d593a987991ac0d5 100644 (file)
@@ -1,5 +1,5 @@
 ---
 
 - name: restart nginx
-  sudo: yes
+  become: yes
   action: service name=nginx state=restarted enabled=yes
index e610f41ca983452a2ff260cc827f68000c714134..22903f01c6bc6eb412352aa275a7dce674e02b6a 100644 (file)
@@ -1,7 +1,7 @@
 ---
 
 - name: install system packages
-  sudo: yes
+  become: yes
   apt:
     name: "letsencrypt"
     state: present
     path: "{{ ssl_webroot_base_path }}/{{ item.fqdn }}"
     state: "directory"
     mode: 0755
-  sudo: yes
+  become: yes
   with_items: nginx_hosts
 
 - name: unlink nginx configs
   file:
     path: "/etc/nginx/sites-enabled/{{ item.app_name }}.conf"
     state: "absent"
-  sudo: true
+  become: true
   with_items: nginx_hosts
 
 - name: create temporary nginx config
   template:
     src: "nginx_tmp_site.conf"
     dest: "/etc/nginx/sites-enabled/{{ item.app_name }}.conf"
-  sudo: true
+  become: true
   with_items: nginx_hosts
 
 - name: restart nginx
-  sudo: yes
+  become: yes
   service:
     name: nginx
     state: restarted
 
 - name: create (or renew) letsencrypt ssl cert
   command: "letsencrypt certonly --webroot -w {{ ssl_webroot_base_path }}/{{ item.fqdn }} -d {{ item.fqdn }} --email {{ ssl_support_email }} --agree-tos --renew-by-default"
-  sudo: yes
+  become: yes
   with_items: nginx_hosts
 
 - name: setup a cron to renew the SSL cert every day
     minute: "21"
     hour: "6,18"
     job: "letsencrypt renew --agree-tos  --email {{ ssl_support_email }}"
-  sudo: yes
+  become: yes
   with_items: nginx_hosts
 
 - name: unlink tmp nginx config
   file:
     path: "/etc/nginx/sites-enabled/{{ item.app_name }}.conf"
     state: "absent"
-  sudo: true
+  become: true
   with_items: nginx_hosts
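Review bot: `with_items: nginx_hosts` passes a bare variable name, and as far as I recall Ansible stopped resolving that form in 2.2 and treats it as a plain string, so on the 2.9 target this commit is written for the loop would run once over the literal `nginx_hosts` and `item.fqdn` / `item.app_name` would be undefined. Use `with_items: "{{ nginx_hosts }}"` on every looped task in this file. The same pattern appears in the nginx `main.yml` and `ssl.yml` sections that follow. These tasks rewrite nginx site configs and invoke `letsencrypt` as root, so it is worth confirming the loop with a `--check` run before relying on it.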
index 3eb5e85a10830a7c77e11167732f9930beac89e8..422991729fd72cc77c1e38ea01c204ad81a8ff3e 100644 (file)
@@ -3,34 +3,34 @@
   file:
     path: /etc/nginx/sites-available
     state: directory
-  sudo: true
+  become: true
 
 - name: ensure there is an nginx user
   user:
     name: nginx
     comment: "Nginx user"
-  sudo: true
+  become: true
 
 - name: ensure sites-enable for nginx
   file:
     path: /etc/nginx/sites-enabled
     state: directory
-  sudo: true
+  become: true
 
 - name: remove default nginx site
   file:
     path: /etc/nginx/sites-enabled/default
     state: absent
-  sudo: true
+  become: true
 
 - name: write nginx.conf
   template:
     src: nginx.conf
     dest: /etc/nginx/nginx.conf
-  sudo: true
+  become: true
 
 - name: enable nginx
-  sudo: true
+  become: true
   service:
     name: nginx
     enabled: true
@@ -39,7 +39,7 @@
   template:
     src: "nginx_site.conf"
     dest: "/etc/nginx/sites-available/{{ item.app_name }}.conf"
-  sudo: true
+  become: true
   with_items: nginx_hosts
   notify:
     - restart nginx
     src: "/etc/nginx/sites-available/{{ item.app_name }}.conf"
     dest: "/etc/nginx/sites-enabled/{{ item.app_name }}.conf"
     state: link
-  sudo: true
+  become: true
   with_items: nginx_hosts
 
 - name: ensure nginx is restarted
-  sudo: true
+  become: true
   service:
     name: nginx
     state: restarted
index 990badc2357e95ab5619e2644bc89471abfd87ab..554e103152bd902350c0ccfab139a1c4f22f3aba 100644 (file)
@@ -4,13 +4,13 @@
   file:
     dest: /etc/ssl/certs
     state: directory
-  sudo: true
+  become: true
 
 - name: ensure ssl private directory
   file:
     dest: /etc/ssl/private
     state: directory
-  sudo: true
+  become: true
 
 - name: copy SSL cert
   copy:
@@ -18,7 +18,7 @@
     dest: "/etc/ssl/certs/{{ item.fqdn }}-bundled.crt"
     mode: 0777
     force: no
-  sudo: true
+  become: true
   notify: restart nginx
   when: nginx_hosts is defined
   with_items: nginx_hosts
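Review bot: `mode: 0777` on `/etc/ssl/certs/{{ item.fqdn }}-bundled.crt` leaves the certificate bundle world-writable, so any local account on the host can replace the chain that nginx serves. A certificate only needs to be readable; `mode: "0644"` is enough, and quoting it keeps the YAML parser from retyping the value. The task's header and `src` are outside the hunk.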
@@ -28,7 +28,7 @@
     src: "{{ ssl_key_path }}"
     dest: "/etc/ssl/private/{{ item.fqdn }}.key"
     force: no
-  sudo: true
+  become: true
   notify: restart nginx
   when: nginx_hosts is defined
   with_items: nginx_hosts
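Review bot: The copy to `/etc/ssl/private/{{ item.fqdn }}.key` sets no `mode` or `owner` in the visible arguments, so a newly created key file gets the remote umask default, which is typically world-readable. The "ensure ssl private directory" task in the first hunk of this file does not set a mode either, so the directory may not protect it. Add `mode: "0600"` and `owner: root` here, and `mode: "0700"` on the `/etc/ssl/private` directory task. The task header is outside the hunk, so confirm these are not already set there.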