https://gerrit.wikimedia.org/r/c/operations/puppet/+/621343 proposes a change to the wmcs-admin group (the WMCS engineering manager's special access for managing wiki replica host scripts, granted because they are part of our clinic duty rotation). The same people are also members of the wmcs-roots group, but that group grants full root on all other cloud* hosts, whereas wmcs-admin grants only restricted sudo on the wiki-replica hosts.
Right now, that group's privileges are a fixed list of scripts that may be run as root on the wiki replica servers. The change adds secure-cookbook wmcs.* to that list on the cumin server the cookbooks are run from. This would unblock parts of the wiki replicas redesign: we are moving from 4 to 8 servers and to a multi-instance layout, which will require more complex manual interactions that do not scale well without cumin, spicerack, or a similar framework.