diff --git a/bundles/sudo/files/bwusers b/bundles/sudo/files/bwusers
new file mode 100644
index 0000000..36a9248
--- /dev/null
+++ b/bundles/sudo/files/bwusers
@@ -0,0 +1,5 @@
+% for user, config in sorted(node.metadata['users'].items()):
+% for p in sorted(config.get('sudo_commands', [])):
+${user} ALL=(ALL) NOPASSWD:${p}
+% endfor
+% endfor
diff --git a/bundles/sudo/files/sudoers b/bundles/sudo/files/sudoers
index c5ce343..beea3f9 100644
--- a/bundles/sudo/files/sudoers
+++ b/bundles/sudo/files/sudoers
@@ -6,8 +6,4 @@ Defaults secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bi
 root ALL=(ALL) ALL
-% for user, permissions in sorted(node.metadata['sudo'].items()):
-% for p in sorted(permissions):
-${user} ALL=(ALL) NOPASSWD:${p}
-% endfor
-% endfor
+#includedir /etc/sudoers.d
diff --git a/bundles/sudo/items.py b/bundles/sudo/items.py
index ba74753..698c935 100644
--- a/bundles/sudo/items.py
+++ b/bundles/sudo/items.py
@@ -2,8 +2,19 @@ groups = {
 'sudo': {},
 }
+directories = {
+ '/etc/sudoers.d': {
+ 'purge': True,
+ },
+}
+
 files = {
 '/etc/sudoers': {
+ 'needs': {
+ 'file:/etc/sudoers.d/bwusers',
+ },
+ },
+ '/etc/sudoers.d/bwusers': {
 'content_type': 'mako',
 },
 }
diff --git a/bundles/sudo/metadata.py b/bundles/sudo/metadata.py
deleted file mode 100644
index 4155d59..0000000
--- a/bundles/sudo/metadata.py
+++ /dev/null
@@ -1,11 +0,0 @@
-@metadata_reactor
-def sudo_users(metadata):
- sudoers = {}
-
- for username, config in metadata.get('users', {}).items():
- if 'sudo_commands' in config:
- sudoers[username] = config['sudo_commands']
-
- return {
- 'sudo': sudoers,
- }
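Review bot: The outer loop in the new `bwusers` template indexes `node.metadata['users']` directly, so rendering presumably fails with a KeyError on any node that has the sudo bundle but no `users` metadata. The reactor this commit deletes tolerated that case with `metadata.get('users', {})`. Consider `% for user, config in sorted(node.metadata.get('users', {}).items()):`. Separately, `${p}` is written verbatim after `NOPASSWD:`, so an entry that is not an absolute command path (or is `ALL`) becomes policy as-is. A short header comment stating the expected form of `sudo_commands` entries would help whoever reviews node metadata.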
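Review bot: The added `#includedir /etc/sudoers.d` line reads like a commented-out setting, but in sudoers syntax the leading `#` is part of the directive. A comment above it such as `# '#includedir' is a directive, not a comment - do not remove` would keep it from being deleted in a later cleanup. With this line every file placed in that directory is parsed as policy, so the directory's contents are now part of the privilege boundary. Also, the removed loop read `node.metadata['sudo']`; if any node or group metadata set that key directly rather than through `sudo_commands`, those rules now disappear silently, so a search of the repository before merging is worthwhile.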
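Review bot: Neither file item in this hunk sets `verify_with`, so a malformed rule rendered from metadata is installed unchecked, and a syntax error in a sudoers drop-in can leave sudo unusable on the node. Adding `'verify_with': 'visudo -cf {}',` to both `/etc/sudoers` and `/etc/sudoers.d/bwusers` rejects a bad render before it is applied. Owner and mode are also left to defaults not visible here; pinning `'mode': '0440',` with root ownership on the drop-in matches what sudo expects. `'purge': True` on `/etc/sudoers.d` will also remove drop-ins installed by packages or provisioning tools, which is a sound default for a policy directory but should be a deliberate choice.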