Merge pull request #4327 from edx/nadeem/security-updates-on-amazon-linux

Enable auto security updates for tools splunk machines

playbooks/roles/security/defaults/main.yml

@@ -34,4 +34,6 @@ security_debian_pkgs:
   - unattended-upgrades
   - gcc
 
-security_redhat_pkgs: []
+security_redhat_pkgs:
+  - yum-plugin-security
+  - yum-cron

playbooks/roles/security/tasks/main.yml

@@ -23,3 +23,7 @@
 
 - include: security-ubuntu.yml
   when: ansible_distribution == 'Ubuntu'
+
+- include: security-amazon.yml
+  when: ansible_distribution == 'Amazon'
+  

playbooks/roles/security/tasks/security-amazon.yml

+---
+#### Enable periodic security updates
+- name: Install security packages
+  yum:
+    name: "{{ item }}"
+    state: latest
+    update_cache: yes
+  with_items: "{{ security_redhat_pkgs }}"
+
+- name: Enable automatic start for update service
+  service:
+    name: yum-cron
+    enabled: yes
+    state: started
+
+- name: Update all system packages
+  yum:
+    name: '*'
+    state: latest
+  when: SAFE_UPGRADE_ON_ANSIBLE
+
+- name: Configure security auto-updates
+  lineinfile:
+    dest: /etc/yum/yum-cron.conf
+    regexp: "{{ item.regexp }}"
+    line:  "{{ item.line }}"
+  with_items:
+    - { regexp: '^update_cmd', line: 'update_cmd = security' }
+    - { regexp: '^apply_updates', line: 'apply_updates = yes' }
+
+- name: "Take security updates during ansible runs"
+  command: "{{ item }}"
+  when: SECURITY_UPGRADE_ON_ANSIBLE
+  with_items:
+    - yum check-update --security
+    - yum update --security -y

playbooks/roles/splunk-server/meta/main.yml

@@ -12,5 +12,7 @@
 dependencies:
   - role: user
     user_info: "{{ COMMON_USER_INFO }}"
+  - role: security
+    when: COMMON_SECURITY_UPDATES
   - role: mount_ebs
     volumes: "{{ SPLUNK_VOLUMES }}"