Enable auto security updates for amazon linux

a738fec8 · nadeemshahzad · f626f23a · a738fec8 · a738fec8 · a738fec8
Commit a738fec8 authored Feb 13, 2018 by nadeemshahzad
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 1 deletions

playbooks/roles/security/defaults/main.yml
+3 -1

playbooks/roles/security/tasks/main.yml
+4 -0

playbooks/roles/security/tasks/security-amazon.yml
+36 -0

No files found.
--- a/playbooks/roles/security/defaults/main.yml
+++ b/playbooks/roles/security/defaults/main.yml
@@ -34,4 +34,6 @@ security_debian_pkgs:
  - unattended-upgrades
  - gcc

-security_redhat_pkgs: []
+security_redhat_pkgs:
+  - yum-plugin-security
+  - yum-cron
--- a/playbooks/roles/security/tasks/main.yml
+++ b/playbooks/roles/security/tasks/main.yml
@@ -23,3 +23,7 @@

 - include: security-ubuntu.yml
  when: ansible_distribution == 'Ubuntu'
+
+- include: security-amazon.yml
+  when: ansible_distribution == 'Amazon'
+  
--- a/playbooks/roles/security/tasks/security-amazon.yml
+++ b/playbooks/roles/security/tasks/security-amazon.yml
+---
+#### Enable periodic security updates
+- name: Install security packages
+  yum:
+    name: "{{ item }}"
+    state: latest
+    update_cache: yes
+  with_items: "{{ security_redhat_pkgs }}"
+
+- name: Enable automatic start for update service
+  service:
+    name: yum-cron
+    enabled: yes
+    state: started
+
+- name: Update all system packages
+  yum:
+    name: '*'
+    state: latest
+  when: SAFE_UPGRADE_ON_ANSIBLE
+
+- name: Configure security auto-updates
+  lineinfile:
+    dest: /etc/yum/yum-cron.conf
+    regexp: "{{ item.regexp }}"
+    line:  "{{ item.line }}"
+  with_items:
+    - { regexp: '^update_cmd', line: 'update_cmd = security' }
+    - { regexp: '^apply_updates', line: 'apply_updates = yes' }
+
+- name: "Take security updates during ansible runs"
+  command: "{{ item }}"
+  when: SECURITY_UPGRADE_ON_ANSIBLE
+  with_items:
+    - yum check-update --security
+    - yum update --security -y