Merge pull request #3155 from edx/arbab/security-rewrite

rewrite ansible tasks using YAML syntax

playbooks/roles/security/tasks/main.yml

@@ -22,5 +22,4 @@
 #
 
 - include: security-ubuntu.yml
-  when:
-    - ansible_distribution == 'Ubuntu'
+  when: ansible_distribution == 'Ubuntu'

playbooks/roles/security/tasks/security-ubuntu.yml

+---
 #### Enable periodic security updates
+- name: Install security packages
+  apt:
+    name: "{{ item }}"
+    state: latest
+    update_cache: yes
+  with_items: "{{ security_debian_pkgs }}"
 
-- name: install security packages
-  apt: name={{ item }} state=latest update_cache=yes
-  with_items: security_debian_pkgs 
 
-
-- name: update all system packages
-  apt: upgrade=safe
+- name: Update all system packages
+  apt:
+    upgrade: safe
   when: SECURITY_UPGRADE_ON_ANSIBLE
 
-- name: configure periodic unattended-upgrades
-  template: >
-    src=etc/apt/apt.conf.d/10periodic
-    dest=/etc/apt/apt.conf.d/10periodic
-    owner=root group=root mode=0644
+- name: Configure periodic unattended-upgrades
+  template:
+    src: "etc/apt/apt.conf.d/10periodic"
+    dest: "/etc/apt/apt.conf.d/10periodic"
+    owner: root
+    group: root
+    mode: "0644"
   when: SECURITY_UNATTENDED_UPGRADES
 
-- name: disable unattended-upgrades
-  file: path=/etc/apt/apt.conf.d/10periodic state=absent
+- name: Disable unattended-upgrades
+  file:
+    path: "/etc/apt/apt.conf.d/10periodic"
+    state: absent
   when: not SECURITY_UNATTENDED_UPGRADES
 
-- name: only unattended-upgrade from security repo
-  template: >
-    src=etc/apt/apt.conf.d/20unattended-upgrade
-    dest=/etc/apt/apt.conf.d/20unattended-upgrade
-    owner=root group=root mode=0644
+- name: Only unattended-upgrade from security repo
+  template:
+    src: "etc/apt/apt.conf.d/20unattended-upgrade"
+    dest: "/etc/apt/apt.conf.d/20unattended-upgrade"
+    owner: root
+    group: root
+    mode: "0644"
   when: SECURITY_UNATTENDED_UPGRADES and not SECURITY_UPDATE_ALL_PACKAGES
 
-- name: disable security only updates on unattended-upgrades
-  file: path=/etc/apt/apt.conf.d/20unattended-upgrade state=absent
+- name: Disable security only updates on unattended-upgrades
+  file:
+    path: "/etc/apt/apt.conf.d/20unattended-upgrade"
+    state: absent
   when: SECURITY_UPDATE_ALL_PACKAGES or not SECURITY_UNATTENDED_UPGRADES
 
-
 #### Bash security vulnerability
 
 - name: Check if we are vulnerable
-  shell: executable=/bin/bash chdir=/tmp foo='() { echo vulnerable; }' bash -c foo
+  shell: "executable=/bin/bash chdir=/tmp foo='() { echo vulnerable; }' bash -c foo"
   register: test_vuln
   ignore_errors: yes
 
 - name: Apply bash security update if we are vulnerable
-  apt: name=bash state=latest update_cache=true
+  apt:
+    name: bash
+    state: latest
+    update_cache: yes
   when: "'vulnerable' in test_vuln.stdout"
 
 - name: Check again and fail if we are still vulnerable
-  shell: executable=/bin/bash foo='() { echo vulnerable; }' bash -c foo
+  shell: "executable=/bin/bash foo='() { echo vulnerable; }' bash -c foo"
   when: "'vulnerable' in test_vuln.stdout"
   register: test_vuln
   failed_when: "'vulnerable' in test_vuln.stdout"
@@ -52,20 +66,23 @@
 #### GHOST security vulnerability
 
 - name: GHOST.c
-  copy: >
-    src=tmp/GHOST.c
-    dest=/tmp/GHOST.c
-    owner=root group=root
+  copy:
+    src: "tmp/GHOST.c"
+    dest: "/tmp/GHOST.c"
+    owner: root
+    group: root
 
-- name: compile GHOST
-  shell: gcc -o /tmp/GHOST /tmp/GHOST.c
+- name: Compile GHOST
+  shell: "gcc -o /tmp/GHOST /tmp/GHOST.c"
 
 - name: Check if we are vulnerable
-  shell: /tmp/GHOST
+  shell: "/tmp/GHOST"
   register: test_ghost_vuln
   ignore_errors: yes
 
 - name: Apply glibc security update if we are vulnerable
-  apt: name=libc6 state=latest update_cache=true
-  when: "'vulnerable' in test_ghost_vuln.stdout"
-
+  apt:
+    name: libc6
+    state: latest
+    update_cache: yes
+  when: "'vulnerable' in test_ghost_vuln.stdout"
\ No newline at end of file