Reference

Table of Contents

Classes

  • patching_as_code: Framework for patch management as code. Works alongside the puppetlabs/pe_patch or albatrossflavour/os_patching modules

Classes

patching_as_code

Framework for patch management as code. Works alongside the puppetlabs/pe_patch or albatrossflavour/os_patching modules

Examples

Using the module with defaults, or controlling options through Hiera:

include patching_as_code

Forcing the classification of pe_patch on PE 2019.8.0+:

class {'patching_as_code':
  classify_pe_patch => true
}

Forcing the use of albatrossflavour/os_patching on PE 2019.8.0+:

class {'patching_as_code':
  use_pe_patch => false
}

Parameters

The following parameters are available in the patching_as_code class.

patch_group

Data type: Variant[String,Array[String]]

Name(s) of the patch_group(s) for this node. Must match one or more of the patch groups in $patch_schedule. To assign multiple patch groups, provide this parameter as an array.

patch_schedule

Data type: Hash

Hash of available patch_schedules. Default schedules are in /data/common.yaml of this module.

Options:

  • :day_of_week String: Day of the week to patch, valid options: 'Any', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday'
  • :count_of_week Variant[Integer,Array[Integer]]: Which week(s) in the month to patch, use number(s) between 1 and 5
  • :hours String: Which hours on patch day to patch, define a range as 'HH:MM - HH:MM'
  • :max_runs String: How many Puppet runs during the patch window are allowed to install patches. Must be at least 1.
  • :reboot String: Reboot behavior, valid options: 'always', 'never', 'ifneeded'

blocklist

Data type: Array

List of updates to block from installing

allowlist

Data type: Array

List of updates that are allowed to be installed. Any updates not on this list get blocked.

blocklist_choco

Data type: Array

List of Chocolatey updates to block from installing

allowlist_choco

Data type: Array

List of Chocolatey updates that are allowed to be installed. Any Chocolatey updates not on this list get blocked.

high_priority_patch_group

Data type: String

Name of the high_priority_patch_group for this node. Must match a patch group in $patch_schedule. This patch schedule will only be used for patches in the $high_priority_list.

high_priority_list

Data type: Array

List of updates to install on the patch schedule set by $high_priority_patch_group.

high_priority_list_choco

Data type: Array

List of Chocolatey updates to install on the patch schedule set by $high_priority_patch_group.

unsafe_process_list

Data type: Array

List of processes that will cause patching to be skipped if any of the processes in the list are active on the system. Prepend an entry with {full} to match against the full process arguments.
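The parameters described so far combine as in the following declaration. This is an added example, not taken from the module's own documentation; the schedule names, update names and process names are constructed for illustration, and it assumes $patch_schedule is keyed by patch group name, as the patch_group description implies.

```puppet
# Added example: regular patching in one window, urgent fixes in another.
# All names below (schedule, package and process names) are constructed.
class { 'patching_as_code':
  # Regular patches follow this schedule.
  patch_group               => 'week2_sunday',
  # Updates named in high_priority_list follow this schedule instead.
  high_priority_patch_group => 'urgent_daily',

  # A value passed here replaces the defaults shipped in the module's data.
  patch_schedule            => {
    'week2_sunday' => {
      'day_of_week'   => 'Sunday',
      'count_of_week' => 2,                  # week 2 of the month
      'hours'         => '01:00 - 04:00',    # 'HH:MM - HH:MM'
      'max_runs'      => '1',                # documented as String, at least 1
      'reboot'        => 'ifneeded',
    },
    'urgent_daily' => {
      'day_of_week'   => 'Any',
      'count_of_week' => [1, 2, 3, 4, 5],    # every week of the month
      'hours'         => '05:00 - 06:00',
      'max_runs'      => '1',
      'reboot'        => 'ifneeded',
    },
  },

  # Updates that should not wait for the monthly window.
  high_priority_list        => ['openssl', 'sudo'],

  # Updates that must never be installed by this module.
  blocklist                 => ['docker-ce'],

  # Skip patching while any of these processes is active.
  unsafe_process_list       => [
    'pg_dump',                               # matched against the process name
    '{full}java -jar /opt/app/batch.jar',    # matched against full arguments
  ],
}
```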

pre_patch_commands

Data type: Hash

Hash of commands to run before patching

Options:

  • :command String: The pre-patching command to execute
  • :path String: The path for the command
  • :provider String: The provider for the command

post_patch_commands

Data type: Hash

Hash of commands to run after patching

Options:

  • :command String: The post-patching command to execute
  • :path String: The path for the command
  • :provider String: The provider for the command

pre_reboot_commands

Data type: Hash

Hash of commands to run before rebooting

Options:

  • :command String: The pre-reboot command to execute
  • :path String: The path for the command

Note: the provider for the command is forced to posix on Linux and powershell on Windows.

fact_upload

Data type: Optional[Boolean]

How os_patching/pe_patch handles changes to the fact cache. Defaults to true. When true (default), puppet fact upload occurs as expected. When false, changes to the fact cache are not uploaded.

Default value: true

plan_patch_fact

Data type: Optional[String]

Reserved parameter for running patching_as_code via a Plan (future functionality).

Default value: undef

enable_patching

Data type: Optional[Boolean]

Controls if patching_as_code is allowed to install any updates. Can be used to disable patching with a single override.

Default value: true

security_only

Data type: Optional[Boolean]

Install only security updates. Requires the latest version of Puppet Enterprise to work on Windows. When using os_patching, security updates can only be applied to Linux. If patching of Chocolatey packages is enabled, Chocolatey packages will still update even if security_only is set to true.

Default value: false

high_priority_only

Data type: Optional[Boolean]

Only allow updates from the $high_priority_list to be installed. Enabling this option will prevent regular patches from being installed, and will skip a pending reboot at the beginning of the patch run if a pending reboot is detected. A pending reboot may still happen at the end of the patch run, as long as the patch schedule set by $high_priority_patch_group allows reboots to occur.

Default value: false

use_pe_patch

Data type: Optional[Boolean]

Use the pe_patch module if available (PE 2019.8+). Defaults to true.

Default value: true

classify_pe_patch

Data type: Optional[Boolean]

Controls if the pe_patch class (PE 2019.8+) is controlled by this module. When enabled, this module will classify the node with pe_patch, and set its patch_group according to this module's patch_group. When disabled (default), you can use PE's own "PE Patch Management" groups to classify nodes with pe_patch. In that case, please make sure you match the patch_group variable in pe_patch with the patch_group in patching_as_code.

Default value: false

patch_on_metered_links

Data type: Optional[Boolean]

Controls if patches are installed when the active network connection is a metered link. This setting only has an effect on Windows operating systems. When enabled, patches are installed even over a metered link. When disabled (default), patches are not installed over a metered link.

Default value: false