## Table of Contents

### Classes

* `patching_as_code`: Framework for patch management as code. Works alongside the puppetlabs/pe_patch or albatrossflavour/os_patching modules
* `patching_as_code::high_prio_reboot`: This class gets called by init.pp to reboot the node. You can use Hiera to set a different default for the reboot_delay if desired.
* `patching_as_code::linux::patchday`: This class gets called by init.pp to perform the actual patching on Linux.
* `patching_as_code::reboot`: This class gets called by init.pp to reboot the node. You can use Hiera to set a different default for the reboot_delay if desired.
* `patching_as_code::windows::patchday`: This class gets called by init.pp to perform the actual patching on Windows.
* `patching_as_code::wu`: class patching_as_code::wu

### Defined types

* `patching_as_code::kb`: This define gets called by init.pp to install Windows KB patches.

### Resource types

* `patch_package`: Define a package resource to patch
* `reboot_if_pending`: Perform a clean reboot if it was pending before this agent run

### Functions

* `patching_as_code::dedupe_arch`
* `patching_as_code::high_prio_last_run`
* `patching_as_code::is_patchday`
* `patching_as_code::last_run`
* `patching_as_code::process_patch_groups`

### Tasks

* `install_kb`: Immediately installs a specific KB update
## Classes

### `patching_as_code`

Framework for patch management as code. Works alongside the puppetlabs/pe_patch or albatrossflavour/os_patching modules

#### Examples

##### Basic usage

```puppet
include patching_as_code
```

##### Let this module classify the node with pe_patch

```puppet
class {'patching_as_code':
  classify_pe_patch => true
}
```

##### Disable use of pe_patch

```puppet
class {'patching_as_code':
  use_pe_patch => false
}
```

#### Parameters

The following parameters are available in the `patching_as_code` class:
* `patch_group`
* `patch_schedule`
* `blocklist`
* `allowlist`
* `blocklist_choco`
* `allowlist_choco`
* `high_priority_patch_group`
* `high_priority_list`
* `high_priority_list_choco`
* `unsafe_process_list`
* `pre_patch_commands`
* `post_patch_commands`
* `pre_reboot_commands`
* `fact_upload`
* `enable_patching`
* `security_only`
* `high_priority_only`
* `patch_choco`
* `use_pe_patch`
* `classify_pe_patch`
* `patch_on_metered_links`
* `plan_patch_fact`

##### `patch_group`

Data type: `Variant[String,Array[String]]`

Name(s) of the patch_group(s) for this node. Must match one or more of the patch groups in `$patch_schedule`. To assign multiple patch groups, provide this parameter as an array.

Default value: `'primary'`
##### `patch_schedule`

Data type: `Hash`

Hash of available patch schedules. Default schedules are in `/data/common.yaml` of this module.

Options:

* **:day_of_week** `String`: Day of the week to patch; valid options: `'Any'`, `'Monday'`, `'Tuesday'`, `'Wednesday'`, `'Thursday'`, `'Friday'`, `'Saturday'`, `'Sunday'`
* **:count_of_week** `Variant[Integer,Array[Integer]]`: Which week(s) in the month to patch; use number(s) between 1 and 5
* **:hours** `String`: Which hours on patch day to patch; define a range as `'HH:MM - HH:MM'`
* **:max_runs** `String`: How many Puppet runs during the patch window can install patches. Must be at least 1.
* **:reboot** `String`: Reboot behavior; valid options: `'always'`, `'never'`, `'ifneeded'`

Default value:

```puppet
{
  'weekly'    => { 'day_of_week' => 'Thursday', 'count_of_week' => [1, 2, 3, 4, 5], 'hours' => '09:00 - 11:00', 'max_runs' => 4, 'reboot' => 'ifneeded' },
  'testing'   => { 'day_of_week' => 'Thursday', 'count_of_week' => 2,               'hours' => '07:00 - 09:00', 'max_runs' => 4, 'reboot' => 'ifneeded' },
  'early'     => { 'day_of_week' => 'Monday',   'count_of_week' => 3,               'hours' => '20:00 - 22:00', 'max_runs' => 4, 'reboot' => 'ifneeded' },
  'primary'   => { 'day_of_week' => 'Friday',   'count_of_week' => 3,               'hours' => '22:00 - 00:00', 'max_runs' => 4, 'reboot' => 'ifneeded' },
  'secondary' => { 'day_of_week' => 'Saturday', 'count_of_week' => 3,               'hours' => '22:00 - 00:00', 'max_runs' => 4, 'reboot' => 'ifneeded' },
  'late'      => { 'day_of_week' => 'Saturday', 'count_of_week' => 4,               'hours' => '22:00 - 00:00', 'max_runs' => 4, 'reboot' => 'ifneeded' },
}
```
##### `blocklist`

Data type: `Array`

List of updates to block from installing

Default value: `[]`

##### `allowlist`

Data type: `Array`

List of updates that are allowed to be installed. Any updates not on this list get blocked.

Default value: `[]`

##### `blocklist_choco`

Data type: `Array`

List of Chocolatey updates to block from installing

Default value: `[]`

##### `allowlist_choco`

Data type: `Array`

List of Chocolatey updates that are allowed to be installed. Any Chocolatey updates not on this list get blocked.

Default value: `[]`

##### `high_priority_patch_group`

Data type: `String`

Name of the high_priority_patch_group for this node. Must match a patch group in `$patch_schedule`.
This patch schedule will only be used for patches in the `$high_priority_list`.

Default value: `'never'`

##### `high_priority_list`

Data type: `Array`

List of updates to install on the patch schedule set by `$high_priority_patch_group`.

Default value: `[]`

##### `high_priority_list_choco`

Data type: `Array`

List of Chocolatey updates to install on the patch schedule set by `$high_priority_patch_group`.

Default value: `[]`

##### `unsafe_process_list`

Data type: `Array`

List of processes that will cause patching to be skipped if any of the processes in the list are active on the system.
Prepend an entry with `{full}` to match against the full process arguments.

Default value: `[]`
##### `pre_patch_commands`

Data type: `Hash`

Hash of commands to run before patching

Options:

* **:command** `String`: The pre-patching command to execute
* **:path** `String`: The path for the command
* **:provider** `String`: The provider for the command

Default value: `{}`

##### `post_patch_commands`

Data type: `Hash`

Hash of commands to run after patching

Options:

* **:command** `String`: The post-patching command to execute
* **:path** `String`: The path for the command
* **:provider** `String`: The provider for the command

Default value: `{}`

##### `pre_reboot_commands`

Data type: `Hash`

Hash of commands to run before rebooting

Options:

* **:command** `String`: The pre-reboot command to execute
* **:path** `String`: The path for the command
* **:provider** `String`: The provider for the command. Note: the provider for the command gets forced to `posix` on Linux and `powershell` on Windows

Default value: `{}`
##### `fact_upload`

Data type: `Boolean`

How os_patching/pe_patch handles changes to the fact cache. Defaults to true.
When true (default), puppet fact upload occurs as expected.
When false, changes to the fact cache are not uploaded.

Default value: `true`

##### `enable_patching`

Data type: `Boolean`

Controls if patching_as_code is allowed to install any updates. Can be used to disable patching with a single override.

Default value: `true`

##### `security_only`

Data type: `Boolean`

Install only security updates. Requires the latest version of Puppet Enterprise to work on Windows.
When using os_patching, security updates can only be applied to Linux.
If patching of Chocolatey packages is enabled, Chocolatey packages will still update even if
security_only is set to true.

Default value: `false`

##### `high_priority_only`

Data type: `Boolean`

Only allow updates from the `$high_priority_list` to be installed. Enabling this option will prevent
regular patches from being installed, and will skip a pending reboot at the beginning of the patch
run if a pending reboot is detected. A pending reboot may still happen at the end of the patch run,
as long as the patch schedule set by `$high_priority_patch_group` allows reboots to occur.

Default value: `false`

##### `patch_choco`

Data type: `Boolean`

Also patch outdated Chocolatey packages (on Windows)

Default value: `false`
##### `use_pe_patch`

Data type: `Boolean`

Use the pe_patch module if available (PE 2019.8+). Defaults to true.

Default value: `true`

##### `classify_pe_patch`

Data type: `Boolean`

Controls if the pe_patch class (PE 2019.8+) is controlled by this module. When enabled, this module will classify the node with pe_patch and set its patch_group according to this module's patch_group. When disabled (default), you can use PE's own "PE Patch Management" groups to classify nodes with pe_patch. In that case, make sure the patch_group variable in pe_patch matches the patch_group in patching_as_code.

Default value: `false`

##### `patch_on_metered_links`

Data type: `Boolean`

Controls if patches are installed when the active network connection is a metered link. This setting only has an effect on Windows operating systems. When enabled, patches are installed even over a metered link. When disabled (default), patches are not installed over a metered link.

Default value: `false`

##### `plan_patch_fact`

Data type: `Optional[String]`

Reserved parameter for running patching_as_code via a Plan (future functionality).

Default value: `undef`
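The following manifest is an added example (not from the module's own documentation) that ties the parameters above together into one conservative policy: a node in two patch groups, a custom schedule, an allowlist so only named packages may change, a skip-list for sensitive processes, a separate out-of-band window for the high-priority list, and pre-patch/pre-reboot hooks. All package, KB, process and script names are constructed placeholders, and the nesting of `pre_patch_commands` / `pre_reboot_commands` as a hash of named command hashes (each carrying the `command`, `path` and `provider` options documented above) is an assumption about how the module consumes them.

```puppet
# Added example, not part of the module's REFERENCE. Package, KB, process
# and script names are constructed placeholders.
class { 'patching_as_code':
  # A node may belong to several groups; each must be a key of patch_schedule.
  patch_group    => ['testing', 'primary'],

  # Every group named in patch_group or high_priority_patch_group must exist
  # here. 'hours' is a 'HH:MM - HH:MM' range; the bundled defaults use ranges
  # such as '22:00 - 00:00'.
  patch_schedule => {
    'testing' => {
      'day_of_week'   => 'Tuesday',
      'count_of_week' => 2,
      'hours'         => '07:00 - 09:00',
      'max_runs'      => 4,
      'reboot'        => 'ifneeded',
    },
    'primary' => {
      'day_of_week'   => 'Friday',
      'count_of_week' => [3, 4],
      'hours'         => '22:00 - 00:00',
      'max_runs'      => 4,
      'reboot'        => 'ifneeded',
    },
    # Out-of-band window used only for the high-priority list.
    'urgent' => {
      'day_of_week'   => 'Any',
      'count_of_week' => [1, 2, 3, 4, 5],
      'hours'         => '00:00 - 23:59',
      'max_runs'      => 2,
      'reboot'        => 'ifneeded',
    },
  },

  # Emergency fixes use the 'urgent' window regardless of the regular groups.
  high_priority_patch_group => 'urgent',
  high_priority_list        => ['KB0000000'],        # constructed placeholder KB id

  # Only allowlisted updates may install; everything else is blocked.
  allowlist => ['openssl', 'openssh-server'],        # constructed package names
  blocklist => ['kernel'],                           # never auto-patch these

  # Skip the whole run while a sensitive job is active; the {full} prefix
  # matches against the complete command line instead of the process name.
  unsafe_process_list => ['pg_dump', '{full}java -jar /opt/app/batch.jar'],

  security_only => true,

  # Hooks (assumed shape: name => { command, path, provider }). The provider
  # is forced to posix on Linux and powershell on Windows for pre-reboot hooks.
  pre_patch_commands => {
    'snapshot' => {
      'command' => '/usr/local/sbin/snapshot-before-patch',  # constructed path
      'path'    => '/usr/local/sbin:/usr/bin:/bin',
    },
  },
  pre_reboot_commands => {
    'drain' => {
      'command' => '/usr/local/sbin/drain-node',             # constructed path
      'path'    => '/usr/local/sbin:/usr/bin:/bin',
    },
  },

  # Leave PE's "PE Patch Management" groups authoritative for pe_patch's own
  # patch_group; set this to true only if this module should classify pe_patch.
  classify_pe_patch => false,
}
```

Because `allowlist` is non-empty, any update not listed is blocked on every run, so a new package appearing in a repository does not silently widen the change set; `unsafe_process_list` then acts as a runtime guard on top of the calendar window.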
### `patching_as_code::high_prio_reboot`

This class gets called by init.pp to reboot the node. You can use Hiera to set a different default for the reboot_delay if desired.

#### Parameters

The following parameters are available in the `patching_as_code::high_prio_reboot` class:

Data type: `Boolean`

Only reboot the node if a system reboot is pending. This parameter is passed automatically from init.pp.

Default value: `true`

##### `reboot_delay`

Data type: `Integer`

Time in seconds to delay the reboot by, defaults to 2 minutes. To override for patching, specify an alternate value by setting the `patching_as_code::high_prio_reboot::reboot_delay` parameter in Hiera.

Default value: `120`
### `patching_as_code::linux::patchday`

This class gets called by init.pp to perform the actual patching on Linux.

#### Parameters

The following parameters are available in the `patching_as_code::linux::patchday` class:

Data type: `Array`

List of Linux packages to update.

Data type: `Array`

List of Chocolatey packages to update, which should always be empty for Linux. This parameter exists only for compatibility.

Default value: `[]`

Data type: `Array`

List of high-priority Linux packages to update.

Default value: `[]`

Data type: `Array`

List of high-priority Chocolatey packages to update, which should always be empty for Linux. This parameter exists only for compatibility.

Default value: `[]`
### `patching_as_code::reboot`

This class gets called by init.pp to reboot the node. You can use Hiera to set a different default for the reboot_delay if desired.

#### Parameters

The following parameters are available in the `patching_as_code::reboot` class:

Data type: `Boolean`

Only reboot the node if a system reboot is pending. This parameter is passed automatically from init.pp.

Default value: `true`

##### `reboot_delay`

Data type: `Integer`

Time in seconds to delay the reboot by, defaults to 2 minutes. To override for patching, specify an alternate value by setting the `patching_as_code::reboot::reboot_delay` parameter in Hiera.

Default value: `120`
### `patching_as_code::windows::patchday`

This class gets called by init.pp to perform the actual patching on Windows.

#### Parameters

The following parameters are available in the `patching_as_code::windows::patchday` class:

Data type: `Array`

List of Windows KB patches to install.

Data type: `Array`

List of Chocolatey packages to update.

Data type: `Array`

List of high-priority Windows KB patches to install.

Default value: `[]`

Data type: `Array`

List of high-priority Chocolatey packages to update.

Default value: `[]`
### `patching_as_code::wu`

class patching_as_code::wu

## Defined types

### `patching_as_code::kb`

This define gets called by init.pp to install Windows KB patches.

#### Parameters

The following parameters are available in the `patching_as_code::kb` defined type:

Data type: `String`

When set to `'enabled'` or `'present'`, will allow this resource to be applied. Removing updates is currently not supported.

Default value: `'enabled'`

Data type: `String`

Name of the KB patch to install.

Default value: `$name`

Data type: `Optional[String]`

Name of the patch window to use for installing the patch.

Default value: `undef`
## Resource types

### `patch_package`

Define a package resource to patch

#### Parameters

The following parameters are available in the `patch_package` type.

* Whether this is a Chocolatey package (Windows only)
* Name of the package to patch (namevar)
* Puppet schedule to link the package resource to

### `reboot_if_pending`

Perform a clean reboot if it was pending before this agent run

#### Parameters

The following parameters are available in the `reboot_if_pending` type.

* Name of this resource (has no function) (namevar)
* OS type from the kernel fact
* Puppet schedule to link the reboot resource to
## Functions

### `patching_as_code::dedupe_arch`

Type: Ruby 4.x API

The patching_as_code::dedupe_arch function.

Returns: `Any`

#### Parameters

Data type: `Array`

### `patching_as_code::high_prio_last_run`

Type: Ruby 4.x API

The patching_as_code::high_prio_last_run function.

Returns: `Any`

#### Parameters

Data type: `Array`

Data type: `Array`

### `patching_as_code::is_patchday`

Type: Puppet Language

The patching_as_code::is_patchday function.

#### `patching_as_code::is_patchday(Enum['Any','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Sunday'] $day_of_week, Variant[Integer, Array] $week_iteration, String $patch_group)`

Returns: `Any`

##### `day_of_week`

Data type: `Enum['Any','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Sunday']`

##### `week_iteration`

Data type: `Variant[Integer, Array]`

##### `patch_group`

Data type: `String`

### `patching_as_code::last_run`

Type: Ruby 4.x API

The patching_as_code::last_run function.

Returns: `Any`

#### Parameters

Data type: `Array`

Data type: `Array`

### `patching_as_code::process_patch_groups`

Type: Puppet Language

The patching_as_code::process_patch_groups function.

Returns: `Any`
## Tasks

### `install_kb`

Immediately installs a specific KB update

**Supports noop?** false

#### Parameters

Data type: `Pattern[/^KB\d+$/]`

The KB number of the patch you want to install (e.g. KB123456)

Data type: `Boolean`

Perform a restart after installing the patch