v0.6.0 - patch_group and scheduling improvements (#21)

Kevin Reeuwijk · web-flow · commit 3da6357ba6f0 · 2021-04-16T20:14:47.000+02:00
* support multiple schedules and week values
* update docs and changelog
* bump version
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file.
 
+## Release 0.6.0
+
+**Features**
+- Adds support for providing an array of values to the `patch_group` attribute of the `patching_as_code` class
+- Adds support for providing an array of values to the `count_of_week` parameter in a patch schedule
+
 ## Release 0.5.0
 
 **Features**
diff --git a/README.md b/README.md
@@ -65,13 +65,14 @@ This will change the behavior to also declare the `pe_patch` class, and match it
 
 ## Usage
 
-To control which patch group a node belongs to, you need to set the `patch_group` parameter of the class.
+To control which patch group(s) a node belongs to, you need to set the `patch_group` parameter of the class.
 It is highly recommended to use Hiera to set the correct value for each node, for example:
 ```
 patching_as_code::patch_group: early
 ```
-The module provides 5 patch groups out of the box:
+The module provides 6 patch groups out of the box:
 ```
+weekly:    patches each Thursday of the month, between 09:00 and 11:00, performs a reboot if needed
 testing:   patches every 2nd Thursday of the month, between 07:00 and 09:00, performs a reboot if needed
 early:     patches every 3rd Monday   of the month, between 20:00 and 22:00, performs a reboot if needed
 primary:   patches every 3rd Friday   of the month, between 22:00 and 00:00, performs a reboot if needed
@@ -84,6 +85,19 @@ always:    patches immediately when a patch is available, can patch in any agent
 never:     never performs any patching and does not reboot
 ```
 
+If you want to assign a node to multiple patch groups, specify an array of values in Hiera:
+```
+patching_as_code::patch_group:
+  - testing
+  - early
+```
+or, in flow style:
+```
+patching_as_code::patch_group: [ testing, early ]
+```
+
+Note: if you assign a node to multiple patch groups, the value for the patch group provided to `pe_patch`/`os_patching` will be a space-separated list of the assigned patch groups. This is because `pe_patch`/`os_patching` do not natively support multiple patch groups, so we work around this by converting our list a single string that `pe_patch`/`os_patching` can work with. This is purely for cosmetic purposes and does not affect the functionality of either solution.
+
 ### Customizing the patch groups
 
 You can customize the patch groups to whatever you need. To do so, simply copy the `patching_as_code::patch_schedule` hash from the `data/common.yaml` in this module, and paste it into your own Hiera store (recommended to place it in your Hiera's own `common.yaml`). This Hiera value will now override the defaults that the module provides. Customize the hash to your needs.
@@ -101,7 +115,7 @@ patching_as_code::patch_schedule:
 For example, say you want to have the following 2 patch groups:
 ```
 group1: patches every 2nd Sunday of the month, between 10:00 and 11:00, max 1 time, reboots if needed
-group2: patches every 3nd Monday of the month, between 20:00 and 22:00, max 3 times, does not reboot
+group2: patches every 3nd and 4th Monday of the month, between 20:00 and 22:00, max 3 times, does not reboot
 ```
 then define the hash as follows:
 ```
@@ -114,7 +128,7 @@ patching_as_code::patch_schedule:
     reboot: ifneeded
   group2:
     day_of_week: Monday
-    count_of_week: 3
+    count_of_week: [3,4]
     hours: 20:00 - 22:00
     max_runs: 3
     reboot: never
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -43,9 +43,10 @@ The following parameters are available in the `patching_as_code` class.
 
 ##### `patch_group`
 
-Data type: `String`
+Data type: `Variant[String,Array[String]]`
 
-Name of the patch_group for this node. Must match one of the patch groups in $patch_schedule
+Name(s) of the patch_group(s) for this node. Must match one or more of the patch groups in $patch_schedule
+To assign multiple patch groups, provide this parameter as an array
 
 ##### `patch_schedule`
 
@@ -56,7 +57,7 @@ Hash of available patch_schedules. Default schedules are in /data/common.yaml of
 Options:
 
 * **:day_of_week** `String`: Day of the week to patch, valid options: 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday'
-* **:count_of_week** `Integer`: Which week in the month to patch, use a number between 1 and 4
+* **:count_of_week** `Variant[Integer,Array[Integer]]`: Which week(s) in the month to patch, use number(s) between 1 and 5
 * **:hours** `String`: Which hours on patch day to patch, define a range as 'HH:MM - HH:MM'
 * **:max_runs** `String`: How many Puppet runs during the patch window can Puppet install patches. Must be at least 1.
 * **:reboot** `String`: Reboot behavior, valid options: 'always', 'never', 'ifneeded'
diff --git a/data/common.yaml b/data/common.yaml
@@ -1,6 +1,12 @@
 ---
 patching_as_code::patch_group: primary
 patching_as_code::patch_schedule:
+  weekly:
+    day_of_week: Thursday
+    count_of_week: [1,2,3,4,5]
+    hours: 09:00 - 11:00
+    max_runs: 4
+    reboot: ifneeded
   testing:
     day_of_week: Thursday
     count_of_week: 2
diff --git a/functions/is_patchday.pp b/functions/is_patchday.pp
@@ -1,6 +1,6 @@
 function patching_as_code::is_patchday(
   Enum['Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Sunday'] $day_of_week,
-  Integer $week_iteration
+  Variant[Integer, Array] $week_iteration
 ){
   $day_number = $day_of_week ? {
     'Monday'    => 1,
@@ -25,11 +25,21 @@ function patching_as_code::is_patchday(
     $firstocc = 1 + $day_number - $som_weekday
   }
 
-  # Calculate date of patch day
-  $patchday = $firstocc + (( $week_iteration - 1 ) * 7 )
+  # Calculate dates of valid patch days
+  case type($week_iteration, 'generalized') {
+    Type[Integer]: {
+      $patchdays = Array($firstocc + (( $week_iteration - 1 ) * 7 ), true)
+    }
+    Type[Array[Integer]]: {
+      $patchdays = $week_iteration.map |$week| { $firstocc + (( $week - 1 ) * 7 ) }
+    }
+    default: {
+      fail('The count_of_week parameter of the patch_schedule must be configured as an integer or an array of integers!')
+    }
+  }
 
-  # Return true if today is patch day
-  if $patchday == $dayofmonth {
+  # Return true if today is a patch day
+  if $dayofmonth in $patchdays {
     true
   } else {
     false
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -14,14 +14,15 @@
 #     use_pe_patch => false
 #   }
 # 
-# @param [String] patch_group
-#   Name of the patch_group for this node. Must match one of the patch groups in $patch_schedule
+# @param Variant[String,Array[String]] patch_group
+#   Name(s) of the patch_group(s) for this node. Must match one or more of the patch groups in $patch_schedule
+#   To assign multiple patch groups, provide this parameter as an array
 # @param [Hash] patch_schedule
 #   Hash of available patch_schedules. Default schedules are in /data/common.yaml of this module
 # @option patch_schedule [String] :day_of_week
 #   Day of the week to patch, valid options: 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday'
-# @option patch_schedule [Integer] :count_of_week
-#   Which week in the month to patch, use a number between 1 and 4
+# @option patch_schedule [Variant[Integer,Array[Integer]]] :count_of_week
+#   Which week(s) in the month to patch, use number(s) between 1 and 5
 # @option patch_schedule [String] :hours
 #   Which hours on patch day to patch, define a range as 'HH:MM - HH:MM'
 # @option patch_schedule [String] :max_runs
@@ -74,25 +75,30 @@
 #   When disabled (default), patches are not installed over a metered link.
 # 
 class patching_as_code(
-  String            $patch_group,
-  Hash              $patch_schedule,
-  Array             $blocklist,
-  Array             $allowlist,
-  Array             $unsafe_process_list,
-  Hash              $pre_patch_commands,
-  Hash              $post_patch_commands,
-  Hash              $pre_reboot_commands,
-  Optional[String]  $plan_patch_fact = undef,
-  Optional[Boolean] $enable_patching = true,
-  Optional[Boolean] $security_only = false,
-  Optional[Boolean] $use_pe_patch = true,
-  Optional[Boolean] $classify_pe_patch = false,
-  Optional[Boolean] $patch_on_metered_links = false,
+  Variant[String,Array[String]] $patch_group,
+  Hash                          $patch_schedule,
+  Array                         $blocklist,
+  Array                         $allowlist,
+  Array                         $unsafe_process_list,
+  Hash                          $pre_patch_commands,
+  Hash                          $post_patch_commands,
+  Hash                          $pre_reboot_commands,
+  Optional[String]              $plan_patch_fact = undef,
+  Optional[Boolean]             $enable_patching = true,
+  Optional[Boolean]             $security_only = false,
+  Optional[Boolean]             $use_pe_patch = true,
+  Optional[Boolean]             $classify_pe_patch = false,
+  Optional[Boolean]             $patch_on_metered_links = false,
 ) {
-  # Verify the $patch_group value points to a valid patch schedule
-  unless $patch_schedule[$patch_group] or $patch_group in ['always', 'never'] {
-    fail("Patch group ${patch_group} is not valid as no associated schedule was found!
-    Ensure the patching_as_code::patch_schedule parameter contains a schedule for this patch group.")
+  # Ensure we work with a $patch_groups array for further processing
+  $patch_groups = Array($patch_group, true)
+
+  # Verify if all of $patch_groups point to a valid patch schedule
+  $patch_groups.each |$pg| {
+    unless $patch_schedule[$pg] or $pg in ['always', 'never'] {
+      fail("Patch group ${pg} is not valid as no associated schedule was found!
+      Ensure the patching_as_code::patch_schedule parameter contains a schedule for this patch group.")
+    }
   }
 
   # Verify the puppet_confdir from the puppetlabs/puppet_agent module is present
@@ -123,28 +129,28 @@
         if $classify_pe_patch {
           # Only classify pe_patch if $classify_pe_patch == true
           class { 'pe_patch':
-            patch_group => $patch_group,
+            patch_group => join($patch_groups, ' '),
           }
         }
       } else {
         $patch_fact = 'os_patching'
         class { 'os_patching':
-          patch_window => $patch_group,
+          patch_window => join($patch_groups, ' '),
         }
       }
     }
     'pe_patch': {
       # Received the patch_fact from a plan run, use it directly
       $patch_fact = 'pe_patch'
       class { 'pe_patch':
-        patch_group => $patch_group,
+        patch_group => join($patch_groups, ' '),
       }
     }
     'os_patching': {
       # Received the patch_fact from a plan run, use it directly
       $patch_fact = 'os_patching'
       class { 'os_patching':
-        patch_window => $patch_group,
+        patch_window => join($patch_groups, ' '),
       }
     }
     default: { fail('Unsupported value for plan_patch_fact parameter!') }
@@ -155,34 +161,46 @@
     ensure_packages('yum-utils')
   }
 
-  # Determine if today is Patch Day for this node's $patch_group
-  case $patch_group {
-    'always': {
-      $bool_patch_day = true
-      schedule { 'Patching as Code - Patch Window':
-        range  => '00:00 - 23:59',
-        repeat => 1440
-      }
-      $_reboot = 'ifneeded'
+  # Determine if today is Patch Day for this node's $patch_groups
+  if 'never' in $patch_groups {
+    $bool_patch_day = false
+    schedule { 'Patching as Code - Patch Window':
+      period => 'never',
     }
-    'never': {
-      $bool_patch_day = false
-      schedule { 'Patching as Code - Patch Window':
-        period => 'never',
+    $_reboot = 'never'
+    $active_pg = 'never'
+  } elsif 'always' in $patch_groups {
+    $bool_patch_day = true
+    schedule { 'Patching as Code - Patch Window':
+      range  => '00:00 - 23:59',
+      repeat => 1440
+    }
+    $_reboot = 'ifneeded'
+    $active_pg = 'always'
+  } else {
+    $pg_info = $patch_groups.map |$pg| {
+      {
+        'name'         => $pg,
+        'is_patch_day' => patching_as_code::is_patchday(
+                            $patch_schedule[$pg]['day_of_week'],
+                            $patch_schedule[$pg]['count_of_week']
+                          )
       }
-      $_reboot = 'never'
     }
-    default: {
-      $bool_patch_day = patching_as_code::is_patchday(
-        $patch_schedule[$patch_group]['day_of_week'],
-        $patch_schedule[$patch_group]['count_of_week']
-      )
+    $active_pg = $pg_info.reduce(undef) |$memo, $value| {
+      if $value['is_patch_day'] == true { $value['name'] } else { $memo }
+    }
+    $bool_patch_day = type($active_pg,'generalized') ? {
+      Type[String] => true,
+      default => false
+    }
+    if $bool_patch_day {
       schedule { 'Patching as Code - Patch Window':
-        range   => $patch_schedule[$patch_group]['hours'],
-        weekday => $patch_schedule[$patch_group]['day_of_week'],
-        repeat  => $patch_schedule[$patch_group]['max_runs']
+        range   => $patch_schedule[$active_pg]['hours'],
+        weekday => $patch_schedule[$active_pg]['day_of_week'],
+        repeat  => $patch_schedule[$active_pg]['max_runs']
       }
-      $_reboot = $patch_schedule[$patch_group]['reboot']
+      $_reboot = $patch_schedule[$active_pg]['reboot']
     }
   }
 
@@ -196,9 +214,12 @@
         blocklist              => $blocklist,
         enable_patching        => $enable_patching,
         patch_fact             => $patch_fact,
-        patch_group            => $patch_group,
-        patch_schedule         => if $patch_schedule[$patch_group] == undef { 'none' }
-                                  else { $patch_schedule[$patch_group] },
+        patch_group            => $patch_groups,
+        patch_schedule         => if $active_pg in ['always', 'never'] {
+                                    { $active_pg => 'N/A' }
+                                  } else {
+                                    $patch_schedule.filter |$item| { $item[0] in $patch_groups }
+                                  },
         post_patch_commands    => $post_patch_commands,
         pre_patch_commands     => $pre_patch_commands,
         pre_reboot_commands    => $pre_reboot_commands,
diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-patching_as_code",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "author": "puppetlabs",
   "summary": "Automated patching through desired state code",
   "license": "Apache-2.0",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "puppetlabs-patching_as_code",`
`3`		`- "version": "0.5.0",`
	`3`	`+ "version": "0.6.0",`
`4`	`4`	`"author": "puppetlabs",`
`5`	`5`	`"summary": "Automated patching through desired state code",`
`6`	`6`	`"license": "Apache-2.0",`