From a64c833a71e4f6f28d38c866388d54b9d9565845 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Thu, 6 Jul 2017 08:23:13 -0500 Subject: [PATCH] Conditionally install EPEL if needed The current behavior of the hardening role is to install the epel-release package on all deployments. This patch changes the logic to only install the EPEL repository if the deployer has asked for ClamAV to be installed. The patch also provides an option to disable the installation of EPEL entirely using a variable. Closes-Bug: 1702167 Change-Id: I9c5e6048f95636faf2a6d71ac9217ba69ca41296 --- defaults/main.yml | 6 ++++++ doc/metadata/rhel7/V-72213.rst | 6 ++++++ ...ditionally-install-epel-9e8e1b67e5943019.yaml | 16 ++++++++++++++++ tasks/main.yml | 7 ------- tasks/rhel6stig/main.yml | 7 +++++++ tasks/rhel7stig/main.yml | 13 +++++++++++++ 6 files changed, 48 insertions(+), 7 deletions(-) create mode 100644 releasenotes/notes/conditionally-install-epel-9e8e1b67e5943019.yaml diff --git a/defaults/main.yml b/defaults/main.yml index 084ae8e5..584fe2c7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -28,6 +28,12 @@ cache_timeout: 600 # Options are 'present' and 'latest' security_package_state: present +## EPEL +# Set the following variable to `no` to prevent the EPEL repository from being +# installed by the role. This may prevent certain packages from installing, +# such as ClamAV. +security_epel_install_repository: yes + ############################################################################### # ____ _ _ _____ _ __ ____ _____ ___ ____ # | _ \| | | | ____| | / /_ / ___|_ _|_ _/ ___| diff --git a/doc/metadata/rhel7/V-72213.rst b/doc/metadata/rhel7/V-72213.rst index 15fc5de4..65f17733 100644 --- a/doc/metadata/rhel7/V-72213.rst +++ b/doc/metadata/rhel7/V-72213.rst 
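Review bot: The comment above the new `security_epel_install_repository` default in defaults/main.yml does not say that EPEL is a third-party repository, nor that the role only adds it when `security_enable_virus_scanner` is also enabled, which is the condition the task in tasks/rhel7stig/main.yml actually checks; a deployer reading only this file would assume `yes` keeps the old unconditional install. Suggested comment: `# EPEL is a third-party repository and is only added when security_enable_virus_scanner is yes (the ClamAV packages live there). Set this to no to keep EPEL off even then, e.g. when an internal mirror already provides those packages.` The file uses `yes`/`no` for its other booleans, so keeping `yes` here is consistent even though `true`/`false` would be the more portable YAML choice.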
@@ -18,3 +18,9 @@ variable: .. code-block:: yaml security_enable_virus_scanner: yes + +.. warning:: + + The ClamAV packages are provided in the EPEL repository. Setting the + ``security_enable_virus_scanner`` will also cause the EPEL repository to + be installed by the role. diff --git a/releasenotes/notes/conditionally-install-epel-9e8e1b67e5943019.yaml b/releasenotes/notes/conditionally-install-epel-9e8e1b67e5943019.yaml new file mode 100644 index 00000000..e38bb050 --- /dev/null +++ b/releasenotes/notes/conditionally-install-epel-9e8e1b67e5943019.yaml @@ -0,0 +1,16 @@ +--- +upgrade: + - | + The EPEL repository is only installed and configured when the deployer sets + ``security_enable_virus_scanner`` to ``yes``. This allows the ClamAV + packages to be installed. If ``security_enable_virus_scanner`` is set to + ``no`` (the default), the EPEL repository will not be added. + + See + `Bug 1702167 `_ + for more details. + - | + Deployers now have the option to prevent the EPEL repository from being + installed by the role. Setting ``security_epel_install_repository`` to + ``no`` prevents EPEL from being installed. This setting may prevent certain + packages from installing, such as ClamAV. diff --git a/tasks/main.yml b/tasks/main.yml index 6129de01..ac02466e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -52,11 +52,4 @@ tags: - always - - name: Install EPEL repository - yum: - name: epel-release - state: "{{ security_package_state }}" - when: - - ansible_pkg_mgr == 'yum' - - include: "{{ stig_version }}stig/main.yml" diff --git a/tasks/rhel6stig/main.yml b/tasks/rhel6stig/main.yml index 1144473c..3afb6997 100644 --- a/tasks/rhel6stig/main.yml +++ b/tasks/rhel6stig/main.yml 
@@ -13,6 +13,13 @@ # See the License for the specific language governing permissions and # limitations under the License. + - name: Install EPEL repository + yum: + name: epel-release + state: "{{ security_package_state }}" + when: + - ansible_pkg_mgr == 'yum' + - include: apt.yml static: no when: ansible_pkg_mgr == 'apt' diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml index 94cbb83c..37bf3c26 100644 --- a/tasks/rhel7stig/main.yml +++ b/tasks/rhel7stig/main.yml @@ -65,6 +65,19 @@ tags: - always +# NOTE(mhayden): EPEL is only needed for the clamav packages. We should only +# install EPEL if the deployer asked for clamav to be installed. +- name: Install EPEL repository + yum: + name: epel-release + state: "{{ security_package_state }}" + when: + - ansible_pkg_mgr == 'yum' + - security_epel_install_repository | bool + - security_enable_virus_scanner | bool + tags: + - always + # Package installations and removals must come first so that configuration # changes can be made later. - include: packages.yml
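Review bot: The EPEL task added to tasks/rhel6stig/main.yml is gated only on `ansible_pkg_mgr == 'yum'`, so neither `security_epel_install_repository` nor `security_enable_virus_scanner` has any effect on RHEL 6 hosts; the opt-out documented in defaults/main.yml and in the release note silently does nothing there, and the commit message's claim that EPEL is only installed when ClamAV is requested does not hold for this branch. If RHEL 6 needs EPEL for packages other than ClamAV (not visible in this diff), the deployer's opt-out should still be honoured: add `- security_epel_install_repository | bool` to the `when` list and say why in a comment; otherwise mirror the rhel7stig conditions, including `- security_enable_virus_scanner | bool`. The rhel7stig task also carries `tags:` with `- always`, which this one lacks, so a tag-filtered run would install the repository on RHEL 7 but skip it on RHEL 6.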
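Review bot: When `security_enable_virus_scanner` is `yes` but `security_epel_install_repository` is `no`, the new task in tasks/rhel7stig/main.yml is skipped and the ClamAV installation that follows in packages.yml (outside this hunk) will presumably fail on a missing package with no hint about the cause; that combination is legitimate for deployers who mirror EPEL internally, so it should not become a hard failure, but it deserves a comment next to the conditions. Suggested comment above the task: `# Skipped when security_epel_install_repository is no: the deployer is then expected to provide the clamav packages from their own (mirrored) repository, otherwise packages.yml will fail.` Whether `epel-release` is installable from the stock repositories on RHEL proper, as opposed to CentOS extras, cannot be verified from this diff; if it is not, the task would need a different package source on RHEL and the V-72213 documentation should say so.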