Add windows_patch role — KB version tracking, reboot detection, category filtering

roles/windows_patch/defaults/main.yml

@@ -1,2 +1,11 @@
 ---
-# windows_patch default variables
+auto_reboot: false
+pre_patch_reboot: false
+packages_updated: []
+windows_hotfixes_before: []
+windows_hotfixes_after: []
+windows_update_categories:
+  - SecurityUpdates
+  - CriticalUpdates
+  - UpdateRollups
+  - DefinitionUpdates

roles/windows_patch/tasks/main.yml

@@ -1,6 +1,95 @@
 ---
-# windows_patch tasks
-# Implementation to follow
-- name: Placeholder
+- name: Check for pending reboot before patching
+  ansible.windows.win_reboot:
+    reboot_timeout: 300
+    pre_reboot_delay: 10
+    post_reboot_delay: 30
+    msg: "Rebooting to clear pending reboot state before patching"
+  when: pre_patch_reboot | bool
+
+- name: Get installed updates before patching
+  ansible.windows.win_shell: |
+    Get-HotFix | Select-Object -Property HotFixID, Description, InstalledOn | ConvertTo-Json
+  register: hotfixes_before
+  changed_when: false
+
+- name: Store pre-patch hotfix list
+  ansible.builtin.set_fact:
+    windows_hotfixes_before: "{{ hotfixes_before.stdout | from_json }}"
+
+- name: Search for available updates
+  ansible.windows.win_updates:
+    category_names: "{{ windows_update_categories }}"
+    state: searched
+  register: updates_available
+
+- name: Log available updates
   ansible.builtin.debug:
-    msg: "windows_patch role - tasks to be implemented"
+    msg: "{{ updates_available.found_update_count }} updates available on {{ inventory_hostname }}"
+
+- name: Install Windows updates
+  ansible.windows.win_updates:
+    category_names: "{{ windows_update_categories }}"
+    state: installed
+    reboot: false
+  register: windows_update_result
+  when: updates_available.found_update_count > 0
+
+- name: Get installed updates after patching
+  ansible.windows.win_shell: |
+    Get-HotFix | Select-Object -Property HotFixID, Description, InstalledOn | ConvertTo-Json
+  register: hotfixes_after
+  changed_when: false
+
+- name: Store post-patch hotfix list
+  ansible.builtin.set_fact:
+    windows_hotfixes_after: "{{ hotfixes_after.stdout | from_json }}"
+
+- name: Build list of newly installed KBs
+  ansible.builtin.set_fact:
+    packages_updated: >-
+      {%- set before_ids = windows_hotfixes_before | map(attribute='HotFixID') | list -%}
+      {%- set updated = [] -%}
+      {%- for fix in windows_hotfixes_after -%}
+        {%- if fix.HotFixID not in before_ids -%}
+          {%- set _ = updated.append({
+            'name': fix.HotFixID,
+            'version_before': 'not installed',
+            'version_after': fix.InstalledOn,
+            'type': fix.Description
+          }) -%}
+        {%- endif -%}
+      {%- endfor -%}
+      {{ updated }}
+
+- name: Log newly installed KBs
+  ansible.builtin.debug:
+    msg: "Installed: {{ item.name }} — {{ item.type }}"
+  loop: "{{ packages_updated }}"
+
+- name: Check if reboot is required
+  ansible.windows.win_shell: |
+    $rebootPending = $false
+    if (Get-Item "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" -ErrorAction SilentlyContinue) { $rebootPending = $true }
+    if (Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations" -ErrorAction SilentlyContinue) { $rebootPending = $true }
+    Write-Output $rebootPending
+  register: windows_reboot_check
+  changed_when: false
+
+- name: Set reboot required fact
+  ansible.builtin.set_fact:
+    host_reboot_required: "{{ windows_reboot_check.stdout | trim | bool }}"
+
+- name: Reboot if required and auto_reboot is enabled
+  ansible.windows.win_reboot:
+    reboot_timeout: 300
+    pre_reboot_delay: 10
+    post_reboot_delay: 60
+    msg: "Rebooting after patch run — initiated by Ansible"
+  when:
+    - host_reboot_required | bool
+    - auto_reboot | bool
+
+- name: Patching complete
+  ansible.builtin.debug:
+    msg: "Windows patching complete on {{ inventory_hostname }} — {{ packages_updated | length }} KBs installed"