Added some "names" and made some tasks idempotent

tasks/Debian.yml

@@ -6,6 +6,8 @@
   shell: dpkg-query -f='${Version}' -W 'elasticsearch'
   register: installed_elasticsearch_version
   ignore_errors: yes
+  check_mode: no # this change was so we can run this role even in Check mode
+  changed_when: false # this is a discovery task, and shouldn't "change"
 
 - name: Abort when elasticsearch installed version < 1.8 and version >=5 is going to be installed
   fail:
@@ -55,18 +57,20 @@
     state: "present"
 
 # Configure user and group
-- name: Configuring user and group
+- name: Configure group
   group:
     name: "{{ elasticsearch_group }}"
-- user:
+- name: Configure user
+  user:
     name: "{{ elasticsearch_user }}"
     group: "{{ elasticsearch_group }}"
     createhome: "no"
 
-# Check whether we have aleady installed the same version
-- shell: if [ -e /usr/share/elasticsearch/lib/elasticsearch-{{ elasticsearch_version }}.jar ]; then echo yes; else echo no; fi;
+- name: Check whether we have aleady installed the same version
+  shell: if [ -e /usr/share/elasticsearch/lib/elasticsearch-{{ elasticsearch_version }}.jar ]; then echo yes; else echo no; fi;
   register: version_exists
   check_mode: no
+  changed_when: false # this is a discovery task, and shouldn't "change"
 
 # Download deb if needed (ES version < 5.0.0)
 - name: Download Elasticsearch deb (ES version < 5.0.0)
@@ -82,13 +86,22 @@
 - name: Uninstalling previous version if applicable
   shell: dpkg --remove elasticsearch
   when: version_exists.stdout == 'no'
-- file:
-    path: "/usr/share/elasticsearch"
-    state: "absent"
+
+- name: Ensure previous version directory is removed if applicable
+  file:
+    path: /usr/share/elasticsearch
+    state: absent
   when: version_exists.stdout == 'no'
 
 # Install the deb
 - name: Install Elasticsearch deb
   shell: dpkg -i -E --force-confnew /tmp/elasticsearch-{{ elasticsearch_version }}.deb
   when: version_exists.stdout == 'no'
-- file: path=/usr/share/elasticsearch state=directory owner={{ elasticsearch_user }} group={{ elasticsearch_group }} recurse=yes
+
+- name: Change ower/group of Elasticsearch directory
+  file:
+    path: /usr/share/elasticsearch
+    state: directory
+    owner: "{{ elasticsearch_user }}"
+    group: "{{ elasticsearch_group }}"
+    recurse: yes

tasks/cve-2021-4104-patch.yml

@@ -10,8 +10,10 @@
   shell:
     cmd: "unzip -l log4j-*.jar | grep JMSAppender.class"
     chdir: "/usr/share/elasticsearch/lib"
+    warn: no # This needs to be a cmd, and not the unzip module
   register: "__jmsappender_class"
   failed_when: "__jmsappender_class.rc not in [ 0, 1 ]"
+  changed_when: __jmsappender_class.rc == 0 # Filename should be in output
 
 - name: "Remove JMSAppender.class"
   become: "yes"

tasks/cve-2021-44228-patch.yml

@@ -10,8 +10,11 @@
   shell:
     cmd: "unzip -l log4j-core-*.jar | grep JndiLookup.class"
     chdir: "/usr/share/elasticsearch/lib"
+    warn: no # This needs to be a cmd, and not the unzip module
   register: "__jndulookup_class"
   failed_when: "__jndulookup_class.rc not in [ 0, 1 ]"
+  check_mode: no
+  changed_when: __jndulookup_class.rc == 0 # Filename should be in output
 
 - name: "Remove JndiLookup.class"
   become: "yes"