# platform = multi_platform_all
# reboot = true
# strategy = restrict
# complexity = low
# disruption = low

- name: {{{ rule_title }}} - Verify GRUB_DISABLE_RECOVERY=true
  # Pin the setting in the GRUB defaults file so that grub2-mkconfig stops
  # generating recovery-mode menu entries. An existing assignment is rewritten
  # in place; otherwise the line is appended. The registered result decides
  # later whether grub.cfg has to be regenerated.
  register: grub_disable_recovery_changed
  ansible.builtin.lineinfile:
    state: present
    path: /etc/default/grub
    line: 'GRUB_DISABLE_RECOVERY=true'
    regexp: '^GRUB_DISABLE_RECOVERY=.*'

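- name: {{{ rule_title }}} - Verify that Interactive Boot is Disabled in /etc/default/grub
  # Rewrites an enabling or bare systemd.confirm_spawn kernel argument to
  # systemd.confirm_spawn=no. The pattern deliberately skips an argument that
  # already carries another value (for example "=no"): with a plain \b
  # alternative the prefix of "systemd.confirm_spawn=no" matched and became
  # "systemd.confirm_spawn=no=no", growing on every run, so the task never
  # converged and always reported a change. Once the file is compliant the
  # task now reports "ok" and the dependent tasks are skipped.
  ansible.builtin.replace:
    path: /etc/default/grub
    # Alternative 1: an enabling value, bounded so that e.g. "=10" is not
    # partially rewritten. Alternative 2: the bare argument, i.e. not followed
    # by "=" or a word character. The dot is escaped to match literally.
    regexp: 'systemd\.confirm_spawn(=(1|yes|true|on)\b|(?![=\w]))'
    replace: 'systemd.confirm_spawn=no'
  register: grub_confirm_spawn_changed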

- name: {{{ rule_title }}} - Verify that Interactive Boot is Disabled (runtime)
  # Runs only when the preceding edit of /etc/default/grub rewrote the
  # argument; removes systemd.confirm_spawn from the boot configuration with
  # the tool selected at build time for the product.
  when: grub_confirm_spawn_changed is changed
  ansible.builtin.command:
{{% if 'sle' in product %}}
    cmd: /usr/bin/grub2-editenv - unset systemd.confirm_spawn
{{% else %}}
    cmd: /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
{{% endif %}}

- name: {{{ rule_title }}} - Regen grub.cfg handle updated GRUB_DISABLE_RECOVERY and confirm_spawn
  # Rebuild grub.cfg only if one of the two edits to /etc/default/grub
  # actually changed the file; otherwise the generated configuration is
  # already in step with the defaults.
  when: >-
    grub_disable_recovery_changed is changed
    or grub_confirm_spawn_changed is changed
  ansible.builtin.command:
    cmd: grub2-mkconfig -o  {{{ grub2_boot_path }}}/grub.cfg
