Configure Time Synchronization

tasks/amazon_linux.yaml

@@ -1,3 +1,5 @@
 ---
+- name: Amazon Linux 2 | Configure Time Synchronization
+  include_tasks: configure_time_synchronization_al2.yaml
 - name: Amazon Linux 2 | Configure Filesystem Partitions
   include_tasks: configure_filesystem_partitions_al2.yaml

tasks/configure_time_synchronization_al2.yaml

@@ -0,0 +1,62 @@
+---
+# Ensure Chrony is installed for time synchronization
+- name: "Ensure Chrony time synchronization service is installed"
+  ansible.builtin.package:
+    name: chrony
+    state: present
+  become: true
+
+# Step 1: Check if Chrony has any configured NTP servers or pools
+- name: "Ensure chrony is configured"
+  ansible.builtin.shell: "grep -Prs -- '^\\h*(server|pool)\\h+[^#\\n\\r]+' {{ chrony_shell_check_path }}"
+  register: chrony_sources
+  changed_when: false
+  failed_when: false
+  become: true
+
+# Step 2: Add Amazon Time Sync Service configuration if none found
+- name: "Configure Chrony with Amazon Time Sync Service (if missing)"
+  ansible.builtin.blockinfile:
+    path: "{{ chrony_conf_path }}"
+    create: yes
+    block: "{{ chrony_amazon_timesync_block }}"
+  when: chrony_sources.stdout == ""
+  become: true
+
+# Step 3: Restart Chrony only if configuration was added
+- name: "Restart Chrony service to apply configuration (if modified)"
+  ansible.builtin.service:
+    name: "{{ chrony_service }}"
+    state: restarted
+    enabled: true
+  when: chrony_sources.stdout == ""
+  become: true
+
+# Step 4: Report status clearly
+- name: "Report Chrony configuration status"
+  ansible.builtin.debug:
+    msg: >
+      {% if chrony_sources.stdout != "" %}
+      Chrony is already configured with time sources
+      {% else %}
+      Chrony was missing configuration — Amazon Time Sync Service has been added.
+      {% endif %}
+
+# Ensure Chrony is not run as the root user
+- name: "Ensure Chrony is not configured to run as root"
+  ansible.builtin.lineinfile:
+    path: /etc/sysconfig/chronyd
+    regexp: '^OPTIONS='
+    line: '{{ chrony_user_opts }}'
+    state: present
+    create: yes
+    backup: yes
+  become: true
+
+- name: "Reload Chrony service to apply user configuration"
+  ansible.builtin.systemd:
+    name: "{{ chrony_service }}"
+    state: restarted
+    daemon_reload: true
+  become: true
+

vars/main.yml

@@ -89,6 +89,19 @@ os_services_name: ['avahi-daemon', 'slapd', 'named', 'cups', 'telnet', 'discard-
 minute_aide_cronjob: '0'
 hour_aide_cronjob: '5'
 
+# Configure Time Synchronization
+chrony_amazon_timesync_block: |
+  # Amazon Linux 2 default Chrony configuration
+  server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4
+  pool 0.amazon.pool.ntp.org iburst maxsources 1
+  pool 1.amazon.pool.ntp.org iburst maxsources 1
+  pool 2.amazon.pool.ntp.org iburst maxsources 2
+
+chrony_user_opts: 'OPTIONS="-u chrony"'
+
+chrony_conf_path: "/etc/chrony.d/amazon_time_sync.conf"
+chrony_service: "chronyd"
+chrony_shell_check_path: "/etc/chrony.d"
 # configure filesystem partitions for al2
 tmp_mount_options:
   - { name: "Ensure /tmp is a separate partition", opts: "defaults,rw,nosuid,nodev,noexec,relatime" }