Upgrade Security Compliance Management

Upgrade to the latest version of Security Compliance Management. The upgrade plan handles backing up your data, pulling new container images, applying updated configuration, and migrating the database if required.

Before you begin:
  • Ensure you are running Bolt 3.27.2 or later.

  • Ensure your Bolt project directory and inventory are configured correctly for your installation.

  • We strongly recommend making a backup before upgrading. The upgrade plan prompts you to do this automatically.

  1. Update the version_requirement value for the puppetlabs-complyadm module in your bolt-project.yaml to the newer version.

    Editing the bolt-project.yaml file is covered in the Install Security Compliance Management section.

  2. Run bolt module install --force to update the complyadm module to the new version.
  3. Run the upgrade plan from your Bolt project directory:

    bolt plan run complyadm::upgrade

    The plan prompts you to make a backup. We strongly recommend that you back up your database and volumes before upgrading. Respond with y to make a backup or n to decline; answer n only if you have already made a backup manually.
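
The three steps above as a guarded wrapper, added here as an example (not Puppet's own tooling): it refuses to start unless Bolt is 3.27.2 or later and bolt-project.yaml carries a version_requirement for puppetlabs-complyadm. The function names and the `--run` switch are assumptions of this example, as are the modules list layout it parses (name before version_requirement) and `bolt --version` printing only the version number.

```shell
#!/bin/sh
# Added example, not part of the complyadm module.
MIN_BOLT="3.27.2"   # minimum Bolt version required by this page

# version_ge A B: succeed when dotted version A >= B, compared field by field
# as numbers (a plain string compare would rank 3.9.0 above 3.27.2).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# complyadm_requirement FILE: print the version_requirement of the
# puppetlabs-complyadm entry in a bolt-project.yaml modules list.
# Assumes "name:" comes before "version_requirement:" within the entry.
complyadm_requirement() {
    awk '
        /^[[:space:]]*-/ { in_mod = 0 }                  # next list item
        /name:.*puppetlabs-complyadm/ { in_mod = 1 }
        in_mod && /version_requirement:/ {
            sub(/.*version_requirement:[[:space:]]*/, ""); print; exit
        }
    ' "$1" | tr -d "\"'"
}

# run_upgrade [PROJECT_DIR]: check prerequisites, then run steps 2 and 3.
run_upgrade() {
    dir=${1:-.}
    have=$(bolt --version) || { echo "bolt not found" >&2; return 1; }
    version_ge "$have" "$MIN_BOLT" ||
        { echo "Bolt $have is older than $MIN_BOLT" >&2; return 1; }
    req=$(complyadm_requirement "$dir/bolt-project.yaml")
    [ -n "$req" ] ||
        { echo "no puppetlabs-complyadm version_requirement in $dir" >&2; return 1; }
    echo "Upgrading with puppetlabs-complyadm $req"
    # The plan still prompts for the backup; nothing here answers for you.
    ( cd "$dir" && bolt module install --force &&
        bolt plan run complyadm::upgrade )
}

# Only act when asked, so the functions can be sourced and tested safely.
if [ "${1:-}" = "--run" ]; then run_upgrade "${2:-.}"; fi
```

Invoke it with `--run` followed by the Bolt project directory; without `--run` it only defines the functions.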

Optional parameters

You can pass the following parameters to skip interactive prompts or modify upgrade behavior:

| Parameter | Type | Default | Description |
|---|---|---|---|
| ignore_failing_preflights | Boolean | false | When true, the plan continues even if preflight checks (OS, memory, CPU, required packages) do not pass. Useful when a non-critical check is failing and you need to proceed. |
| upload_images | Boolean | true | When true (default), the Bolt runner downloads container images from the Puppet image registry and uploads them to the target. When false, the target pulls images directly from the registry itself. Set to false only when the SCM host has direct outbound internet access to the container registry. |

Examples

Continue even if preflight checks fail:

bolt plan run complyadm::upgrade ignore_failing_preflights=true

Pull images directly on the target instead of via the Bolt runner:

bolt plan run complyadm::upgrade upload_images=false

What the plan does

The upgrade plan performs the following steps in order:

  1. Verifies your Bolt version is supported.

  2. Optionally runs complyadm::backup to back up the database and volumes.

  3. Runs preflight checks (architecture, runtime, memory, OS, CPU, required packages).

  4. Installs or updates the container runtime (Docker or Podman) if install_runtime is set in your configuration.

  5. Pulls or uploads new container images depending on the upload_images parameter.

  6. Detects whether a major PostgreSQL version bump has occurred. If so, it automatically stops services, backs up the database, removes the old volume, applies the new version, and restores the backup.

  7. Applies updated configuration to all roles (database, backend, UI).

  8. Waits for services to become healthy.

  9. Runs cleanup tasks.

Results
Security Compliance Management is upgraded to the new version. You can verify the upgrade by navigating to your Security Compliance Management web console.