rhythmictech/terraform-aws-ssm-patch-manager

terraform-aws-ssm-patch-manager

Creates a basic SSM Patch Manager setup


Example

Here's what using the module looks like. scan_schedule and install_schedule are required inputs; everything else has a default (see Inputs):

module "patch_manager" {
  source  = "rhythmictech/ssm-patch-manager/aws"
  version = "~> 1.0.0"

  # Both schedules are required. SSM maintenance window cron expressions have
  # six fields: Minutes Hours Day-of-month Month Day-of-week Year.
  scan_schedule    = "cron(0 6 * * ? *)"   # every day at 06:00
  install_schedule = "cron(0 2 ? * SUN *)" # Sundays at 02:00

  log_bucket = var.log_bucket
  tags       = var.tags
}

About

This module creates the resources needed to patch instances against the AWS-managed default patch baselines for any (or all) of the platforms supported by SSM Patch Manager. For each platform in the platforms input it registers a patch group bound to that platform's default baseline, then creates two maintenance windows, one that scans and one that installs, each with a target that selects the tagged instances and a task that runs the patch operation. No custom baselines are created, so patch approval rules and compliance severities are whatever the AWS default baseline for each platform specifies.

NOTE:

Patches are only scanned for and installed on instances tagged with TAG_GROUP : $PLATFORM, where $PLATFORM is one of the platform names below, spelled exactly as listed and present in the platforms input. Untagged instances, or instances whose tag value does not match, are never selected by the maintenance window targets, and the windows report nothing about them, so a missing or misspelled tag means a host silently stays unpatched. Instances must also be SSM managed nodes (SSM Agent running and an instance profile that permits Systems Manager access) to be targeted at all.

Supported Platforms:

  • AMAZON_LINUX_2
  • AMAZON_LINUX
  • CENTOS
  • ORACLE_LINUX
  • SUSE
  • WINDOWS
  • DEBIAN
  • UBUNTU
  • REDHAT_ENTERPRISE_LINUX
  • MACOS

Requirements

Name Version
terraform >= 0.13.5
aws >= 3.28

Providers

Name Version
aws 4.53.0

Modules

No modules.

Resources

Name Type
aws_ssm_maintenance_window.install resource
aws_ssm_maintenance_window.scan resource
aws_ssm_maintenance_window_target.install resource
aws_ssm_maintenance_window_target.scan resource
aws_ssm_maintenance_window_task.install resource
aws_ssm_maintenance_window_task.scan resource
aws_ssm_patch_group.patchgroup resource
aws_ssm_patch_baseline.this data source

Inputs

Each input is listed with its type, default and whether it is required, followed by its description.

install_cloudwatch_configs
  Type: set(object({ cloudwatch_log_group_name = string, cloudwatch_output_enabled = bool }))  Default: []  Required: no
  A set of cloudwatch_config objects (the cloudwatch_config block of aws_ssm_maintenance_window_task in the AWS provider docs) attached to the install task.

install_cutoff
  Type: number  Default: 1  Required: no
  How many hours before the end of the install maintenance window to stop scheduling new instances to install patches. Must be less than install_duration.

install_duration
  Type: number  Default: 3  Required: no
  Length of the install maintenance window in hours.

install_log_prefix
  Type: string  Default: "/patch_manager/install/"  Required: no
  The S3 key prefix under log_bucket to store install logs in.

install_notification_configs
  Type: set(object({ notification_arn = string, notification_events = list(string), notification_type = string }))  Default: []  Required: no
  A set of notification_config objects (the notification_config block of aws_ssm_maintenance_window_task in the AWS provider docs) attached to the install task.

install_notification_role_arn
  Type: string  Default: null  Required: no
  The ARN of the role Systems Manager assumes to send install notifications.

install_schedule
  Type: string  Default: n/a  Required: yes
  6-field cron expression describing the install maintenance schedule.

log_bucket
  Type: string  Default: null  Required: no
  S3 bucket that command output logs are sent to.

max_install_concurrency
  Type: number  Default: 2  Required: no
  The maximum number of instances to install patches on at once.

max_install_errors
  Type: number  Default: 2  Required: no
  The maximum number of errors before the install task stops scheduling new instances.

max_scan_concurrency
  Type: number  Default: 20  Required: no
  The maximum number of instances to scan at once.

max_scan_errors
  Type: number  Default: 20  Required: no
  The maximum number of errors before the scan task stops scheduling new instances.

name
  Type: string  Default: "patch-manager"  Required: no
  Name to assign to resources in this module.

platforms
  Type: set(string)  Required: no
  Default: ["AMAZON_LINUX_2", "AMAZON_LINUX", "CENTOS", "ORACLE_LINUX", "SUSE", "WINDOWS", "DEBIAN", "UBUNTU", "REDHAT_ENTERPRISE_LINUX", "MACOS"]
  The set of platforms to support. Each entry gets its own patch group and maintenance window targets, and is the tag value instances of that platform must carry.

scan_cloudwatch_configs
  Type: set(object({ cloudwatch_log_group_name = string, cloudwatch_output_enabled = bool }))  Default: []  Required: no
  A set of cloudwatch_config objects (as for install_cloudwatch_configs) attached to the scan task.

scan_cutoff
  Type: number  Default: 1  Required: no
  How many hours before the end of the scan maintenance window to stop scheduling new instances to scan. Must be less than scan_duration.

scan_duration
  Type: number  Default: 4  Required: no
  Length of the scan maintenance window in hours.

scan_log_prefix
  Type: string  Default: "/patch_manager/scan/"  Required: no
  The S3 key prefix under log_bucket to store scan logs in.

scan_notification_configs
  Type: set(object({ notification_arn = string, notification_events = list(string), notification_type = string }))  Default: []  Required: no
  A set of notification_config objects (as for install_notification_configs) attached to the scan task.

scan_notification_role_arn
  Type: string  Default: null  Required: no
  The ARN of the role Systems Manager assumes to send scan notifications.

scan_schedule
  Type: string  Default: n/a  Required: yes
  6-field cron expression describing the scan maintenance schedule.

schedule_timezone
  Type: string  Default: "UTC"  Required: no
  IANA time zone name (for example "America/New_York") used when evaluating both maintenance window schedules.

service_role_arn
  Type: string  Default: null  Required: no
  The ARN of the role the maintenance window tasks run as. When null, Systems Manager runs the tasks under its service-linked role.

tags
  Type: map(string)  Default: { "terraform_managed" = "True" }  Required: no
  A map of tags added to every resource the module creates.
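The following is an added example, not code from the module or its README, showing a fuller configuration than the minimal one above: a restricted platform set, the schedule/cutoff relationship, CloudWatch and SNS notification wiring with a least-privilege notification role, and an instance tagged so the maintenance window targets pick it up (the tagging requirement from the NOTE above). The resources aws_sns_topic.patching, aws_cloudwatch_log_group.patching and aws_iam_instance_profile.ssm and the variables var.ami_id and var.subnet_id are placeholders for things defined elsewhere in your configuration; the tag key TAG_GROUP is taken from the NOTE and should be confirmed against the module's maintenance window target definition.

```hcl
# Added example, not the module's own code. Resources and variables that are
# not defined here (the SNS topic, log group, instance profile, AMI and subnet)
# are placeholders for your own configuration.

module "patch_manager" {
  source  = "rhythmictech/ssm-patch-manager/aws"
  version = "~> 1.0.0"

  name       = "patch-manager"
  log_bucket = var.log_bucket
  tags       = var.tags

  # Only register the platforms actually present in the fleet; each entry
  # creates a patch group and a pair of maintenance window targets.
  platforms = ["AMAZON_LINUX_2", "UBUNTU"]

  # SSM maintenance window cron: Minutes Hours Day-of-month Month Day-of-week Year.
  # Scan every day at 06:00 and install on Sundays at 02:00, in the zone below.
  schedule_timezone = "America/New_York"
  scan_schedule     = "cron(0 6 * * ? *)"
  install_schedule  = "cron(0 2 ? * SUN *)"

  # cutoff is the number of hours before the end of the window after which no
  # new instances are scheduled; SSM rejects the window unless cutoff < duration.
  scan_duration    = 2
  scan_cutoff      = 1
  install_duration = 4
  install_cutoff   = 1

  # Roll installs out slowly and stop scheduling new instances on the first failure.
  max_install_concurrency = 2
  max_install_errors      = 1

  # Stream Run Command output to CloudWatch Logs in addition to the S3 bucket.
  install_cloudwatch_configs = [{
    cloudwatch_log_group_name = aws_cloudwatch_log_group.patching.name
    cloudwatch_output_enabled = true
  }]

  # Notify the on-call topic when an install command fails or times out.
  install_notification_configs = [{
    notification_arn    = aws_sns_topic.patching.arn
    notification_events = ["Failed", "TimedOut"]
    notification_type   = "Command"
  }]
  install_notification_role_arn = aws_iam_role.patch_notify.arn
}

# Role Systems Manager assumes to publish notifications: it trusts only the SSM
# service and may publish only to the one topic.
resource "aws_iam_role" "patch_notify" {
  name = "patch-manager-notify"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ssm.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy" "patch_notify" {
  role = aws_iam_role.patch_notify.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sns:Publish"
      Resource = aws_sns_topic.patching.arn
    }]
  })
}

# An instance is only targeted if it carries the tag named in the NOTE with a
# value that exactly matches one of `platforms`, and only if it is an SSM
# managed node (SSM Agent running, instance profile granting SSM access);
# otherwise the maintenance windows simply never select it. "Patch Group" is
# the tag key SSM itself uses for patch-group membership, so it is set as well.
resource "aws_instance" "app" {
  ami                  = var.ami_id
  instance_type        = "t3.small"
  subnet_id            = var.subnet_id
  iam_instance_profile = aws_iam_instance_profile.ssm.name

  tags = merge(var.tags, {
    Name          = "app"
    "TAG_GROUP"   = "AMAZON_LINUX_2" # key from the NOTE above; confirm against the module
    "Patch Group" = "AMAZON_LINUX_2"
  })
}
```

After applying, check the scan window's target in the Systems Manager console or with the describe-maintenance-window-targets / describe-maintenance-window-executions API calls: a target that resolves to zero instances is the usual sign of a missing tag, a misspelled platform value, or an instance that is not yet a managed node.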

Outputs

No outputs.

Getting Started

This workflow has a few prerequisites, which are installed through the ./bin/install-x.sh scripts. The install scripts also work on your local machine.

We use tfenv to manage Terraform versions: the required version is pinned in versions.tf, and tfenv installs the latest version that satisfies it. pre-commit acts like a package manager for scripts that run as git hooks; we use it to run the tools below before each commit. terraform-docs generates the docs above, tfsec scans for security problems, and tflint checks for best practices.
We use tfenv to manage terraform versions, so the version is defined in the versions.tf and tfenv installs the latest compliant version. pre-commit is like a package manager for scripts that integrate with git hooks. We use them to run the rest of the tools before apply. terraform-docs creates the beautiful docs (above), tfsec scans for security no-nos, tflint scans for best practices.