AWS aws_ssm_patch_baseline: Specify Microsoft applications for an approval rule #8942

Closed
hashibot bot opened this issue Jun 11, 2019 · 3 comments

@hashibot hashibot bot commented Jun 11, 2019

This issue was originally opened by @aidancasey1 as hashicorp/terraform#21678. It was migrated here as a result of the provider split. The original body of the issue is below.


Current Terraform Version

Terraform v0.11.13

  • provider.aws v2.3.0
  • provider.local v1.2.2
  • provider.null v2.1.2
  • provider.template v2.1.2

Use-cases

I want to create custom baselines that I can use to patch Microsoft applications such as Office.

It seems that I can only select OS specific products
PRODUCT, valid values are: Windows7, Windows8, Windows8.1, Windows8Embedded, Windows10, Windows10LTSB, WindowsServer2008, WindowsServer2008R2, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsServer2019

Attempted Solutions

Add additional applications that AWS baselines support such as Office 2013, Office 2016

References


@jdheyburn jdheyburn commented Nov 13, 2019

This functionality is available in aws-sdk-go. From AWS Support:

While configuring a custom patch baseline for the Systems Manager, you would have to specify patch properties in the CreatePatchBaseline API requests which contains the following request parameter [1] under DescribePatchProperties [2] Action -

• PatchSet - Indicates whether to list patches for the Windows operating system or for Microsoft applications. Not applicable for Linux operating systems.
Type: String
Valid Values: OS | APPLICATION

So for "Approval rules for Microsoft applications" you would have to specify value as "APPLICATION".

Similarly in AWS SDK for Go Library, you'll find the implementation here [3][4].

=======================================================

const (
  // PatchSetOs is a PatchSet enum value
  PatchSetOs = "OS"
  // PatchSetApplication is a PatchSet enum value
  PatchSetApplication = "APPLICATION"
)

  • This PATCH_SET should be an additional key that can be added to a PatchFilterGroup
    • it should default to OS to maintain backward compatibility
  • With the user specifying APPLICATION to set a rule for Microsoft applications
  • The AWS API can perform server-side validation of whether the rule is valid
    • must be WINDOWS operating_system - which is the default here too

I'll look to implement this in the coming week or so.


@jdheyburn jdheyburn commented Nov 21, 2019

Looks like no change is needed and this can be done today. As an example:

resource "aws_ssm_patch_baseline" "windows_test" {
  name             = "TestWindowsApplication"
  description      = "Test Windows Application"
  operating_system = "WINDOWS"

  approval_rule {
    approve_after_days = "7"
    compliance_level   = "CRITICAL"

    patch_filter {
      key = "PATCH_SET"

      values = [
        "APPLICATION",
      ]
    }

    patch_filter {
      key = "PRODUCT"

      values = [
        "Office 2013",
        "Office 2016",
      ]
    }
  }
}

Let me know if this wasn't what you expected, I'll reevaluate and see if there's something additional.

cc @aidancasey1
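
A local pre-flight check for the filter combination discussed in this thread, as an added example that is not part of the issue or the provider's code: it flags PRODUCT values outside the OS list quoted in the issue when PATCH_SET is not APPLICATION, and flags APPLICATION on a non-WINDOWS baseline. `PatchFilter`, `LintRule` and `osProducts` are hypothetical names, and treating the quoted product list as complete is an assumption.

```go
package main

import "fmt"

// PatchSet enum values, as quoted from aws-sdk-go in the thread.
const PatchSetOs, PatchSetApplication = "OS", "APPLICATION"

// PatchFilter is a hypothetical local stand-in for one patch_filter block.
type PatchFilter struct{ Key string; Values []string }

// OS-level PRODUCT values copied from the issue text (assumed complete for this check).
var osProducts = map[string]bool{
	"Windows7": true, "Windows8": true, "Windows8.1": true, "Windows8Embedded": true,
	"Windows10": true, "Windows10LTSB": true, "WindowsServer2008": true, "WindowsServer2008R2": true,
	"WindowsServer2012": true, "WindowsServer2012R2": true, "WindowsServer2016": true, "WindowsServer2019": true,
}

// LintRule returns findings for one approval rule; an empty result means it passed.
func LintRule(operatingSystem string, filters []PatchFilter) []string {
	if operatingSystem == "" {
		operatingSystem = "WINDOWS" // resource default noted in the thread
	}
	patchSet, products, findings := PatchSetOs, []string{}, []string{} // no PATCH_SET means OS
	for _, f := range filters {
		if f.Key == "PATCH_SET" && len(f.Values) > 0 {
			patchSet = f.Values[0]
		} else if f.Key == "PRODUCT" {
			products = f.Values
		}
	}
	if patchSet != PatchSetOs && patchSet != PatchSetApplication {
		findings = append(findings, fmt.Sprintf("PATCH_SET value %q is not OS or APPLICATION", patchSet))
	} else if patchSet == PatchSetApplication && operatingSystem != "WINDOWS" {
		findings = append(findings, "PATCH_SET=APPLICATION requires operating_system WINDOWS")
	}
	for _, p := range products {
		if patchSet == PatchSetOs && operatingSystem == "WINDOWS" && !osProducts[p] {
			findings = append(findings, fmt.Sprintf("PRODUCT %q is not an OS product; set PATCH_SET to APPLICATION", p))
		}
	}
	return findings
}

func main() {
	// Constructed input: the Office products from the issue, first without PATCH_SET.
	office := []PatchFilter{{"PRODUCT", []string{"Office 2013", "Office 2016"}}}
	fmt.Println(LintRule("WINDOWS", office))
	fmt.Println(LintRule("WINDOWS", append(office, PatchFilter{"PATCH_SET", []string{"APPLICATION"}})))
}
```

The first call reports both Office products; the second, which matches the working configuration in the comment above, reports nothing.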


@bflad bflad commented Nov 25, 2019

Thanks @jdheyburn! Since this appears to be working today, I'm going to close this feature request, but if you or someone would like to submit this to the aws_ssm_patch_baseline resource documentation, the source for that file can be found at website/docs/r/ssm_patch_baseline.html.markdown 👍
