Resource: awsSsmPatchBaseline

Provides an SSM Patch Baseline resource.

~> NOTE on Patch Baselines: The approvedPatches and approvalRule are both marked as optional fields, but the Patch Baseline requires that at least one of them is specified.

Example Usage

Basic Usage

Using approvedPatches only.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.ssmPatchBaseline.SsmPatchBaseline(this, "production", {
  approvedPatches: ["KB123456"],
  name: "patch-baseline",
});

Advanced Usage, specifying patch filters

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.ssmPatchBaseline.SsmPatchBaseline(this, "production", {
  approvalRule: [
    {
      approveAfterDays: 7,
      complianceLevel: "HIGH",
      patchFilter: [
        {
          key: "PRODUCT",
          values: ["WindowsServer2016"],
        },
        {
          key: "CLASSIFICATION",
          values: ["CriticalUpdates", "SecurityUpdates", "Updates"],
        },
        {
          key: "MSRC_SEVERITY",
          values: ["Critical", "Important", "Moderate"],
        },
      ],
    },
    {
      approveAfterDays: 7,
      patchFilter: [
        {
          key: "PRODUCT",
          values: ["WindowsServer2012"],
        },
      ],
    },
  ],
  approvedPatches: ["KB123456", "KB456789"],
  description: "Patch Baseline Description",
  globalFilter: [
    {
      key: "PRODUCT",
      values: ["WindowsServer2008"],
    },
    {
      key: "CLASSIFICATION",
      values: ["ServicePacks"],
    },
    {
      key: "MSRC_SEVERITY",
      values: ["Low"],
    },
  ],
  name: "patch-baseline",
  rejectedPatches: ["KB987654"],
});

Advanced usage, specifying Microsoft application and Windows patch rules

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.ssmPatchBaseline.SsmPatchBaseline(this, "windows_os_apps", {
  approvalRule: [
    {
      approveAfterDays: 7,
      patchFilter: [
        {
          key: "CLASSIFICATION",
          values: ["CriticalUpdates", "SecurityUpdates"],
        },
        {
          key: "MSRC_SEVERITY",
          values: ["Critical", "Important"],
        },
      ],
    },
    {
      approveAfterDays: 7,
      patchFilter: [
        {
          key: "PATCH_SET",
          values: ["APPLICATION"],
        },
        {
          key: "PRODUCT",
          values: ["Office 2013", "Office 2016"],
        },
      ],
    },
  ],
  description: "Patch both Windows and Microsoft apps",
  name: "WindowsOSAndMicrosoftApps",
  operatingSystem: "WINDOWS",
});

Advanced usage, specifying alternate patch source repository

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.ssmPatchBaseline.SsmPatchBaseline(this, "al_2017_09", {
  approvalRule: [{}],
  description: "My patch repository for Amazon Linux 2017.09",
  name: "Amazon-Linux-2017.09",
  operatingSystem: "AMAZON_LINUX",
  source: [
    {
      configuration:
        "[amzn-main]\nname=amzn-main-Base\nmirrorlist=http://repo.$awsregion.$awsdomain/$releasever/main/mirror.list\nmirrorlist_expire=300\nmetadata_expire=300\npriority=10\nfailovermethod=priority\nfastestmirror_enabled=0\ngpgcheck=1\ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga\nenabled=1\nretries=3\ntimeout=5\nreport_instanceid=yes\n",
      name: "My-AL2017.09",
      products: ["AmazonLinux2017.09"],
    },
  ],
});

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the patch baseline.
  • description - (Optional) The description of the patch baseline.
  • operatingSystem - (Optional) The operating system the patch baseline applies to. Valid values are AMAZON_LINUX, AMAZON_LINUX_2, AMAZON_LINUX_2022, CENTOS, DEBIAN, MACOS, ORACLE_LINUX, RASPBIAN, REDHAT_ENTERPRISE_LINUX, ROCKY_LINUX, SUSE, UBUNTU, and WINDOWS. The default value is WINDOWS.
  • approvedPatchesComplianceLevel - (Optional) The compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid values are CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, and UNSPECIFIED. The default value is UNSPECIFIED.
  • approvedPatches - (Optional) A list of explicitly approved patches for the baseline. Cannot be specified with approvalRule.
  • rejectedPatches - (Optional) A list of rejected patches.
  • globalFilter - (Optional) A set of global filters used to exclude patches from the baseline. Up to 4 global filters can be specified using Key/Value pairs. Valid Keys are PRODUCT, CLASSIFICATION, MSRC_SEVERITY, and PATCH_ID.
  • approvalRule - (Optional) A set of rules used to include patches in the baseline. Up to 10 approval rules can be specified. See approvalRule below.
  • source - (Optional) Configuration block with alternate sources for patches. Applies to Linux instances only. See source below.
  • rejectedPatchesAction - (Optional) The action for Patch Manager to take on patches included in the rejectedPatches list. Valid values are ALLOW_AS_DEPENDENCY and BLOCK.
  • approvedPatchesEnableNonSecurity - (Optional) Indicates whether the list of approved patches includes non-security updates that should be applied to the instances. Applies to Linux instances only.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

approvalRule Block

The approvalRule block supports:

  • approveAfterDays - (Optional) The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. Valid Range: 0 to 100. Conflicts with approveUntilDate.
  • approveUntilDate - (Optional) The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Date is formatted as YYYY-MM-DD. Conflicts with approveAfterDays.
  • patchFilter - (Required) The patch filter group that defines the criteria for the rule. Up to 5 patch filters can be specified per approval rule using Key/Value pairs. Valid combinations of these Keys and the operatingSystem value can be found in the SSM DescribePatchProperties API Reference. Valid Values are exact values for the patch property given as the key, or a wildcard *, which matches all values.
      • PATCH_SET defaults to OS if unspecified.
  • complianceLevel - (Optional) The compliance level for patches approved by this rule. Valid values are CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, and UNSPECIFIED. The default value is UNSPECIFIED.
  • enableNonSecurity - (Optional) Boolean enabling the application of non-security updates. The default value is false. Valid for Linux instances only.
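The argument reference above states a number of constraints that SSM enforces only at deploy time (at least one of approvedPatches or approvalRule, at most 10 approval rules, at most 5 patch filters per rule, at most 4 global filters, approveAfterDays in 0 to 100 and exclusive with approveUntilDate, and fixed enum values). The following is an added example, not code from the Terraform AWS provider documentation or the CDKTF project, that checks a props object against those documented limits before `cdktf deploy`, so a baseline SSM would reject, or one that approves nothing, is caught in review rather than in the pipeline. The interfaces are hand-written assumptions that mirror the documented arguments; they are not the generated provider bindings, and the sample props are constructed for the example.

```typescript
// Added example: pre-deploy validation of SsmPatchBaseline props against the
// constraints stated in the argument reference. The interfaces below are
// hand-written assumptions mirroring the documented arguments, not the
// generated ./.gen/providers/aws bindings.

interface PatchFilter {
  key: string;
  values: string[];
}

interface ApprovalRule {
  approveAfterDays?: number;
  approveUntilDate?: string;
  complianceLevel?: string;
  enableNonSecurity?: boolean;
  patchFilter: PatchFilter[];
}

interface PatchBaselineProps {
  name: string;
  approvedPatches?: string[];
  approvalRule?: ApprovalRule[];
  globalFilter?: PatchFilter[];
  rejectedPatches?: string[];
  rejectedPatchesAction?: string;
}

// Enum values as documented on this page.
const GLOBAL_FILTER_KEYS = new Set(["PRODUCT", "CLASSIFICATION", "MSRC_SEVERITY", "PATCH_ID"]);
const COMPLIANCE_LEVELS = new Set(["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNSPECIFIED"]);
const REJECTED_ACTIONS = new Set(["ALLOW_AS_DEPENDENCY", "BLOCK"]);

// Returns every documented constraint the props violate; an empty array means
// the baseline is well-formed as far as this page's rules go.
function validatePatchBaseline(p: PatchBaselineProps): string[] {
  const problems: string[] = [];
  const rules = p.approvalRule ?? [];
  const globals = p.globalFilter ?? [];

  // A baseline with neither explicit patches nor rules approves nothing.
  if ((p.approvedPatches ?? []).length === 0 && rules.length === 0) {
    problems.push("at least one of approvedPatches or approvalRule must be specified");
  }
  if (rules.length > 10) problems.push(`approvalRule: ${rules.length} rules, maximum is 10`);
  if (globals.length > 4) problems.push(`globalFilter: ${globals.length} filters, maximum is 4`);
  for (const f of globals) {
    if (!GLOBAL_FILTER_KEYS.has(f.key)) problems.push(`globalFilter: invalid key ${f.key}`);
  }
  rules.forEach((r, i) => {
    const where = `approvalRule[${i}]`;
    if (r.patchFilter.length === 0) {
      problems.push(`${where}: patchFilter is required`);
    } else if (r.patchFilter.length > 5) {
      problems.push(`${where}: ${r.patchFilter.length} patch filters, maximum is 5`);
    }
    if (r.approveAfterDays !== undefined && r.approveUntilDate !== undefined) {
      problems.push(`${where}: approveAfterDays conflicts with approveUntilDate`);
    }
    if (r.approveAfterDays !== undefined &&
        (!Number.isInteger(r.approveAfterDays) || r.approveAfterDays < 0 || r.approveAfterDays > 100)) {
      problems.push(`${where}: approveAfterDays must be an integer in 0..100`);
    }
    if (r.approveUntilDate !== undefined && !/^\d{4}-\d{2}-\d{2}$/.test(r.approveUntilDate)) {
      problems.push(`${where}: approveUntilDate must be formatted YYYY-MM-DD`);
    }
    if (r.complianceLevel !== undefined && !COMPLIANCE_LEVELS.has(r.complianceLevel)) {
      problems.push(`${where}: invalid complianceLevel ${r.complianceLevel}`);
    }
  });
  if (p.rejectedPatchesAction !== undefined && !REJECTED_ACTIONS.has(p.rejectedPatchesAction)) {
    problems.push(`rejectedPatchesAction: invalid value ${p.rejectedPatchesAction}`);
  }
  return problems;
}

// Constructed sample: the "production" example above, narrowed to security
// classifications so non-security updates are not auto-approved.
const GOOD: PatchBaselineProps = {
  name: "patch-baseline",
  approvalRule: [{
    approveAfterDays: 7,
    complianceLevel: "HIGH",
    patchFilter: [
      { key: "PRODUCT", values: ["WindowsServer2016"] },
      { key: "CLASSIFICATION", values: ["CriticalUpdates", "SecurityUpdates"] },
      { key: "MSRC_SEVERITY", values: ["Critical", "Important"] },
    ],
  }],
  rejectedPatches: ["KB987654"],
  rejectedPatchesAction: "BLOCK",
};

// Constructed sample that breaks six documented constraints at once.
const BAD: PatchBaselineProps = {
  name: "broken-baseline",
  approvalRule: [{ approveAfterDays: 120, approveUntilDate: "2024-01-31", complianceLevel: "SEVERE", patchFilter: [] }],
  globalFilter: [{ key: "SEVERITY", values: ["Low"] }],
  rejectedPatchesAction: "DENY",
};

console.log(validatePatchBaseline(GOOD));  // []
console.log(validatePatchBaseline(BAD));   // six problem strings
```

Run the check in CI against the same props object you pass to `new aws.ssmPatchBaseline.SsmPatchBaseline(...)`; because it only encodes the limits printed on this page, it complements rather than replaces the provider's own plan-time validation.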

source Block

The source block supports:

  • name - (Required) The name specified to identify the patch source.
  • configuration - (Required) The value of the yum repo configuration. For information about other options available for your yum repository configuration, see the dnf.conf documentation.
  • products - (Required) The specific operating system versions a patch repository applies to, such as "Ubuntu16.04", "AmazonLinux2016.09", "RedhatEnterpriseLinux7.2" or "Suse12.7". For lists of supported product values, see PatchFilter.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The ID of the patch baseline.
  • arn - The ARN of the patch baseline.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

SSM Patch Baselines can be imported by their baseline ID, e.g.,

$ terraform import aws_ssm_patch_baseline.example pb-12345678