# Resource: awsSsmPatchBaseline

Provides an SSM Patch Baseline resource.

~> **NOTE on Patch Baselines:** The `approvedPatches` and `approvalRule` fields are both marked as optional, but the Patch Baseline requires that at least one of them is specified.

## Example Usage

### Basic Usage

Using `approvedPatches` only.
```typescript
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

new aws.ssmPatchBaseline.SsmPatchBaseline(this, "production", {
  approvedPatches: ["KB123456"],
  name: "patch-baseline",
});
```
### Advanced Usage, specifying patch filters

```typescript
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

new aws.ssmPatchBaseline.SsmPatchBaseline(this, "production", {
  approvalRule: [
    {
      approveAfterDays: 7,
      complianceLevel: "HIGH",
      patchFilter: [
        {
          key: "PRODUCT",
          values: ["WindowsServer2016"],
        },
        {
          key: "CLASSIFICATION",
          values: ["CriticalUpdates", "SecurityUpdates", "Updates"],
        },
        {
          key: "MSRC_SEVERITY",
          values: ["Critical", "Important", "Moderate"],
        },
      ],
    },
    {
      approveAfterDays: 7,
      patchFilter: [
        {
          key: "PRODUCT",
          values: ["WindowsServer2012"],
        },
      ],
    },
  ],
  approvedPatches: ["KB123456", "KB456789"],
  description: "Patch Baseline Description",
  globalFilter: [
    {
      key: "PRODUCT",
      values: ["WindowsServer2008"],
    },
    {
      key: "CLASSIFICATION",
      values: ["ServicePacks"],
    },
    {
      key: "MSRC_SEVERITY",
      values: ["Low"],
    },
  ],
  name: "patch-baseline",
  rejectedPatches: ["KB987654"],
});
```
### Advanced usage, specifying Microsoft application and Windows patch rules

```typescript
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

new aws.ssmPatchBaseline.SsmPatchBaseline(this, "windows_os_apps", {
  approvalRule: [
    {
      approveAfterDays: 7,
      patchFilter: [
        {
          key: "CLASSIFICATION",
          values: ["CriticalUpdates", "SecurityUpdates"],
        },
        {
          key: "MSRC_SEVERITY",
          values: ["Critical", "Important"],
        },
      ],
    },
    {
      approveAfterDays: 7,
      patchFilter: [
        {
          key: "PATCH_SET",
          values: ["APPLICATION"],
        },
        {
          key: "PRODUCT",
          values: ["Office 2013", "Office 2016"],
        },
      ],
    },
  ],
  description: "Patch both Windows and Microsoft apps",
  name: "WindowsOSAndMicrosoftApps",
  operatingSystem: "WINDOWS",
});
```
### Advanced usage, specifying alternate patch source repository

```typescript
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

new aws.ssmPatchBaseline.SsmPatchBaseline(this, "al_2017_09", {
  approvalRule: [{}],
  description: "My patch repository for Amazon Linux 2017.09",
  name: "Amazon-Linux-2017.09",
  operatingSystem: "AMAZON_LINUX",
  source: [
    {
      configuration:
        "[amzn-main]\nname=amzn-main-Base\nmirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list\nmirrorlist_expire=300\nmetadata_expire=300\npriority=10\nfailovermethod=priority\nfastestmirror_enabled=0\ngpgcheck=1\ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga\nenabled=1\nretries=3\ntimeout=5\nreport_instanceid=yes\n",
      name: "My-AL2017.09",
      products: ["AmazonLinux2017.09"],
    },
  ],
});
```
## Argument Reference

The following arguments are supported:

- `name` - (Required) The name of the patch baseline.
- `description` - (Optional) The description of the patch baseline.
- `operatingSystem` - (Optional) The operating system the patch baseline applies to. Valid values are `AMAZON_LINUX`, `AMAZON_LINUX_2`, `AMAZON_LINUX_2022`, `CENTOS`, `DEBIAN`, `MACOS`, `ORACLE_LINUX`, `RASPBIAN`, `REDHAT_ENTERPRISE_LINUX`, `ROCKY_LINUX`, `SUSE`, `UBUNTU`, and `WINDOWS`. The default value is `WINDOWS`.
- `approvedPatchesComplianceLevel` - (Optional) The compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid values are `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFORMATIONAL`, and `UNSPECIFIED`. The default value is `UNSPECIFIED`.
- `approvedPatches` - (Optional) A list of explicitly approved patches for the baseline. Cannot be specified with `approvalRule`.
- `rejectedPatches` - (Optional) A list of rejected patches.
- `globalFilter` - (Optional) A set of global filters used to exclude patches from the baseline. Up to 4 global filters can be specified using Key/Value pairs. Valid Keys are `PRODUCT`, `CLASSIFICATION`, `MSRC_SEVERITY`, and `PATCH_ID`.
- `approvalRule` - (Optional) A set of rules used to include patches in the baseline. Up to 10 approval rules can be specified. See `approvalRule` below.
- `source` - (Optional) Configuration block with alternate sources for patches. Applies to Linux instances only. See `source` below.
- `rejectedPatchesAction` - (Optional) The action for Patch Manager to take on patches included in the `rejectedPatches` list. Valid values are `ALLOW_AS_DEPENDENCY` and `BLOCK`.
- `approvedPatchesEnableNonSecurity` - (Optional) Indicates whether the list of approved patches includes non-security updates that should be applied to the instances. Applies to Linux instances only.
- `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
### approvalRule Block

The `approvalRule` block supports:

- `approveAfterDays` - (Optional) The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. Valid Range: 0 to 100. Conflicts with `approveUntilDate`.
- `approveUntilDate` - (Optional) The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Date is formatted as `YYYY-MM-DD`. Conflicts with `approveAfterDays`.
- `patchFilter` - (Required) The patch filter group that defines the criteria for the rule. Up to 5 patch filters can be specified per approval rule using Key/Value pairs. Valid combinations of these Keys and the `operatingSystem` value can be found in the SSM DescribePatchProperties API Reference. Valid Values are exact values for the patch property given as the key, or a wildcard `*`, which matches all values. `PATCH_SET` defaults to `OS` if unspecified.
- `complianceLevel` - (Optional) The compliance level for patches approved by this rule. Valid values are `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFORMATIONAL`, and `UNSPECIFIED`. The default value is `UNSPECIFIED`.
- `enableNonSecurity` - (Optional) Boolean enabling the application of non-security updates. The default value is `false`. Valid for Linux instances only.
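As an added example (not part of this page's own code or the cdktf AWS provider bindings), the following TypeScript checks a plain configuration object against the constraints stated in the argument reference and the `approvalRule` block above before it is handed to `SsmPatchBaseline`; the `validatePatchBaseline` function and its types are assumptions introduced here, and the failing config in the comments is constructed.

```typescript
// Added example: pre-synth validation of a patch baseline config against the
// constraints documented on this page. Types and function are assumptions.
type PatchFilter = { key: string; values: string[] };
type ApprovalRule = { approveAfterDays?: number; approveUntilDate?: string; complianceLevel?: string; patchFilter: PatchFilter[] };
type PatchBaselineConfig = { name: string; approvedPatches?: string[]; approvalRule?: ApprovalRule[]; globalFilter?: PatchFilter[]; rejectedPatchesAction?: string };

const GLOBAL_FILTER_KEYS = new Set(["PRODUCT", "CLASSIFICATION", "MSRC_SEVERITY", "PATCH_ID"]);
const COMPLIANCE_LEVELS = new Set(["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNSPECIFIED"]);

// Returns human-readable violations; an empty array means every checked constraint holds.
function validatePatchBaseline(cfg: PatchBaselineConfig): string[] {
  const errors: string[] = [];
  const rules = cfg.approvalRule ?? [];
  // At least one of approvedPatches / approvalRule must be present (see the NOTE at the top).
  if (!cfg.approvedPatches?.length && rules.length === 0) {
    errors.push("at least one of approvedPatches or approvalRule must be specified");
  }
  if (rules.length > 10) errors.push("at most 10 approval rules are allowed");
  rules.forEach((r, i) => {
    if (r.approveAfterDays !== undefined && r.approveUntilDate !== undefined) {
      errors.push(`approvalRule[${i}]: approveAfterDays conflicts with approveUntilDate`);
    }
    if (r.approveAfterDays !== undefined && (r.approveAfterDays < 0 || r.approveAfterDays > 100)) {
      errors.push(`approvalRule[${i}]: approveAfterDays must be between 0 and 100`);
    }
    if (r.approveUntilDate !== undefined && !/^\d{4}-\d{2}-\d{2}$/.test(r.approveUntilDate)) {
      errors.push(`approvalRule[${i}]: approveUntilDate must be formatted as YYYY-MM-DD`);
    }
    if (r.complianceLevel !== undefined && !COMPLIANCE_LEVELS.has(r.complianceLevel)) {
      errors.push(`approvalRule[${i}]: unknown complianceLevel ${r.complianceLevel}`);
    }
    if (r.patchFilter.length < 1 || r.patchFilter.length > 5) {
      errors.push(`approvalRule[${i}]: patchFilter needs 1 to 5 entries`);
    }
  });
  const globals = cfg.globalFilter ?? [];
  if (globals.length > 4) errors.push("at most 4 global filters are allowed");
  for (const f of globals) {
    if (!GLOBAL_FILTER_KEYS.has(f.key)) errors.push(`globalFilter: invalid key ${f.key}`);
  }
  if (cfg.rejectedPatchesAction && !["ALLOW_AS_DEPENDENCY", "BLOCK"].includes(cfg.rejectedPatchesAction)) {
    errors.push("rejectedPatchesAction must be ALLOW_AS_DEPENDENCY or BLOCK");
  }
  return errors;
}
```

Running it over the "production" basic example above yields no violations, while a rule that sets both `approveAfterDays` and `approveUntilDate` with an empty `patchFilter` is reported before `cdktf synth` ever reaches the API.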
### source Block

The `source` block supports:

- `name` - (Required) The name specified to identify the patch source.
- `configuration` - (Required) The value of the yum repo configuration. For information about other options available for your yum repository configuration, see the `dnf.conf` documentation.
- `products` - (Required) The specific operating system versions a patch repository applies to, such as `"Ubuntu16.04"`, `"AmazonLinux2016.09"`, `"RedhatEnterpriseLinux7.2"` or `"Suse12.7"`. For lists of supported product values, see PatchFilter.
## Attributes Reference

In addition to all arguments above, the following attributes are exported:

- `id` - The ID of the patch baseline.
- `arn` - The ARN of the patch baseline.
- `tagsAll` - A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.

## Import

SSM Patch Baselines can be imported by their baseline ID, e.g.,