From 55583961653be15b674016a4fce62610a8978402 Mon Sep 17 00:00:00 2001
From: Paul Stack <public@paulstack.co.uk>
Date: Wed, 16 Aug 2017 18:49:18 +0300
Subject: [PATCH] Support updates for aws_ssm_association &
 aws_ssm_patch_baseline resources (#1421)

* Update SSM Association Schedule Expression

* Update SSM Association Output Location

* Add support for SSM Association Document Version

* Add acceptance test for AWS SSM Assocation with Parameters

* Add support for SSM Association Parameter Updates

* Add support for ssm_patch_baseline resource updates
---
 aws/resource_aws_ssm_association.go          |  47 ++-
 aws/resource_aws_ssm_association_test.go     | 342 +++++++++++++++++++
 aws/resource_aws_ssm_patch_baseline.go       |  50 ++-
 aws/resource_aws_ssm_patch_baseline_test.go  |  79 ++++-
 website/docs/r/ssm_association.html.markdown |   1 +
 5 files changed, 505 insertions(+), 14 deletions(-)

diff --git a/aws/resource_aws_ssm_association.go b/aws/resource_aws_ssm_association.go
index c1ea0c8a6c4..e3f080dedd0 100644
--- a/aws/resource_aws_ssm_association.go
+++ b/aws/resource_aws_ssm_association.go
@@ -14,6 +14,7 @@ func resourceAwsSsmAssociation() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceAwsSsmAssociationCreate,
 		Read:   resourceAwsSsmAssociationRead,
+		Update: resourceAwsSsmAssocationUpdate,
 		Delete: resourceAwsSsmAssociationDelete,
 
 		Schema: map[string]*schema.Schema{
@@ -26,6 +27,11 @@ func resourceAwsSsmAssociation() *schema.Resource {
 				ForceNew: true,
 				Optional: true,
 			},
+			"document_version": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+			},
 			"name": {
 				Type:     schema.TypeString,
 				ForceNew: true,
@@ -34,19 +40,16 @@ func resourceAwsSsmAssociation() *schema.Resource {
 			"parameters": {
 				Type:     schema.TypeMap,
 				Optional: true,
-				ForceNew: true,
 				Computed: true,
 			},
 			"schedule_expression": {
 				Type:     schema.TypeString,
 				Optional: true,
-				ForceNew: true,
 			},
 			"output_location": {
 				Type:     schema.TypeList,
 				MaxItems: 1,
 				Optional: true,
-				ForceNew: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"s3_bucket_name": {
@@ -97,6 +100,10 @@ func resourceAwsSsmAssociationCreate(d *schema.ResourceData, meta interface{}) e
 		assosciationInput.InstanceId = aws.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("document_version"); ok {
+		assosciationInput.DocumentVersion = aws.String(v.(string))
+	}
+
 	if v, ok := d.GetOk("schedule_expression"); ok {
 		assosciationInput.ScheduleExpression = aws.String(v.(string))
 	}
@@ -152,6 +159,7 @@ func resourceAwsSsmAssociationRead(d *schema.ResourceData, meta interface{}) err
 	d.Set("parameters", association.Parameters)
 	d.Set("association_id", association.AssociationId)
 	d.Set("schedule_expression", association.ScheduleExpression)
+	d.Set("document_version", association.DocumentVersion)
 
 	if err := d.Set("targets", flattenAwsSsmTargets(association.Targets)); err != nil {
 		return fmt.Errorf("[DEBUG] Error setting targets error: %#v", err)
@@ -164,6 +172,39 @@ func resourceAwsSsmAssociationRead(d *schema.ResourceData, meta interface{}) err
 	return nil
 }
 
+func resourceAwsSsmAssocationUpdate(d *schema.ResourceData, meta interface{}) error {
+	ssmconn := meta.(*AWSClient).ssmconn
+
+	log.Printf("[DEBUG] SSM association update: %s", d.Id())
+
+	associationInput := &ssm.UpdateAssociationInput{
+		AssociationId: aws.String(d.Get("association_id").(string)),
+	}
+
+	if d.HasChange("schedule_expression") {
+		associationInput.ScheduleExpression = aws.String(d.Get("schedule_expression").(string))
+	}
+
+	if d.HasChange("document_version") {
+		associationInput.DocumentVersion = aws.String(d.Get("document_version").(string))
+	}
+
+	if d.HasChange("parameters") {
+		associationInput.Parameters = expandSSMDocumentParameters(d.Get("parameters").(map[string]interface{}))
+	}
+
+	if d.HasChange("output_location") {
+		associationInput.OutputLocation = expandSSMAssociationOutputLocation(d.Get("output_location").([]interface{}))
+	}
+
+	_, err := ssmconn.UpdateAssociation(associationInput)
+	if err != nil {
+		return errwrap.Wrapf("[ERROR] Error updating SSM association: {{err}}", err)
+	}
+
+	return resourceAwsSsmAssociationRead(d, meta)
+}
+
 func resourceAwsSsmAssociationDelete(d *schema.ResourceData, meta interface{}) error {
 	ssmconn := meta.(*AWSClient).ssmconn
 
diff --git a/aws/resource_aws_ssm_association_test.go b/aws/resource_aws_ssm_association_test.go
index 5d084e45499..bea24bd3158 100644
--- a/aws/resource_aws_ssm_association_test.go
+++ b/aws/resource_aws_ssm_association_test.go
@@ -46,6 +46,52 @@ func TestAccAWSSSMAssociation_withTargets(t *testing.T) {
 	})
 }
 
+func TestAccAWSSSMAssociation_withParameters(t *testing.T) {
+	name := acctest.RandString(10)
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSSSMAssociationDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSSSMAssociationBasicConfigWithParameters(name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSSSMAssociationExists("aws_ssm_association.foo"),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_association.foo", "parameters.Directory", "myWorkSpace"),
+				),
+			},
+			{
+				Config: testAccAWSSSMAssociationBasicConfigWithParametersUpdated(name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSSSMAssociationExists("aws_ssm_association.foo"),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_association.foo", "parameters.Directory", "myWorkSpaceUpdated"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSSSMAssociation_withDocumentVersion(t *testing.T) {
+	name := acctest.RandString(10)
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSSSMAssociationDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSSSMAssociationBasicConfigWithDocumentVersion(name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSSSMAssociationExists("aws_ssm_association.foo"),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_association.foo", "document_version", "1"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccAWSSSMAssociation_withOutputLocation(t *testing.T) {
 	name := acctest.RandString(10)
 	resource.Test(t, resource.TestCase{
@@ -63,6 +109,26 @@ func TestAccAWSSSMAssociation_withOutputLocation(t *testing.T) {
 						"aws_ssm_association.foo", "output_location.0.s3_key_prefix", "SSMAssociation"),
 				),
 			},
+			{
+				Config: testAccAWSSSMAssociationBasicConfigWithOutPutLocationUpdateBucketName(name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSSSMAssociationExists("aws_ssm_association.foo"),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_association.foo", "output_location.0.s3_bucket_name", fmt.Sprintf("tf-acc-test-ssmoutput-updated-%s", name)),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_association.foo", "output_location.0.s3_key_prefix", "SSMAssociation"),
+				),
+			},
+			{
+				Config: testAccAWSSSMAssociationBasicConfigWithOutPutLocationUpdateKeyPrefix(name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSSSMAssociationExists("aws_ssm_association.foo"),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_association.foo", "output_location.0.s3_bucket_name", fmt.Sprintf("tf-acc-test-ssmoutput-updated-%s", name)),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_association.foo", "output_location.0.s3_key_prefix", "UpdatedAssociation"),
+				),
+			},
 		},
 	})
 }
@@ -82,6 +148,14 @@ func TestAccAWSSSMAssociation_withScheduleExpression(t *testing.T) {
 						"aws_ssm_association.foo", "schedule_expression", "cron(0 16 ? * TUE *)"),
 				),
 			},
+			{
+				Config: testAccAWSSSMAssociationBasicConfigWithScheduleExpressionUpdated(name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSSSMAssociationExists("aws_ssm_association.foo"),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_association.foo", "schedule_expression", "cron(0 16 ? * WED *)"),
+				),
+			},
 		},
 	})
 }
@@ -141,6 +215,92 @@ func testAccCheckAWSSSMAssociationDestroy(s *terraform.State) error {
 	return fmt.Errorf("Default error in SSM Association Test")
 }
 
+func testAccAWSSSMAssociationBasicConfigWithParameters(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_ssm_document" "foo_document" {
+  name = "test_document_association-%s",
+  document_type = "Command"
+  content = <<-DOC
+  {
+    "schemaVersion": "1.2",
+    "description": "Check ip configuration of a Linux instance.",
+    "parameters": {
+	  "Directory": {
+		"description":"(Optional) The path to the working directory on your instance.",
+		"default":"",
+		"type": "String",
+		"maxChars": 4096
+	  }
+	},
+    "runtimeConfig": {
+      "aws:runShellScript": {
+        "properties": [
+          {
+            "id": "0.aws:runShellScript",
+            "runCommand": ["ifconfig"]
+          }
+        ]
+      }
+    }
+  }
+  DOC
+}
+
+resource "aws_ssm_association" "foo" {
+  name = "${aws_ssm_document.foo_document.name}",
+  parameters {
+  	Directory = "myWorkSpace"
+  }
+  targets {
+    key = "tag:Name"
+    values = ["acceptanceTest"]
+  }
+}`, rName)
+}
+
+func testAccAWSSSMAssociationBasicConfigWithParametersUpdated(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_ssm_document" "foo_document" {
+  name = "test_document_association-%s",
+  document_type = "Command"
+  content = <<-DOC
+  {
+    "schemaVersion": "1.2",
+    "description": "Check ip configuration of a Linux instance.",
+    "parameters": {
+	  "Directory": {
+		"description":"(Optional) The path to the working directory on your instance.",
+		"default":"",
+		"type": "String",
+		"maxChars": 4096
+	  }
+	},
+    "runtimeConfig": {
+      "aws:runShellScript": {
+        "properties": [
+          {
+            "id": "0.aws:runShellScript",
+            "runCommand": ["ifconfig"]
+          }
+        ]
+      }
+    }
+  }
+  DOC
+}
+
+resource "aws_ssm_association" "foo" {
+  name = "${aws_ssm_document.foo_document.name}",
+  parameters {
+  	Directory = "myWorkSpaceUpdated"
+  }
+  targets {
+    key = "tag:Name"
+    values = ["acceptanceTest"]
+  }
+}`, rName)
+}
+
 func testAccAWSSSMAssociationBasicConfigWithTargets(rName string) string {
 	return fmt.Sprintf(`
 resource "aws_ssm_document" "foo_document" {
@@ -227,6 +387,54 @@ resource "aws_ssm_association" "foo" {
 `, rName, rName, rName)
 }
 
+func testAccAWSSSMAssociationBasicConfigWithDocumentVersion(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_security_group" "tf_test_foo" {
+  name = "tf_test_foo-%s"
+  description = "foo"
+  ingress {
+    protocol = "icmp"
+    from_port = -1
+    to_port = -1
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_ssm_document" "foo_document" {
+  name    = "test_document_association-%s",
+	document_type = "Command"
+  content = <<DOC
+  {
+    "schemaVersion": "1.2",
+    "description": "Check ip configuration of a Linux instance.",
+    "parameters": {
+
+    },
+    "runtimeConfig": {
+      "aws:runShellScript": {
+        "properties": [
+          {
+            "id": "0.aws:runShellScript",
+            "runCommand": ["ifconfig"]
+          }
+        ]
+      }
+    }
+  }
+DOC
+}
+
+resource "aws_ssm_association" "foo" {
+  name        = "test_document_association-%s",
+  document_version = "${aws_ssm_document.foo_document.latest_version}"
+  targets {
+    key = "tag:Name"
+    values = ["acceptanceTest"]
+  }
+}
+`, rName, rName, rName)
+}
+
 func testAccAWSSSMAssociationBasicConfigWithScheduleExpression(rName string) string {
 	return fmt.Sprintf(`
 resource "aws_ssm_document" "foo_document" {
@@ -263,6 +471,42 @@ resource "aws_ssm_association" "foo" {
 }`, rName)
 }
 
+func testAccAWSSSMAssociationBasicConfigWithScheduleExpressionUpdated(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_ssm_document" "foo_document" {
+  name = "test_document_association-%s",
+  document_type = "Command"
+  content = <<DOC
+  {
+    "schemaVersion": "1.2",
+    "description": "Check ip configuration of a Linux instance.",
+    "parameters": {
+
+    },
+    "runtimeConfig": {
+      "aws:runShellScript": {
+        "properties": [
+          {
+            "id": "0.aws:runShellScript",
+            "runCommand": ["ifconfig"]
+          }
+        ]
+      }
+    }
+  }
+DOC
+}
+
+resource "aws_ssm_association" "foo" {
+  name = "${aws_ssm_document.foo_document.name}",
+  schedule_expression = "cron(0 16 ? * WED *)"
+  targets {
+    key = "tag:Name"
+    values = ["acceptanceTest"]
+  }
+}`, rName)
+}
+
 func testAccAWSSSMAssociationBasicConfigWithOutPutLocation(rName string) string {
 	return fmt.Sprintf(`
 resource "aws_s3_bucket" "output_location" {
@@ -306,3 +550,101 @@ resource "aws_ssm_association" "foo" {
   }
 }`, rName, rName)
 }
+
+func testAccAWSSSMAssociationBasicConfigWithOutPutLocationUpdateBucketName(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_s3_bucket" "output_location" {
+  bucket = "tf-acc-test-ssmoutput-%s"
+  force_destroy = true
+}
+
+resource "aws_s3_bucket" "output_location_updated" {
+  bucket = "tf-acc-test-ssmoutput-updated-%s"
+  force_destroy = true
+}
+
+resource "aws_ssm_document" "foo_document" {
+  name = "test_document_association-%s",
+  document_type = "Command"
+  content = <<DOC
+  {
+    "schemaVersion": "1.2",
+    "description": "Check ip configuration of a Linux instance.",
+    "parameters": {
+
+    },
+    "runtimeConfig": {
+      "aws:runShellScript": {
+        "properties": [
+          {
+            "id": "0.aws:runShellScript",
+            "runCommand": ["ifconfig"]
+          }
+        ]
+      }
+    }
+  }
+DOC
+}
+
+resource "aws_ssm_association" "foo" {
+  name = "${aws_ssm_document.foo_document.name}",
+  targets {
+    key = "tag:Name"
+    values = ["acceptanceTest"]
+  }
+  output_location {
+    s3_bucket_name = "${aws_s3_bucket.output_location_updated.id}"
+    s3_key_prefix = "SSMAssociation"
+  }
+}`, rName, rName, rName)
+}
+
+func testAccAWSSSMAssociationBasicConfigWithOutPutLocationUpdateKeyPrefix(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_s3_bucket" "output_location" {
+  bucket = "tf-acc-test-ssmoutput-%s"
+  force_destroy = true
+}
+
+resource "aws_s3_bucket" "output_location_updated" {
+  bucket = "tf-acc-test-ssmoutput-updated-%s"
+  force_destroy = true
+}
+
+resource "aws_ssm_document" "foo_document" {
+  name = "test_document_association-%s",
+  document_type = "Command"
+  content = <<DOC
+  {
+    "schemaVersion": "1.2",
+    "description": "Check ip configuration of a Linux instance.",
+    "parameters": {
+
+    },
+    "runtimeConfig": {
+      "aws:runShellScript": {
+        "properties": [
+          {
+            "id": "0.aws:runShellScript",
+            "runCommand": ["ifconfig"]
+          }
+        ]
+      }
+    }
+  }
+DOC
+}
+
+resource "aws_ssm_association" "foo" {
+  name = "${aws_ssm_document.foo_document.name}",
+  targets {
+    key = "tag:Name"
+    values = ["acceptanceTest"]
+  }
+  output_location {
+    s3_bucket_name = "${aws_s3_bucket.output_location_updated.id}"
+    s3_key_prefix = "UpdatedAssociation"
+  }
+}`, rName, rName, rName)
+}
diff --git a/aws/resource_aws_ssm_patch_baseline.go b/aws/resource_aws_ssm_patch_baseline.go
index 917cefe53f7..c16cc4f3e71 100644
--- a/aws/resource_aws_ssm_patch_baseline.go
+++ b/aws/resource_aws_ssm_patch_baseline.go
@@ -14,25 +14,23 @@ func resourceAwsSsmPatchBaseline() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceAwsSsmPatchBaselineCreate,
 		Read:   resourceAwsSsmPatchBaselineRead,
+		Update: resourceAwsSsmPatchBaselineUpdate,
 		Delete: resourceAwsSsmPatchBaselineDelete,
 
 		Schema: map[string]*schema.Schema{
 			"name": {
 				Type:     schema.TypeString,
 				Required: true,
-				ForceNew: true,
 			},
 
 			"description": {
 				Type:     schema.TypeString,
 				Optional: true,
-				ForceNew: true,
 			},
 
 			"global_filter": {
 				Type:     schema.TypeList,
 				Optional: true,
-				ForceNew: true,
 				MaxItems: 4,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
@@ -52,7 +50,6 @@ func resourceAwsSsmPatchBaseline() *schema.Resource {
 			"approval_rule": {
 				Type:     schema.TypeList,
 				Optional: true,
-				ForceNew: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"approve_after_days": {
@@ -85,7 +82,6 @@ func resourceAwsSsmPatchBaseline() *schema.Resource {
 			"approved_patches": {
 				Type:     schema.TypeSet,
 				Optional: true,
-				ForceNew: true,
 				Elem:     &schema.Schema{Type: schema.TypeString},
 				Set:      schema.HashString,
 			},
@@ -93,7 +89,6 @@ func resourceAwsSsmPatchBaseline() *schema.Resource {
 			"rejected_patches": {
 				Type:     schema.TypeSet,
 				Optional: true,
-				ForceNew: true,
 				Elem:     &schema.Schema{Type: schema.TypeString},
 				Set:      schema.HashString,
 			},
@@ -109,7 +104,6 @@ func resourceAwsSsmPatchBaseline() *schema.Resource {
 			"approved_patches_compliance_level": {
 				Type:         schema.TypeString,
 				Optional:     true,
-				ForceNew:     true,
 				Default:      "UNSPECIFIED",
 				ValidateFunc: validation.StringInSlice([]string{"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNSPECIFIED"}, false),
 			},
@@ -155,6 +149,48 @@ func resourceAwsSsmPatchBaselineCreate(d *schema.ResourceData, meta interface{})
 	return resourceAwsSsmPatchBaselineRead(d, meta)
 }
 
+func resourceAwsSsmPatchBaselineUpdate(d *schema.ResourceData, meta interface{}) error {
+	ssmconn := meta.(*AWSClient).ssmconn
+
+	params := &ssm.UpdatePatchBaselineInput{
+		BaselineId: aws.String(d.Id()),
+	}
+
+	if d.HasChange("name") {
+		params.Name = aws.String(d.Get("name").(string))
+	}
+
+	if d.HasChange("description") {
+		params.Description = aws.String(d.Get("description").(string))
+	}
+
+	if d.HasChange("approved_patches") {
+		params.ApprovedPatches = expandStringList(d.Get("approved_patches").(*schema.Set).List())
+	}
+
+	if d.HasChange("rejected_patches") {
+		params.RejectedPatches = expandStringList(d.Get("rejected_patches").(*schema.Set).List())
+	}
+
+	if d.HasChange("approved_patches_compliance_level") {
+		params.ApprovedPatchesComplianceLevel = aws.String(d.Get("approved_patches_compliance_level").(string))
+	}
+
+	if d.HasChange("approval_rule") {
+		params.ApprovalRules = expandAwsSsmPatchRuleGroup(d)
+	}
+
+	if d.HasChange("global_filter") {
+		params.GlobalFilters = expandAwsSsmPatchFilterGroup(d)
+	}
+
+	_, err := ssmconn.UpdatePatchBaseline(params)
+	if err != nil {
+		return err
+	}
+
+	return resourceAwsSsmPatchBaselineRead(d, meta)
+}
 func resourceAwsSsmPatchBaselineRead(d *schema.ResourceData, meta interface{}) error {
 	ssmconn := meta.(*AWSClient).ssmconn
 
diff --git a/aws/resource_aws_ssm_patch_baseline_test.go b/aws/resource_aws_ssm_patch_baseline_test.go
index 42a25a5747a..464c76c1a72 100644
--- a/aws/resource_aws_ssm_patch_baseline_test.go
+++ b/aws/resource_aws_ssm_patch_baseline_test.go
@@ -12,6 +12,7 @@ import (
 )
 
 func TestAccAWSSSMPatchBaseline_basic(t *testing.T) {
+	var before, after ssm.PatchBaselineIdentity
 	name := acctest.RandString(10)
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@@ -21,19 +22,23 @@ func TestAccAWSSSMPatchBaseline_basic(t *testing.T) {
 			{
 				Config: testAccAWSSSMPatchBaselineBasicConfig(name),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckAWSSSMPatchBaselineExists("aws_ssm_patch_baseline.foo"),
+					testAccCheckAWSSSMPatchBaselineExists("aws_ssm_patch_baseline.foo", &before),
 					resource.TestCheckResourceAttr(
 						"aws_ssm_patch_baseline.foo", "approved_patches.#", "1"),
 					resource.TestCheckResourceAttr(
 						"aws_ssm_patch_baseline.foo", "approved_patches.2062620480", "KB123456"),
 					resource.TestCheckResourceAttr(
 						"aws_ssm_patch_baseline.foo", "name", fmt.Sprintf("patch-baseline-%s", name)),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_patch_baseline.foo", "approved_patches_compliance_level", "CRITICAL"),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_patch_baseline.foo", "description", "Baseline containing all updates approved for production systems"),
 				),
 			},
 			{
 				Config: testAccAWSSSMPatchBaselineBasicConfigUpdated(name),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckAWSSSMPatchBaselineExists("aws_ssm_patch_baseline.foo"),
+					testAccCheckAWSSSMPatchBaselineExists("aws_ssm_patch_baseline.foo", &after),
 					resource.TestCheckResourceAttr(
 						"aws_ssm_patch_baseline.foo", "approved_patches.#", "2"),
 					resource.TestCheckResourceAttr(
@@ -42,6 +47,16 @@ func TestAccAWSSSMPatchBaseline_basic(t *testing.T) {
 						"aws_ssm_patch_baseline.foo", "approved_patches.2291496788", "KB456789"),
 					resource.TestCheckResourceAttr(
 						"aws_ssm_patch_baseline.foo", "name", fmt.Sprintf("updated-patch-baseline-%s", name)),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_patch_baseline.foo", "approved_patches_compliance_level", "HIGH"),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_patch_baseline.foo", "description", "Baseline containing all updates approved for production systems - August 2017"),
+					func(*terraform.State) error {
+						if *before.BaselineId != *after.BaselineId {
+							t.Fatal("Baseline IDs changed unexpectedly")
+						}
+						return nil
+					},
 				),
 			},
 		},
@@ -49,6 +64,7 @@ func TestAccAWSSSMPatchBaseline_basic(t *testing.T) {
 }
 
 func TestAccAWSSSMPatchBaselineWithOperatingSystem(t *testing.T) {
+	var before, after ssm.PatchBaselineIdentity
 	name := acctest.RandString(10)
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@@ -58,7 +74,7 @@ func TestAccAWSSSMPatchBaselineWithOperatingSystem(t *testing.T) {
 			{
 				Config: testAccAWSSSMPatchBaselineConfigWithOperatingSystem(name),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckAWSSSMPatchBaselineExists("aws_ssm_patch_baseline.foo"),
+					testAccCheckAWSSSMPatchBaselineExists("aws_ssm_patch_baseline.foo", &before),
 					resource.TestCheckResourceAttr(
 						"aws_ssm_patch_baseline.foo", "approval_rule.#", "1"),
 					resource.TestCheckResourceAttr(
@@ -69,11 +85,36 @@ func TestAccAWSSSMPatchBaselineWithOperatingSystem(t *testing.T) {
 						"aws_ssm_patch_baseline.foo", "operating_system", "AMAZON_LINUX"),
 				),
 			},
+			{
+				Config: testAccAWSSSMPatchBaselineConfigWithOperatingSystemUpdated(name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSSSMPatchBaselineExists("aws_ssm_patch_baseline.foo", &after),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_patch_baseline.foo", "approval_rule.#", "1"),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_patch_baseline.foo", "approval_rule.0.approve_after_days", "7"),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_patch_baseline.foo", "approval_rule.0.patch_filter.#", "2"),
+					resource.TestCheckResourceAttr(
+						"aws_ssm_patch_baseline.foo", "operating_system", "WINDOWS"),
+					testAccCheckAwsSsmPatchBaselineRecreated(t, &before, &after),
+				),
+			},
 		},
 	})
 }
 
-func testAccCheckAWSSSMPatchBaselineExists(n string) resource.TestCheckFunc {
+func testAccCheckAwsSsmPatchBaselineRecreated(t *testing.T,
+	before, after *ssm.PatchBaselineIdentity) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		if *before.BaselineId == *after.BaselineId {
+			t.Fatalf("Expected change of SSM Patch Baseline IDs, but both were %v", *before.BaselineId)
+		}
+		return nil
+	}
+}
+
+func testAccCheckAWSSSMPatchBaselineExists(n string, patch *ssm.PatchBaselineIdentity) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]
 		if !ok {
@@ -97,6 +138,7 @@ func testAccCheckAWSSSMPatchBaselineExists(n string) resource.TestCheckFunc {
 
 		for _, i := range resp.BaselineIdentities {
 			if *i.BaselineId == rs.Primary.ID {
+				*patch = *i
 				return nil
 			}
 		}
@@ -144,7 +186,9 @@ func testAccAWSSSMPatchBaselineBasicConfig(rName string) string {
 
 resource "aws_ssm_patch_baseline" "foo" {
   name  = "patch-baseline-%s"
+  description = "Baseline containing all updates approved for production systems"
   approved_patches = ["KB123456"]
+  approved_patches_compliance_level = "CRITICAL"
 }
 
 `, rName)
@@ -155,7 +199,9 @@ func testAccAWSSSMPatchBaselineBasicConfigUpdated(rName string) string {
 
 resource "aws_ssm_patch_baseline" "foo" {
   name  = "updated-patch-baseline-%s"
+  description = "Baseline containing all updates approved for production systems - August 2017"
   approved_patches = ["KB123456","KB456789"]
+  approved_patches_compliance_level = "HIGH"
 }
 
 `, rName)
@@ -185,3 +231,28 @@ resource "aws_ssm_patch_baseline" "foo" {
 
 `, rName)
 }
+
+func testAccAWSSSMPatchBaselineConfigWithOperatingSystemUpdated(rName string) string {
+	return fmt.Sprintf(`
+
+resource "aws_ssm_patch_baseline" "foo" {
+  name  = "patch-baseline-%s"
+  operating_system = "WINDOWS"
+  description = "Baseline containing all updates approved for production systems"
+  approval_rule {
+  	approve_after_days = 7
+
+  	patch_filter {
+		key = "PRODUCT"
+		values = ["WindowsServer2012R2"]
+  	}
+
+  	patch_filter {
+		key = "MSRC_SEVERITY"
+		values = ["Critical","Important"]
+  	}
+  }
+}
+
+`, rName)
+}
diff --git a/website/docs/r/ssm_association.html.markdown b/website/docs/r/ssm_association.html.markdown
index b6748583b66..d1e7d2ab372 100644
--- a/website/docs/r/ssm_association.html.markdown
+++ b/website/docs/r/ssm_association.html.markdown
@@ -73,6 +73,7 @@ The following arguments are supported:
 * `targets` - (Optional) The targets (either instances or tags). Instances are specified using Key=instanceids,Values=instanceid1,instanceid2. Tags are specified using Key=tag name,Values=tag value. Only 1 target is currently supported by AWS.
 * `schedule_expression` - (Optional) A cron expression when the association will be applied to the target(s).
 * `output_location` - (Optional) An output location block. OutputLocation documented below.
+* `document_version` - (Optional) The document version you want to associate with the target(s). Can be a specific version or the default version.
 
 Output Location (`output_location`) is an S3 bucket where you want to store the results of this association: