[New Resource]: SSM (Systems Manager) - Patch Policy #29549
Is there a defined schedule to implement this resource?

Hello - In researching this issue we've determined there are currently no public APIs for managing SSM patch policies. AWS has confirmed this via a support case, stating at this time the only method for utilizing Quick Setup (and therefore managing patch policies) is the AWS console. For users interested in this functionality for Terraform, raising a feature request with AWS is the best course of action at this time. Until APIs are available and exposed to the AWS SDK for Go we unfortunately won't be able to take any action.

Hey, in my understanding Quick Setup are pre-configured CloudFormation StackSets. I assume those can be found through CloudFormation APIs?

@breathingdust @justinretzolk Do you have updates around the delivery timeline of this resource?

Any update?

Hello everyone, it seems that the API for configuring a Patch Policy through Quick Setup has been released. You can find an example here and the official documentation here. Please let us know if this will be implemented in a future AWS Terraform provider release. Thanks!

Hi @jar-b 👋! I saw your PR on the client, will you continue with the resources as well? Otherwise I would happily contribute, but your PRs would probably go through a bit faster 🤣

Hey @aristosvo - thanks for checking! Yes, I meant to assign myself yesterday and missed that step. I'm planning to implement a

Keen for this one too. We are looking into ways to set up a patch policy for our AWS organization and would love to do it with Terraform if we can.
For those following this issue we'd like to provide some additional context on how to provision patch policies since the final implementation differs a bit from the originally proposed design. The

```hcl
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}
data "aws_region" "current" {}

# Look up the AWS-provided default patch baselines for every operating system
data "aws_ssm_patch_baselines" "example" {
  default_baselines = true
}

locals {
  # transform the output of the aws_ssm_patch_baselines data source
  # into the format expected by the SelectedPatchBaselines parameter
  # (a JSON object keyed by operating system)
  selected_patch_baselines = jsonencode({
    for baseline in data.aws_ssm_patch_baselines.example.baseline_identities : baseline.operating_system => {
      "value" : baseline.baseline_id
      "label" : baseline.baseline_name
      "description" : baseline.baseline_description
      "disabled" : !baseline.default_baseline
    }
  })
}

resource "aws_ssmquicksetup_configuration_manager" "example" {
  name = "example"

  configuration_definition {
    # Roles used by Quick Setup to deploy the patch policy StackSet locally
    local_deployment_administration_role_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/AWS-QuickSetup-PatchPolicy-LocalAdministrationRole"
    local_deployment_execution_role_name     = "AWS-QuickSetup-PatchPolicy-LocalExecutionRole"
    type                                     = "AWSQuickSetupType-PatchPolicy"

    # Daily scan-only policy, default baselines, targeting every instance
    # in the current account and region
    parameters = {
      "ConfigurationOptionsPatchOperation" : "Scan",
      "ConfigurationOptionsScanValue" : "cron(0 1 * * ? *)",
      "ConfigurationOptionsScanNextInterval" : "false",
      "PatchBaselineRegion" : data.aws_region.current.name,
      "PatchBaselineUseDefault" : "default",
      "PatchPolicyName" : "example",
      "SelectedPatchBaselines" : local.selected_patch_baselines,
      "OutputLogEnableS3" : "false",
      "RateControlConcurrency" : "10%",
      "RateControlErrorThreshold" : "2%",
      "IsPolicyAttachAllowed" : "false",
      "TargetAccounts" : data.aws_caller_identity.current.account_id,
      "TargetRegions" : data.aws_region.current.name,
      "TargetType" : "*"
    }
  }
}
```

The administration and execution roles (

The AWS documentation contains a full description of all the keys which can be provided to the

Lastly, the
This functionality has been released in v5.74.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@jar-b I tried to use your example but got an error message

and if I remove the setting it throws this other error

Hey @pcastro-handover 👋 - If you haven't previously created patch policies via the AWS console, these roles may not yet exist. Here's a relevant snippet from above:

I have a TODO item to update the registry example with customer managed IAM roles, but have not yet gotten to it. In the meantime you can create a patch policy once in the console to get the roles generated and then re-use them in your Terraform configuration, or create your own roles following the AWS Quick Setup documentation:

Thank you very much @jar-b! Yeah, that is what I ended up doing. I was under the impression that the TF module would do it for us as well (triggering the same CloudFormation that AWS does behind the scenes). If there is a place where I can open a PR to add the example to the docs, please let me know. More than happy to help.
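As an added example (not code from the issue, the provider docs, or the registry), one way to surface the missing-role failure discussed above at plan time rather than apply time: look up both Quick Setup roles with `aws_iam_role` data sources, which error with NoSuchEntity during `terraform plan` if the roles were never generated, and assert in a precondition that the execution role trusts the administration role. The role names and parameters are those from the example earlier in the thread; the trust check assumes the execution role's trust policy names the administration role ARN directly and that Terraform 1.5 or later is in use (for `strcontains`).

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
# Both lookups fail at plan time (NoSuchEntity) when the Quick Setup roles
# were never generated, instead of the apply-time error seen in this thread.
data "aws_iam_role" "admin" {
  name = "AWS-QuickSetup-PatchPolicy-LocalAdministrationRole"
}
data "aws_iam_role" "execution" {
  name = "AWS-QuickSetup-PatchPolicy-LocalExecutionRole"
}
data "aws_ssm_patch_baselines" "example" {
  default_baselines = true
}

locals {
  # Same shape the SelectedPatchBaselines parameter expects
  selected_patch_baselines = jsonencode({
    for b in data.aws_ssm_patch_baselines.example.baseline_identities : b.operating_system => {
      "value" : b.baseline_id, "label" : b.baseline_name,
      "description" : b.baseline_description, "disabled" : !b.default_baseline
    }
  })
}

resource "aws_ssmquicksetup_configuration_manager" "example" {
  name = "example"
  configuration_definition {
    local_deployment_administration_role_arn = data.aws_iam_role.admin.arn
    local_deployment_execution_role_name     = data.aws_iam_role.execution.name
    type                                     = "AWSQuickSetupType-PatchPolicy"
    parameters = {
      "ConfigurationOptionsPatchOperation" : "Scan", "TargetType" : "*",
      "ConfigurationOptionsScanValue" : "cron(0 1 * * ? *)", "ConfigurationOptionsScanNextInterval" : "false",
      "PatchBaselineRegion" : data.aws_region.current.name, "PatchBaselineUseDefault" : "default",
      "PatchPolicyName" : "example", "SelectedPatchBaselines" : local.selected_patch_baselines,
      "OutputLogEnableS3" : "false", "IsPolicyAttachAllowed" : "false",
      "RateControlConcurrency" : "10%", "RateControlErrorThreshold" : "2%",
      "TargetAccounts" : data.aws_caller_identity.current.account_id,
      "TargetRegions" : data.aws_region.current.name
    }
  }
  lifecycle {
    # Assumption: the execution role's trust policy names the administration role
    # ARN directly; if it does not, CloudFormation cannot assume it and deployment fails.
    precondition {
      condition     = strcontains(data.aws_iam_role.execution.assume_role_policy, data.aws_iam_role.admin.arn)
      error_message = "Execution role does not trust the administration role."
    }
  }
}
```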
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Description
Add support for patch policies. Beginning December 22, 2022, Patch Manager offers a new, recommended method to configure patching for your organization and AWS accounts through the use of patch policies.
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-policies-about.html
Requested Resource(s) and/or Data Source(s)
aws_ssm_patch_policy
Potential Terraform Configuration
References
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-policies-about.html
https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-patch-manager.html
https://aws.amazon.com/blogs/mt/centrally-deploy-patching-operations-across-your-aws-organization-using-systems-manager-quick-setup/
Would you like to implement a fix?
No