Can't use patch source(s) with ssm_patch_baseline

[karnauskas]

Looks like terraform module is missing configuration parameters to specify alternative patch sources/repositories.

This is available via sdk/api: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/SSM/Types/PatchSource.html.

[vpadronblanco]

Any reason why put this as a separate resource rather than a nested attribute?

[egirard78]

Any news on this fix?? Currently we have to use a script with Boto3 (or AWS SDK) or the AWS CLI to configure the SSM patch baseline sources.

[jdheyburn]

This is feasible - although it is only for Linux OSs - I trust AWS are validating this against their API.

• https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-how-it-works-alt-source-repository.html

Proposed configuration:

resource "aws_ssm_patch_baseline" "production" {
  name             = "patch-baseline"
  description      = "Patch Baseline Description"
  operating_system = "CENTOS"

  # New param below
  patch_sources = ["abc123.com"]

  ...
}

Will try to pick this up in next few weeks.

[jdheyburn]

Revising the proposed configuration for this:

resource "aws_ssm_patch_baseline" "production" {
  name             = "patch-baseline"
  description      = "Patch Baseline Description"
  operating_system = "CENTOS"

  # New param below
  patch_source {
    configuration = <<EOF
        <configuration_here>
    EOF

    name = "name123"
    products = ["Ubuntu..", "OtherProduct"]
  }

patch_source {
    ... # Another patch source
  }
  ...
}

These will then translate to a list of patch_sources. Validation to be performed on:

patch_source

• type array of PatchSource objects
• Max of 20 defined

PatchSource.Configuration

• type string
• Max length of 1024

PatchSource.Name

• type string
• regex: ^[a-zA-Z0-9_\-.]{3,50}$

PatchSource.Products

• type array of strings
• minimum of 1 item, maximum of 20
• string length between 1 and 128 chars
• must be defined in https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribePatchProperties.html - but will have AWS validate this since it is a dynamic list (i.e. not defined in aws-sdk-go)

[bflad]

This functionality has been merged and will release with version 3.28.0 of the Terraform AWS Provider, later today. Thank you to @jdheyburn for the implementation. 👍

[ghost]

This has been released in version 3.28.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!