Modernisation Platform Terraform SSM Patching

Usage

To use this module, the target instances must have the SSM agent installed (it ships by default on many AMIs) and must carry the tag `Patching: Yes`. The tag key and value can be changed with the `patch_key` and `patch_tag` inputs.

We're looking to add more functionality around tagging, so these requirements may change in future releases.


```hcl
module "ssm-auto-patching" {
  # Pin ref to a release tag or commit of the module before use.
  source = "github.com/ministryofjustice/modernisation-platform-terraform-ssm-patching.git?ref="
  count  = local.environment == "development" ? 1 : 0

  # The s3-bucket submodule expects a bucket-replication provider alias.
  providers = {
    aws.bucket-replication = aws
  }

  account_number   = local.environment_management.account_ids[terraform.workspace]
  application_name = local.application_name
  tags = merge(
    local.tags,
    {
      Name = "ssm-patching"
    },
  )
}
```
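The module only patches instances that both register with SSM and match the tag filter; an instance that misses either condition is skipped without any error. The following pre-flight check is an added example, not part of the module: it cross-checks the EC2 tag filter against SSM's managed-instance inventory using data shaped like the boto3 `describe_instances` and `describe_instance_information` responses (the sample records are constructed).

```python
"""Pre-flight check for the two prerequisites the module relies on: the
instance must be registered with SSM (agent installed and reporting) and
must carry the patching tag (default key "Patching", value "Yes").
Added example, not part of the module; sample data below is constructed."""
from dataclasses import dataclass, field

@dataclass
class Finding:
    tagged_not_managed: list = field(default_factory=list)  # targeted, but no agent: silently skipped
    managed_not_tagged: list = field(default_factory=list)  # agent present, but outside the target
    tagged_offline: list = field(default_factory=list)      # targeted, registered, but not pinging

def patch_targets(reservations, patch_key="Patching", patch_tag="Yes"):
    """Instance IDs matching the module's tag filter (tag values are case-sensitive)."""
    ids = set()
    for res in reservations:
        for inst in res.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get(patch_key) == patch_tag:
                ids.add(inst["InstanceId"])
    return ids

def check_patch_readiness(reservations, instance_info, patch_key="Patching", patch_tag="Yes"):
    """Cross-check tagged instances against SSM's managed-instance inventory."""
    targets = patch_targets(reservations, patch_key, patch_tag)
    ping = {i["InstanceId"]: i.get("PingStatus") for i in instance_info}
    managed = set(ping)
    finding = Finding()
    finding.tagged_not_managed = sorted(targets - managed)
    finding.managed_not_tagged = sorted(managed - targets)
    finding.tagged_offline = sorted(i for i in targets & managed if ping[i] != "Online")
    return finding

# Constructed sample data; in practice use ec2.describe_instances()["Reservations"]
# and ssm.describe_instance_information()["InstanceInformationList"].
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "Patching", "Value": "Yes"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "Patching", "Value": "yes"}]},  # wrong case, not targeted
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "Patching", "Value": "Yes"}]},
    {"InstanceId": "i-0ddd", "Tags": [{"Key": "Patching", "Value": "Yes"}]},  # no SSM agent registered
]}]
SAMPLE_INSTANCE_INFO = [
    {"InstanceId": "i-0aaa", "PingStatus": "Online"},
    {"InstanceId": "i-0bbb", "PingStatus": "Online"},
    {"InstanceId": "i-0ccc", "PingStatus": "ConnectionLost"},
]

if __name__ == "__main__":
    print(check_patch_readiness(SAMPLE_RESERVATIONS, SAMPLE_INSTANCE_INFO))
```

Any instance listed under `tagged_not_managed` or `tagged_offline` will not be patched by the maintenance window even though it is tagged.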

Looking for issues?

If you're looking to raise an issue with this module, please create a new issue in the Modernisation Platform repository.

<!-- BEGIN_TF_DOCS -->

Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> terraform | >= 1.0.1 |
| <a name="requirement_aws"></a> aws | ~> 5.0 |
| <a name="requirement_http"></a> http | ~> 3.3 |

Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> aws | ~> 5.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_s3-bucket"></a> s3-bucket | github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket | 8688bc15a08fbf5a4f4eef9b7433c5a417df8df1 |

Resources

| Name | Type |
|------|------|
| aws_iam_policy.ssm-patching-iam-policy | resource |
| aws_iam_role.ssm-patching-iam-role | resource |
| aws_iam_role_policy_attachment.ssm-admin-automation | resource |
| aws_resourcegroups_group.patch-resource-group | resource |
| aws_ssm_default_patch_baseline.ssm-default-patch-baseline | resource |
| aws_ssm_maintenance_window.ssm-maintenance-window | resource |
| aws_ssm_maintenance_window_target.ssm-maintenance-window-target | resource |
| aws_ssm_maintenance_window_task.ssm-maintenance-window-automation-task | resource |
| aws_ssm_patch_baseline.ssm-patch-baseline | resource |
| aws_elb_service_account.default | data source |
| aws_iam_policy_document.bucket_policy | data source |
| aws_iam_policy_document.ssm-admin-policy-doc | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| <a name="input_account_number"></a> account_number | Account number of the current environment | string | n/a | yes |
| <a name="input_application_name"></a> application_name | Name of the application | string | n/a | yes |
| <a name="input_approval_days"></a> approval_days | Number of days before a package is approved. Used by the approval rule only; not required for the automation script | string | "7" | no |
| <a name="input_compliance_level"></a> compliance_level | Compliance level of the patch baseline. Used by the approval rule only; not required for the automation script | string | "CRITICAL" | no |
| <a name="input_existing_bucket_name"></a> existing_bucket_name | Name of an existing bucket to use. If none is provided, one will be created | string | "" | no |
| <a name="input_force_destroy_bucket"></a> force_destroy_bucket | A boolean indicating that all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable | bool | false | no |
| <a name="input_operating_system"></a> operating_system | Operating system of the EC2 instances. Used by the approval rule only; not required for the automation script | string | "CENTOS" | no |
| <a name="input_patch_classification"></a> patch_classification | Windows options: CriticalUpdates, SecurityUpdates, DefinitionUpdates, Drivers, FeaturePacks, ServicePacks, Tools, UpdateRollups, Updates, Upgrades. Linux options: Security, Bugfix, Enhancement, Recommended, Newpackage | list(string) | ["*"] | no |
| <a name="input_patch_key"></a> patch_key | Tag key used to select instances for patching. Defaults to Patching but can be customised if existing tags and values are to be used | string | "Patching" | no |
| <a name="input_patch_schedule"></a> patch_schedule | Cron expression for when to run the automation script | string | "cron(00 22 ? * MON *)" | no |
| <a name="input_patch_tag"></a> patch_tag | Tag value used to select instances for patching. Defaults to Yes but can be customised if existing tags and values are to be used | string | "Yes" | no |
| <a name="input_product"></a> product | The specific product the patch applies to, e.g. RedhatEnterpriseLinux8.5, WindowsServer2022 | list(string) | ["*"] | no |
| <a name="input_rejected_patches"></a> rejected_patches | List of patches to be rejected | list(string) | [] | no |
| <a name="input_severity"></a> severity | Severity of the patch, e.g. Critical, Important, Medium, Low | list(string) | ["*"] | no |
| <a name="input_suffix"></a> suffix | When creating multiple patch schedules per environment, a suffix can be used to differentiate resources | string | "" | no |
| <a name="input_tags"></a> tags | Common tags to be applied to all resources | map(string) | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| <a name="output_iam-policy-arn"></a> iam-policy-arn | The ARN of the IAM policy used by the automation script |
| <a name="output_maintenance-window-id"></a> maintenance-window-id | The maintenance window ID |
| <a name="output_maintenance-window-target-id"></a> maintenance-window-target-id | The target ID for the maintenance window |
| <a name="output_patch-resource-group-arn"></a> patch-resource-group-arn | The ARN of the resource group used for patching |
<!-- END_TF_DOCS -->