To use this module, your instances must have the SSM Agent installed (it comes as default with many AMIs) and must carry the tag "Patching: Yes".
We're looking to add more functionality with tagging, so these requirements may change in further releases.

```hcl
module "ssm-auto-patching" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-ssm-patching.git?ref="
  count  = local.environment == "development" ? 1 : 0
  providers = {
    aws.bucket-replication = aws
  }
  account_number   = local.environment_management.account_ids[terraform.workspace]
  application_name = local.application_name
  tags = merge(
    local.tags,
    {
      Name = "ssm-patching"
    },
  )
}
```

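
A pre-flight check for the two prerequisites stated at the top of this page (SSM Agent present, tag "Patching: Yes"), added here as an illustration and not part of the module's own code. It assumes the maintenance window selects instances by exact, case-sensitive tag match; the function name, report keys and sample instance IDs are constructed for this example, and the input shapes follow `aws ec2 describe-instances` and `aws ssm describe-instance-information`.

```python
"""Pre-flight check: which instances will the patching window actually reach?"""

PATCH_KEY = "Patching"   # module default for patch_key
PATCH_TAG = "Yes"        # module default for patch_tag

# Constructed sample data, shaped like `aws ec2 describe-instances` and
# `aws ssm describe-instance-information` output (instance IDs are made up).
EC2_SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "Patching", "Value": "Yes"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "Patching", "Value": "yes"}]},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "Patching", "Value": "Yes"}]},
    {"InstanceId": "i-0ddd", "Tags": [{"Key": "Patching", "Value": "Yes"}]},
    {"InstanceId": "i-0eee"},
]}]}
SSM_SAMPLE = {"InstanceInformationList": [
    {"InstanceId": "i-0aaa", "PingStatus": "Online"},
    {"InstanceId": "i-0bbb", "PingStatus": "Online"},
    {"InstanceId": "i-0ddd", "PingStatus": "ConnectionLost"},
    {"InstanceId": "i-0eee", "PingStatus": "Online"},
]}


def patch_coverage(ec2, ssm, key=PATCH_KEY, value=PATCH_TAG):
    """Classify every instance as covered, or by the reason it will be missed."""
    ping = {i["InstanceId"]: i["PingStatus"] for i in ssm["InstanceInformationList"]}
    report = {"covered": [], "tag_mismatch": [], "untagged": [],
              "not_managed": [], "agent_offline": []}
    for res in ec2["Reservations"]:
        for inst in res["Instances"]:
            iid = inst["InstanceId"]
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            # A tag that matches only when case is ignored, e.g. "yes" vs "Yes".
            near = [k for k, v in tags.items()
                    if k.lower() == key.lower() and v.lower() == value.lower()]
            if tags.get(key) != value:
                report["tag_mismatch" if near else "untagged"].append(iid)
            elif iid not in ping:
                report["not_managed"].append(iid)    # never registered with SSM
            elif ping[iid] != "Online":
                report["agent_offline"].append(iid)  # agent installed but not reporting
            else:
                report["covered"].append(iid)
    return report


if __name__ == "__main__":
    for reason, ids in patch_coverage(EC2_SAMPLE, SSM_SAMPLE).items():
        print(f"{reason:14} {', '.join(ids) or '-'}")
```

Anything outside `covered` is an instance that would go unpatched without any error being raised, so the report is worth reviewing before relying on the schedule.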
If you're looking to raise an issue with this module, please create a new issue in the Modernisation Platform repository.

Name | Version |
---|---|
terraform | >= 1.0.1 |
aws | ~> 5.0 |
http | ~> 3.3 |

Name | Version |
---|---|
aws | ~> 5.0 |

Name | Source | Version |
---|---|---|
s3-bucket | github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket | 8688bc15a08fbf5a4f4eef9b7433c5a417df8df1 |

Name | Description | Type | Default | Required |
---|---|---|---|---|
account_number | Account number of current environment | string | n/a | yes |
application_name | Name of application | string | n/a | yes |
approval_days | Number of days before the package is approved, used by the approval rule only, and is not required for the automation script | string | "7" | no |
compliance_level | Select the level of compliance, used by the approval rule only, and is not required for the automation script. By default it's CRITICAL | string | "CRITICAL" | no |
existing_bucket_name | The name of an existing bucket. If no bucket is provided one will be created for them. | string | "" | no |
force_destroy_bucket | A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool | false | no |
operating_system | Operating system on the EC2 instance, used by the approval rule only, and is not required for the automation script | string | "CENTOS" | no |
patch_classification | Windows Options=(CriticalUpdates,SecurityUpdates,DefinitionUpdates,Drivers,FeaturePacks,ServicePacks,Tools,UpdateRollups,Updates,Upgrades), Linux Options=(Security,Bugfix,Enhancement,Recommended,Newpackage) | list(string) | [ | no |
patch_key | Defaults to tag:Patching, but can be customised if pre-existing tags and values are to be used | string | "Patching" | no |
patch_schedule | Cron expression for when to run the automation script. | string | "cron(00 22 ? * MON *)" | no |
patch_tag | Defaults to Yes, but can be customised if pre-existing tags and values are to be used | string | "Yes" | no |
product | The specific product the patch is applicable for e.g. RedhatEnterpriseLinux8.5, WindowsServer2022 | list(string) | [ | no |
rejected_patches | List of patches to be rejected | list(string) | [] | no |
severity | Severity of the patch e.g. Critical, Important, Medium, Low | list(string) | [ | no |
suffix | When creating multiple patch schedules per environment, a suffix can be used to differentiate resources | string | "" | no |
tags | Common tags to be used by all resources | map(string) | n/a | yes |

Name | Description |
---|---|
iam-policy-arn | The policy arn for the IAM policy used by the automation script |
maintenance-window-id | The maintenance window id |
maintenance-window-target-id | The target id for the maintenance window |
patch-resource-group-arn | The resource group arn for patching |