Modernisation Platform Terraform SSM Patching
To use this module, your instances must have the SSM agent installed (it is installed by default on many AMIs) and must carry the tag `Patching: Yes`. The tag key and value can be changed with the `patch_key` and `patch_tag` inputs. Instances that are not registered with SSM (for example because the agent is missing or the instance profile lacks the SSM permissions) are never reached by the automation, so check that they show up as managed instances before relying on the schedule.
We are looking to add more tagging functionality, so these requirements may change in future releases.
```hcl
module "ssm-auto-patching" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-ssm-patching.git?ref="
  count  = local.environment == "development" ? 1 : 0
  providers = {
    aws.bucket-replication = aws
  }
  account_number   = local.environment_management.account_ids[terraform.workspace]
  application_name = local.application_name
  tags = merge(
    local.tags,
    {
      Name = "ssm-patching"
    },
  )
}
```
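As an added example (not code from the module's README or from the Modernisation Platform), the configuration below opts two instances in with the selecting tag and calls the module twice in one environment: once with the Linux defaults narrowed to security and bug-fix patches, and once for Windows hosts with a different patch window. `suffix` keeps the two sets of resources apart and a custom `patch_tag` makes each schedule pick up only its own hosts. The `aws_instance` resources, AMI IDs, account number, locals and the `<pinned-commit-sha>` placeholder are assumptions for illustration; the input names and values are those documented in the inputs table.

```hcl
locals {
  environment      = "development"
  application_name = "example-app"  # assumed value
  account_number   = "123456789012" # assumed; normally taken from local.environment_management
  tags = {
    business-unit = "example" # assumed common tags
    owner         = "example-team"
  }
}

# Instances opt in by carrying the tag the module selects on. The AMI is
# assumed to ship with the SSM agent; without a registered agent the
# automation never reaches the host.
resource "aws_instance" "linux" {
  ami           = "ami-0123456789abcdef0" # assumed AMI ID
  instance_type = "t3.micro"
  tags = merge(local.tags, {
    Name     = "example-app-linux"
    Patching = "Yes" # default patch_key / patch_tag pair
  })
}

resource "aws_instance" "windows" {
  ami           = "ami-0fedcba9876543210" # assumed AMI ID
  instance_type = "t3.medium"
  tags = merge(local.tags, {
    Name     = "example-app-windows"
    Patching = "Windows" # matches the custom patch_tag below
  })
}

# Linux schedule: module defaults, but only Security/Bugfix patches of
# Critical/Important severity, auto-approved after 3 days.
module "ssm-auto-patching-linux" {
  # Pin to a commit SHA, not a branch, so the module code cannot change underneath you.
  source = "github.com/ministryofjustice/modernisation-platform-terraform-ssm-patching.git?ref=<pinned-commit-sha>"
  count  = local.environment == "development" ? 1 : 0
  providers = {
    aws.bucket-replication = aws
  }

  account_number       = local.account_number
  application_name     = local.application_name
  suffix               = "linux"
  operating_system     = "CENTOS"
  patch_classification = ["Security", "Bugfix"]
  severity             = ["Critical", "Important"]
  approval_days        = "3"
  compliance_level     = "HIGH"

  tags = merge(local.tags, { Name = "ssm-patching-linux" })
}

# Windows schedule: different OS and product filter, Sunday 03:00 UTC window,
# and its own tag value so Linux hosts are not selected twice.
module "ssm-auto-patching-windows" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-ssm-patching.git?ref=<pinned-commit-sha>"
  count  = local.environment == "development" ? 1 : 0
  providers = {
    aws.bucket-replication = aws
  }

  account_number       = local.account_number
  application_name     = local.application_name
  suffix               = "windows"
  patch_key            = "Patching"
  patch_tag            = "Windows"
  operating_system     = "WINDOWS"
  product              = ["WindowsServer2022"]
  patch_classification = ["CriticalUpdates", "SecurityUpdates"]
  severity             = ["Critical", "Important"]
  patch_schedule       = "cron(00 03 ? * SUN *)"
  rejected_patches     = [] # list patch IDs here (KB numbers on Windows) to hold back a known-bad update

  tags = merge(local.tags, { Name = "ssm-patching-windows" })
}
```

Because selection is purely by tag, a host carries exactly one `Patching` value and so lands in exactly one schedule; when you reuse a pre-existing tag key via `patch_key`, make sure its values are not shared by hosts you do not intend to patch. How the `suffix` is joined into resource names is the module's concern, so check the resulting names with `terraform plan` before applying.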
If you want to raise an issue with this module, please create a new issue in the Modernisation Platform repository.
Modules called by this module:

| Name | Source | Version |
|------|--------|---------|
| s3-bucket | github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket | 8688bc15a08fbf5a4f4eef9b7433c5a417df8df1 |
Input variables:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| account_number | Account number of the current environment | `string` | n/a | yes |
| application_name | Name of the application | `string` | n/a | yes |
| approval_days | Number of days before a patch is approved. Used by the approval rule only; not required for the automation script | `string` | `"7"` | no |
| compliance_level | Compliance level assigned by the approval rule. Used by the approval rule only; not required for the automation script | `string` | `"CRITICAL"` | no |
| existing_bucket_name | Name of an existing S3 bucket to use. If none is given, a bucket is created | `string` | `""` | no |
| force_destroy_bucket | Whether to delete all objects (including locked objects) from the bucket so it can be destroyed without error. Deleted objects are not recoverable | `bool` | `false` | no |
| operating_system | Operating system of the EC2 instances. Used by the approval rule only; not required for the automation script | `string` | `"CENTOS"` | no |
| patch_classification | Windows options: CriticalUpdates, SecurityUpdates, DefinitionUpdates, Drivers, FeaturePacks, ServicePacks, Tools, UpdateRollups, Updates, Upgrades. Linux options: Security, Bugfix, Enhancement, Recommended, Newpackage | `list(string)` | `["*"]` | no |
| patch_key | Tag key used to select instances for patching. Defaults to `Patching`; change it to reuse a pre-existing tag key | `string` | `"Patching"` | no |
| patch_schedule | AWS cron expression for when the automation script runs (the default is every Monday at 22:00 UTC) | `string` | `"cron(00 22 ? * MON *)"` | no |
| patch_tag | Tag value used to select instances for patching. Defaults to `Yes`; change it to reuse a pre-existing tag value | `string` | `"Yes"` | no |
| product | Specific product the patch applies to, e.g. RedhatEnterpriseLinux8.5, WindowsServer2022 | `list(string)` | `["*"]` | no |
| rejected_patches | List of patches to reject | `list(string)` | `[]` | no |
| severity | Severity of the patch, e.g. Critical, Important, Medium, Low | `list(string)` | `["*"]` | no |
| suffix | When creating multiple patch schedules per environment, a suffix differentiates the resources | `string` | `""` | no |
| tags | Common tags applied to all resources | `map(string)` | n/a | yes |