Merge pull request #39949 from stefanfreitag/b-aws_ssm_patch_baseline…

…-update-validation fix: update approve_after_days validation in ssm patch baseline resource
hashicorp · Oct 31, 2024 · 485918f · 485918f
2 parents ce1c31d + 23402a1
commit 485918f
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 2 deletions.
diff --git a/.changelog/39949.txt b/.changelog/39949.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_ssm_patch_baseline: Update `approval_rule.approve_after_days` validation to allow a maximum value of `360`
+```
diff --git a/internal/service/ssm/patch_baseline.go b/internal/service/ssm/patch_baseline.go
@@ -54,7 +54,7 @@ func resourcePatchBaseline() *schema.Resource {
 						"approve_after_days": {
 							Type:         schema.TypeInt,
 							Optional:     true,
-							ValidateFunc: validation.IntBetween(0, 100),
+							ValidateFunc: validation.IntBetween(0, 360),
 						},
 						"approve_until_date": {
 							Type:         schema.TypeString,

diff --git a/internal/service/ssm/patch_baseline_test.go b/internal/service/ssm/patch_baseline_test.go
@@ -221,6 +221,31 @@ func TestAccSSMPatchBaseline_approveUntilDateParam(t *testing.T) {
 	})
 }
 
+func TestAccSSMPatchBaseline_approveAfterDays(t *testing.T) {
+	ctx := acctest.Context(t)
+	var baseline ssm.GetPatchBaselineOutput
+	name := sdkacctest.RandString(10)
+	resourceName := "aws_ssm_patch_baseline.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.SSMServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckPatchBaselineDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPatchBaselineConfig_approveAfterDays(name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckPatchBaselineExists(ctx, resourceName, &baseline),
+					resource.TestCheckResourceAttr(resourceName, "approval_rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "approval_rule.0.approve_after_days", "360"),
+					resource.TestCheckResourceAttr(resourceName, "approval_rule.0.patch_filter.#", "2"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccSSMPatchBaseline_sources(t *testing.T) {
 	ctx := acctest.Context(t)
 	var before, after ssm.GetPatchBaselineOutput
@@ -615,6 +640,32 @@ resource "aws_ssm_patch_baseline" "test" {
 `, rName)
 }
 
+func testAccPatchBaselineConfig_approveAfterDays(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_ssm_patch_baseline" "test" {
+  name             = %[1]q
+  operating_system = "AMAZON_LINUX"
+  description      = "Baseline containing all updates approved for production systems"
+
+  approval_rule {
+    approve_after_days  = 360
+    enable_non_security = true
+    compliance_level    = "CRITICAL"
+
+    patch_filter {
+      key    = "PRODUCT"
+      values = ["AmazonLinux2016.03", "AmazonLinux2016.09", "AmazonLinux2017.03", "AmazonLinux2017.09"]
+    }
+
+    patch_filter {
+      key    = "SEVERITY"
+      values = ["Critical", "Important"]
+    }
+  }
+}
+`, rName)
+}
+
 func testAccPatchBaselineConfig_source(rName string) string {
 	return fmt.Sprintf(`
 resource "aws_ssm_patch_baseline" "test" {

diff --git a/website/docs/r/ssm_patch_baseline.html.markdown b/website/docs/r/ssm_patch_baseline.html.markdown
@@ -180,7 +180,7 @@ The following arguments are optional:
 
 The `approval_rule` block supports:
 
-* `approve_after_days` - (Optional) Number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. Valid Range: 0 to 100. Conflicts with `approve_until_date`.
+* `approve_after_days` - (Optional) Number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. Valid Range: 0 to 360. Conflicts with `approve_until_date`.
 * `approve_until_date` - (Optional) Cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Date is formatted as `YYYY-MM-DD`. Conflicts with `approve_after_days`
 * `compliance_level` - (Optional) Compliance level for patches approved by this rule. Valid values are `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFORMATIONAL`, and `UNSPECIFIED`. The default value is `UNSPECIFIED`.
 * `enable_non_security` - (Optional) Boolean enabling the application of non-security updates. The default value is `false`. Valid for Linux instances only.