
Resource aws_ssm_patch_group cannot handle multiple baselines of differing OS in a single patch group #9603

Closed
jdheyburn opened this issue Aug 2, 2019 · 10 comments · Fixed by #15213
Labels
bug Addresses a defect in current functionality. service/ssm Issues and PRs that pertain to the ssm service.
Milestone

Comments

@jdheyburn
Contributor

jdheyburn commented Aug 2, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

$ terraform -v
Terraform v0.12.6
+ provider.aws v2.22.0

Affected Resource(s)

  • aws_ssm_patch_group

Terraform Configuration Files

resource "aws_ssm_patch_baseline" "centos" {
  name             = "centos-patch-baseline"
  description      = "Patch baseline for centos"
  operating_system = "CENTOS"

  approval_rule {
    approve_after_days = "0"

    patch_filter {
      key    = "CLASSIFICATION"
      values = ["*"]
    }
  }
}

resource "aws_ssm_patch_baseline" "amazon_linux_2" {
  name             = "amazon_linux_2-patch-baseline"
  description      = "Patch baseline for amazon_linux_2"
  operating_system = "AMAZON_LINUX_2"

  approval_rule {
    approve_after_days = "0"

    patch_filter {
      key    = "CLASSIFICATION"
      values = ["*"]
    }
  }
}

resource "aws_ssm_patch_baseline" "amazon_linux" {
  name             = "amazon_linux-patch-baseline"
  description      = "Patch baseline for amazon_linux"
  operating_system = "AMAZON_LINUX"

  approval_rule {
    approve_after_days = "0"

    patch_filter {
      key    = "CLASSIFICATION"
      values = ["*"]
    }
  }
}

resource "aws_ssm_patch_group" "centos" {
    patch_group = "patch_group"
    baseline_id = "${aws_ssm_patch_baseline.centos.id}"
}

resource "aws_ssm_patch_group" "amazon_linux_2" {
    patch_group = "patch_group"
    baseline_id = "${aws_ssm_patch_baseline.amazon_linux_2.id}"
}

resource "aws_ssm_patch_group" "amazon_linux" {
    patch_group = "patch_group"
    baseline_id = "${aws_ssm_patch_baseline.amazon_linux.id}"
}

Debug Output

Apply output: https://gist.github.com/jdheyburn/e8298fa7b182f39948c98b34909fe2eb

Panic Output

N/A

Expected Behavior

  • Patch group should be unaltered, keeping all baselines

Actual Behavior

  • A baseline is removed from patch group

Output of the apply

Terraform will perform the following actions:

  # aws_ssm_patch_group.amazon_linux must be replaced
-/+ resource "aws_ssm_patch_group" "amazon_linux" {
      ~ baseline_id = "pb-01ad30a5a012192ed" -> "pb-0a38d8d0f7b2d56ce" # forces replacement
      ~ id          = "patch_group" -> (known after apply)
        patch_group = "patch_group"
    }

  # aws_ssm_patch_group.amazon_linux_2 must be replaced
-/+ resource "aws_ssm_patch_group" "amazon_linux_2" {
      ~ baseline_id = "pb-01ad30a5a012192ed" -> "pb-00fb43e57d24e1b2c" # forces replacement
      ~ id          = "patch_group" -> (known after apply)
        patch_group = "patch_group"
    }

Plan: 2 to add, 0 to change, 2 to destroy.

Note the following baseline IDs for referencing the above plan output:
amazon_linux_2 = pb-00fb43e57d24e1b2c
centos = pb-01ad30a5a012192ed
amazon_linux = pb-0a38d8d0f7b2d56ce

Steps to Reproduce

With the above HCL:

  1. Build out the scenario of 3 baselines added to 1 patch group: terraform apply
  2. View the results on the console, there are 3 baselines to the new patch group
  3. With no changes to the code, apply again: terraform apply
  4. See how the plan wants to alter the baseline
  5. After apply, view patch group in console, it removes a baseline
  6. This will then cycle forever

Important Factoids

N/A

References

Patch groups can be assigned many baselines, but only one baseline per OS - this is how it functions in the AWS console. Terraform here is assuming that a patch group can only have one baseline - or that it is only reading the first patch group entry retrieved from describe-patch-groups and then making changes from there.

@ghost ghost added the service/ssm Issues and PRs that pertain to the ssm service. label Aug 2, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Aug 2, 2019
@XDanny322

XDanny322 commented Jan 15, 2020

FWIW - Just reproduced this issue on version 0.12.18, on provider:

./plugins/darwin_amd64/terraform-provider-null_v2.1.2_x4
./plugins/darwin_amd64/terraform-provider-archive_v1.3.0_x4
./plugins/darwin_amd64/terraform-provider-aws_v2.44.0_x4

@jdheyburn
Contributor Author

Hope to take a look at this over the next coming weeks.

@andycohen

Your comments don't follow AWS's own documentation:

https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-patch-patchgroups.html

> Note
> A patch group can only be registered with one patch baseline.

Therefore the Terraform behaviour is correct, no?

@jdheyburn
Contributor Author

Correct, however a patch baseline can have multiple patch groups. This is what Terraform fails to pick up. On the Modify Patch Groups page in AWS Console:

> Patch groups
> You can create up to 25 tag values to define patch groups for this patch baseline. Tag keys are automatically named Patch Group. Learn more

My original example should ideally have separate patch group names to highlight this.

@rentiak

rentiak commented May 11, 2020

> Your comments don't follow AWS's own documentation:
>
> https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-patch-patchgroups.html
>
> Note
> A patch group can only be registered with one patch baseline.
>
> Therefore the Terraform behaviour is correct, no?

This is actually not correct as the docs are somewhat misleading. You can have a single patch group registered with multiple patch baselines if they are for different operating systems. That line should really read "A patch group can only be registered with one patch baseline per operating system"

See below as an example where I've created an Internal Systems patch baseline for each OS (Windows, Amzn1 and Amzn2) and associated them with a single patch group:
[Screenshot attached: "Screen Shot 2020-05-11 at 12 24 02 PM"]

@eerkunt

eerkunt commented May 15, 2020

We are having the same problem. Even though it is written as above in the documentation, even the aws-cli allows registering multiple patch baselines to one group. IMHO, the problem looks like the id that is used as a resource reference within the terraform state is set to baseline_id, which is making any sequential plan/apply operation confused.
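An added example (not the provider's own code) modelling the two read behaviours in Go: the first keys state on the patch group name alone, which reproduces why every resource in the plan above converges on the centos baseline; the second keys state on an assumed "<patch_group>,<baseline_id>" composite ID. The describe-patch-groups data is constructed from the baseline IDs quoted in the issue.

```go
package main

import (
	"strings"
)

// Mapping is one entry of a describe-patch-groups response.
type Mapping struct {
	PatchGroup string
	BaselineID string
}

// Constructed sample: the three baseline IDs quoted in the issue, all
// registered to the single patch group "patch_group".
var apiMappings = []Mapping{
	{"patch_group", "pb-01ad30a5a012192ed"}, // centos
	{"patch_group", "pb-00fb43e57d24e1b2c"}, // amazon_linux_2
	{"patch_group", "pb-0a38d8d0f7b2d56ce"}, // amazon_linux
}

// readByGroupOnly models the defective read: the state ID is only the
// patch group name, so the first entry wins for all three resources.
func readByGroupOnly(id string) (Mapping, bool) {
	for _, m := range apiMappings {
		if m.PatchGroup == id {
			return m, true
		}
	}
	return Mapping{}, false
}

// compositeID builds a "<patch_group>,<baseline_id>" state ID (assumed format).
func compositeID(group, baseline string) string { return group + "," + baseline }

// readByComposite models the corrected read: match on both halves, so a
// resource only ever sees the registration it created.
func readByComposite(id string) (Mapping, bool) {
	parts := strings.SplitN(id, ",", 2)
	if len(parts) != 2 {
		return Mapping{}, false // legacy single-name ID: treat as not found
	}
	for _, m := range apiMappings {
		if m.PatchGroup == parts[0] && m.BaselineID == parts[1] {
			return m, true
		}
	}
	return Mapping{}, false
}
```

With the group-only read, aws_ssm_patch_group.amazon_linux and .amazon_linux_2 both refresh to the centos baseline ID, which is exactly the "forces replacement" diff in the plan above.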

@varun1231

varun1231 commented May 15, 2020

Terraform has an aws_ssm_patch_group resource while there is no CreatePatchGroup in the AWS API. It is basically registering a patch baseline with a patch group. The workaround is probably using a null resource to run the register-patch-baseline-for-patch-group CLI command to do this task, with a sha trigger based on the baseline resource and patch group input, and obviously run deregister-patch-baseline-for-patch-group for a destroy operation to keep it clean - thanks @eerkunt for this steer.

@meons

meons commented Aug 31, 2020

👍

@anGie44 anGie44 added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Mar 17, 2021
@anGie44 anGie44 added this to the v3.33.0 milestone Mar 17, 2021
@ghost

ghost commented Mar 18, 2021

This has been released in version 3.33.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Apr 16, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Apr 16, 2021