Merge pull request #434 from ministryofjustice/ssm-patch-module-refactor

Baseline Refactor
ministryofjustice · Jul 15, 2024 · 58f4d7e · 58f4d7e
2 parents 8e862c5 + 50b6cdb
commit 58f4d7e
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 52 deletions.
diff --git a/README.md b/README.md
@@ -65,11 +65,11 @@ If you're looking to raise an issue with this module, please create a new issue
 | [aws_iam_role.ssm-patching-iam-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.ssm-admin-automation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_resourcegroups_group.patch-resource-group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource |
+| [aws_ssm_default_patch_baseline.ssm-default-patch-baseline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_default_patch_baseline) | resource |
 | [aws_ssm_maintenance_window.ssm-maintenance-window](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_maintenance_window) | resource |
 | [aws_ssm_maintenance_window_target.ssm-maintenance-window-target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_maintenance_window_target) | resource |
 | [aws_ssm_maintenance_window_task.ssm-maintenance-window-automation-task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_maintenance_window_task) | resource |
-| [aws_ssm_patch_baseline.oracle-database-baseline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_patch_baseline) | resource |
-| [aws_ssm_patch_baseline.oracle-database-patch-baseline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_patch_baseline) | resource |
+| [aws_ssm_patch_baseline.ssm-patch-baseline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_patch_baseline) | resource |
 | [aws_elb_service_account.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source |
 | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ssm-admin-policy-doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -85,11 +85,13 @@ If you're looking to raise an issue with this module, please create a new issue
 | <a name="input_existing_bucket_name"></a> [existing\_bucket\_name](#input\_existing\_bucket\_name) | The name of the existing bucket name. If no bucket is provided one will be created for them. | `string` | `""` | no |
 | <a name="input_force_destroy_bucket"></a> [force\_destroy\_bucket](#input\_force\_destroy\_bucket) | A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no |
 | <a name="input_operating_system"></a> [operating\_system](#input\_operating\_system) | Operating system on the ec2 instance, used by the approval rule only, and is not required for the automation script | `string` | `"CENTOS"` | no |
-| <a name="input_patch_classification"></a> [patch\_classification](#input\_patch\_classification) | Operating system on the ec2 instance | `list(string)` | <pre>[<br>  "Security"<br>]</pre> | no |
+| <a name="input_patch_classification"></a> [patch\_classification](#input\_patch\_classification) | Windows Options=(CriticalUpdates,SecurityUpdates,DefinitionUpdates,Drivers,FeaturePacks,ServicePacks,Tools,UpdateRollups,Updates,Upgrades), Linux Options=(Security,Bugfix,Enhancement,Recommended,Newpackage) | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | <a name="input_patch_key"></a> [patch\_key](#input\_patch\_key) | Defaults as tag:Patching, but can be customised if pre existing tags and values want to be used | `string` | `"Patching"` | no |
 | <a name="input_patch_schedule"></a> [patch\_schedule](#input\_patch\_schedule) | Crontab on when to run the automation script. | `string` | `"cron(00 22 ? * MON *)"` | no |
 | <a name="input_patch_tag"></a> [patch\_tag](#input\_patch\_tag) | Defaults as yes, but can be customised if pre existing tags and values want to be used | `string` | `"Yes"` | no |
+| <a name="input_product"></a> [product](#input\_product) | The specific product the patch is applicable for e.g. RedhatEnterpriseLinux8.5, WindowsServer2022 | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | <a name="input_rejected_patches"></a> [rejected\_patches](#input\_rejected\_patches) | List of patches to be rejected | `list(string)` | `[]` | no |
+| <a name="input_severity"></a> [severity](#input\_severity) | Severity of the patch e.g. Critical, Important, Medium, Low | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | <a name="input_suffix"></a> [suffix](#input\_suffix) | When creating multiple patch schedules per environment, a suffix can be used to differentiate resources | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Common tags to be used by all resources | `map(string)` | n/a | yes |
 

diff --git a/main.tf b/main.tf
@@ -213,6 +213,7 @@ resource "aws_ssm_maintenance_window_target" "ssm-maintenance-window-target" {
 
 resource "aws_ssm_maintenance_window_task" "ssm-maintenance-window-automation-task" {
   name             = "${var.application_name}-automation-patching-task${var.suffix}"
+  description      = "${var.application_name}-automation-patching-task${var.suffix}"
   max_concurrency  = 20
   max_errors       = 10
   priority         = 1
@@ -236,7 +237,7 @@ resource "aws_ssm_maintenance_window_task" "ssm-maintenance-window-automation-ta
       }
       parameter {
         name   = "ReportS3Bucket"
-        values = ["${var.application_name}-ssm-patching-logs"]
+        values = [var.existing_bucket_name != "" ? "arn:aws:s3:::${var.existing_bucket_name}" : "${module.s3-bucket[0].bucket.id}"]
       }
     }
   }
@@ -283,67 +284,35 @@ JSON
 #  }
 #}
 
-resource "aws_ssm_patch_baseline" "oracle-database-baseline" {
+
+resource "aws_ssm_patch_baseline" "ssm-patch-baseline" {
   name             = "${var.application_name}-baseline${var.suffix}"
+  description      = "${var.application_name}-baseline${var.suffix}"
   operating_system = var.operating_system
+  rejected_patches = var.rejected_patches
 
   approval_rule {
     approve_after_days = var.approval_days
     compliance_level   = var.compliance_level
 
-    patch_filter {
-      key    = "CLASSIFICATION"
-      values = var.patch_classification
-    }
-  }
-}
-
-resource "aws_ssm_patch_baseline" "oracle-database-patch-baseline" {
-  name             = "oracle-database-patch-baseline${var.suffix}"
-  description      = "Patch Baseline Description"
-  rejected_patches = var.rejected_patches
-
-  global_filter {
-    key    = "PRODUCT"
-    values = ["WindowsServer2008"]
-  }
-
-  global_filter {
-    key    = "CLASSIFICATION"
-    values = ["ServicePacks"]
-  }
-
-  global_filter {
-    key    = "MSRC_SEVERITY"
-    values = ["Low"]
-  }
-
-  approval_rule {
-    approve_after_days = 7
-    compliance_level   = "HIGH"
-
     patch_filter {
       key    = "PRODUCT"
-      values = ["WindowsServer2016"]
+      values = var.product
     }
 
     patch_filter {
       key    = "CLASSIFICATION"
-      values = ["CriticalUpdates", "SecurityUpdates", "Updates"]
-    }
-
-    patch_filter {
-      key    = "MSRC_SEVERITY"
-      values = ["Critical", "Important", "Moderate"]
+      values = var.patch_classification
     }
-  }
-
-  approval_rule {
-    approve_after_days = 7
 
     patch_filter {
-      key    = "PRODUCT"
-      values = ["WindowsServer2012"]
+      key    = var.operating_system == "WINDOWS" ? "MSRC_SEVERITY" : "SEVERITY"
+      values = var.severity
     }
   }
 }
+
+resource "aws_ssm_default_patch_baseline" "ssm-default-patch-baseline" {
+  baseline_id      = aws_ssm_patch_baseline.ssm-patch-baseline.id
+  operating_system = var.operating_system
+}
diff --git a/variables.tf b/variables.tf
@@ -37,8 +37,18 @@ variable "compliance_level" {
 }
 variable "patch_classification" {
   type        = list(string)
-  description = "Operating system on the ec2 instance"
-  default     = ["Security"]
+  description = "Windows Options=(CriticalUpdates,SecurityUpdates,DefinitionUpdates,Drivers,FeaturePacks,ServicePacks,Tools,UpdateRollups,Updates,Upgrades), Linux Options=(Security,Bugfix,Enhancement,Recommended,Newpackage)"
+  default     = ["*"]
+}
+variable "severity" {
+  type        = list(string)
+  description = "Severity of the patch e.g. Critical, Important, Medium, Low"
+  default     = ["*"]
+}
+variable "product" {
+  type        = list(string)
+  description = "The specific product the patch is applicable for e.g. RedhatEnterpriseLinux8.5, WindowsServer2022"
+  default     = ["*"]
 }
 variable "patch_schedule" {
   type        = string
@@ -60,7 +70,6 @@ variable "rejected_patches" {
   description = "List of patches to be rejected"
   default     = []
 }
-
 variable "suffix" {
   type        = string
   description = "When creating multiple patch schedules per environment, a suffix can be used to differentiate resources"