From e0f0c3366844a50175c213eeeb9be239f3043b53 Mon Sep 17 00:00:00 2001 From: pav Date: Thu, 11 Jul 2024 18:59:48 +0100 Subject: [PATCH 01/13] refactor --- main.tf | 34 +++++++++++++++++++++++++++++++++- variables.tf | 15 ++++++++++++--- 2 files changed, 45 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index a5ee131..f6290fd 100644 --- a/main.tf +++ b/main.tf @@ -236,7 +236,7 @@ resource "aws_ssm_maintenance_window_task" "ssm-maintenance-window-automation-ta } parameter { name = "ReportS3Bucket" - values = ["${var.application_name}-ssm-patching-logs"] + values = ["${var.application_name}-ssm${var.suffix}"] } } } @@ -283,6 +283,38 @@ JSON # } #} + +resource "aws_ssm_patch_baseline" ssm-patch-baseline { + name = "${var.application_name}-baseline${var.suffix}" + description = "${var.application_name}-baseline${var.suffix}" + operating_system = var.operating_system + rejected_patches = var.rejected_patches + + approval_rule { + approve_after_days = var.approval_days + + patch_filter { + key = "PRODUCT" + values = var.product + } + + patch_filter { + key = "CLASSIFICATION" + values = var.patch_classification + } + + patch_filter { + key = var.operating_system == "WINDOWS" ? "MSRC_SEVERITY" : "SEVERITY" + values = var.severity #["Critical", "Important"] + } + } +} + +resource "aws_ssm_default_patch_baseline" "ssm-default-patch-baseline" { + baseline_id = aws_ssm_patch_baseline.ssm-patch-baseline.id + operating_system = var.operating_system +} + resource "aws_ssm_patch_baseline" "oracle-database-baseline" { name = "${var.application_name}-baseline${var.suffix}" operating_system = var.operating_system diff --git a/variables.tf b/variables.tf index 1ed75cd..7dab299 100644 --- a/variables.tf +++ b/variables.tf 
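Review bot: The new `aws_ssm_default_patch_baseline` registers this baseline as the default for `var.operating_system`, which, as far as I understand the service, is a single account/Region-level setting per OS — it therefore applies to every instance in the account that is not assigned to a patch group, not only to the targets this module patches, and two instantiations of the module that differ only by `var.suffix` (the documented multi-schedule use) but share an operating system would each claim the default and overwrite each other on every apply. Consider gating it behind a new boolean variable defaulting to false, e.g. `count = var.set_default_baseline ? 1 : 0`, or attaching the baseline to the module's patch group with `aws_ssm_patch_group` instead. A header comment such as `# Makes this baseline the account-wide default for the OS; only one module instance per OS/Region may do this` would make the blast radius explicit to the next maintainer.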
@@ -37,8 +37,18 @@ variable "compliance_level" { } variable "patch_classification" { type = list(string) - description = "Operating system on the ec2 instance" - default = ["Security"] + description = "Classification of the patch" + default = ["*"] +} +variable "severity" { + type = list(string) + description = "Severity of the patch" + default = ["*"] +} +variable "product" { + type = list(string) + description = "The specific product the patch is applicable for" + default = ["*"] } variable "patch_schedule" { type = string @@ -60,7 +70,6 @@ variable "rejected_patches" { description = "List of patches to be rejected" default = [] } - variable "suffix" { type = string description = "When creating multiple patch schedules per environment, a suffix can be used to differentiate resources" From 458d203822a7889e5832eaef1027e0e8c85f9410 Mon Sep 17 00:00:00 2001 From: pav Date: Thu, 11 Jul 2024 22:28:06 +0100 Subject: [PATCH 02/13] test new branch --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index f6290fd..fe5c1d4 100644 --- a/main.tf +++ b/main.tf @@ -292,6 +292,7 @@ resource "aws_ssm_patch_baseline" ssm-patch-baseline { approval_rule { approve_after_days = var.approval_days + compliance_level = var.compliance_level patch_filter { key = "PRODUCT" From 06476b42c96aacc01bd36bdc10b593595873c554 Mon Sep 17 00:00:00 2001 From: pav Date: Thu, 11 Jul 2024 22:33:11 +0100 Subject: [PATCH 03/13] test new branch --- main.tf | 130 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 65 insertions(+), 65 deletions(-) diff --git a/main.tf b/main.tf index fe5c1d4..8bb212c 100644 --- a/main.tf +++ b/main.tf 
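Review bot: The default of `patch_classification` moves from `["Security"]` to `["*"]`, and the new `severity` and `product` variables also default to `["*"]`, so an existing consumer that relies on the defaults goes from approving only security-classified patches to approving every patch the baseline can match after `var.approval_days` — a behaviour change, not just the refactor the subject line suggests, and worth stating in the descriptions or release notes. If the widening is intended, say so in the variable itself, e.g. `description = "Classification of the patch; the default \"*\" approves all classifications"`. Otherwise keep `["Security"]` as the default and let callers opt into `["*"]`.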
@@ -315,68 +315,68 @@ resource "aws_ssm_default_patch_baseline" "ssm-default-patch-baseline" { baseline_id = aws_ssm_patch_baseline.ssm-patch-baseline.id operating_system = var.operating_system } - -resource "aws_ssm_patch_baseline" "oracle-database-baseline" { - name = "${var.application_name}-baseline${var.suffix}" - operating_system = var.operating_system - - approval_rule { - approve_after_days = var.approval_days - compliance_level = var.compliance_level - - patch_filter { - key = "CLASSIFICATION" - values = var.patch_classification - } - } -} - -resource "aws_ssm_patch_baseline" "oracle-database-patch-baseline" { - name = "oracle-database-patch-baseline${var.suffix}" - description = "Patch Baseline Description" - rejected_patches = var.rejected_patches - - global_filter { - key = "PRODUCT" - values = ["WindowsServer2008"] - } - - global_filter { - key = "CLASSIFICATION" - values = ["ServicePacks"] - } - - global_filter { - key = "MSRC_SEVERITY" - values = ["Low"] - } - - approval_rule { - approve_after_days = 7 - compliance_level = "HIGH" - - patch_filter { - key = "PRODUCT" - values = ["WindowsServer2016"] - } - - patch_filter { - key = "CLASSIFICATION" - values = ["CriticalUpdates", "SecurityUpdates", "Updates"] - } - - patch_filter { - key = "MSRC_SEVERITY" - values = ["Critical", "Important", "Moderate"] - } - } - - approval_rule { - approve_after_days = 7 - - patch_filter { - key = "PRODUCT" - values = ["WindowsServer2012"] - } - } -} +# +# resource "aws_ssm_patch_baseline" "oracle-database-baseline" { +# name = "${var.application_name}-baseline${var.suffix}" +# operating_system = var.operating_system +# +# approval_rule { +# approve_after_days = var.approval_days +# compliance_level = var.compliance_level +# +# patch_filter { +# key = "CLASSIFICATION" +# values = var.patch_classification +# } +# } +# } +# +# resource "aws_ssm_patch_baseline" "oracle-database-patch-baseline" { +# name = "oracle-database-patch-baseline${var.suffix}" +# description = 
"Patch Baseline Description" +# rejected_patches = var.rejected_patches +# +# global_filter { +# key = "PRODUCT" +# values = ["WindowsServer2008"] +# } +# +# global_filter { +# key = "CLASSIFICATION" +# values = ["ServicePacks"] +# } +# +# global_filter { +# key = "MSRC_SEVERITY" +# values = ["Low"] +# } +# +# approval_rule { +# approve_after_days = 7 +# compliance_level = "HIGH" +# +# patch_filter { +# key = "PRODUCT" +# values = ["WindowsServer2016"] +# } +# +# patch_filter { +# key = "CLASSIFICATION" +# values = ["CriticalUpdates", "SecurityUpdates", "Updates"] +# } +# +# patch_filter { +# key = "MSRC_SEVERITY" +# values = ["Critical", "Important", "Moderate"] +# } +# } +# +# approval_rule { +# approve_after_days = 7 +# +# patch_filter { +# key = "PRODUCT" +# values = ["WindowsServer2012"] +# } +# } +# } From d848871512088371513a031c2ed196b840b7a2c7 Mon Sep 17 00:00:00 2001 From: pav Date: Thu, 11 Jul 2024 22:48:28 +0100 Subject: [PATCH 04/13] remove old baselines --- main.tf | 65 --------------------------------------------------------- 1 file changed, 65 deletions(-) diff --git a/main.tf b/main.tf index 8bb212c..9d19ee7 100644 --- a/main.tf +++ b/main.tf 
@@ -315,68 +315,3 @@ resource "aws_ssm_default_patch_baseline" "ssm-default-patch-baseline" { baseline_id = aws_ssm_patch_baseline.ssm-patch-baseline.id operating_system = var.operating_system } -# -# resource "aws_ssm_patch_baseline" "oracle-database-baseline" { -# name = "${var.application_name}-baseline${var.suffix}" -# operating_system = var.operating_system -# -# approval_rule { -# approve_after_days = var.approval_days -# compliance_level = var.compliance_level -# -# patch_filter { -# key = "CLASSIFICATION" -# values = var.patch_classification -# } -# } -# } -# -# resource "aws_ssm_patch_baseline" "oracle-database-patch-baseline" { -# name = "oracle-database-patch-baseline${var.suffix}" -# description = "Patch Baseline Description" -# rejected_patches = var.rejected_patches -# -# global_filter { -# key = "PRODUCT" -# values = ["WindowsServer2008"] -# } -# -# global_filter { -# key = "CLASSIFICATION" -# values = ["ServicePacks"] -# } -# -# global_filter { -# key = "MSRC_SEVERITY" -# values = ["Low"] -# } -# -# approval_rule { -# approve_after_days = 7 -# compliance_level = "HIGH" -# -# patch_filter { -# key = "PRODUCT" -# values = ["WindowsServer2016"] -# } -# -# patch_filter { -# key = "CLASSIFICATION" -# values = ["CriticalUpdates", "SecurityUpdates", "Updates"] -# } -# -# patch_filter { -# key = "MSRC_SEVERITY" -# values = ["Critical", "Important", "Moderate"] -# } -# } -# -# approval_rule { -# approve_after_days = 7 -# -# patch_filter { -# key = "PRODUCT" -# values = ["WindowsServer2012"] -# } -# } -# } From 7c6015e64e35d3b9020b05d3e385df80f05cc1f0 Mon Sep 17 00:00:00 2001 From: pav Date: Fri, 12 Jul 2024 16:53:29 +0100 Subject: [PATCH 05/13] test new branch --- main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 9d19ee7..c8cb9bc 100644 --- a/main.tf +++ b/main.tf 
@@ -236,7 +236,8 @@ resource "aws_ssm_maintenance_window_task" "ssm-maintenance-window-automation-ta } parameter { name = "ReportS3Bucket" - values = ["${var.application_name}-ssm${var.suffix}"] +# values = ["${var.application_name}-ssm${var.suffix}"] + values = ["${module.s3-bucket.bucket.id}"] } } } From d76dd1b459cd3bd4c33a87cf531fc7c3c01d76f7 Mon Sep 17 00:00:00 2001 From: pav Date: Fri, 12 Jul 2024 17:36:45 +0100 Subject: [PATCH 06/13] test new branch --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index c8cb9bc..950d844 100644 --- a/main.tf +++ b/main.tf @@ -213,6 +213,7 @@ resource "aws_ssm_maintenance_window_target" "ssm-maintenance-window-target" { resource "aws_ssm_maintenance_window_task" "ssm-maintenance-window-automation-task" { name = "${var.application_name}-automation-patching-task${var.suffix}" + description = "${var.application_name}-automation-patching-task${var.suffix}" max_concurrency = 20 max_errors = 10 priority = 1 From e91441b88e8c9d5ac2b36b8eca7459b33fbba6a5 Mon Sep 17 00:00:00 2001 From: pav Date: Fri, 12 Jul 2024 18:00:09 +0100 Subject: [PATCH 07/13] test new branch --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 950d844..a204026 100644 --- a/main.tf +++ b/main.tf @@ -238,7 +238,7 @@ resource "aws_ssm_maintenance_window_task" "ssm-maintenance-window-automation-ta parameter { name = "ReportS3Bucket" # values = ["${var.application_name}-ssm${var.suffix}"] - values = ["${module.s3-bucket.bucket.id}"] + values = ["${module.s3-bucket[0].bucket.id}"] } } } From d7e1c5c3c1841842397a91bb4dab64baaa40fbd1 Mon Sep 17 00:00:00 2001 From: pav Date: Mon, 15 Jul 2024 10:19:49 +0100 Subject: [PATCH 08/13] Add bucket conditional --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index a204026..94ced02 100644 --- a/main.tf +++ b/main.tf 
@@ -238,7 +238,7 @@ resource "aws_ssm_maintenance_window_task" "ssm-maintenance-window-automation-ta parameter { name = "ReportS3Bucket" # values = ["${var.application_name}-ssm${var.suffix}"] - values = ["${module.s3-bucket[0].bucket.id}"] + values = [var.existing_bucket_name != "" ? "arn:aws:s3:::${var.existing_bucket_name}" : "${module.s3-bucket[0].bucket.id}"] } } } @@ -316,4 +316,4 @@ resource "aws_ssm_patch_baseline" ssm-patch-baseline { resource "aws_ssm_default_patch_baseline" "ssm-default-patch-baseline" { baseline_id = aws_ssm_patch_baseline.ssm-patch-baseline.id operating_system = var.operating_system -} +} \ No newline at end of file From 108211c63ee75efdedd3c369b8901ebe84d3312b Mon Sep 17 00:00:00 2001 From: pav Date: Mon, 15 Jul 2024 12:12:31 +0100 Subject: [PATCH 09/13] clean up --- main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/main.tf b/main.tf index 94ced02..affcbcf 100644 --- a/main.tf +++ b/main.tf @@ -237,7 +237,6 @@ resource "aws_ssm_maintenance_window_task" "ssm-maintenance-window-automation-ta } parameter { name = "ReportS3Bucket" -# values = ["${var.application_name}-ssm${var.suffix}"] values = [var.existing_bucket_name != "" ? "arn:aws:s3:::${var.existing_bucket_name}" : "${module.s3-bucket[0].bucket.id}"] } } From 8a1941f5be329aaaefea1931e11964d1508fe720 Mon Sep 17 00:00:00 2001 From: pav Date: Mon, 15 Jul 2024 12:27:43 +0100 Subject: [PATCH 10/13] clean up --- main.tf | 2 +- variables.tf | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index affcbcf..6b36679 100644 --- a/main.tf +++ b/main.tf @@ -307,7 +307,7 @@ resource "aws_ssm_patch_baseline" ssm-patch-baseline { patch_filter { key = var.operating_system == "WINDOWS" ? "MSRC_SEVERITY" : "SEVERITY" - values = var.severity #["Critical", "Important"] + values = var.severity # } } } diff --git a/variables.tf b/variables.tf index 7dab299..963c68b 100644 --- a/variables.tf +++ b/variables.tf 
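Review bot: The two branches of the new `ReportS3Bucket` ternary produce different value formats: with `existing_bucket_name` set the parameter is an ARN (`arn:aws:s3:::<name>`), otherwise it is `module.s3-bucket[0].bucket.id`, which for an `aws_s3_bucket` output is the bare bucket name (the module internals are not visible here, so confirm) — whichever format the automation document expects, one of the two paths hands it the wrong thing. Make the branches agree, most likely `values = [var.existing_bucket_name != "" ? var.existing_bucket_name : module.s3-bucket[0].bucket.id]`, which also drops the `"${...}"` interpolation-only wrapping that Terraform warns about. If the ARN form is what the document needs, the hard-coded `arn:aws` partition should come from `data.aws_partition.current.partition` so the module works outside the standard partition. The enclosing `aws_ssm_maintenance_window_task` resource starts and ends outside the hunk.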
@@ -37,17 +37,17 @@ variable "compliance_level" { } variable "patch_classification" { type = list(string) - description = "Classification of the patch" + description = "Windows Options=(CriticalUpdates,SecurityUpdates,DefinitionUpdates,Drivers,FeaturePacks,ServicePacks,Tools,UpdateRollups,Updates,Upgrades), Linux Options=(Security,Bugfix,Enhancement,Recommended,Newpackage)" default = ["*"] } variable "severity" { type = list(string) - description = "Severity of the patch" + description = "Severity of the patch e.g. Critical, Important, Medium, Low" default = ["*"] } variable "product" { type = list(string) - description = "The specific product the patch is applicable for" + description = "The specific product the patch is applicable for e.g. RedhatEnterpriseLinux8.5, WindowsServer2022" default = ["*"] } variable "patch_schedule" { From 8ce1a2b3fbea219cd98038b38edf346cc366878b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 15 Jul 2024 14:55:28 +0000 Subject: [PATCH 11/13] terraform-docs: automated action --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b0979ae..6b86bda 100644 --- a/README.md +++ b/README.md 
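Review bot: The new descriptions enumerate the accepted classifications for `patch_classification` and give examples for `severity` and `product`, but nothing enforces them, so a typo such as `"SecurityUpdate"` only surfaces when the AWS API rejects the baseline at apply time. A `validation` block on `patch_classification` can check each entry against the listed Windows and Linux values plus `"*"`, moving the failure to plan time with an `error_message` that points at the list. The two sets are also OS-specific, so the description could add that the Windows set applies when `operating_system == "WINDOWS"` and the Linux set otherwise.
```hcl
variable "patch_classification" {
  # … unchanged: type, description, default …
  validation {
    condition = alltrue([
      for c in var.patch_classification : contains([
        "*",
        "CriticalUpdates", "SecurityUpdates", "DefinitionUpdates", "Drivers", "FeaturePacks",
        "ServicePacks", "Tools", "UpdateRollups", "Updates", "Upgrades",
        "Security", "Bugfix", "Enhancement", "Recommended", "Newpackage",
      ], c)
    ])
    error_message = "patch_classification entries must be \"*\" or one of the Windows/Linux classifications listed in the description."
  }
}
```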
@@ -65,11 +65,11 @@ If you're looking to raise an issue with this module, please create a new issue | [aws_iam_role.ssm-patching-iam-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.ssm-admin-automation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_resourcegroups_group.patch-resource-group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | +| [aws_ssm_default_patch_baseline.ssm-default-patch-baseline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_default_patch_baseline) | resource | | [aws_ssm_maintenance_window.ssm-maintenance-window](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_maintenance_window) | resource | | [aws_ssm_maintenance_window_target.ssm-maintenance-window-target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_maintenance_window_target) | resource | | [aws_ssm_maintenance_window_task.ssm-maintenance-window-automation-task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_maintenance_window_task) | resource | -| [aws_ssm_patch_baseline.oracle-database-baseline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_patch_baseline) | resource | -| [aws_ssm_patch_baseline.oracle-database-patch-baseline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_patch_baseline) | resource | +| [aws_ssm_patch_baseline.ssm-patch-baseline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_patch_baseline) | resource | | [aws_elb_service_account.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | | 
[aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.ssm-admin-policy-doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -85,11 +85,13 @@ If you're looking to raise an issue with this module, please create a new issue | [existing\_bucket\_name](#input\_existing\_bucket\_name) | The name of the existing bucket name. If no bucket is provided one will be created for them. | `string` | `""` | no | | [force\_destroy\_bucket](#input\_force\_destroy\_bucket) | A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no | | [operating\_system](#input\_operating\_system) | Operating system on the ec2 instance, used by the approval rule only, and is not required for the automation script | `string` | `"CENTOS"` | no | -| [patch\_classification](#input\_patch\_classification) | Operating system on the ec2 instance | `list(string)` |
[
"Security"
]
| no | +| [patch\_classification](#input\_patch\_classification) | Windows Options=(CriticalUpdates,SecurityUpdates,DefinitionUpdates,Drivers,FeaturePacks,ServicePacks,Tools,UpdateRollups,Updates,Upgrades), Linux Options=(Security,Bugfix,Enhancement,Recommended,Newpackage) | `list(string)` |
[
"*"
]
| no | | [patch\_key](#input\_patch\_key) | Defaults as tag:Patching, but can be customised if pre existing tags and values want to be used | `string` | `"Patching"` | no | | [patch\_schedule](#input\_patch\_schedule) | Crontab on when to run the automation script. | `string` | `"cron(00 22 ? * MON *)"` | no | | [patch\_tag](#input\_patch\_tag) | Defaults as yes, but can be customised if pre existing tags and values want to be used | `string` | `"Yes"` | no | +| [product](#input\_product) | The specific product the patch is applicable for e.g. RedhatEnterpriseLinux8.5, WindowsServer2022 | `list(string)` |
[
"*"
]
| no | | [rejected\_patches](#input\_rejected\_patches) | List of patches to be rejected | `list(string)` | `[]` | no | +| [severity](#input\_severity) | Severity of the patch e.g. Critical, Important, Medium, Low | `list(string)` |
[
"*"
]
| no | | [suffix](#input\_suffix) | When creating multiple patch schedules per environment, a suffix can be used to differentiate resources | `string` | `""` | no | | [tags](#input\_tags) | Common tags to be used by all resources | `map(string)` | n/a | yes | From 604e1ecd90f13b0e4c4c8da764e284df7dffae0a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 15 Jul 2024 14:55:56 +0000 Subject: [PATCH 12/13] Commit changes made by code formatters --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 6b36679..48c7f3e 100644 --- a/main.tf +++ b/main.tf @@ -285,9 +285,9 @@ JSON #} -resource "aws_ssm_patch_baseline" ssm-patch-baseline { - name = "${var.application_name}-baseline${var.suffix}" - description = "${var.application_name}-baseline${var.suffix}" +resource "aws_ssm_patch_baseline" "ssm-patch-baseline" { + name = "${var.application_name}-baseline${var.suffix}" + description = "${var.application_name}-baseline${var.suffix}" operating_system = var.operating_system rejected_patches = var.rejected_patches From 50b6cdb3f9b9d28c724b6d1718c2d33eb3e94d8c Mon Sep 17 00:00:00 2001 From: pav Date: Mon, 15 Jul 2024 15:56:03 +0100 Subject: [PATCH 13/13] reformat --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 48c7f3e..632b47b 100644 --- a/main.tf +++ b/main.tf @@ -307,7 +307,7 @@ resource "aws_ssm_patch_baseline" "ssm-patch-baseline" { patch_filter { key = var.operating_system == "WINDOWS" ? "MSRC_SEVERITY" : "SEVERITY" - values = var.severity # + values = var.severity } } }