AWS Systems Manager Patch Baseline
This page shows how to write the Systems Manager Patch Baseline resource in Terraform and CloudFormation, and how to configure it securely.
aws_ssm_patch_baseline (Terraform)
The Patch Baseline in Systems Manager can be configured in Terraform with the resource name aws_ssm_patch_baseline. The following sections describe one example of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_ssm_patch_baseline" "test-baseline" {
  name             = "test-amazon-linux"
  description      = "Approves all Amazon Linux operating system patches that are classified as Security, Bugfix or Recommended"
  operating_system = "AMAZON_LINUX"

  global_filter {
    # The source excerpt ends after "global_filter {"; the key and values here are assumed so that the block is valid HCL.
    key    = "PRODUCT"
    values = ["AmazonLinux2018.03"]
  }
}
Parameters

- approved_patches: optional, set of string
- approved_patches_compliance_level: optional, string
- approved_patches_enable_non_security: optional, bool
- arn: optional, computed, string
- description: optional, string
- id: optional, computed, string
- name: required, string
- operating_system: optional, string
- rejected_patches: optional, set of string
- rejected_patches_action: optional, computed, string
- tags: optional, map from string to string
- approval_rule: list block
  - approve_after_days: optional, number
  - approve_until_date: optional, string
  - compliance_level: optional, string
  - enable_non_security: optional, bool
  - patch_filter: list block
- global_filter: list block
- source: list block
  - configuration: required, string
  - name: required, string
  - products: required, list of string
Explanation in Terraform Registry
Provides an SSM Patch Baseline resource.

NOTE on Patch Baselines: approved_patches and approval_rule are both marked as optional fields, but the Patch Baseline requires that at least one of them is specified.
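A fuller baseline than the excerpt above, written as an added example for this page (it is not code from the page or from the csa-bconnors/ssm-tf-demo repository). It exercises the parameters listed above that matter most from a security standpoint: approval rules with a soak period and a compliance level, an explicit rejected_patches list enforced with rejected_patches_action = "BLOCK", and non-security patches left disabled. The resource name, baseline name, product filter values, soak periods and the rejected package pattern are all assumptions.

```hcl
# Added example, not from the page or the csa-bconnors/ssm-tf-demo repository.
# Names, filter values, soak periods and the rejected package pattern are assumptions.
resource "aws_ssm_patch_baseline" "amazon_linux_2_security" {
  name             = "amazon-linux-2-security-baseline" # assumed name
  description      = "Auto-approves Security patches after a short soak and blocks a deny list of packages"
  operating_system = "AMAZON_LINUX_2"

  # A global filter narrows every approval rule below to one product line. Assumed value.
  global_filter {
    key    = "PRODUCT"
    values = ["AmazonLinux2"]
  }

  # Rule 1: Critical and Important security fixes are approved 3 days after release
  # and an instance missing one is reported as CRITICAL non-compliance.
  approval_rule {
    approve_after_days  = 3
    compliance_level    = "CRITICAL"
    enable_non_security = false

    patch_filter {
      key    = "CLASSIFICATION"
      values = ["Security"]
    }
    patch_filter {
      key    = "SEVERITY"
      values = ["Critical", "Important"]
    }
  }

  # Rule 2: Bugfix packages get a longer soak and a HIGH compliance level.
  approval_rule {
    approve_after_days = 7
    compliance_level   = "HIGH"

    patch_filter {
      key    = "CLASSIFICATION"
      values = ["Bugfix"]
    }
  }

  # Explicit deny list. With BLOCK, a rejected package is never installed even when a
  # rule above would approve it; ALLOW_AS_DEPENDENCY would still let it in as a dependency.
  rejected_patches        = ["example-bad-package*"] # assumed placeholder pattern
  rejected_patches_action = "BLOCK"

  # Compliance level and non-security behaviour for anything listed in approved_patches.
  approved_patches_compliance_level    = "MEDIUM"
  approved_patches_enable_non_security = false

  tags = {
    ManagedBy = "terraform"
  }
}
```

The baseline does nothing on its own: instances only pick it up once their patch group is registered against it with an aws_ssm_patch_group resource (not shown on this page) or once it is made the default baseline for the operating system. Keep approve_after_days above zero for anything auto-approved; a zero-day soak means a bad vendor package reaches every instance at the next maintenance window before anyone has a chance to add it to rejected_patches.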
AWS::SSM::PatchBaseline (CloudFormation)
The PatchBaseline in SSM can be configured in CloudFormation with the resource name AWS::SSM::PatchBaseline. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Example 1 (excerpt):

Type: "AWS::SSM::PatchBaseline"
Properties:
  Name: "Custom-Patch-Baseline"
  Description: "Custom Patch Baseline"
  OperatingSystem: "REDHAT_ENTERPRISE_LINUX"
  PatchGroups:

Example 2 (excerpt):

Type: "AWS::SSM::PatchBaseline"
Properties:
  Name: "Custom-Patch-Baseline"
  Description: "Custom Patch Baseline"
  OperatingSystem: "CENTOS"
  PatchGroups:

Example 3 (excerpt):

Type: "AWS::SSM::PatchBaseline"
Properties:
  Name: "Custom-Patch-Baseline"
  Description: "Custom Patch Baseline"
  OperatingSystem: "AMAZON_LINUX_2"
  PatchGroups:

Example 4 (excerpt):

Type: "AWS::SSM::PatchBaseline"
Properties:
  Name: "Custom-Patch-Baseline"
  Description: "Custom Patch Baseline"
  OperatingSystem: "WINDOWS"
  PatchGroups:

Example 5 (excerpt):

Type: AWS::SSM::PatchBaseline
Properties:
  ApprovalRules:
    PatchRules:
      - ApproveAfterDays: 7
        PatchFilterGroup:

Example 6 (excerpt):

{
  "Type": "AWS::SSM::PatchBaseline",
  "Condition": "CreateDevRHEL",
  "Properties": {
    "OperatingSystem": "REDHAT_ENTERPRISE_LINUX",
    "PatchGroups": [
      "RHEL-Dev"
    ]
  }
}

Example 7 (excerpt):

{
  "Type": "AWS::SSM::PatchBaseline",
  "Properties": {
    "OperatingSystem": "AMAZON_LINUX",
    "ApprovedPatches": [],
    "PatchGroups": [],
    "Description": "Create Patch Baselines for Amazon Linux"
  }
}

Example 8 (excerpt):

{
  "Type": "AWS::SSM::PatchBaseline",
  "Properties": {
    "Name": "mywindownsPatchBaseline-1",
    "Description": "Baseline containing all updates approved for Windows instances",
    "OperatingSystem": "WINDOWS",
    "PatchGroups": [
    ]
  }
}

Example 9 (excerpt):

{
  "Type": "AWS::SSM::PatchBaseline",
  "Properties": {
    "Name": "WindowsApprovedPatches",
    "Description": "Baseline containing all updates approved for Windows instances",
    "OperatingSystem": "WINDOWS",
    "PatchGroups": [
    ]
  }
}

Example 10 (excerpt):

{
  "Type": "AWS::SSM::PatchBaseline",
  "Properties": {
    "Name": "WindowsApprovedPatches",
    "Description": "Baseline containing all updates approved for Windows instances",
    "OperatingSystem": "WINDOWS",
    "PatchGroups": [
    ]
  }
}
Parameters

- OperatingSystem: optional, String
- Description: optional, String
- ApprovalRules: optional, RuleGroup
- Sources: optional, List of PatchSource
- Name: required, String
- RejectedPatches: optional, List
- ApprovedPatches: optional, List
- RejectedPatchesAction: optional, String
- PatchGroups: optional, List
- ApprovedPatchesComplianceLevel: optional, String
- ApprovedPatchesEnableNonSecurity: optional, Boolean
- GlobalFilters: optional, PatchFilterGroup
- Tags: optional, List of Tag
Explanation in CloudFormation Registry
The AWS::SSM::PatchBaseline resource defines the basic information for an AWS Systems Manager patch baseline. A patch baseline defines which patches are approved for installation on your instances. For more information, see CreatePatchBaseline in the AWS Systems Manager API Reference.
Frequently asked questions
What is AWS Systems Manager Patch Baseline?
AWS Systems Manager Patch Baseline is a resource for Systems Manager of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Systems Manager Patch Baseline?
For Terraform, the csa-bconnors/ssm-tf-demo source code example is useful. See the Terraform Example section for further details.
For CloudFormation, the mobious999/Cloudformation source code examples are useful. See the CloudFormation Example section for further details.