AWS Systems Manager Patch Baseline

This page shows how to define an AWS Systems Manager Patch Baseline in Terraform and CloudFormation, and how to write those definitions securely.

aws_ssm_patch_baseline (Terraform)

A Patch Baseline in Systems Manager can be configured in Terraform with the resource name aws_ssm_patch_baseline. The following sections describe one example of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L7
resource "aws_ssm_patch_baseline" "test-baseline" {
  name             = "test-amazon-linux"
  description      = "Approves all Amazon Linux operating system patches that are classified as Security, Bugfix or Recommended"
  operating_system = "AMAZON_LINUX"

  # Global filter restricting the baseline to the classifications named in the description
  global_filter {
    key    = "CLASSIFICATION"
    values = ["Security", "Bugfix", "Recommended"]
  }
}

Parameters

Explanation in Terraform Registry

Provides an SSM Patch Baseline resource

NOTE on Patch Baselines: The approved_patches and approval_rule are both marked as optional fields, but the Patch Baseline requires that at least one of them is specified.
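The following is an added example, not the csa-bconnors/ssm-tf-demo code and not taken from the Terraform Registry; it shows the settings a security engineer would actually want on a baseline: an approval_rule that satisfies the note above, a soak window before approval, a compliance level so missing patches surface as findings, an explicit block policy for rejected packages, and the aws_ssm_patch_group binding without which tagged instances silently fall back to the AWS-managed default baseline. The resource names, the 7-day window, the "al2-prod" patch group and the rejected package pattern are assumptions chosen for illustration.

```hcl
# Added example (not from the original page). Names, the 7-day soak window,
# the "al2-prod" patch group and the rejected package pattern are assumptions.
resource "aws_ssm_patch_baseline" "al2_security" {
  name             = "al2-security-baseline"
  description      = "Auto-approves Critical and Important security patches for Amazon Linux 2 after a 7-day soak"
  operating_system = "AMAZON_LINUX_2"

  # Satisfies the registry note: at least one of approval_rule or
  # approved_patches must be present, otherwise the API rejects the baseline.
  approval_rule {
    # A patch becomes approved 7 days after its release, giving time to
    # catch regressions before AWS-RunPatchBaseline installs it.
    # (approve_after_days and approve_until_date are mutually exclusive.)
    approve_after_days = 7

    # Instances missing a patch approved by this rule report CRITICAL
    # non-compliance in Patch Manager, so gaps are visible, not silent.
    compliance_level = "CRITICAL"

    # Keep non-security updates from riding along with this rule (Linux only).
    enable_non_security = false

    patch_filter {
      key    = "CLASSIFICATION"
      values = ["Security"]
    }

    patch_filter {
      key    = "SEVERITY"
      values = ["Critical", "Important"]
    }
  }

  # Hypothetical package pattern that must never be installed. BLOCK means it is
  # not installed even when another approved patch depends on it; the default
  # ALLOW_AS_DEPENDENCY would let it in through the back door.
  rejected_patches        = ["example-vendor-agent*"]
  rejected_patches_action = "BLOCK"

  tags = {
    Owner = "security-engineering"
  }
}

# Instances tagged "Patch Group" = "al2-prod" use this baseline. Without this
# binding they are evaluated against the AWS default baseline for their OS.
resource "aws_ssm_patch_group" "al2_prod" {
  baseline_id = aws_ssm_patch_baseline.al2_security.id
  patch_group = "al2-prod"
}
```

Creating the baseline does not patch anything by itself: it only defines what counts as approved. Installation happens when the AWS-RunPatchBaseline document runs against the instances (for example from a maintenance window or State Manager association) with Operation set to Install; running it with Operation set to Scan is the way to see compliance against this baseline before enabling installation.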

AWS::SSM::PatchBaseline (CloudFormation)

A PatchBaseline in SSM can be configured in CloudFormation with the resource name AWS::SSM::PatchBaseline. The following sections describe ten examples of how to use the resource and its parameters.

Example Usage from GitHub

rhel_approve_all.yml#L5
    Type: "AWS::SSM::PatchBaseline"
    Properties:
      Name: "Custom-Patch-Baseline"
      Description: "Custom Patch Baseline"
      OperatingSystem: "REDHAT_ENTERPRISE_LINUX"
      PatchGroups:
centos_approve_all.yml#L5
    Type: "AWS::SSM::PatchBaseline"
    Properties:
      Name: "Custom-Patch-Baseline"
      Description: "Custom Patch Baseline"
      OperatingSystem: "CENTOS"
      PatchGroups:
amazon_linux2_approve_all.yml#L5
    Type: "AWS::SSM::PatchBaseline"
    Properties:
      Name: "Custom-Patch-Baseline"
      Description: "Custom Patch Baseline"
      OperatingSystem: "AMAZON_LINUX_2"
      PatchGroups:
windows_approve_all.yml#L5
    Type: "AWS::SSM::PatchBaseline"
    Properties:
      Name: "Custom-Patch-Baseline"
      Description: "Custom Patch Baseline"
      OperatingSystem: "WINDOWS"
      PatchGroups:
enable-ssm-patch.yml#L16
    Type: AWS::SSM::PatchBaseline
    Properties:
      ApprovalRules:
        PatchRules:
          - ApproveAfterDays: 7
            PatchFilterGroup:
ssm-PatchBaseline.json#L712
            "Type": "AWS::SSM::PatchBaseline",
            "Condition": "CreateDevRHEL",
            "Properties": {
                "OperatingSystem": "REDHAT_ENTERPRISE_LINUX",
                "PatchGroups": [
                    "RHEL-Dev"
MyAmazonLinuxPatchBaseline.json#L5
            "Type": "AWS::SSM::PatchBaseline",
            "Properties": {
                "OperatingSystem": "AMAZON_LINUX",
                "ApprovedPatches": [],
                "PatchGroups": [],
                "Description": "Create Patch Baselines for Amazon Linux",
resourcemodel.json#L4
      "Type": "AWS::SSM::PatchBaseline",
      "Properties": {
        "Name": "mywindownsPatchBaseline-1",
        "Description": "Baseline containing all updates approved for Windows instances",
        "OperatingSystem": "WINDOWS",
        "PatchGroups": [
CF_DeploySSMResource.json#L203
            "Type": "AWS::SSM::PatchBaseline",
            "Properties": {
                "Name": "WindowsApprovedPatches",
                "Description": "Baseline containing all updates approved for Windows instances",
                "OperatingSystem": "WINDOWS",
                "PatchGroups": [
CF_DeployNoRebootSSMResource_NewPB.json#L197
            "Type": "AWS::SSM::PatchBaseline",
            "Properties": {
                "Name": "WindowsApprovedPatches",
                "Description": "Baseline containing all updates approved for Windows instances",
                "OperatingSystem": "WINDOWS",
                "PatchGroups": [

Parameters

Explanation in CloudFormation Registry

The AWS::SSM::PatchBaseline resource defines the basic information for an AWS Systems Manager patch baseline. A patch baseline defines which patches are approved for installation on your instances. For more information, see CreatePatchBaseline in the AWS Systems Manager API Reference.

Frequently asked questions

What is AWS Systems Manager Patch Baseline?

An AWS Systems Manager Patch Baseline is a Systems Manager (Patch Manager) resource in Amazon Web Services that defines which patches are approved for installation on your instances. It can be written in Terraform (aws_ssm_patch_baseline) and in CloudFormation (AWS::SSM::PatchBaseline).

Where can I find the example code for the AWS Systems Manager Patch Baseline?

For Terraform, the csa-bconnors/ssm-tf-demo source code example is useful. See the Terraform Example section for further details.

For CloudFormation, the mobious999/Cloudformation source code examples are useful. See the CloudFormation Example section for further details.