Top / Google Cloud Platform / Google OS Config / Patch Deployment

Google OS Config Patch Deployment

This page shows how to write Terraform for OS Config Patch Deployment and write them securely.

terraform-logo

Review your .tf file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

google_os_config_patch_deployment (Terraform)

The Patch Deployment in OS Config can be configured in Terraform with the resource name google_os_config_patch_deployment. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

os-patch.tf#L1
resource "google_os_config_patch_deployment" "blue-windows" {
  patch_deployment_id = var.deployment_id_1


  instance_filter {
    group_labels {
vm-manager.tf#L1
resource "google_os_config_patch_deployment" "patch" {
  patch_deployment_id = "patch-deploy-apt"

  instance_filter {
    group_labels {
      labels = {

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Time the patch deployment was created. Timestamp is in RFC3339 text format. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

Description of the patch deployment. Length of the description is limited to 1024 characters.

Duration of the patch. After the duration ends, the patch times out. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s"

The last time a patch job was started by this deployment. Timestamp is in RFC3339 text format. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

  • name optional computed - string

Unique name for the patch deployment resource in a project. The patch deployment name is in the form: projects/[project_id]/patchDeployments/[patchDeploymentId].

A name for the patch deployment in the project. When creating a name the following rules apply: Must contain only lowercase letters, numbers, and hyphens. Must start with a letter. Must be between 1-63 characters. Must end with a number or a letter. * Must be unique within the project.

Time the patch deployment was last updated. Timestamp is in RFC3339 text format. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

  • instance_filter list block
    • all optional - bool

    Target all VM instances in the project. If true, no other criteria is permitted.

    Targets VMs whose name starts with one of these prefixes. Similar to labels, this is another way to group VMs when targeting configs, for example prefix="prod-".

    Targets any of the VM instances specified. Instances are specified by their URI in the 'form zones/[[zone]]/instances/[[instance_name]]', 'projects/[[project_id]]/zones/[[zone]]/instances/[[instance_name]]', or 'https://www.googleapis.com/compute/v1/projects/[[project_id]]/zones/[[zone]]/instances/[[instance_name]]'

    • zones optional - list of string

    Targets VM instances in ANY of these zones. Leave empty to target VM instances in any zone.

    • group_labels list block
      • labels required - map from string to string

      Compute Engine instance labels that must be present for a VM instance to be targeted by this filter

  • one_time_schedule list block

    The desired patch job execution time. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

  • patch_config list block

    Post-patch reboot settings. Possible values: ["DEFAULT", "ALWAYS", "NEVER"]

    • apt list block

      List of packages to exclude from update. These packages will be excluded.

      An exclusive list of packages to be updated. These are the only packages that will be updated. If these packages are not installed, they will be ignored. This field cannot be specified with any other patch configuration fields.

      By changing the type to DIST, the patching is performed using apt-get dist-upgrade instead. Possible values: ["DIST", "UPGRADE"]

    • goo list block

      goo update settings. Use this setting to override the default goo patch rules.

    • post_step list block
      • linux_exec_step_config list block

        Defaults to [0]. A list of possible return values that the execution can return to indicate a success.

        The script interpreter to use to run the script. If no interpreter is specified the script will be executed directly, which will likely only succeed for scripts with shebang lines. Possible values: ["SHELL", "POWERSHELL"]

        An absolute path to the executable on the VM.

        • gcs_object list block

          Bucket of the Cloud Storage object.

          Generation number of the Cloud Storage object. This is used to ensure that the ExecStep specified by this PatchJob does not change.

          Name of the Cloud Storage object.

      • windows_exec_step_config list block

        Defaults to [0]. A list of possible return values that the execution can return to indicate a success.

        The script interpreter to use to run the script. If no interpreter is specified the script will be executed directly, which will likely only succeed for scripts with shebang lines. Possible values: ["SHELL", "POWERSHELL"]

        An absolute path to the executable on the VM.

        • gcs_object list block

          Bucket of the Cloud Storage object.

          Generation number of the Cloud Storage object. This is used to ensure that the ExecStep specified by this PatchJob does not change.

          Name of the Cloud Storage object.

    • pre_step list block
      • linux_exec_step_config list block

        Defaults to [0]. A list of possible return values that the execution can return to indicate a success.

        The script interpreter to use to run the script. If no interpreter is specified the script will be executed directly, which will likely only succeed for scripts with shebang lines. Possible values: ["SHELL", "POWERSHELL"]

        An absolute path to the executable on the VM.

        • gcs_object list block

          Bucket of the Cloud Storage object.

          Generation number of the Cloud Storage object. This is used to ensure that the ExecStep specified by this PatchJob does not change.

          Name of the Cloud Storage object.

      • windows_exec_step_config list block

        Defaults to [0]. A list of possible return values that the execution can return to indicate a success.

        The script interpreter to use to run the script. If no interpreter is specified the script will be executed directly, which will likely only succeed for scripts with shebang lines. Possible values: ["SHELL", "POWERSHELL"]

        An absolute path to the executable on the VM.

        • gcs_object list block

          Bucket of the Cloud Storage object.

          Generation number of the Cloud Storage object. This is used to ensure that the ExecStep specified by this PatchJob does not change.

          Name of the Cloud Storage object.

    • windows_update list block

      Only apply updates of these windows update classifications. If empty, all updates are applied. Possible values: ["CRITICAL", "SECURITY", "DEFINITION", "DRIVER", "FEATURE_PACK", "SERVICE_PACK", "TOOL", "UPDATE_ROLLUP", "UPDATE"]

      List of KBs to exclude from update.

      An exclusive list of kbs to be updated. These are the only patches that will be updated. This field must not be used with other patch configurations.

    • yum list block

      List of packages to exclude from update. These packages will be excluded.

      An exclusive list of packages to be updated. These are the only packages that will be updated. If these packages are not installed, they will be ignored. This field cannot be specified with any other patch configuration fields.

      Will cause patch to run yum update-minimal instead.

      Adds the --security flag to yum update. Not supported on all platforms.

    • zypper list block

      Install only patches with these categories. Common categories include security, recommended, and feature.

      List of packages to exclude from update.

      An exclusive list of patches to be updated. These are the only patches that will be installed using 'zypper patch patch:' command. This field must not be used with any other patch configuration fields.

      Install only patches with these severities. Common severities include critical, important, moderate, and low.

      Adds the --with-optional flag to zypper patch.

      Adds the --with-update flag, to zypper patch.

  • recurring_schedule list block

    The end time at which a recurring patch deployment schedule is no longer active. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

    The time the last patch job ran successfully. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

    The time the next patch job is scheduled to run. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

    The time that the recurring schedule becomes effective. Defaults to createTime of the patch deployment. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

    • monthly list block

      One day of the month. 1-31 indicates the 1st to the 31st day. -1 indicates the last day of the month. Months without the target day will be skipped. For example, a schedule to run "every month on the 31st" will not run in February, April, June, etc.

      • week_day_of_month list block

        A day of the week. Possible values: ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY", "SUNDAY"]

        Week number in a month. 1-4 indicates the 1st to 4th week of the month. -1 indicates the last week of the month.

    • time_of_day list block

      Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

      Minutes of hour of day. Must be from 0 to 59.

      Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

      Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

    • time_zone list block
      • id required - string

      IANA Time Zone Database time zone, e.g. "America/New_York".

      IANA Time Zone Database version number, e.g. "2019a".

    • weekly list block

      IANA Time Zone Database time zone, e.g. "America/New_York". Possible values: ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY", "SUNDAY"]

  • rollout list block

    Mode of the patch rollout. Possible values: ["ZONE_BY_ZONE", "CONCURRENT_ZONES"]

    • disruption_budget list block

      Specifies a fixed value.

      Specifies the relative value defined as a percentage, which will be multiplied by a reference value.

  • timeouts single block

>> from Terraform Registry

Explanation in Terraform Registry

Patch deployments are configurations that individual patch jobs use to complete a patch. These configurations include instance filter, package repository settings, and a schedule. To get more information about PatchDeployment, see:

>> from Terraform Registry

The Other Related Google OS Config Resources

Frequently asked questions

What is Google OS Config Patch Deployment?

Google OS Config Patch Deployment is a resource for OS Config of Google Cloud Platform. Settings can be wrote in Terraform.

Where can I find the example code for the Google OS Config Patch Deployment?

For Terraform, the rackspace-infrastructure-automation/mgcp-terraform-modules and jeremychauvet/gcp-terramearth-showroom source code examples are useful. See the Terraform Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents