ssm-patch-management
claranet/ssm-patch-management/aws
Terraform module for AWS SSM Patch Management
tf-aws-ssm-patch-mgmt
-----

This module should be used to patch Windows instances based on a schedule. The schedule must be in cron or rate format. For example, by default the patch scan runs on Wednesdays at 6PM and the patch install runs at 9PM. For further information on these formats, please see the AWS user docs.

Instance tagging
-----

The instances that you wish to be covered by SSM patch management must be tagged with their corresponding "Patch Group". For example, we have used the defaults here of "static" and "disposable" for patch scanning, and "automatic" if you want patches automatically installed.

_By default:_

Instances that are tagged with Key: 'Patch Group', Value: 'Automatic' will be scanned for Windows updates and then will have the updates installed. Instan

| Name | Type | Description | Default |
|---|---|---|---|
| s3_bucket_name | string | The name of the S3 bucket to create for log storage | required |
| name | string | This name will prefix all resources, and be added as the value for the 'Name' ta | required |
| envname | string | This label will be added after 'name' on all resources, and be added as the valu | required |
| envtype | string | This label will be added after 'envname' on all resources, and be added as the v | required |
| install_maintenance_window_schedule | string | The schedule of the install Maintenance Window in the form of a cron or rate exp | "cron(0 0 21 ? * WED *)" |
| install_patch_groups | list | The list of install patching groups, one target will be created per entry in thi | ["automatic"] |
| approved_patches | list | The list of approved patches for the SSM baseline | [] |
| rejected_patches | list | The list of rejected patches for the SSM baseline | [] |
| scan_maintenance_window_schedule | string | The schedule of the scan Maintenance Window in the form of a cron or rate expres | "cron(0 0 18 ? * WED *)" |
| aws_region | string | The AWS region to create this SSM resource in | "eu-west-1" |
| max_errors | string | The maximum amount of errors that instances of a task will tolerate before bein | "50" |
| profile | string | This label will be added to the SSM baseline description | "Windows" |
| max_concurrency | string | The maximum amount of concurrent instances of a task that will be executed in pa | "20" |
| patch_classification | list | The list of patch classifications for the SSM baseline | ["CriticalUpdates", "SecurityUpdate |
| patch_severity | list | The list of patch severities for the SSM baseline | ["Critical", "Important"] |
| maintenance_window_duration | string | The duration of the maintenance windows (hours) | "3" |
| maintenance_window_cutoff | string | The number of hours before the end of the Maintenance Window that Systems Manage | "1" |
| scan_patch_groups | list | The list of scan patching groups, one target will be created per entry in this l | ["static", "disposable"] |
| product_versions | list | The list of product versions for the SSM baseline | ["WindowsServer2016", "WindowsServe |
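
One way to call the module with the inputs listed above, together with an instance tagged into the install patch group. This is an added example, not taken from the module's own documentation; the bucket name, labels, AMI ID, instance type and resource names are constructed placeholders, and the tag value is written in lowercase so that it matches the `install_patch_groups` entry exactly.

```hcl
# Added example. Values marked "constructed" are placeholders, not from the module's docs.
module "ssm_patch_management" {
  source = "claranet/ssm-patch-management/aws"

  # Required inputs
  s3_bucket_name = "example-ssm-patch-logs" # constructed
  name           = "example"                # constructed
  envname        = "prod"                   # constructed
  envtype        = "live"                   # constructed

  aws_region = "eu-west-1"

  # Scan at 18:00 and install at 21:00 on Wednesdays (the documented defaults),
  # so every install run is preceded by a fresh scan on the same day.
  scan_maintenance_window_schedule    = "cron(0 0 18 ? * WED *)"
  install_maintenance_window_schedule = "cron(0 0 21 ? * WED *)"
  maintenance_window_duration         = "3"
  maintenance_window_cutoff           = "1"

  # One maintenance window target is created per entry in each list.
  scan_patch_groups    = ["static", "disposable"]
  install_patch_groups = ["automatic"]

  # Baseline filter: only Critical and Important patches.
  patch_severity = ["Critical", "Important"]

  max_concurrency = "20"
  max_errors      = "50"
}

# A Windows instance opted in to automatic installation via its tag.
# The instance must also be an SSM managed instance (SSM Agent running and
# an instance profile that allows Systems Manager); that part is not shown.
resource "aws_instance" "app" {
  ami           = "ami-00000000000000000" # constructed placeholder
  instance_type = "t3.medium"             # constructed

  tags = {
    Name          = "example-app"
    "Patch Group" = "automatic" # must match an entry in install_patch_groups
  }
}
```

Instances left untagged, or tagged with a value that appears in neither list, are not targeted by either maintenance window, so checking tag coverage belongs in the same review as the module inputs.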