Creates a basic SSM Patch Manager setup
Here's what using the module will look like:

```hcl
module "patch_manager" {
  source     = "rhythmictech/ssm-patch-manager/aws"
  version    = "~> 1.0.0"
  log_bucket = var.log_bucket
  tags       = var.tags
}
```
This module creates the resources needed to use the default Patch Baselines for any (or all) of the platforms supported by SSM Patch Manager.

Patches will only be applied to instances tagged with `TAG_GROUP : $PLATFORM`, where `$PLATFORM` is the name of the platform running on that instance:
- AMAZON_LINUX_2
- AMAZON_LINUX
- CENTOS
- ORACLE_LINUX
- SUSE
- WINDOWS
- DEBIAN
- UBUNTU
- REDHAT_ENTERPRISE_LINUX
- MACOS
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.13.5 |
| aws | >= 3.28 |

## Providers

| Name | Version |
|---|---|
| aws | >= 3.28 |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| install_schedule | 6-field cron expression describing the install maintenance schedule | string | n/a | yes |
| scan_schedule | 6-field cron expression describing the scan maintenance schedule | string | n/a | yes |
| install_cutoff | How many hours before the end of the maintenance window to stop scheduling new instances to install patches | number | 1 | no |
| install_duration | How long in hours the install maintenance window lasts | number | 3 | no |
| install_log_prefix | The S3 bucket subfolder to store install logs in | string | "/patch_manager/install/" | no |
| install_notification_configs | A set of notification_config objects (see the AWS docs) | set(object({ | [] | no |
| log_bucket | S3 bucket that logs should be sent to | string | null | no |
| max_install_concurrency | The maximum number of instances to operate on at once | number | 2 | no |
| max_install_errors | The maximum number of errors before stopping the install task scheduling | number | 2 | no |
| max_scan_concurrency | The maximum number of instances to operate on at once | number | 20 | no |
| max_scan_errors | The maximum number of errors before stopping the scan task scheduling | number | 20 | no |
| name | Name to assign to resources in this module | string | "patch-manager" | no |
| platforms | The list of platforms you want to support | set(string) | [ | no |
| scan_cutoff | How many hours before the end of the maintenance window to stop scheduling new instances to scan | number | 1 | no |
| scan_duration | How long in hours the scan maintenance window lasts | number | 4 | no |
| scan_log_prefix | The S3 bucket subfolder to store scan logs in | string | "/patch_manager/scan/" | no |
| scan_notification_configs | A set of notification_config objects (see the AWS docs) | set(object({ | [] | no |
| schedule_timezone | IANA-format timezone to use for Maintenance Window scheduling | string | "UTC" | no |
| tags | A map of tags to be added to associated resources | map(string) | { | no |

## Outputs

No outputs.
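The following is an added usage example, not code from the module's own README, that puts the inputs above together with the tagging rule: scans run nightly, installs only in a Sunday window, and a single instance is opted in by carrying the `TAG_GROUP` tag the README describes. The `aws_instance` block, its AMI and subnet variables, and the `aws_iam_instance_profile.ssm` reference (an instance profile with SSM permissions, assumed to be defined elsewhere) are placeholders.

```hcl
# Added example, not part of the module. Assumes the inputs documented above;
# var.amazon_linux_2_ami_id, var.subnet_id and aws_iam_instance_profile.ssm
# are placeholders defined elsewhere in the root module.
module "patch_manager" {
  source  = "rhythmictech/ssm-patch-manager/aws"
  version = "~> 1.0.0"

  name       = "patch-manager"
  log_bucket = var.log_bucket

  # Only create baselines and windows for the platforms actually in use.
  platforms = ["AMAZON_LINUX_2", "UBUNTU"]

  # SSM Maintenance Window cron expressions (6 fields), evaluated in
  # schedule_timezone: scan every night at 01:00, install Sundays at 03:00.
  schedule_timezone = "America/New_York"
  scan_schedule     = "cron(0 1 ? * * *)"
  install_schedule  = "cron(0 3 ? * SUN *)"

  # Scans are read-only, so they can run wide; installs are deliberately
  # conservative: two instances at a time, stop after two errors, and stop
  # scheduling new instances an hour before the window closes.
  scan_duration           = 4
  scan_cutoff             = 1
  max_scan_concurrency    = 20
  max_scan_errors         = 20
  install_duration        = 3
  install_cutoff          = 1
  max_install_concurrency = 2
  max_install_errors      = 2

  tags = var.tags
}

# An instance is only targeted by the windows above when it carries the
# TAG_GROUP tag whose value is the platform name it runs.
resource "aws_instance" "web" {
  ami                  = var.amazon_linux_2_ami_id          # placeholder
  instance_type        = "t3.small"
  subnet_id            = var.subnet_id                      # placeholder
  iam_instance_profile = aws_iam_instance_profile.ssm.name  # placeholder

  tags = merge(var.tags, {
    Name      = "web"
    TAG_GROUP = "AMAZON_LINUX_2"
  })
}
```

Two things worth checking before applying: the cutoff values mean an instance that is not scheduled by the cutoff hour waits for the next window rather than starting a patch run that may overrun it, and the instance must be registered with SSM (agent running, instance profile with SSM permissions) or the tag alone does nothing.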
This workflow has a few prerequisites which are installed through the `./bin/install-x.sh` scripts and are linked below. The install scripts will also work on your local machine.

We use tfenv to manage Terraform versions: the required version is defined in `versions.tf`, and tfenv installs the latest compliant version.

pre-commit is like a package manager for scripts that integrate with git hooks. We use it to run the rest of the tools before apply.

terraform-docs generates the docs above, tfsec scans for security no-nos, and tflint scans for best practices.