├── CHANGELOG.md
├── LICENSE
├── README.md
├── iam.tf
├── outputs.tf
├── s3.tf
├── ssm.tf
├── terraform.tf
└── variables.tf


/CHANGELOG.md:
--------------------------------------------------------------------------------
 1 | ## 1.3.1 (September 22, 2017)
 2 | 
 3 | IMPROVEMENTS:
 4 | * Updated the examples in the README
 5 | * Added descriptions to the variables
 6 | * Added LICENSE and CHANGELOG
 7 | 
 8 | ## 1.3.0 (July 21, 2017)
 9 | 
10 | FEATURES:
11 | * Added s3 logging
12 | 
13 | IMPROVEMENTS:
14 | * Refactored module into seperate files
15 | * Updated patch group tags
16 | 
17 | ## 1.2.0 (June 23, 2017)
18 | 
19 | BUG FIXES:
20 | 
21 | * Fixed `max_concurrency` and `max_errors` which were not passed through to resource.
22 | 
23 | ## 1.1.0 (June 21, 2017)
24 | 
25 | IMPROVEMENTS:
26 | 
27 | * Added support for customizing `max_concurrency` and `max_errors` in the maintaince_window_task
28 | * Added `required_version` to terraform
29 | 
30 | BUG FIXES:
31 | 
32 | * Fixed `approved_patches` and `rejected_patches` variable defaults
33 | * Added missing `envtype` variable
34 | 
35 | ## 1.0.0 (June 14, 2017)
36 | 
37 | Initial version
38 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2017 Claranet
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | tf-aws-ssm-patch-mgmt
 2 | -----
 3 | 
 4 | This module should be used to patch Windows instances based on a schedule.
 5 | 
 6 | The schedule must be in cron or rate format, for example by default the patch scan schedule occurs on a Wednesday 6PM, the patch install schedule occurs at 9PM. For further information on these formats please see the AWS user docs <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-maintenance-cron.html" _target="blank">here</a>.
 7 | 
 8 | #### Instance tagging
 9 | The instances that you wish to be covered by SSM patch management must be tagged with their corresponding "Patch Group". For example we have used the defaults here of "static" and "disposable" for patch scanning, and "automatic" if you want patches automatically installed.
10 | 
11 | _By default:_
12 | * Instances that are tagged with Key: 'Patch Group', Value: 'automatic' will be scanned for Windows updates and then will have the updates installed.
13 | 
14 | * Instances that are tagged with Key: 'Patch Group', Value: 'static' and or 'disposable' will just be scanned and not installed.
15 | 
16 | <br />
17 | 
18 | Usage
19 | -----
20 | 
21 | ```js
22 | 
23 | module "ssm-patching" {
24 |   source = "../modules/tf-aws-ssm-patch-mgmt"
25 | 
26 |   envtype                             = "${var.envtype}"
27 |   scan_maintenance_window_schedule    = "cron(0 0 17 ? * SUN *)"
28 |   install_maintenance_window_schedule = "cron(0 0 20 ? * SUN *)"
29 | }
30 | 
31 | ```
32 | 
33 | 
34 | Variables
35 | ---------
36 | _Variables marked with [*] are mandatory._
37 | 
38 | ###### General variables
39 |  - `source` - The source path to the terraform module, see <a href="https://www.terraform.io/docs/modules/sources.html" target="_blank">here</a> for further information on the `source` variable. [*]
40 | 
41 |  - `name` - This value will prefix all resources, and be added as the value for the `Name` tag where supported. [*]
42 | 
43 |  - `envname` - This label will be added after `name` on all resources, and be added as the value for the `Environment` tag where supported. [*]
44 | 
45 |  - `envtype` - This label will be added after `envname` on all resources, and be added as the value for the `Envtype` tag where supported. [*]
46 | 
47 | ###### Patch baseline variables
48 |  - `approved_patches` - An explicit list of approved patches for the SSM baseline. [Default: []]
49 | 
50 |  - `rejected_patches` - An explicit list of rejected patches for the SSM baseline. [Default: []]
51 | 
52 |  - `product_versions` - An explicit list of rejected patches for the SSM baseline. [Default: []]
53 | 
54 |  - `product_versions` - The list of product versions for the SSM baseline. [Default: ["WindowsServer2016", "WindowsServer2012R2"]]
55 | 
56 |  - `patch_classification` - The list of patch classifications for the SSM baseline. [Default: ["CriticalUpdates", "SecurityUpdates"]]
57 | 
58 |  - `patch_severity` - The list of patch severities for the SSM baseline. [Default: ["Critical", "Important"]]
59 | 
60 | ###### Maintenance Window variables
61 |  - `scan_maintenance_window_schedule` - The schedule of the _scan_ Maintenance Window in the form of a cron or rate expression. You can find further information on the cron format <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-maintenance-cron.html" _target="blank">here</a>. [Default: "cron(0 0 18 ? * SUN *)"]
62 | 
63 |  - `install_maintenance_window_schedule` - The schedule of the _install_ Maintenance Window in the form of a cron or rate expression. You can find further information on the cron format <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-maintenance-cron.html" _target="blank">here</a>. [Default: "cron(0 0 21 ? * SUN *)"]
64 | 
65 |  - `maintenance_window_duration` - The duration of the _all_ Maintenance Windows in hours. [Default: "3"]
66 | 
67 |  - `maintenance_window_cutoff` - The number of hours before the end of any Maintenance Window that Systems Manager stops scheduling new tasks for execution. [Default: "1"]
68 | 
69 |  - `install_patch_groups` - The list of _install_ patching groups, one target will be created per entry in this list. [Default: ["automatic"]]
70 | 
71 |   - `scan_patch_groups` - The list of _scan_ patching groups, one target will be created per entry in this list. [Default: ["static", "disposable"]]
72 | 
73 | 
74 | <br />
75 | 
76 | Outputs
77 | ---------
78 | _(None)_
79 | 


--------------------------------------------------------------------------------
/iam.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_iam_role" "ssm_maintenance_window" {
 2 |   name = "${var.name}-${var.envname}-${var.envtype}-ssm-mw-role"
 3 |   path = "/system/"
 4 | 
 5 |   assume_role_policy = <<EOF
 6 | {
 7 |   "Version": "2012-10-17",
 8 |   "Statement": [
 9 |     {
10 |       "Action": "sts:AssumeRole",
11 |       "Principal": {
12 |         "Service": ["ec2.amazonaws.com","ssm.amazonaws.com"]
13 |       },
14 |       "Effect": "Allow",
15 |       "Sid": ""
16 |     }
17 |   ]
18 | }
19 | EOF
20 | }
21 | 
22 | resource "aws_iam_role_policy_attachment" "role_attach_ssm_mw" {
23 |   role       = "${aws_iam_role.ssm_maintenance_window.name}"
24 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole"
25 | }
26 | 


--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/s3.tf:
--------------------------------------------------------------------------------
 1 | // S3 Bucket For Logs
 2 | resource "aws_s3_bucket" "ssm_patch_log_bucket" {
 3 |   bucket        = "${var.name}-${var.envname}-${var.envtype}-ssm-patch-logs"
 4 |   force_destroy = true
 5 | 
 6 |   tags {
 7 |     Name        = "${var.name}"
 8 |     Environment = "${var.envname}"
 9 |     Envtype     = "${var.envtype}"
10 |     Profile     = "${var.profile}"
11 |   }
12 | }
13 | 


--------------------------------------------------------------------------------
/ssm.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_ssm_patch_baseline" "baseline" {
  2 |   name             = "${var.name}-${var.envname}-${var.envtype}-patch-baseline"
  3 |   description      = "${var.profile} patch baseline"
  4 |   approved_patches = ["${var.approved_patches}"]
  5 |   rejected_patches = ["${var.rejected_patches}"]
  6 | 
  7 |   approval_rule {
  8 |     approve_after_days = 7
  9 | 
 10 |     patch_filter {
 11 |       key    = "PRODUCT"
 12 |       values = ["${var.product_versions}"]
 13 |     }
 14 | 
 15 |     patch_filter {
 16 |       key    = "CLASSIFICATION"
 17 |       values = ["${var.patch_classification}"]
 18 |     }
 19 | 
 20 |     patch_filter {
 21 |       key    = "MSRC_SEVERITY"
 22 |       values = ["${var.patch_severity}"]
 23 |     }
 24 |   }
 25 | }
 26 | 
 27 | resource "aws_ssm_patch_group" "scan_patchgroup" {
 28 |   count       = "${length(var.scan_patch_groups)}"
 29 |   baseline_id = "${aws_ssm_patch_baseline.baseline.id}"
 30 |   patch_group = "${element(var.scan_patch_groups, count.index)}"
 31 | }
 32 | 
 33 | resource "aws_ssm_patch_group" "install_patchgroup" {
 34 |   count       = "${length(var.install_patch_groups)}"
 35 |   baseline_id = "${aws_ssm_patch_baseline.baseline.id}"
 36 |   patch_group = "${element(var.install_patch_groups, count.index)}"
 37 | }
 38 | 
 39 | resource "aws_ssm_maintenance_window" "scan_window" {
 40 |   name     = "${var.name}-${var.envname}-patch-maintenance-scan-mw"
 41 |   schedule = "${var.scan_maintenance_window_schedule}"
 42 |   duration = "${var.maintenance_window_duration}"
 43 |   cutoff   = "${var.maintenance_window_cutoff}"
 44 | }
 45 | 
 46 | resource "aws_ssm_maintenance_window" "install_window" {
 47 |   name     = "${var.name}-${var.envname}-patch-maintenance-install-mw"
 48 |   schedule = "${var.install_maintenance_window_schedule}"
 49 |   duration = "${var.maintenance_window_duration}"
 50 |   cutoff   = "${var.maintenance_window_cutoff}"
 51 | }
 52 | 
 53 | resource "aws_ssm_maintenance_window_target" "target_scan" {
 54 |   count         = "${length(var.scan_patch_groups)}"
 55 |   window_id     = "${aws_ssm_maintenance_window.scan_window.id}"
 56 |   resource_type = "INSTANCE"
 57 | 
 58 |   targets {
 59 |     key    = "tag:Patch Group"
 60 |     values = ["${element(var.scan_patch_groups, count.index)}"]
 61 |   }
 62 | }
 63 | 
 64 | resource "aws_ssm_maintenance_window_task" "task_scan_patches" {
 65 |   window_id        = "${aws_ssm_maintenance_window.scan_window.id}"
 66 |   task_type        = "RUN_COMMAND"
 67 |   task_arn         = "AWS-ApplyPatchBaseline"
 68 |   priority         = 1
 69 |   service_role_arn = "${aws_iam_role.ssm_maintenance_window.arn}"
 70 |   max_concurrency  = "${var.max_concurrency}"
 71 |   max_errors       = "${var.max_errors}"
 72 | 
 73 |   targets {
 74 |     key    = "WindowTargetIds"
 75 |     values = ["${aws_ssm_maintenance_window_target.target_scan.*.id}"]
 76 |   }
 77 | 
 78 |   task_parameters {
 79 |     name   = "Operation"
 80 |     values = ["Scan"]
 81 |   }
 82 | 
 83 |   logging_info {
 84 |     s3_bucket_name = "${aws_s3_bucket.ssm_patch_log_bucket.id}"
 85 |     s3_region      = "${var.aws_region}"
 86 |   }
 87 | }
 88 | 
 89 | resource "aws_ssm_maintenance_window_target" "target_install" {
 90 |   window_id     = "${aws_ssm_maintenance_window.install_window.id}"
 91 |   resource_type = "INSTANCE"
 92 | 
 93 |   targets {
 94 |     key    = "tag:Patch Group"
 95 |     values = ["${element(var.install_patch_groups, count.index)}"]
 96 |   }
 97 | }
 98 | 
 99 | resource "aws_ssm_maintenance_window_task" "task_install_patches" {
100 |   window_id        = "${aws_ssm_maintenance_window.install_window.id}"
101 |   task_type        = "RUN_COMMAND"
102 |   task_arn         = "AWS-ApplyPatchBaseline"
103 |   priority         = 1
104 |   service_role_arn = "${aws_iam_role.ssm_maintenance_window.arn}"
105 |   max_concurrency  = "${var.max_concurrency}"
106 |   max_errors       = "${var.max_errors}"
107 | 
108 |   targets {
109 |     key    = "WindowTargetIds"
110 |     values = ["${aws_ssm_maintenance_window_target.target_install.*.id}"]
111 |   }
112 | 
113 |   task_parameters {
114 |     name   = "Operation"
115 |     values = ["Install"]
116 |   }
117 | 
118 |   logging_info {
119 |     s3_bucket_name = "${aws_s3_bucket.ssm_patch_log_bucket.id}"
120 |     s3_region      = "${var.aws_region}"
121 |   }
122 | }
123 | 


--------------------------------------------------------------------------------
/terraform.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 |   required_version = "> 0.9.0"
3 | }


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
  1 | ## General vars
  2 | variable "name" {
  3 |   description = "This name will prefix all resources, and be added as the value for the 'Name' tag where supported"
  4 |   type = "string"
  5 | }
  6 | 
  7 | variable "envname" {
  8 |   description = "This label will be added after 'name' on all resources, and be added as the value for the 'Environment' tag where supported"
  9 |   type = "string"
 10 | }
 11 | 
 12 | variable "envtype" {
 13 |   description = "This label will be added after 'envname' on all resources, and be added as the value for the 'Envtype' tag where supported"
 14 |   type = "string"
 15 | }
 16 | 
 17 | variable "profile" {
 18 |   description = "This label will be added to the SSM baseline description"
 19 |   type = "string"
 20 |   default = "Windows"
 21 | }
 22 | 
 23 | variable "aws_region" {
 24 |   description = "The AWS region to create this SSM resource in"
 25 |   type = "string"
 26 |   default = "eu-west-1"
 27 | }
 28 | 
 29 | ## Patch baseline vars
 30 | variable "approved_patches" {
 31 |   description = "The list of approved patches for the SSM baseline"
 32 |   type    = "list"
 33 |   default = []
 34 | }
 35 | 
 36 | variable "rejected_patches" {
 37 |   description = "The list of rejected patches for the SSM baseline"
 38 |   type    = "list"
 39 |   default = []
 40 | }
 41 | 
 42 | variable "product_versions" {
 43 |   description = "The list of product versions for the SSM baseline"
 44 |   type    = "list"
 45 |   default = ["WindowsServer2016", "WindowsServer2012R2"]
 46 | }
 47 | 
 48 | variable "patch_classification" {
 49 |   description = "The list of patch classifications for the SSM baseline"
 50 |   type    = "list"
 51 |   default = ["CriticalUpdates", "SecurityUpdates"]
 52 | }
 53 | 
 54 | variable "patch_severity" {
 55 |   description = "The list of patch severities for the SSM baseline"
 56 |   type    = "list"
 57 |   default = ["Critical", "Important"]
 58 | }
 59 | 
 60 | ## Maintenance window vars
 61 | variable "scan_maintenance_window_schedule" {
 62 |   description = "The schedule of the scan Maintenance Window in the form of a cron or rate expression"
 63 |   type = "string"
 64 |   default = "cron(0 0 18 ? * WED *)"
 65 | }
 66 | 
 67 | variable "install_maintenance_window_schedule" {
 68 |   description = "The schedule of the install Maintenance Window in the form of a cron or rate expression"
 69 |   type = "string"
 70 |   default = "cron(0 0 21 ? * WED *)"
 71 | }
 72 | 
 73 | variable "maintenance_window_duration" {
 74 |   description = "The duration of the maintenence windows (hours)"
 75 |   type = "string"
 76 |   default = "3"
 77 | }
 78 | 
 79 | variable "maintenance_window_cutoff" {
 80 |   description = "The number of hours before the end of the Maintenance Window that Systems Manager stops scheduling new tasks for execution"
 81 |   type = "string"
 82 |   default = "1"
 83 | }
 84 | 
 85 | variable "scan_patch_groups" {
 86 |   description = "The list of scan patching groups, one target will be created per entry in this list"
 87 |   type    = "list"
 88 |   default = ["static", "disposable"]
 89 | }
 90 | 
 91 | variable "install_patch_groups" {
 92 |   description = "The list of install patching groups, one target will be created per entry in this list"
 93 |   type    = "list"
 94 |   default = ["automatic"]
 95 | }
 96 | 
 97 | variable "max_concurrency" {
 98 |   description = "The maximum amount of concurrent instances of a task that will be executed in parallel"
 99 |   type    = "string"
100 |   default = "20"
101 | }
102 | 
103 | variable "max_errors" {
104 |   description = "The maximum amount of errors that instances of a task will tollerate before being de-scheduled"
105 |   type    = "string"
106 |   default = "50"
107 | }
108 | 
109 | ## logging info
110 | variable "s3_bucket_name" {
111 |   description = "The name of the S3 bucket to create for log storage"
112 |   type    = "string"
113 | }
114 | 


--------------------------------------------------------------------------------