PatchBaselineArgs

data class PatchBaselineArgs(val approvalRules: Output<List<PatchBaselineApprovalRuleArgs>>? = null, val approvedPatches: Output<List<String>>? = null, val approvedPatchesComplianceLevel: Output<String>? = null, val approvedPatchesEnableNonSecurity: Output<Boolean>? = null, val description: Output<String>? = null, val globalFilters: Output<List<PatchBaselineGlobalFilterArgs>>? = null, val name: Output<String>? = null, val operatingSystem: Output<String>? = null, val rejectedPatches: Output<List<String>>? = null, val rejectedPatchesAction: Output<String>? = null, val sources: Output<List<PatchBaselineSourceArgs>>? = null, val tags: Output<Map<String, String>>? = null) : ConvertibleToJava<PatchBaselineArgs>

Provides an SSM Patch Baseline resource.

NOTE on Patch Baselines: The approved_patches and approval_rule are both marked as optional fields, but the Patch Baseline requires that at least one of them is specified.

Example Usage

Basic Usage

Using approved_patches only.

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssm.PatchBaseline;
import com.pulumi.aws.ssm.PatchBaselineArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    /** Program entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a patch baseline that approves one explicitly listed patch.
     *
     * <p>No approval rules are configured, so approval depends entirely on the
     * hand-maintained list below; a newly released fix is presumably not approved
     * until its id is added here. No operating system is set, so the documented
     * default (WINDOWS) applies.
     *
     * @param ctx the Pulumi deployment context (unused in this example)
     */
    public static void stack(Context ctx) {
        var baselineArgs = PatchBaselineArgs.builder()
            .approvedPatches("KB123456")
            .build();

        // "production" is the Pulumi resource name.
        var productionBaseline = new PatchBaseline("production", baselineArgs);
    }
}

Advanced Usage, specifying patch filters

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssm.PatchBaseline;
import com.pulumi.aws.ssm.PatchBaselineArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRuleArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineGlobalFilterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
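public class App {
    /** Program entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a patch baseline that combines approval rules, explicitly approved
     * patches, global filters and a rejected patch.
     *
     * <p>Points to check when adapting this example:
     * <ul>
     *   <li>Both rules use {@code approveAfterDays(7)}: a matching patch waits seven days
     *       before it is approved, so hosts remain unpatched for at least that long.</li>
     *   <li>Only the first rule sets a compliance level; the second leaves it unset, so
     *       missing WindowsServer2012 patches are reported at the provider default
     *       (presumably UNSPECIFIED - confirm) and may be under-prioritised.</li>
     *   <li>{@code rejectedPatchesAction} is not set; set it to BLOCK explicitly if the
     *       rejected patch must not be installed even as a dependency of another patch.</li>
     * </ul>
     *
     * @param ctx the Pulumi deployment context (unused in this example)
     */
    public static void stack(Context ctx) {
        var production = new PatchBaseline("production", PatchBaselineArgs.builder()
            .approvalRules(
                // Rule 1: WindowsServer2016 updates, reported as HIGH when missing.
                PatchBaselineApprovalRuleArgs.builder()
                    .approveAfterDays(7)
                    .complianceLevel("HIGH")
                    .patchFilters(
                        patchFilter("PRODUCT", "WindowsServer2016"),
                        patchFilter(
                            "CLASSIFICATION",
                            "CriticalUpdates",
                            "SecurityUpdates",
                            "Updates"),
                        patchFilter(
                            "MSRC_SEVERITY",
                            "Critical",
                            "Important",
                            "Moderate"))
                    .build(),
                // Rule 2: every WindowsServer2012 patch, with no compliance level set.
                PatchBaselineApprovalRuleArgs.builder()
                    .approveAfterDays(7)
                    .patchFilters(patchFilter("PRODUCT", "WindowsServer2012"))
                    .build())
            .approvedPatches(
                "KB123456",
                "KB456789")
            .description("Patch Baseline Description")
            // Global filters, which this page describes as excluding patches from the baseline.
            .globalFilters(
                PatchBaselineGlobalFilterArgs.builder()
                    .key("PRODUCT")
                    .values("WindowsServer2008")
                    .build(),
                PatchBaselineGlobalFilterArgs.builder()
                    .key("CLASSIFICATION")
                    .values("ServicePacks")
                    .build(),
                PatchBaselineGlobalFilterArgs.builder()
                    .key("MSRC_SEVERITY")
                    .values("Low")
                    .build())
            .rejectedPatches("KB987654")
            .build());
    }

    /**
     * Builds one approval-rule patch filter from a key and its accepted values.
     *
     * <p>The filter type is written with its fully qualified name because this listing's
     * import block does not import it; the unqualified name would not resolve.
     *
     * @param key the filter key, for example PRODUCT, CLASSIFICATION or MSRC_SEVERITY
     * @param values the values the key must match
     * @return the built patch filter
     */
    private static com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRulePatchFilterArgs patchFilter(
            String key, String... values) {
        return com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRulePatchFilterArgs.builder()
            .key(key)
            .values(values)
            .build();
    }
}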

Advanced usage, specifying Microsoft application and Windows patch rules

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssm.PatchBaseline;
import com.pulumi.aws.ssm.PatchBaselineArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
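public class App {
    /** Program entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a Windows patch baseline with one rule for operating-system updates and
     * one rule for Microsoft application updates (Office 2013 and Office 2016).
     *
     * <p>Points to check when adapting this example:
     * <ul>
     *   <li>Both rules use {@code approveAfterDays(7)}: a matching patch waits seven days
     *       before it is approved, so hosts remain unpatched for at least that long.</li>
     *   <li>Neither rule sets a compliance level, so missing patches are reported at the
     *       provider default (presumably UNSPECIFIED - confirm).</li>
     *   <li>The application rule has no CLASSIFICATION or MSRC_SEVERITY filter, so it is
     *       not limited to security updates.</li>
     * </ul>
     *
     * @param ctx the Pulumi deployment context (unused in this example)
     */
    public static void stack(Context ctx) {
        var windowsOsApps = new PatchBaseline("windowsOsApps", PatchBaselineArgs.builder()
            .approvalRules(
                // Rule 1: critical and important OS security updates.
                PatchBaselineApprovalRuleArgs.builder()
                    .approveAfterDays(7)
                    .patchFilters(
                        patchFilter("CLASSIFICATION", "CriticalUpdates", "SecurityUpdates"),
                        patchFilter("MSRC_SEVERITY", "Critical", "Important"))
                    .build(),
                // Rule 2: Microsoft application patches for the listed Office products.
                PatchBaselineApprovalRuleArgs.builder()
                    .approveAfterDays(7)
                    .patchFilters(
                        patchFilter("PATCH_SET", "APPLICATION"),
                        patchFilter("PRODUCT", "Office 2013", "Office 2016"))
                    .build())
            .description("Patch both Windows and Microsoft apps")
            .operatingSystem("WINDOWS")
            .build());
    }

    /**
     * Builds one approval-rule patch filter from a key and its accepted values.
     *
     * <p>The filter type is written with its fully qualified name because this listing's
     * import block does not import it; the unqualified name would not resolve.
     *
     * @param key the filter key, for example CLASSIFICATION, MSRC_SEVERITY or PATCH_SET
     * @param values the values the key must match
     * @return the built patch filter
     */
    private static com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRulePatchFilterArgs patchFilter(
            String key, String... values) {
        return com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRulePatchFilterArgs.builder()
            .key(key)
            .values(values)
            .build();
    }
}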

Advanced usage, specifying alternate patch source repository

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssm.PatchBaseline;
import com.pulumi.aws.ssm.PatchBaselineArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRuleArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    /** Program entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares an Amazon Linux patch baseline that pulls patches from an alternate
     * repository definition.
     *
     * <p>Points to check when adapting this example:
     * <ul>
     *   <li>{@code approvalRules()} is called with no rules and no approved patches are
     *       listed, while this page notes that a baseline needs at least one of the two;
     *       fill in real approval rules before deploying.</li>
     *   <li>The repository's mirror list is fetched over plain http. Package integrity in
     *       this configuration rests on {@code gpgcheck=1} and the local {@code gpgkey};
     *       keep both when changing the repository definition.</li>
     * </ul>
     *
     * @param ctx the Pulumi deployment context (unused in this example)
     */
    public static void stack(Context ctx) {
        // Alternate patch source; this page states that sources apply to Linux instances only.
        var alternateRepo = PatchBaselineSourceArgs.builder()
            .configuration("""
                [amzn-main]
                name=amzn-main-Base
                mirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list
                mirrorlist_expire=300
                metadata_expire=300
                priority=10
                failovermethod=priority
                fastestmirror_enabled=0
                gpgcheck=1
                gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga
                enabled=1
                retries=3
                timeout=5
                report_instanceid=yes
                """)
            .name("My-AL2017.09")
            .products("AmazonLinux2017.09")
            .build();

        var baselineArgs = PatchBaselineArgs.builder()
            .approvalRules() // left empty in this example; see the note above
            .description("My patch repository for Amazon Linux 2017.09")
            .operatingSystem("AMAZON_LINUX")
            .sources(alternateRepo)
            .build();

        var al201709 = new PatchBaseline("al201709", baselineArgs);
    }
}

Import

SSM Patch Baselines can be imported by their baseline ID, e.g.,

$ pulumi import aws:ssm/patchBaseline:PatchBaseline example pb-12345678

Constructors

constructor(approvalRules: Output<List<PatchBaselineApprovalRuleArgs>>? = null, approvedPatches: Output<List<String>>? = null, approvedPatchesComplianceLevel: Output<String>? = null, approvedPatchesEnableNonSecurity: Output<Boolean>? = null, description: Output<String>? = null, globalFilters: Output<List<PatchBaselineGlobalFilterArgs>>? = null, name: Output<String>? = null, operatingSystem: Output<String>? = null, rejectedPatches: Output<List<String>>? = null, rejectedPatchesAction: Output<String>? = null, sources: Output<List<PatchBaselineSourceArgs>>? = null, tags: Output<Map<String, String>>? = null)

Properties


A set of rules used to include patches in the baseline. Up to 10 approval rules can be specified. See approval_rule below.

val approvedPatches: Output<List<String>>? = null

A list of explicitly approved patches for the baseline. Cannot be specified with approval_rule.


The compliance level for approved patches. If an approved patch is reported as missing, this level is the severity of the resulting compliance violation. Valid values are CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED.


Indicates whether the list of approved patches includes non-security updates that should be applied to the instances. Applies to Linux instances only.

val description: Output<String>? = null

The description of the patch baseline.


A set of global filters used to exclude patches from the baseline. Up to 4 global filters can be specified using Key/Value pairs. Valid Keys are PRODUCT, CLASSIFICATION, MSRC_SEVERITY, and PATCH_ID.

val name: Output<String>? = null

The name of the patch baseline.

val operatingSystem: Output<String>? = null

The operating system the patch baseline applies to. Valid values are AMAZON_LINUX, AMAZON_LINUX_2, AMAZON_LINUX_2022, CENTOS, DEBIAN, MACOS, ORACLE_LINUX, RASPBIAN, REDHAT_ENTERPRISE_LINUX, ROCKY_LINUX, SUSE, UBUNTU, and WINDOWS. The default value is WINDOWS.

val rejectedPatches: Output<List<String>>? = null

A list of rejected patches.

val rejectedPatchesAction: Output<String>? = null

The action for Patch Manager to take on patches included in the rejected_patches list. Valid values are ALLOW_AS_DEPENDENCY and BLOCK.

val sources: Output<List<PatchBaselineSourceArgs>>? = null

Configuration block with alternate sources for patches. Applies to Linux instances only. See source below.

val tags: Output<Map<String, String>>? = null

A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.

Functions

open override fun toJava(): PatchBaselineArgs