PatchBaseline

class PatchBaseline : KotlinCustomResource

Provides an SSM Patch Baseline resource.

NOTE on Patch Baselines: The approved_patches and approval_rule are both marked as optional fields, but the Patch Baseline requires that at least one of them is specified.

Example Usage

Basic Usage

Using approved_patches only.

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssm.PatchBaseline;
import com.pulumi.aws.ssm.PatchBaselineArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    /** Entry point: runs the stack definition under the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(ctx -> stack(ctx));
    }

    /**
     * Declares one SSM patch baseline named "production" that relies solely on an
     * explicit approved-patch list.
     *
     * @param ctx Pulumi deployment context (not read by this example)
     */
    public static void stack(Context ctx) {
        // No approval rule is configured, so this baseline approves only what is
        // listed here; the list has to be extended by hand as new fixes ship.
        // "KB123456" is the sample ID used by the documentation; substitute the
        // KB numbers that have actually been vetted for the fleet.
        final var baselineArgs = PatchBaselineArgs.builder()
            .approvedPatches("KB123456")
            .build();

        final var production = new PatchBaseline("production", baselineArgs);
    }
}

Advanced Usage, specifying patch filters

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssm.PatchBaseline;
import com.pulumi.aws.ssm.PatchBaselineArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRuleArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineGlobalFilterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    /** Entry point: runs the stack definition under the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(ctx -> stack(ctx));
    }

    /**
     * Declares the "production" patch baseline with two approval rules, an explicit
     * approved list, three global filters and one rejected patch.
     *
     * <p>NOTE(review): PatchBaselineApprovalRulePatchFilterArgs is used below but is
     * not among the imports shown for this listing; add the matching import before
     * compiling.
     *
     * @param ctx Pulumi deployment context (not read by this example)
     */
    public static void stack(Context ctx) {
        // Rule 1: Windows Server 2016, limited to the listed classifications and
        // MSRC severities. A missing patch from this rule is reported at HIGH.
        // approveAfterDays(7) delays auto-approval by a week, so even Critical
        // fixes wait that long; check the delay against the patching SLA.
        final var server2016Rule = PatchBaselineApprovalRuleArgs.builder()
            .approveAfterDays(7)
            .complianceLevel("HIGH")
            .patchFilters(
                PatchBaselineApprovalRulePatchFilterArgs.builder()
                    .key("PRODUCT")
                    .values("WindowsServer2016")
                    .build(),
                PatchBaselineApprovalRulePatchFilterArgs.builder()
                    .key("CLASSIFICATION")
                    .values(
                        "CriticalUpdates",
                        "SecurityUpdates",
                        "Updates")
                    .build(),
                PatchBaselineApprovalRulePatchFilterArgs.builder()
                    .key("MSRC_SEVERITY")
                    .values(
                        "Critical",
                        "Important",
                        "Moderate")
                    .build())
            .build();

        // Rule 2: Windows Server 2012 with a PRODUCT filter only. No classification
        // or severity filter narrows it, and no compliance level is set, so the
        // documented default (UNSPECIFIED) applies to anything it reports missing.
        final var server2012Rule = PatchBaselineApprovalRuleArgs.builder()
            .approveAfterDays(7)
            .patchFilters(PatchBaselineApprovalRulePatchFilterArgs.builder()
                .key("PRODUCT")
                .values("WindowsServer2012")
                .build())
            .build();

        // NOTE(review): the property text on this page says global filters exclude
        // patches from the baseline; confirm the filter direction against the AWS
        // API reference before relying on these three filters.
        final var productFilter = PatchBaselineGlobalFilterArgs.builder()
            .key("PRODUCT")
            .values("WindowsServer2008")
            .build();
        final var classificationFilter = PatchBaselineGlobalFilterArgs.builder()
            .key("CLASSIFICATION")
            .values("ServicePacks")
            .build();
        final var severityFilter = PatchBaselineGlobalFilterArgs.builder()
            .key("MSRC_SEVERITY")
            .values("Low")
            .build();

        // NOTE(review): this example sets approvedPatches together with approval
        // rules, while the approvedPatches property text on this page says it
        // cannot be specified with approval_rule; verify against the provider.
        // No rejected-patches action is set, so the provider default decides
        // whether "KB987654" may still be installed as a dependency.
        final var production = new PatchBaseline("production", PatchBaselineArgs.builder()
            .approvalRules(server2016Rule, server2012Rule)
            .approvedPatches(
                "KB123456",
                "KB456789")
            .description("Patch Baseline Description")
            .globalFilters(productFilter, classificationFilter, severityFilter)
            .rejectedPatches("KB987654")
            .build());
    }
}

Advanced usage, specifying Microsoft application and Windows patch rules

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssm.PatchBaseline;
import com.pulumi.aws.ssm.PatchBaselineArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    /** Entry point: runs the stack definition under the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(ctx -> stack(ctx));
    }

    /**
     * Declares the "windowsOsApps" baseline: one approval rule for Windows updates
     * and one for Microsoft application (Office) updates.
     *
     * <p>NOTE(review): PatchBaselineApprovalRulePatchFilterArgs is used below but is
     * not among the imports shown for this listing; add the matching import before
     * compiling.
     *
     * @param ctx Pulumi deployment context (not read by this example)
     */
    public static void stack(Context ctx) {
        // OS rule: only Critical and Important MSRC severities are matched, so
        // Moderate and Low security updates are never auto-approved by it.
        // There is no PRODUCT filter on this rule.
        final var osRule = PatchBaselineApprovalRuleArgs.builder()
            .approveAfterDays(7)
            .patchFilters(
                PatchBaselineApprovalRulePatchFilterArgs.builder()
                    .key("CLASSIFICATION")
                    .values(
                        "CriticalUpdates",
                        "SecurityUpdates")
                    .build(),
                PatchBaselineApprovalRulePatchFilterArgs.builder()
                    .key("MSRC_SEVERITY")
                    .values(
                        "Critical",
                        "Important")
                    .build())
            .build();

        // Application rule: PATCH_SET=APPLICATION scoped to the two listed Office
        // products, with no classification or severity filter. Other installed
        // Microsoft applications are outside this baseline and need their own
        // coverage.
        final var officeRule = PatchBaselineApprovalRuleArgs.builder()
            .approveAfterDays(7)
            .patchFilters(
                PatchBaselineApprovalRulePatchFilterArgs.builder()
                    .key("PATCH_SET")
                    .values("APPLICATION")
                    .build(),
                PatchBaselineApprovalRulePatchFilterArgs.builder()
                    .key("PRODUCT")
                    .values(
                        "Office 2013",
                        "Office 2016")
                    .build())
            .build();

        // Both rules delay approval by seven days and neither sets a compliance
        // level, so missing patches are reported at the documented default
        // (UNSPECIFIED).
        final var windowsOsApps = new PatchBaseline("windowsOsApps", PatchBaselineArgs.builder()
            .approvalRules(osRule, officeRule)
            .description("Patch both Windows and Microsoft apps")
            .operatingSystem("WINDOWS")
            .build());
    }
}

Advanced usage, specifying alternate patch source repository

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssm.PatchBaseline;
import com.pulumi.aws.ssm.PatchBaselineArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRuleArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    /** Entry point: runs the stack definition under the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(ctx -> stack(ctx));
    }

    /**
     * Declares the "al201709" baseline for Amazon Linux with an alternate patch
     * source repository supplied as a yum repo definition.
     *
     * @param ctx Pulumi deployment context (not read by this example)
     */
    public static void stack(Context ctx) {
        // Repository definition handed to the patch source. The text block is kept
        // at column 0 so the resulting string is exactly the documented one.
        //
        // The mirror list is fetched over plain http://, so package integrity rests
        // on gpgcheck=1 and the locally installed gpgkey; do not disable gpgcheck
        // and prefer an https:// mirror where the repository offers one.
        // NOTE(review): the "/$" sequences in the mirrorlist URL look like an
        // escaping artifact of the documentation conversion; compare with the repo
        // file on a real instance before using this value.
        final String yumRepoConfig = """
[amzn-main]
name=amzn-main-Base
mirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list
mirrorlist_expire=300
metadata_expire=300
priority=10
failovermethod=priority
fastestmirror_enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga
enabled=1
retries=3
timeout=5
report_instanceid=yes
""";

        final var patchSource = PatchBaselineSourceArgs.builder()
            .configuration(yumRepoConfig)
            .name("My-AL2017.09")
            .products("AmazonLinux2017.09")
            .build();

        // NOTE(review): approvalRules() is called with no rules and approvedPatches
        // is not set, yet the note at the top of this page says a baseline needs at
        // least one of the two; supply a real approval rule before deploying.
        final var al201709 = new PatchBaseline("al201709", PatchBaselineArgs.builder()
            .approvalRules()
            .description("My patch repository for Amazon Linux 2017.09")
            .operatingSystem("AMAZON_LINUX")
            .sources(patchSource)
            .build());
    }
}

Import

SSM Patch Baselines can be imported by their baseline ID, e.g.,

$ pulumi import aws:ssm/patchBaseline:PatchBaseline example pb-12345678

Properties


A set of rules used to include patches in the baseline. Up to 10 approval rules can be specified. See approval_rule below.

val approvedPatches: Output<List<String>>?

A list of explicitly approved patches for the baseline. Cannot be specified with approval_rule.


The compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid values are CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED.


Indicates whether the list of approved patches includes non-security updates that should be applied to the instances. Applies to Linux instances only.

val arn: Output<String>

The ARN of the patch baseline.

val description: Output<String>?

The description of the patch baseline.


A set of global filters used to exclude patches from the baseline. Up to 4 global filters can be specified using Key/Value pairs. Valid Keys are PRODUCT, CLASSIFICATION, MSRC_SEVERITY, and PATCH_ID.

val id: Output<String>
val name: Output<String>

The name of the patch baseline.

val operatingSystem: Output<String>?

The operating system the patch baseline applies to. Valid values are AMAZON_LINUX, AMAZON_LINUX_2, AMAZON_LINUX_2022, CENTOS, DEBIAN, MACOS, ORACLE_LINUX, RASPBIAN, REDHAT_ENTERPRISE_LINUX, ROCKY_LINUX, SUSE, UBUNTU, and WINDOWS. The default value is WINDOWS.

val pulumiChildResources: Set<KotlinResource>
val rejectedPatches: Output<List<String>>?

A list of rejected patches.


The action for Patch Manager to take on patches included in the rejected_patches list. Valid values are ALLOW_AS_DEPENDENCY and BLOCK.


Configuration block with alternate sources for patches. Applies to Linux instances only. See source below.

val tags: Output<Map<String, String>>?

A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

val tagsAll: Output<Map<String, String>>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

val urn: Output<String>