This terraform module set up Systems Manager Patch Manager in AWS.
The following resources will be created:
- CloudWatch Log Groups
- IAM roles
- Document for Session Manager configuration
- Fleet Manager configuration
- Patch Baseline
- Inventory configuration
- Patch Manager configuration
In addition you have the option to create or not :
- Patch Manager Install approval
- Step Function
- Event Bridge scheduler
- SNS Topic
- Lambda function
module "patch_manager" {
source = "git::https://github.com/DNXLabs/terraform-aws-patch-manager.git?ref=0.8.0"
enabled = true
name = "windows-patching"
target_value = ["windows-server"]
session_encryption = true
scan_schedule = "cron(0 23 ? * SAT *)" # Every Saturday at 11pm
scan_duration = 5
install_schedule = "cron(0 23 ? * SUN *)" # Every Sunday at 11pm
install_duration = 5
approval_process_schedule = "cron(0 8 ? * TUE *)" # Every Tuesday at 8am
approval_process_timeout = 345600 # 4 days
}| Name | Version |
|---|---|
| terraform | >= 1.5 |
| archive | >= 2.0.0 |
| aws | >= 4.0.0 |
| template | >= 2.0.0 |
| Name | Version |
|---|---|
| archive | >= 2.0.0 |
| aws | >= 4.0.0 |
| template | >= 2.0.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| approval_process_schedule | The schedule for the approval process | string |
"" |
no |
| approval_process_timeout | The timeout in seconds for the approval process | number |
86400 |
no |
| approval_process_timezone | The schedule timezone for the approval process | string |
"Australia/Melbourne" |
no |
| approved_patches | The list of approved patches | list(string) |
[] |
no |
| classification | The list of patch classifications | list(string) |
[ |
no |
| enabled | Enable or disable the module | bool |
true |
no |
| install_cutoff | The cutoff for the patch baseline scan | number |
1 |
no |
| install_duration | The duration for the patch baseline scan | number |
5 |
no |
| install_max_concurrency | The max concurrency for the patch baseline scan | string |
"10%" |
no |
| install_max_errors | The max errors for the patch baseline scan | string |
"10%" |
no |
| install_reboot_option | The reboot option for the patch baseline scan | string |
"NoReboot" |
no |
| install_schedule | The schedule for the patch baseline scan | string |
"" |
no |
| install_timezone | The schedule timezone for the patch baseline scan | string |
"Australia/Melbourne" |
no |
| name | The name of the patch baseline | string |
n/a | yes |
| notification_arn | The SNS topic ARN for notifications | string |
"" |
no |
| notification_events | The list of notification events | list(string) |
[] |
no |
| operating_system | The operating system for the patch baseline | string |
"WINDOWS" |
no |
| rejected_patches | The list of rejected patches | list(string) |
[] |
no |
| scan_cutoff | The cutoff for the patch baseline scan | number |
1 |
no |
| scan_duration | The duration for the patch baseline scan | number |
5 |
no |
| scan_max_concurrency | The max concurrency for the patch baseline scan | string |
"20%" |
no |
| scan_max_errors | The max errors for the patch baseline scan | string |
"20%" |
no |
| scan_schedule | The schedule for the patch baseline scan | string |
"" |
no |
| scan_timezone | The schedule timezone for the patch baseline scan | string |
"Australia/Melbourne" |
no |
| session_encryption | Enable or disable session encryption | bool |
true |
no |
| severity | The list of patch severities | list(string) |
[ |
no |
| target | The target for the patch baseline | string |
"tag:PatchGroup" |
no |
| target_value | The target value for the patch baseline | list(string) |
[] |
no |
No output.
Module managed by DNX Solutions.
Apache 2 Licensed. See LICENSE for full details.