patch_baselines
Creates, updates, deletes or gets a patch_baseline resource or lists patch_baselines in a region.
Overview
Name | patch_baselines |
Type | Resource |
Description | Resource Type definition for AWS::SSM::PatchBaseline |
Id | aws.ssm.patch_baselines |
Fields
Name | Datatype | Description |
---|---|---|
id | string | The ID of the patch baseline. |
default_baseline | boolean | Set the baseline as the default baseline. Only registering as the default patch baseline is allowed. |
operating_system | string | Defines the operating system the patch baseline applies to. The default value is WINDOWS. |
description | string | The description of the patch baseline. |
approval_rules | object | A set of rules defining the approval rules for a patch baseline. |
sources | array | Information about the patches to use to update the instances, including target operating systems and source repository. Applies to Linux instances only. |
name | string | The name of the patch baseline. |
rejected_patches | array | A list of explicitly rejected patches for the baseline. |
approved_patches | array | A list of explicitly approved patches for the baseline. |
rejected_patches_action | string | The action for Patch Manager to take on patches included in the RejectedPackages list. |
patch_groups | array | PatchGroups is used to associate instances with a specific patch baseline. |
approved_patches_compliance_level | string | Defines the compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. The default value is UNSPECIFIED. |
approved_patches_enable_non_security | boolean | Indicates whether the list of approved patches includes non-security updates that should be applied to the instances. The default value is 'false'. Applies to Linux instances only. |
global_filters | object | A set of global filters used to include patches in the baseline. |
tags | array | Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways. |
region | string | AWS region. |
Methods
Name | Accessible by | Required Params |
---|---|---|
create_resource | INSERT | Name, region |
delete_resource | DELETE | data__Identifier, region |
update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all patch_baselines in a region.
```sql
SELECT
  region,
  id,
  default_baseline,
  operating_system,
  description,
  approval_rules,
  sources,
  name,
  rejected_patches,
  approved_patches,
  rejected_patches_action,
  patch_groups,
  approved_patches_compliance_level,
  approved_patches_enable_non_security,
  global_filters,
  tags
FROM aws.ssm.patch_baselines
WHERE region = 'us-east-1';
```
Gets all properties from an individual patch_baseline.
```sql
SELECT
  region,
  id,
  default_baseline,
  operating_system,
  description,
  approval_rules,
  sources,
  name,
  rejected_patches,
  approved_patches,
  rejected_patches_action,
  patch_groups,
  approved_patches_compliance_level,
  approved_patches_enable_non_security,
  global_filters,
  tags
FROM aws.ssm.patch_baselines
WHERE region = 'us-east-1' AND data__Identifier = '<Id>';
```
INSERT example
Use the following StackQL query and manifest file to create a new patch_baseline resource, using stack-deploy.
Required Properties
```sql
/*+ create */
INSERT INTO aws.ssm.patch_baselines (
  Name,
  region
)
SELECT
  '{{ Name }}',
  '{{ region }}';
```
All Properties
```sql
/*+ create */
INSERT INTO aws.ssm.patch_baselines (
  DefaultBaseline,
  OperatingSystem,
  Description,
  ApprovalRules,
  Sources,
  Name,
  RejectedPatches,
  ApprovedPatches,
  RejectedPatchesAction,
  PatchGroups,
  ApprovedPatchesComplianceLevel,
  ApprovedPatchesEnableNonSecurity,
  GlobalFilters,
  Tags,
  region
)
SELECT
  '{{ DefaultBaseline }}',
  '{{ OperatingSystem }}',
  '{{ Description }}',
  '{{ ApprovalRules }}',
  '{{ Sources }}',
  '{{ Name }}',
  '{{ RejectedPatches }}',
  '{{ ApprovedPatches }}',
  '{{ RejectedPatchesAction }}',
  '{{ PatchGroups }}',
  '{{ ApprovedPatchesComplianceLevel }}',
  '{{ ApprovedPatchesEnableNonSecurity }}',
  '{{ GlobalFilters }}',
  '{{ Tags }}',
  '{{ region }}';
```
Manifest
```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: patch_baseline
    props:
      - name: DefaultBaseline
        value: '{{ DefaultBaseline }}'
      - name: OperatingSystem
        value: '{{ OperatingSystem }}'
      - name: Description
        value: '{{ Description }}'
      - name: ApprovalRules
        value:
          PatchRules:
            - ApproveUntilDate: '{{ ApproveUntilDate }}'
              EnableNonSecurity: '{{ EnableNonSecurity }}'
              PatchFilterGroup:
                PatchFilters:
                  - Values:
                      - '{{ Values[0] }}'
                    Key: '{{ Key }}'
              ApproveAfterDays: '{{ ApproveAfterDays }}'
              ComplianceLevel: '{{ ComplianceLevel }}'
      - name: Sources
        value:
          - Products:
              - '{{ Products[0] }}'
            Configuration: '{{ Configuration }}'
            Name: '{{ Name }}'
      - name: Name
        value: '{{ Name }}'
      - name: RejectedPatches
        value:
          - '{{ RejectedPatches[0] }}'
      - name: ApprovedPatches
        value:
          - '{{ ApprovedPatches[0] }}'
      - name: RejectedPatchesAction
        value: '{{ RejectedPatchesAction }}'
      - name: PatchGroups
        value:
          - '{{ PatchGroups[0] }}'
      - name: ApprovedPatchesComplianceLevel
        value: '{{ ApprovedPatchesComplianceLevel }}'
      - name: ApprovedPatchesEnableNonSecurity
        value: '{{ ApprovedPatchesEnableNonSecurity }}'
      - name: GlobalFilters
        value: null
      - name: Tags
        value:
          - Key: '{{ Key }}'
            Value: '{{ Value }}'
```
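A pre-deployment check for the values that fill this manifest, as an added example (not StackQL or AWS code): it flags approval-rule, approved-patch and rejected-patch settings that leave compliance gaps. The function name, the 14-day threshold and the sample baseline are assumptions constructed for illustration.

```python
# Added example: lint a patch baseline definition before it is deployed.
# Property names follow the manifest on this page; the threshold is an assumed
# local policy value, not an AWS default.
MAX_APPROVE_AFTER_DAYS = 14
UNSET_LEVELS = (None, "", "UNSPECIFIED")


def lint_patch_baseline(props, max_days=MAX_APPROVE_AFTER_DAYS):
    """Return a list of findings for one baseline's properties (a dict)."""
    findings = []
    rules = (props.get("ApprovalRules") or {}).get("PatchRules") or []
    approved = props.get("ApprovedPatches") or []
    rejected = props.get("RejectedPatches") or []
    if not rules and not approved:
        findings.append("no approval rules and no approved patches: nothing is approved")
    for i, rule in enumerate(rules):
        if rule.get("ComplianceLevel") in UNSET_LEVELS:
            findings.append(f"PatchRules[{i}]: ComplianceLevel is unset")
        days = rule.get("ApproveAfterDays")
        if days is not None and int(days) > max_days:
            findings.append(f"PatchRules[{i}]: ApproveAfterDays {days} exceeds {max_days}")
    if approved and props.get("ApprovedPatchesComplianceLevel") in UNSET_LEVELS:
        findings.append("ApprovedPatchesComplianceLevel is unset: missing approved patches carry no severity")
    # On Linux, ALLOW_AS_DEPENDENCY lets a rejected package in as a dependency.
    if rejected and props.get("RejectedPatchesAction") != "BLOCK":
        findings.append("RejectedPatchesAction is not BLOCK: rejected packages may be installed as dependencies")
    return findings


# Constructed sample input (not a real baseline).
SAMPLE = {
    "Name": "example-baseline",
    "OperatingSystem": "AMAZON_LINUX_2",
    "ApprovalRules": {"PatchRules": [
        {"ApproveAfterDays": 30, "ComplianceLevel": "UNSPECIFIED",
         "PatchFilterGroup": {"PatchFilters": [
             {"Key": "CLASSIFICATION", "Values": ["Security"]}]}},
    ]},
    "ApprovedPatches": ["example-package-1.0"],
    "RejectedPatches": ["example-package-0.9"],
    "RejectedPatchesAction": "ALLOW_AS_DEPENDENCY",
}

if __name__ == "__main__":
    for finding in lint_patch_baseline(SAMPLE):
        print(finding)
```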
DELETE example
```sql
/*+ delete */
DELETE FROM aws.ssm.patch_baselines
WHERE data__Identifier = '<Id>'
AND region = 'us-east-1';
```
Permissions
To operate on the patch_baselines resource, the following permissions are required:
Create
ssm:CreatePatchBaseline,
ssm:RegisterPatchBaselineForPatchGroup,
ssm:AddTagsToResource,
ssm:RemoveTagsFromResource,
ssm:ListTagsForResource,
ssm:GetDefaultPatchBaseline,
ssm:RegisterDefaultPatchBaseline
Delete
ssm:DeletePatchBaseline,
ssm:GetPatchBaseline,
ssm:DeregisterPatchBaselineForPatchGroup
List
ssm:DescribePatchBaselines,
ssm:GetDefaultPatchBaseline,
ssm:GetPatchBaseline,
ssm:ListTagsForResource
Read
ssm:GetDefaultPatchBaseline,
ssm:GetPatchBaseline,
ssm:ListTagsForResource
Update
ssm:UpdatePatchBaseline,
ssm:DeregisterPatchBaselineForPatchGroup,
ssm:AddTagsToResource,
ssm:RemoveTagsFromResource,
ssm:ListTagsForResource,
ssm:GetDefaultPatchBaseline,
ssm:RegisterDefaultPatchBaseline