ministryofjustice / modernisation-platform-terraform-ssm-patching

Module to automate the patching of ec2 instances in each account • This repository is defined and managed in Terraform

Modernisation Platform Terraform SSM Patching

Usage

To use this module, your EC2 instances must have the SSM agent installed and registered with Systems Manager (it is installed by default on many AMIs), and must carry the tag `Patching` with the value `Yes`. The maintenance window selects instances through a resource group that matches on that tag, so instances that are untagged, or that SSM does not list as managed instances, are not patched and no error is raised for them. The tag key and value can be changed with the `patch_key` and `patch_tag` inputs if you want to reuse existing tags.

We are looking to add more tagging functionality, so these requirements may change in future releases.

module "ssm-auto-patching" {
  # Pin the module to a release tag or commit via the ref query parameter
  source = "github.com/ministryofjustice/modernisation-platform-terraform-ssm-patching.git?ref="
  # In this example the module is only deployed in the development environment
  count  = local.environment == "development" ? 1 : 0
  # The bundled s3-bucket module needs a provider under the bucket-replication alias
  providers = {
    aws.bucket-replication = aws
  }

  account_number   = local.environment_management.account_ids[terraform.workspace]
  application_name = local.application_name
  tags = merge(
    local.tags,
    {
      Name = "ssm-patching"
    },
  )
}
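The usage notes above describe a failure mode worth checking before the first maintenance window runs: an instance that is tagged but whose SSM agent is not registered is silently skipped, and a tag whose value does not match exactly (tag values are case-sensitive) is not selected at all. The following Python is an added pre-flight check, not part of this module or the Modernisation Platform code. It reproduces the module's targeting rule offline against the response shapes returned by boto3's EC2 `describe_instances` and SSM `describe_instance_information`; the `preflight` function, the `Instance` record and the sample instance data are constructed for illustration.

```python
"""Pre-flight check for SSM tag-based patching.

An instance is patched by the maintenance window only if it carries the
selecting tag (default Patching=Yes, matching the patch_key/patch_tag
inputs) AND its SSM agent is registered and reporting PingStatus=Online.
Anything else falls into one of two silent-failure buckets.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Instance:
    instance_id: str
    tags: Dict[str, str] = field(default_factory=dict)
    ssm_ping_status: Optional[str] = None  # None: not registered with SSM at all


def from_aws_responses(reservations: List[dict], instance_information: List[dict]) -> List[Instance]:
    """Join EC2 describe_instances Reservations with SSM describe_instance_information."""
    ping = {info["InstanceId"]: info.get("PingStatus") for info in instance_information}
    instances = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            instances.append(Instance(inst["InstanceId"], tags, ping.get(inst["InstanceId"])))
    return instances


def classify(instances: List[Instance], patch_key: str = "Patching", patch_tag: str = "Yes") -> Dict[str, List[str]]:
    """Sort instances by what the maintenance window will actually do with them.

    Tag comparison is an exact, case-sensitive match, mirroring the resource
    group tag filter: 'yes' does not select an instance when patch_tag is 'Yes'.
    """
    result: Dict[str, List[str]] = {"targeted": [], "tagged_but_unmanaged": [], "untagged": []}
    for inst in instances:
        if inst.tags.get(patch_key) != patch_tag:
            result["untagged"].append(inst.instance_id)
        elif inst.ssm_ping_status == "Online":
            result["targeted"].append(inst.instance_id)
        else:
            # Selected by the resource group, but SSM cannot reach it: never patched
            result["tagged_but_unmanaged"].append(inst.instance_id)
    return result


def preflight(reservations: List[dict], instance_information: List[dict],
              patch_key: str = "Patching", patch_tag: str = "Yes") -> Dict[str, List[str]]:
    return classify(from_aws_responses(reservations, instance_information), patch_key, patch_tag)


# Constructed sample data in the shape of the two AWS API responses (not real instances).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa111", "Tags": [{"Key": "Patching", "Value": "Yes"}, {"Key": "Name", "Value": "web-1"}]},
    {"InstanceId": "i-0bbb222", "Tags": [{"Key": "Patching", "Value": "Yes"}]},  # agent never registered
    {"InstanceId": "i-0ccc333", "Tags": [{"Key": "Patching", "Value": "yes"}]},  # wrong case: not selected
    {"InstanceId": "i-0ddd444", "Tags": []},
]}]
SAMPLE_INSTANCE_INFORMATION = [
    {"InstanceId": "i-0aaa111", "PingStatus": "Online"},
    {"InstanceId": "i-0ccc333", "PingStatus": "Online"},
    {"InstanceId": "i-0ddd444", "PingStatus": "ConnectionLost"},
]

if __name__ == "__main__":
    for bucket, ids in preflight(SAMPLE_RESERVATIONS, SAMPLE_INSTANCE_INFORMATION).items():
        print(f"{bucket}: {ids}")
```

Against live accounts, feed `preflight` the paginated output of `ec2.describe_instances()` and `ssm.describe_instance_information()` and treat a non-empty `tagged_but_unmanaged` list as a finding: those hosts look covered in the tagging but will miss every window. Passing a different `patch_key`/`patch_tag` shows what the module would select if those inputs were customised.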

Looking for issues?

If you're looking to raise an issue with this module, please create a new issue in the Modernisation Platform repository.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.1 |
| aws | ~> 4.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 4.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| s3-bucket | github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket | v6.2.0 |

Resources

| Name | Type |
|------|------|
| aws_iam_policy.ssm-patching-iam-policy | resource |
| aws_iam_role.ssm-patching-iam-role | resource |
| aws_iam_role_policy_attachment.ssm-admin-automation | resource |
| aws_resourcegroups_group.patch-resource-group | resource |
| aws_ssm_maintenance_window.ssm-maintenance-window | resource |
| aws_ssm_maintenance_window_target.ssm-maintenance-window-target | resource |
| aws_ssm_maintenance_window_task.ssm-maintenance-window-automation-task | resource |
| aws_ssm_patch_baseline.patch-baseline-poc | resource |
| aws_elb_service_account.default | data source |
| aws_iam_policy_document.bucket_policy | data source |
| aws_iam_policy_document.ssm-admin-policy-doc | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_number | Account number of the current environment | string | n/a | yes |
| application_name | Name of the application | string | n/a | yes |
| approval_days | Number of days after release before a patch is auto-approved. Used by the patch baseline approval rule only; not required by the automation script | string | "7" | no |
| compliance_level | Compliance severity assigned to patches approved by the rule. Used by the approval rule only; not required by the automation script | string | "CRITICAL" | no |
| existing_bucket_name | Name of an existing S3 bucket to use. If none is provided, a bucket is created | string | "" | no |
| force_destroy_bucket | When true, all objects (including any locked objects) are deleted from the bucket so that it can be destroyed without error. These objects are not recoverable | bool | false | no |
| operating_system | Operating system of the EC2 instances. Used by the approval rule only; not required by the automation script | string | "CENTOS" | no |
| patch_classification | Patch classifications the approval rule accepts (for example Security) | list(string) | ["Security"] | no |
| patch_key | Tag key used to select instances for patching. Defaults to Patching, but can be customised to reuse pre-existing tags | string | "Patching" | no |
| patch_schedule | Cron expression for the maintenance window. The default runs every Monday at 22:00 (UTC unless a schedule timezone is configured) | string | "cron(00 22 ? * MON *)" | no |
| patch_tag | Tag value used to select instances for patching. Defaults to Yes, but can be customised to reuse pre-existing tags | string | "Yes" | no |
| tags | Common tags applied to all resources | map(string) | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| iam-policy-arn | The ARN of the IAM policy used by the automation script |
| maintenance-window-id | The maintenance window ID |
| maintenance-window-target-id | The target ID for the maintenance window |
| patch-resource-group-arn | The ARN of the resource group used for patching |

License: MIT License

Languages: HCL 94.5%, Go 5.5%