
Module: ssm_patch_baseline & ssm_patch_groups

Overview

  • ssm_patch_baseline: Defines approval and compliance logic per OS. Supports multiple approval rules per baseline via a map.
  • ssm_patch_groups: Associates a baseline key with a Patch Group name (value of the EC2 tag Patch_Group).

Data Model

ssm_patch_baseline (map)

| Field | Type | Required | Notes |
|---|---|---|---|
| name | string | optional | Override baseline display name |
| operating_system | string | required | WINDOWS, REDHAT_ENTERPRISE_LINUX, AMAZON_LINUX_2, etc. |
| approval_rules | map(object) | recommended | Map of approval rules — see structure below |
| approved_patches | list(string) | optional | Explicit allowlist (overrides approval rules) |
| approved_patches_compliance_level | string | optional | Compliance level for explicitly approved patches |
| approved_patches_enable_non_security | bool | optional | Include non-security patches in approved list |
| rejected_patches | list(string) | optional | Denylist |
| rejected_patches_action | string | optional | AllowAsDependency or Block |
| description | string | optional | Baseline description |
| tags | map(string) | optional | Extra tags |

approval_rules (map)

Each key is a logical name for the rule (e.g., os, application, security). Map keys are stable identifiers used by Terraform state — changing a key causes Terraform to destroy and recreate that rule.

| Field | Type | Required | Notes |
|---|---|---|---|
| approve_after_days | number | optional | Days after release before auto-approval |
| compliance_level | string | optional | CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED |
| enable_non_security | bool | optional | Include non-security updates; defaults to false |
| patch_filter | map(list(string)) | optional | Filter criteria — see structure below |

patch_filter (map(list(string)))

A map where each key is an AWS patch filter key name and each value is a list of strings. Multiple filters within a rule are AND'd together; multiple values within one filter are OR'd.

Valid keys:

| Key | Notes |
|---|---|
| patch_set | OS or APPLICATION; only one value allowed by AWS |
| product_family | Product family (Windows only, e.g., ["*"]) |
| product | Specific product (e.g., ["WindowsServer2022"], ["*"]) |
| classification | Patch classification (OS-specific — see AWS docs) |
| severity | Patch severity (Linux only) |
| msrc_severity | Microsoft Security Response Center severity (Windows only) |
| arch | Architecture |
| advisory_id | Advisory ID (Linux only) |
| bugzilla_id | Bugzilla ID (Linux only) |
| cve_id | CVE ID |
| epoch | Epoch (Linux only) |
| name | Patch name |
| patch_id | Patch ID |
| section | Section (Debian only) |
| priority | Priority (Debian only) |
| repository | Repository (Linux only) |
| release | Release (Linux only) |
| security | Security (Linux only) |
| version | Version (Linux only) |

PATCH_SET accepts only one value

The AWS SSM API enforces a maximum of one value for the patch_set filter key. Use separate approval_rules map entries when you need to target both OS and APPLICATION patch sets with different filter criteria.

ssm_patch_groups (map)

| Field | Type | Required | Notes |
|---|---|---|---|
| baseline_id | string | required | Key of an entry in ssm_patch_baseline |

The map key is the value used in the EC2 instance tag Patch_Group.

Example

ssm_patch_baseline = {
  windows_baseline = {
    name             = "windows-patch-baseline"
    operating_system = "WINDOWS"
    approval_rules = {
      os = {
        approve_after_days = 7
        compliance_level   = "CRITICAL"
        patch_filter = {
          patch_set = ["OS"]
          product   = ["*"]
          classification = [
            "CriticalUpdates",
            "SecurityUpdates",
            "Updates"
          ]
        }
      }
      application = {
        approve_after_days = 7
        compliance_level   = "UNSPECIFIED"
        patch_filter = {
          patch_set      = ["APPLICATION"]
          product_family = ["*"]
          product        = ["*"]
          classification = ["*"]
        }
      }
    }
  }
  rhel_baseline = {
    name             = "rhel-patch-baseline"
    operating_system = "REDHAT_ENTERPRISE_LINUX"
    approval_rules = {
      security = {
        approve_after_days = 7
        compliance_level   = "CRITICAL"
        patch_filter = {
          product = ["*"]
          classification = [
            "Security",
            "Bugfix",
            "Enhancement",
            "Recommended"
          ]
          severity = ["Critical"]
        }
      }
    }
  }
}

ssm_patch_groups = {
  epicIREwss = { baseline_id = "windows_baseline" }
  epicIREodb = { baseline_id = "rhel_baseline" }
}

Notes

  • A single baseline can be referenced by multiple ssm_patch_groups entries when different logical patch cohorts share identical approval logic.
  • Instance targeting is entirely tag-driven; each ssm_patch_groups map key must exactly match the Patch_Group tag value on target instances.
  • Use approval_rules as a map, not a list. Map keys are stable — Terraform tracks rules by key, so reordering entries does not cause destroy/recreate cycles.
  • PATCH_SET must be either OS or APPLICATION — not both in the same filter. Use separate rules in the map to apply different filter criteria per patch set.
  • enable_non_security defaults to false. Set to true on Linux baselines when non-security updates (e.g., bugfixes) should be included.
  • Use explicit approved_patches only when you must pin specific KBs or packages; rely on approval_rules for standard patch management.
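The two constraints the data model and notes call out (patch_set holds exactly one of OS or APPLICATION, and every baseline_id names an existing baseline key) can be caught at plan time instead of at the AWS API call. The following variable definitions are an added illustration, not the module's own source; the types mirror the tables above, optional() assumes Terraform 1.3 or later, and the cross-variable reference in the second validation assumes Terraform 1.9 or later.

```hcl
variable "ssm_patch_baseline" {
  type = map(object({
    name             = optional(string)
    operating_system = string
    approval_rules = optional(map(object({
      approve_after_days  = optional(number)
      compliance_level    = optional(string)
      enable_non_security = optional(bool, false)
      patch_filter        = optional(map(list(string)), {})
    })), {})
    approved_patches                     = optional(list(string), [])
    approved_patches_compliance_level    = optional(string)
    approved_patches_enable_non_security = optional(bool)
    rejected_patches                     = optional(list(string), [])
    rejected_patches_action              = optional(string)
    description                          = optional(string)
    tags                                 = optional(map(string), {})
  }))

  # AWS rejects a patch_set filter with more than one value, so fail at plan
  # time. A rule without a patch_set filter is treated as valid (default "OS"
  # stands in only so the check has a single value to inspect).
  validation {
    condition = alltrue(flatten([
      for b in var.ssm_patch_baseline : [
        for r in values(b.approval_rules) : [
          for ps in [lookup(r.patch_filter, "patch_set", ["OS"])] :
          length(ps) == 1 && alltrue([for v in ps : contains(["OS", "APPLICATION"], v)])
        ]
      ]
    ]))
    error_message = "The patch_set filter must hold exactly one value, OS or APPLICATION; use separate approval_rules entries to target the other patch set."
  }
}

variable "ssm_patch_groups" {
  type = map(object({
    baseline_id = string
  }))

  # Every Patch_Group must point at a key that exists in ssm_patch_baseline.
  # Referencing another variable inside validation requires Terraform >= 1.9.
  validation {
    condition = alltrue([
      for g in values(var.ssm_patch_groups) :
      contains(keys(var.ssm_patch_baseline), g.baseline_id)
    ])
    error_message = "Every ssm_patch_groups baseline_id must match a key of ssm_patch_baseline."
  }
}
```

With these in place, a tfvars file that sets patch_set = ["OS", "APPLICATION"] in one rule, or a group whose baseline_id has no matching baseline, fails `terraform plan` with the message above rather than a CreatePatchBaseline error during apply.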