
Module: ssm_patch_baselines & ssm_patch_groups

Overview

  • ssm_patch_baselines: Defines approval and compliance logic per OS.
  • ssm_patch_groups: Associates a baseline key with a Patch Group name (value of the EC2 tag Patch_Group).

Data Model

ssm_patch_baselines (map)

| Field | Type | Required | Notes |
|---|---|---|---|
| name | string | optional | Override the baseline display name |
| operating_system | string | required | SSM OperatingSystem value, e.g. WINDOWS, REDHAT_ENTERPRISE_LINUX, AMAZON_LINUX_2 |
| approval_rule | object | recommended | Primary dynamic approval rule: approve_after_days, compliance_level and a patch_filter (see Example) |
| approved_patches | list(string) | optional | Explicit allowlist; listed patches are approved regardless of approval_rule |
| approved_patches_compliance_level | string | optional | Compliance level reported for approved_patches: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL or UNSPECIFIED |
| rejected_patches | list(string) | optional | Denylist |
| rejected_patches_action | string | optional | ALLOW_AS_DEPENDENCY (the SSM default) or BLOCK |
| description | string | optional | Baseline description |
| tags | map(string) | optional | Extra tags |

ssm_patch_groups (map)

| Field | Type | Required | Notes |
|---|---|---|---|
| baseline_id | string | required | Key of an entry in ssm_patch_baselines (a plain reference, not an AWS pb-... ID) |

The map key is the patch group name, i.e. the value carried by the EC2 instance tag Patch_Group; it is matched exactly, including case.

Example

ssm_patch_baselines = {
  windows_baseline = {
    name             = "windows-patch-baseline"
    operating_system = "WINDOWS"
    approval_rule = {
      approve_after_days = 7          # auto-approve 7 days after Microsoft releases a patch
      compliance_level   = "CRITICAL" # missing patches from this rule are reported as CRITICAL non-compliance
      patch_filter = {
        product        = ["WindowsServer2022"]
        classification = ["CriticalUpdates","SecurityUpdates","Updates"]
      }
    }
  }
  rhel_baseline = {
    name             = "rhel-patch-baseline"
    operating_system = "REDHAT_ENTERPRISE_LINUX"
    approval_rule = {
      approve_after_days = 7
      compliance_level   = "CRITICAL"
      patch_filter = {
        product        = ["RedhatEnterpriseLinux9.3"]
        classification = ["Security","Bugfix","Enhancement","Recommended"]
        # RHEL severity values in SSM are Critical, Important, Moderate, Low ("Medium" is the Amazon Linux value)
        severity       = ["Critical","Important","Moderate"]
      }
    }
  }
}

# Keys are the Patch_Group tag values; each group points at exactly one baseline key above.
ssm_patch_groups = {
  epicIREwss = { baseline_id = "windows_baseline" }
  epicIREodb = { baseline_id = "rhel_baseline" }
}

Notes

  • A single baseline can be referenced by multiple group entries when different logical patch cohorts share identical approval logic; the reverse does not hold, because a patch group can be registered with only one baseline per operating system (the map key enforces this).
  • Instance targeting is entirely tag-driven: an instance whose Patch_Group tag is missing, misspelled or differently cased matches no group and silently falls back to the account default baseline, so ensure each map key exactly matches the tag value on the target instances.
  • Use explicit approved_patches only when you must pin specific KBs/packages; rely on the dynamic approval_rule for most cases. When a package must never be installed, list it in rejected_patches and set rejected_patches_action = "BLOCK"; with the default ALLOW_AS_DEPENDENCY it can still be pulled in as a dependency of an approved patch.
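The two checks that bite in practice are a baseline_id that names no baseline key and a Patch_Group tag that does not match any map key. The script below is an added example, not part of the module: it re-validates the data model above in Python before a terraform apply (value lists are taken from the SSM PatchBaseline API and assume the module passes those fields through unchanged), and it compares a constructed EC2 inventory against the group keys to surface untagged, mis-tagged and empty groups. The instance records and the extra epicIREapp group are sample data invented for the demonstration.

```python
"""Pre-apply sanity checks for the ssm_patch_baselines / ssm_patch_groups maps.

Added example, not module code. The dicts mirror the HCL maps on this page;
the EC2 inventory is constructed sample data (in practice fill it from
`aws ec2 describe-instances`).
"""
from __future__ import annotations

# Allowed values from the SSM PatchBaseline API (assumption: the module passes
# these fields through to aws_ssm_patch_baseline unchanged).
VALID_OS = {
    "WINDOWS", "AMAZON_LINUX", "AMAZON_LINUX_2", "AMAZON_LINUX_2023", "UBUNTU",
    "REDHAT_ENTERPRISE_LINUX", "SUSE", "CENTOS", "ORACLE_LINUX", "DEBIAN",
    "MACOS", "RASPBIAN", "ROCKY_LINUX", "ALMA_LINUX",
}
VALID_COMPLIANCE = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNSPECIFIED"}
VALID_REJECTED_ACTION = {"ALLOW_AS_DEPENDENCY", "BLOCK"}
PATCH_GROUP_TAG = "Patch_Group"  # tag key as named on this page


def validate_baselines(baselines: dict) -> list[str]:
    """Return one message per problem found in the ssm_patch_baselines map."""
    problems: list[str] = []
    for key, b in baselines.items():
        os_name = b.get("operating_system")
        if os_name not in VALID_OS:
            problems.append(f"{key}: operating_system {os_name!r} is not a valid SSM value")
        rule = b.get("approval_rule")
        if rule is None and not b.get("approved_patches"):
            problems.append(f"{key}: no approval_rule and no approved_patches; nothing is approved")
        if rule is not None:
            days = rule.get("approve_after_days")
            if days is not None and not 0 <= days <= 360:  # SSM valid range
                problems.append(f"{key}: approve_after_days {days} outside 0..360")
            level = rule.get("compliance_level", "UNSPECIFIED")
            if level not in VALID_COMPLIANCE:
                problems.append(f"{key}: bad approval_rule.compliance_level {level!r}")
        if b.get("approved_patches_compliance_level", "UNSPECIFIED") not in VALID_COMPLIANCE:
            problems.append(f"{key}: bad approved_patches_compliance_level")
        action = b.get("rejected_patches_action")
        if action is not None and action not in VALID_REJECTED_ACTION:
            problems.append(f"{key}: rejected_patches_action must be ALLOW_AS_DEPENDENCY or BLOCK, got {action!r}")
        both = set(b.get("approved_patches", [])) & set(b.get("rejected_patches", []))
        if both:
            problems.append(f"{key}: patches listed as both approved and rejected: {sorted(both)}")
    return problems


def validate_groups(groups: dict, baselines: dict) -> list[str]:
    """Every baseline_id must be a key of ssm_patch_baselines."""
    return [
        f"patch group {name!r}: baseline_id {g.get('baseline_id')!r} is not a key of ssm_patch_baselines"
        for name, g in groups.items()
        if g.get("baseline_id") not in baselines
    ]


def check_tag_coverage(groups: dict, instances: list[dict]) -> dict:
    """Match instance Patch_Group tag values against the map keys, exactly and case-sensitively."""
    members: dict[str, list[str]] = {name: [] for name in groups}
    untagged: list[str] = []
    orphaned: list[tuple[str, str]] = []
    for inst in instances:
        value = inst["tags"].get(PATCH_GROUP_TAG)
        if value is None:
            untagged.append(inst["id"])            # no tag: falls back to the account default baseline
        elif value in members:
            members[value].append(inst["id"])
        else:
            orphaned.append((inst["id"], value))   # tag present but matches no group key (typo / case)
    return {
        "untagged": untagged,
        "orphaned": orphaned,
        "empty_groups": sorted(n for n, ids in members.items() if not ids),
    }


# Mirrors the HCL example above, plus one deliberately dangling group reference.
SSM_PATCH_BASELINES = {
    "windows_baseline": {"operating_system": "WINDOWS",
                         "approval_rule": {"approve_after_days": 7, "compliance_level": "CRITICAL"}},
    "rhel_baseline": {"operating_system": "REDHAT_ENTERPRISE_LINUX",
                      "approval_rule": {"approve_after_days": 7, "compliance_level": "CRITICAL"},
                      "rejected_patches": ["kernel*"], "rejected_patches_action": "BLOCK"},
}
SSM_PATCH_GROUPS = {
    "epicIREwss": {"baseline_id": "windows_baseline"},
    "epicIREodb": {"baseline_id": "rhel_baseline"},
    "epicIREapp": {"baseline_id": "ubuntu_baseline"},  # sample error: no such baseline key
}
# Constructed EC2 inventory (sample data, not real instances).
INSTANCES = [
    {"id": "i-0a1", "tags": {"Patch_Group": "epicIREwss", "Name": "wss-01"}},
    {"id": "i-0a2", "tags": {"Patch_Group": "epicireodb"}},  # wrong case: will not match
    {"id": "i-0a3", "tags": {"Name": "app-01"}},             # tag missing entirely
]

if __name__ == "__main__":
    for msg in validate_baselines(SSM_PATCH_BASELINES) + validate_groups(SSM_PATCH_GROUPS, SSM_PATCH_BASELINES):
        print("CONFIG:", msg)
    print("TAGS:", check_tag_coverage(SSM_PATCH_GROUPS, INSTANCES))
```

Run it against the real maps before apply; a non-empty orphaned or untagged list means those instances will not be patched under the intended baseline, and a dangling baseline_id is caught here rather than as a plan-time lookup error.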