Patch management (#85)

* new: add code to schedule EC2 patching It doesn't work yet because the user deploying maintenance schedule needs IAM permissions; but this should bethe basic configuration * fix: can only use tags for target selection via a maint window target * update: eks service definition with maintenance.tf Co-authored-by: Nicholas Kumia <[email protected]>
GSA-TTS · Mar 24, 2022 · cb233ca · cb233ca
1 parent c49627d
commit cb233ca
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 0 deletions.
diff --git a/eks-service-definition.yml b/eks-service-definition.yml
@@ -131,6 +131,7 @@ provision:
     variables:          terraform/modules/provision-aws/variables.tf
     versions:           terraform/modules/provision-aws/versions.tf
     vpc:                terraform/modules/provision-aws/vpc.tf
+    maintenance:        terraform/modules/provision-aws/maintenance.tf
 
     # Since these modules are being used as a root module in the brokerpak,
     # these files add the necessary provider configuration.

diff --git a/terraform/modules/provision-aws/maintenance.tf b/terraform/modules/provision-aws/maintenance.tf
@@ -0,0 +1,45 @@
+
+resource "aws_ssm_maintenance_window" "window" {
+  name     = "maintenance-window-webapp"
+  schedule = "cron(0 16 ? * * *)"
+  duration = 3
+  cutoff   = 1
+}
+
+resource "aws_ssm_maintenance_window_target" "owned-instances" {
+  window_id     = aws_ssm_maintenance_window.window.id
+  name          = "${local.cluster_name}-instances"
+  description   = "The set of EC2 instances owned by ${local.cluster_name}"
+  resource_type = "INSTANCE"
+
+  targets {
+    key    = "tag:kubernetes.io/cluster/${local.cluster_name}"
+    values = ["owned"]
+  }
+}
+
+resource "aws_ssm_maintenance_window_task" "patch-vulnerabilities" {
+  name            = "${local.cluster_name}-patching"
+  max_concurrency = 2
+  max_errors      = 1
+  priority        = 1
+  task_arn        = "AWS-RunPatchBaseline"
+  task_type       = "RUN_COMMAND"
+  window_id       = aws_ssm_maintenance_window.window.id
+
+  targets {
+    key    = "WindowTargetIds"
+    values = [aws_ssm_maintenance_window_target.owned-instances.id]
+  }
+
+  task_invocation_parameters {
+    run_command_parameters {
+      timeout_seconds      = 600
+
+      parameter {
+        name   = "Operation"
+        values = ["Install"]
+      }
+    }
+  }
+}