diff --git a/eks-service-definition.yml b/eks-service-definition.yml
index 348da6d1..c5737ae7 100644
--- a/eks-service-definition.yml
+++ b/eks-service-definition.yml
@@ -131,6 +131,7 @@ provision:
     variables: terraform/modules/provision-aws/variables.tf
     versions: terraform/modules/provision-aws/versions.tf
     vpc: terraform/modules/provision-aws/vpc.tf
+    maintenance: terraform/modules/provision-aws/maintenance.tf
 
   # Since these modules are being used as a root module in the brokerpak,
   # these files add the necessary provider configuration.
diff --git a/terraform/modules/provision-aws/maintenance.tf b/terraform/modules/provision-aws/maintenance.tf
new file mode 100644
index 00000000..01fbaceb
--- /dev/null
+++ b/terraform/modules/provision-aws/maintenance.tf
@@ -0,0 +1,45 @@
+
+resource "aws_ssm_maintenance_window" "window" {
+  name     = "maintenance-window-webapp"
+  schedule = "cron(0 16 ? * * *)"
+  duration = 3
+  cutoff   = 1
+}
+
+resource "aws_ssm_maintenance_window_target" "owned-instances" {
+  window_id     = aws_ssm_maintenance_window.window.id
+  name          = "${local.cluster_name}-instances"
+  description   = "The set of EC2 instances owned by ${local.cluster_name}"
+  resource_type = "INSTANCE"
+
+  targets {
+    key    = "tag:kubernetes.io/cluster/${local.cluster_name}"
+    values = ["owned"]
+  }
+}
+
+resource "aws_ssm_maintenance_window_task" "patch-vulnerabilities" {
+  name            = "${local.cluster_name}-patching"
+  max_concurrency = 2
+  max_errors      = 1
+  priority        = 1
+  task_arn        = "AWS-RunPatchBaseline"
+  task_type       = "RUN_COMMAND"
+  window_id       = aws_ssm_maintenance_window.window.id
+
+  targets {
+    key    = "WindowTargetIds"
+    values = [aws_ssm_maintenance_window_target.owned-instances.id]
+  }
+
+  task_invocation_parameters {
+    run_command_parameters {
+      timeout_seconds = 600
+
+      parameter {
+        name   = "Operation"
+        values = ["Install"]
+      }
+    }
+  }
+}
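Review bot: The new `maintenance:` entry is appended after `vpc:` although the surrounding template refs (`variables`, `versions`, `vpc`) are kept in alphabetical order, so the list stops being sorted at exactly the line that was added. Placing `maintenance: terraform/modules/provision-aws/maintenance.tf` before the `variables:` line keeps the block consistent and makes the new root-module file easy to find in review. The rest of the `provision:` mapping lies outside the hunk.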
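Review bot: The `patch-vulnerabilities` task runs `AWS-RunPatchBaseline` with `Operation = Install` but sets no `RebootOption` parameter, so the document's default reboot behaviour applies and, with `max_concurrency = 2` and a target of every instance tagged `kubernetes.io/cluster/<cluster> = owned`, two worker nodes of the same cluster can be rebooted in one window without any cordon or drain happening first; whether that is acceptable for the clusters this module provisions is not visible here. Make the choice explicit by adding a `RebootOption` parameter (`NoReboot`, with reboots handled by node replacement, or `RebootIfNeeded` together with `max_concurrency = 1`) and a comment saying why. The window name `maintenance-window-webapp` is the only value in the file not derived from `local.cluster_name`, so every cluster provisioned by this module gets an identically named window; `name = "${local.cluster_name}-maintenance-window"` would match the other two resources. `schedule = "cron(0 16 ? * * *)"` is evaluated in UTC because no `schedule_timezone` is set, which deserves a one-line comment, and nothing in `run_command_parameters` retains command output (`output_s3_bucket_name` or `cloudwatch_config`), so patch results cannot be audited later beyond what SSM keeps by default.
```hcl
      parameter {
        name   = "Operation"
        values = ["Install"]
      }

      # Explicit so the document default is not applied to live nodes;
      # reboots are left to node replacement rather than done in place.
      parameter {
        name   = "RebootOption"
        values = ["NoReboot"]
      }
```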