From 3b94ebbc296dd73a484cb8011ab1def1d52406c1 Mon Sep 17 00:00:00 2001
From: Nicholas Kumia
Date: Wed, 23 Mar 2022 15:35:03 -0400
Subject: [PATCH 1/3] new: add code to schedule EC2 patching

It doesn't work yet because the user deploying maintenance schedule needs IAM permissions; but this should bethe basic configuration
---
 .../modules/provision-aws/maintenance.tf | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 terraform/modules/provision-aws/maintenance.tf

diff --git a/terraform/modules/provision-aws/maintenance.tf b/terraform/modules/provision-aws/maintenance.tf
new file mode 100644
index 00000000..0518ca1e
--- /dev/null
+++ b/terraform/modules/provision-aws/maintenance.tf
@@ -0,0 +1,33 @@
+
+resource "aws_ssm_maintenance_window" "window" {
+ name = "maintenance-window-webapp"
+ schedule = "cron(0 16 ? * * *)"
+ duration = 3
+ cutoff = 1
+}
+
+resource "aws_ssm_maintenance_window_task" "patch-vulnerabilities" {
+ name = "${local.cluster_name}-patching"
+ max_concurrency = 2
+ max_errors = 1
+ priority = 1
+ task_arn = "AWS-RunPatchBaseline"
+ task_type = "RUN_COMMAND"
+ window_id = aws_ssm_maintenance_window.window.id
+
+ targets {
+ key = "tag:eks:cluster-name"
+ values = [local.cluster_name]
+ }
+
+ task_invocation_parameters {
+ run_command_parameters {
+ timeout_seconds = 600
+
+ parameter {
+ name = "Operation"
+ values = ["Install"]
+ }
+ }
+ }
+}

From 42d76acfe6e94cdd9e5519365f2fc44a771cbc43 Mon Sep 17 00:00:00 2001
From: Bret Mogilefsky
Date: Thu, 24 Mar 2022 00:31:55 -0700
Subject: [PATCH 2/3] fix: can only use tags for target selection via a maint window target

---
 terraform/modules/provision-aws/maintenance.tf | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/terraform/modules/provision-aws/maintenance.tf b/terraform/modules/provision-aws/maintenance.tf
index 0518ca1e..01fbaceb 100644
--- a/terraform/modules/provision-aws/maintenance.tf
+++ b/terraform/modules/provision-aws/maintenance.tf
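Review bot: The RunPatchBaseline task's `task_invocation_parameters` block passes only `Operation = Install`, so the document's default reboot behaviour applies and, with `max_concurrency = 2`, up to two EKS worker nodes can be rebooted at the same time without being cordoned or drained first. Consider making that choice visible with a second `parameter` block, `name = "RebootOption"` / `values = ["NoReboot"]`, and handling kernel-level fixes through node or AMI rotation, or else add a comment stating that the window deliberately accepts concurrent node reboots. The task also records no command output (`output_s3_bucket_name`/`output_s3_key_prefix` or `cloudwatch_config` inside `run_command_parameters`), so there is no retained evidence of what each run installed or failed on. A header comment noting that the window fires daily at 16:00 UTC (`cron(0 16 ? * * *)` with no `schedule_timezone`) would help operators reason about patch timing.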
@@ -6,6 +6,18 @@ resource "aws_ssm_maintenance_window" "window" {
 cutoff = 1
 }
 
+resource "aws_ssm_maintenance_window_target" "owned-instances" {
+ window_id = aws_ssm_maintenance_window.window.id
+ name = "${local.cluster_name}-instances"
+ description = "The set of EC2 instances owned by ${local.cluster_name}"
+ resource_type = "INSTANCE"
+
+ targets {
+ key = "tag:kubernetes.io/cluster/${local.cluster_name}"
+ values = ["owned"]
+ }
+}
+
 resource "aws_ssm_maintenance_window_task" "patch-vulnerabilities" {
 name = "${local.cluster_name}-patching"
 max_concurrency = 2
@@ -16,8 +28,8 @@ resource "aws_ssm_maintenance_window_task" "patch-vulnerabilities" {
 window_id = aws_ssm_maintenance_window.window.id
 
 targets {
- key = "tag:eks:cluster-name"
- values = [local.cluster_name]
+ key = "WindowTargetIds"
+ values = [aws_ssm_maintenance_window_target.owned-instances.id]
 }
 
 task_invocation_parameters {

From 683253c001b52563030596af2a70140c3df5cdde Mon Sep 17 00:00:00 2001
From: Nicholas Kumia
Date: Thu, 24 Mar 2022 10:40:54 -0400
Subject: [PATCH 3/3] update: eks service definition with maintenance.tf

---
 eks-service-definition.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/eks-service-definition.yml b/eks-service-definition.yml
index 348da6d1..c5737ae7 100644
--- a/eks-service-definition.yml
+++ b/eks-service-definition.yml
@@ -131,6 +131,7 @@ provision:
 variables: terraform/modules/provision-aws/variables.tf
 versions: terraform/modules/provision-aws/versions.tf
 vpc: terraform/modules/provision-aws/vpc.tf
+ maintenance: terraform/modules/provision-aws/maintenance.tf
 
 # Since these modules are being used as a root module in the brokerpak,
 # these files add the necessary provider configuration.
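Review bot: The new `owned-instances` target selects nodes by the `tag:kubernetes.io/cluster/${local.cluster_name}` = `owned` tag, and as far as I can tell a maintenance-window target only resolves instances that are already registered as SSM managed nodes, so a worker whose instance profile lacks the SSM managed-instance permissions or whose agent is not running is silently left out of the set rather than counted against `max_errors` in the `patch-vulnerabilities` task. The window can therefore report a clean run while some nodes stay unpatched; consider adding a comment on the target stating that prerequisite, and pairing the window with a patch-compliance check that compares managed nodes against the cluster's actual instance count. The `WindowTargetIds` change in the second hunk is consistent with this and needs no further change.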