initial commit

README.md

@@ -0,0 +1,16 @@
+# tf-module-aws-patching
+
+Simple scanning and patching for EC2 instances using AWS System Manager
+
+## Change Log
+
+### 0.1.0
+- Initial release
+
+## Using the Module
+
+```
+module "scanning_patching" {
+  source      = "[email protected]:CU-CommunityApps/tf-module-aws-patching.git?ref=v0.1.0"
+}
+```

main.tf

@@ -0,0 +1,157 @@
+data "aws_iam_role" "ssm_service_role" {
+  name = "AWSServiceRoleForAmazonSSM"
+}
+
+###############################################################################
+# PATCHING
+###############################################################################
+
+resource "aws_ssm_maintenance_window" "patching" {
+  name        = "patching"
+  description = "patching window"
+
+  schedule          = var.patching_cron
+  schedule_timezone = var.maintenance_window_timezone
+
+  duration = var.maintenance_window_duration
+  cutoff   = var.maintenance_window_cutoff
+  enabled  = var.patching_enabled
+
+  allow_unassociated_targets = true
+}
+
+resource "aws_ssm_maintenance_window_target" "patching" {
+  window_id     = aws_ssm_maintenance_window.patching.id
+  name          = "ssm-patching-target"
+  description   = "Targets for SSM patching"
+  resource_type = "INSTANCE"
+
+  targets {
+    key    = "tag:${var.patching_target_group_tag_key}"
+    values = var.patching_target_group_tag_values
+  }
+}
+
+resource "aws_cloudwatch_log_group" "patching" {
+  count = var.patching_log_group_create ? 1 : 0
+
+  name = var.patching_log_group_name
+
+  retention_in_days = var.patching_log_retention_days
+}
+
+resource "aws_ssm_maintenance_window_task" "patching" {
+  window_id        = aws_ssm_maintenance_window.patching.id
+  name             = "patching"
+  description      = "patching"
+  max_concurrency  = 999
+  max_errors       = 999
+  priority         = 1
+  task_arn         = "AWS-RunPatchBaseline"
+  task_type        = "RUN_COMMAND"
+  service_role_arn = data.aws_iam_role.ssm_service_role.arn
+
+  targets {
+    key    = "WindowTargetIds"
+    values = [aws_ssm_maintenance_window_target.patching.id]
+  }
+
+  task_invocation_parameters {
+    run_command_parameters {
+      document_version = "$LATEST"
+
+      parameter {
+        name   = "Operation"
+        values = ["Install"]
+      }
+
+      parameter {
+        name   = "RebootOption"
+        values = [
+            var.patching_allow_reboot ? "RebootIfNeeded" : "NoReboot"
+        ]
+      }
+
+      cloudwatch_config {
+        cloudwatch_log_group_name = var.patching_log_group_name
+        cloudwatch_output_enabled = true
+      }
+    }
+  }
+}
+
+###############################################################################
+# SCANNING
+###############################################################################
+
+resource "aws_ssm_maintenance_window" "scanning" {
+  name        = "scanning"
+  description = "scanning window"
+
+  schedule          = var.scanning_cron
+  schedule_timezone = var.maintenance_window_timezone
+
+  duration = var.maintenance_window_duration
+  cutoff   = var.maintenance_window_cutoff
+  enabled  = var.patching_enabled
+
+  allow_unassociated_targets = true
+}
+
+resource "aws_ssm_maintenance_window_target" "scanning" {
+  window_id     = aws_ssm_maintenance_window.scanning.id
+  name          = "ssm-scanning-target"
+  description   = "Targets for SSM scanning"
+  resource_type = "INSTANCE"
+
+  targets {
+    key    = "tag:${var.scanning_target_group_tag_key}"
+    values = var.scanning_target_group_tag_values
+  }
+}
+
+resource "aws_cloudwatch_log_group" "scanning" {
+  count = var.scanning_log_group_create ? 1 : 0
+
+  name = var.scanning_log_group_name
+
+  retention_in_days = var.scanning_log_retention_days
+}
+
+resource "aws_ssm_maintenance_window_task" "scanning" {
+  window_id        = aws_ssm_maintenance_window.scanning.id
+  name             = "scanning"
+  description      = "scanning"
+  max_concurrency  = 999
+  max_errors       = 999
+  priority         = 1
+  task_arn         = "AWS-RunPatchBaseline"
+  task_type        = "RUN_COMMAND"
+  service_role_arn = data.aws_iam_role.ssm_service_role.arn
+
+  targets {
+    key    = "WindowTargetIds"
+    values = [aws_ssm_maintenance_window_target.scanning.id]
+  }
+
+  task_invocation_parameters {
+    run_command_parameters {
+      document_version = "$LATEST"
+
+      parameter {
+        name   = "Operation"
+        values = ["Scan"]
+      }
+
+      parameter {
+        name   = "RebootOption"
+        values = ["NoReboot"]
+      }
+
+      cloudwatch_config {
+        cloudwatch_log_group_name = var.scanning_log_group_name
+        cloudwatch_output_enabled = true
+      }
+    }
+  }
+}

vars.tf

@@ -0,0 +1,73 @@
+variable "patching_cron" {
+  default = "cron(0 7 ? * TUE *)"
+}
+
+variable "patching_enabled" {
+  default = true
+}
+
+variable "patching_log_group_create" {
+  default = true
+}
+
+variable "patching_log_group_name" {
+  default = "/ssm/patching"
+}
+
+variable "patching_log_retention_days" {
+  default = 90
+}
+
+variable "patching_allow_reboot" {
+  default = true
+}
+
+variable "patching_target_group_tag_key" {
+  default = "Patch Group"
+}
+
+variable "patching_target_group_tag_values" {
+  type    = list(string)
+  default = ["default"]
+}
+
+variable "scanning_cron" {
+  default = "cron(0 8 ? * * *)"
+}
+
+variable "scanning_enabled" {
+  default = true
+}
+
+variable "scanning_target_group_tag_key" {
+  default = "Patch Group"
+}
+
+variable "scanning_target_group_tag_values" {
+  type    = list(string)
+  default = ["default"]
+}
+
+variable "scanning_log_group_create" {
+  default = true
+}
+
+variable "scanning_log_group_name" {
+  default = "/ssm/scanning"
+}
+
+variable "scanning_log_retention_days" {
+  default = 60
+}
+
+variable "maintenance_window_timezone" {
+  default = "America/New_York"
+}
+
+variable "maintenance_window_duration" {
+  default = 2
+}
+
+variable "maintenance_window_cutoff" {
+  default = 1
+}

versions.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}