Feature Request: Systems Manager Patch Baseline Data Source

[ericwestfall]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

A patch baseline defines which patches are approved for installation on your instances. This data source will provide a mechanism to search for and retrieve details about a patch baseline. Search filters to include OS, Owner and a boolean flag to indicate whether the query should return default patch baselines or not.

New or Affected Resource(s)

• data.aws_ssm_patch_baseline

Potential Terraform Configuration

data "aws_ssm_patch_baseline" "baseline" {
  owner = "aws"
}

References

• Add support for setting default SSM patch baseline #3342

[jfharden]

I had a look at adding this data source and it seems the api for searching for patch baselines (DescribePatchBaselines) isn't so friendly. It only allows searching on NAME_PREFIX and OWNERS, but names of patch baselines are not unique, I think this will mean a similar approach to how ami lookups are done with filtering inside the provider on top of the limited filtering provided by the api.

[jdheyburn]

Did this develop any further @jfharden ? I wanted to take a look at implementing this so looked to see what difficulties you came across.

An additional use case for this would be to retrieve back the default baselines provided by AWS in order to apply them to a patch group, etc.

Edit: Thinking about this more:

• User cannot create a baseline name that starts with "AWS-" or "AWS:"
• However user can create a baseline name that start with "AWS"

Based on what @jfharden said about looking at the data source for AMIs for inspiration, there could be arguments of:

• owners - (Required) List of Baselines owners to limit search. At least 1 value must be specified. Valid values: an AWS account ID, self (the current account), or an AWS owner alias (e.g. amazon).
• name_regex - (Optional) A regex string to apply to the Baseline list returned by AWS.
• filter - (Optional) One or more name/value pairs to filter off of.
  • The fields we could filter on include:
    • DefaultBaseline - bool
    • OperatingSystem - enum:OperatingSystem

While only one of the arguments above is required, one or more other arguments will be required in order to ensure only one Baseline is retrieved. If the filtered list of baselines contains more than one element, then an error is thrown.

Let me know your thoughts, I'm happy to implement this based on feedback.

[bflad]

Support for a new aws_ssm_patch_baseline data source has been merged and will release with version 2.48.0 of the Terraform AWS Provider, later next week. Thanks to @jdheyburn for the implementation. 👍

[ghost]

This has been released in version 2.48.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!