PatchBaseline

Provides an SSM Patch Baseline resource

NOTE on Patch Baselines: The approved_patches and approval_rule are both marked as optional fields, but the Patch Baseline requires that at least one of them is specified.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var production = new Aws.Ssm.PatchBaseline("production", new Aws.Ssm.PatchBaselineArgs
        {
            ApprovedPatches = 
            {
                "KB123456",
            },
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/ssm"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := ssm.NewPatchBaseline(ctx, "production", &ssm.PatchBaselineArgs{
            ApprovedPatches: pulumi.StringArray{
                pulumi.String("KB123456"),
            },
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

production = aws.ssm.PatchBaseline("production", approved_patches=["KB123456"])

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const production = new aws.ssm.PatchBaseline("production", {
    approvedPatches: ["KB123456"],
});

Create a PatchBaseline Resource

new PatchBaseline(name: string, args?: PatchBaselineArgs, opts?: CustomResourceOptions);

def PatchBaseline(resource_name, opts=None, approval_rules=None, approved_patches=None, approved_patches_compliance_level=None, description=None, global_filters=None, name=None, operating_system=None, rejected_patches=None, tags=None, __props__=None);

func NewPatchBaseline(ctx *Context, name string, args *PatchBaselineArgs, opts ...ResourceOption) (*PatchBaseline, error)

public PatchBaseline(string name, PatchBaselineArgs? args = null, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args PatchBaselineArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args PatchBaselineArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args PatchBaselineArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

PatchBaseline Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The PatchBaseline resource accepts the following input properties:

ApprovalRules List<PatchBaselineApprovalRuleArgs>: A set of rules used to include patches in the baseline. up to 10 approval rules can be specified. Each approval_rule block requires the fields documented below.
ApprovedPatches List<string>: A list of explicitly approved patches for the baseline.
ApprovedPatchesComplianceLevel string: Defines the compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED.
Description string: The description of the patch baseline.
GlobalFilters List<PatchBaselineGlobalFilterArgs>: A set of global filters used to exclude patches from the baseline. Up to 4 global filters can be specified using Key/Value pairs. Valid Keys are PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID.
Name string: The name of the patch baseline.
OperatingSystem string: Defines the operating system the patch baseline applies to. Supported operating systems include WINDOWS, AMAZON_LINUX, AMAZON_LINUX_2, SUSE, UBUNTU, CENTOS, and REDHAT_ENTERPRISE_LINUX. The Default value is WINDOWS.
RejectedPatches List<string>: A list of rejected patches.
Tags Dictionary<string, string>: A map of tags to assign to the resource.

ApprovalRules []PatchBaselineApprovalRule: A set of rules used to include patches in the baseline. up to 10 approval rules can be specified. Each approval_rule block requires the fields documented below.
ApprovedPatches []string: A list of explicitly approved patches for the baseline.
ApprovedPatchesComplianceLevel string: Defines the compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED.
Description string: The description of the patch baseline.
GlobalFilters []PatchBaselineGlobalFilter: A set of global filters used to exclude patches from the baseline. Up to 4 global filters can be specified using Key/Value pairs. Valid Keys are PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID.
Name string: The name of the patch baseline.
OperatingSystem string: Defines the operating system the patch baseline applies to. Supported operating systems include WINDOWS, AMAZON_LINUX, AMAZON_LINUX_2, SUSE, UBUNTU, CENTOS, and REDHAT_ENTERPRISE_LINUX. The Default value is WINDOWS.
RejectedPatches []string: A list of rejected patches.
Tags map[string]string: A map of tags to assign to the resource.

approvalRules PatchBaselineApprovalRule[]: A set of rules used to include patches in the baseline. up to 10 approval rules can be specified. Each approval_rule block requires the fields documented below.
approvedPatches string[]: A list of explicitly approved patches for the baseline.
approvedPatchesComplianceLevel string: Defines the compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED.
description string: The description of the patch baseline.
globalFilters PatchBaselineGlobalFilter[]: A set of global filters used to exclude patches from the baseline. Up to 4 global filters can be specified using Key/Value pairs. Valid Keys are PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID.
name string: The name of the patch baseline.
operatingSystem string: Defines the operating system the patch baseline applies to. Supported operating systems include WINDOWS, AMAZON_LINUX, AMAZON_LINUX_2, SUSE, UBUNTU, CENTOS, and REDHAT_ENTERPRISE_LINUX. The Default value is WINDOWS.
rejectedPatches string[]: A list of rejected patches.
tags {[key: string]: string}: A map of tags to assign to the resource.

approval_rules List[PatchBaselineApprovalRule]: A set of rules used to include patches in the baseline. up to 10 approval rules can be specified. Each approval_rule block requires the fields documented below.
approved_patches List[str]: A list of explicitly approved patches for the baseline.
approved_patches_compliance_level str: Defines the compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED.
description str: The description of the patch baseline.
global_filters List[PatchBaselineGlobalFilter]: A set of global filters used to exclude patches from the baseline. Up to 4 global filters can be specified using Key/Value pairs. Valid Keys are PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID.
name str: The name of the patch baseline.
operating_system str: Defines the operating system the patch baseline applies to. Supported operating systems include WINDOWS, AMAZON_LINUX, AMAZON_LINUX_2, SUSE, UBUNTU, CENTOS, and REDHAT_ENTERPRISE_LINUX. The Default value is WINDOWS.
rejected_patches List[str]: A list of rejected patches.
tags Dict[str, str]: A map of tags to assign to the resource.

Outputs

All input properties are implicitly available as output properties. Additionally, the PatchBaseline resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

Look up an Existing PatchBaseline Resource

Get an existing PatchBaseline resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: PatchBaselineState, opts?: CustomResourceOptions): PatchBaseline

static get(resource_name, id, opts=None, approval_rules=None, approved_patches=None, approved_patches_compliance_level=None, description=None, global_filters=None, name=None, operating_system=None, rejected_patches=None, tags=None, __props__=None);

func GetPatchBaseline(ctx *Context, name string, id IDInput, state *PatchBaselineState, opts ...ResourceOption) (*PatchBaseline, error)

public static PatchBaseline Get(string name, Input<string> id, PatchBaselineState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

ApprovalRules List<PatchBaselineApprovalRuleArgs>: A set of rules used to include patches in the baseline. up to 10 approval rules can be specified. Each approval_rule block requires the fields documented below.
ApprovedPatches List<string>: A list of explicitly approved patches for the baseline.
ApprovedPatchesComplianceLevel string: Defines the compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED.
Description string: The description of the patch baseline.
GlobalFilters List<PatchBaselineGlobalFilterArgs>: A set of global filters used to exclude patches from the baseline. Up to 4 global filters can be specified using Key/Value pairs. Valid Keys are PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID.
Name string: The name of the patch baseline.
OperatingSystem string: Defines the operating system the patch baseline applies to. Supported operating systems include WINDOWS, AMAZON_LINUX, AMAZON_LINUX_2, SUSE, UBUNTU, CENTOS, and REDHAT_ENTERPRISE_LINUX. The Default value is WINDOWS.
RejectedPatches List<string>: A list of rejected patches.
Tags Dictionary<string, string>: A map of tags to assign to the resource.

ApprovalRules []PatchBaselineApprovalRule: A set of rules used to include patches in the baseline. up to 10 approval rules can be specified. Each approval_rule block requires the fields documented below.
ApprovedPatches []string: A list of explicitly approved patches for the baseline.
ApprovedPatchesComplianceLevel string: Defines the compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED.
Description string: The description of the patch baseline.
GlobalFilters []PatchBaselineGlobalFilter: A set of global filters used to exclude patches from the baseline. Up to 4 global filters can be specified using Key/Value pairs. Valid Keys are PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID.
Name string: The name of the patch baseline.
OperatingSystem string: Defines the operating system the patch baseline applies to. Supported operating systems include WINDOWS, AMAZON_LINUX, AMAZON_LINUX_2, SUSE, UBUNTU, CENTOS, and REDHAT_ENTERPRISE_LINUX. The Default value is WINDOWS.
RejectedPatches []string: A list of rejected patches.
Tags map[string]string: A map of tags to assign to the resource.

approvalRules PatchBaselineApprovalRule[]: A set of rules used to include patches in the baseline. up to 10 approval rules can be specified. Each approval_rule block requires the fields documented below.
approvedPatches string[]: A list of explicitly approved patches for the baseline.
approvedPatchesComplianceLevel string: Defines the compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED.
description string: The description of the patch baseline.
globalFilters PatchBaselineGlobalFilter[]: A set of global filters used to exclude patches from the baseline. Up to 4 global filters can be specified using Key/Value pairs. Valid Keys are PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID.
name string: The name of the patch baseline.
operatingSystem string: Defines the operating system the patch baseline applies to. Supported operating systems include WINDOWS, AMAZON_LINUX, AMAZON_LINUX_2, SUSE, UBUNTU, CENTOS, and REDHAT_ENTERPRISE_LINUX. The Default value is WINDOWS.
rejectedPatches string[]: A list of rejected patches.
tags {[key: string]: string}: A map of tags to assign to the resource.

approval_rules List[PatchBaselineApprovalRule]: A set of rules used to include patches in the baseline. up to 10 approval rules can be specified. Each approval_rule block requires the fields documented below.
approved_patches List[str]: A list of explicitly approved patches for the baseline.
approved_patches_compliance_level str: Defines the compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED.
description str: The description of the patch baseline.
global_filters List[PatchBaselineGlobalFilter]: A set of global filters used to exclude patches from the baseline. Up to 4 global filters can be specified using Key/Value pairs. Valid Keys are PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID.
name str: The name of the patch baseline.
operating_system str: Defines the operating system the patch baseline applies to. Supported operating systems include WINDOWS, AMAZON_LINUX, AMAZON_LINUX_2, SUSE, UBUNTU, CENTOS, and REDHAT_ENTERPRISE_LINUX. The Default value is WINDOWS.
rejected_patches List[str]: A list of rejected patches.
tags Dict[str, str]: A map of tags to assign to the resource.

Supporting Types

PatchBaselineApprovalRule

See the input and output API doc for this type.

ApproveAfterDays int: The number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. Valid Range: 0 to 100.
PatchFilters List<PatchBaselineApprovalRulePatchFilterArgs>: The patch filter group that defines the criteria for the rule. Up to 5 patch filters can be specified per approval rule using Key/Value pairs. Valid Keys are PATCH_SET | PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID.
ComplianceLevel string: Defines the compliance level for patches approved by this rule. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED.
EnableNonSecurity bool: Boolean enabling the application of non-security updates. The default value is ‘false’. Valid for Linux instances only.

ApproveAfterDays int: The number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. Valid Range: 0 to 100.
PatchFilters []PatchBaselineApprovalRulePatchFilter: The patch filter group that defines the criteria for the rule. Up to 5 patch filters can be specified per approval rule using Key/Value pairs. Valid Keys are PATCH_SET | PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID.
ComplianceLevel string: Defines the compliance level for patches approved by this rule. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED.
EnableNonSecurity bool: Boolean enabling the application of non-security updates. The default value is ‘false’. Valid for Linux instances only.

approveAfterDays number: The number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. Valid Range: 0 to 100.
patchFilters PatchBaselineApprovalRulePatchFilter[]: The patch filter group that defines the criteria for the rule. Up to 5 patch filters can be specified per approval rule using Key/Value pairs. Valid Keys are PATCH_SET | PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID.
complianceLevel string: Defines the compliance level for patches approved by this rule. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED.
enableNonSecurity boolean: Boolean enabling the application of non-security updates. The default value is ‘false’. Valid for Linux instances only.

approveAfterDays float: The number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. Valid Range: 0 to 100.
patchFilters List[PatchBaselineApprovalRulePatchFilter]: The patch filter group that defines the criteria for the rule. Up to 5 patch filters can be specified per approval rule using Key/Value pairs. Valid Keys are PATCH_SET | PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID.
complianceLevel str: Defines the compliance level for patches approved by this rule. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED.
enableNonSecurity bool: Boolean enabling the application of non-security updates. The default value is ‘false’. Valid for Linux instances only.