patch_baselines
Creates, updates, deletes or gets a patch_baseline resource or lists patch_baselines in a region
Overview
| Name | patch_baselines |
|---|---|
| Type | Resource |
| Description | Resource Type definition for AWS::SSM::PatchBaseline |
| Id | awscc.ssm.patch_baselines |
Fields

get (all properties):

| Name | Datatype | Description |
|---|---|---|
| id | string | The ID of the patch baseline. |
| default_baseline | boolean | Sets this baseline as the default baseline. Only registering to the default patch baseline is allowed. |
| operating_system | string | Defines the operating system the patch baseline applies to. The default value is WINDOWS. |
| description | string | The description of the patch baseline. |
| approval_rules | object | A set of rules defining the approval rules for a patch baseline. |
| sources | array | Information about the patches to use to update the instances, including target operating systems and source repository. Applies to Linux instances only. |
| name | string | The name of the patch baseline. |
| rejected_patches | array | A list of explicitly rejected patches for the baseline. |
| approved_patches | array | A list of explicitly approved patches for the baseline. |
| rejected_patches_action | string | The action for Patch Manager to take on patches included in the RejectedPackages list. |
| patch_groups | array | PatchGroups is used to associate instances with a specific patch baseline. |
| approved_patches_compliance_level | string | Defines the compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. The default value is UNSPECIFIED. |
| approved_patches_enable_non_security | boolean | Indicates whether the list of approved patches includes non-security updates that should be applied to the instances. The default value is 'false'. Applies to Linux instances only. |
| global_filters | object | A set of global filters used to include patches in the baseline. |
| available_security_updates_compliance_status | string | The compliance status for vendor-recommended security updates that are not approved by this patch baseline. |
| tags | array | Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways. |
| region | string | AWS region. |

list (identifiers only):

| Name | Datatype | Description |
|---|---|---|
| id | string | The ID of the patch baseline. |
| region | string | AWS region. |
For more information, see AWS::SSM::PatchBaseline.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
| create_resource | patch_baselines | INSERT | Name, region |
| delete_resource | patch_baselines | DELETE | Identifier, region |
| update_resource | patch_baselines | UPDATE | Identifier, PatchDocument, region |
| list_resources | patch_baselines_list_only | SELECT | region |
| get_resource | patch_baselines | SELECT | Identifier, region |
SELECT examples

get (all properties): gets all properties from an individual patch_baseline.

```sql
SELECT
region,
id,
default_baseline,
operating_system,
description,
approval_rules,
sources,
name,
rejected_patches,
approved_patches,
rejected_patches_action,
patch_groups,
approved_patches_compliance_level,
approved_patches_enable_non_security,
global_filters,
available_security_updates_compliance_status,
tags
FROM awscc.ssm.patch_baselines
WHERE
region = 'us-east-1' AND
Identifier = '{{ id }}';
```

list (identifiers only): lists all patch_baselines in a region.

```sql
SELECT
region,
id
FROM awscc.ssm.patch_baselines_list_only
WHERE
region = 'us-east-1';
```
INSERT example

Use the following StackQL query and manifest file to create a new patch_baseline resource, using stack-deploy.

Required Properties:

```sql
/*+ create */
INSERT INTO awscc.ssm.patch_baselines (
Name,
region
)
SELECT
'{{ name }}',
'{{ region }}';
```

All Properties:

```sql
/*+ create */
INSERT INTO awscc.ssm.patch_baselines (
DefaultBaseline,
OperatingSystem,
Description,
ApprovalRules,
Sources,
Name,
RejectedPatches,
ApprovedPatches,
RejectedPatchesAction,
PatchGroups,
ApprovedPatchesComplianceLevel,
ApprovedPatchesEnableNonSecurity,
GlobalFilters,
AvailableSecurityUpdatesComplianceStatus,
Tags,
region
)
SELECT
'{{ default_baseline }}',
'{{ operating_system }}',
'{{ description }}',
'{{ approval_rules }}',
'{{ sources }}',
'{{ name }}',
'{{ rejected_patches }}',
'{{ approved_patches }}',
'{{ rejected_patches_action }}',
'{{ patch_groups }}',
'{{ approved_patches_compliance_level }}',
'{{ approved_patches_enable_non_security }}',
'{{ global_filters }}',
'{{ available_security_updates_compliance_status }}',
'{{ tags }}',
'{{ region }}';
```

Manifest:

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: patch_baseline
    props:
      - name: default_baseline
        value: '{{ default_baseline }}'
      - name: operating_system
        value: '{{ operating_system }}'
      - name: description
        value: '{{ description }}'
      - name: approval_rules
        value:
          patch_rules:
            - approve_until_date: '{{ approve_until_date }}'
              enable_non_security: '{{ enable_non_security }}'
              patch_filter_group:
                patch_filters:
                  - values:
                      - '{{ values[0] }}'
                    key: '{{ key }}'
              approve_after_days: '{{ approve_after_days }}'
              compliance_level: '{{ compliance_level }}'
      - name: sources
        value:
          - products:
              - '{{ products[0] }}'
            configuration: '{{ configuration }}'
            name: '{{ name }}'
      - name: name
        value: '{{ name }}'
      - name: rejected_patches
        value:
          - '{{ rejected_patches[0] }}'
      - name: approved_patches
        value:
          - '{{ approved_patches[0] }}'
      - name: rejected_patches_action
        value: '{{ rejected_patches_action }}'
      - name: patch_groups
        value:
          - '{{ patch_groups[0] }}'
      - name: approved_patches_compliance_level
        value: '{{ approved_patches_compliance_level }}'
      - name: approved_patches_enable_non_security
        value: '{{ approved_patches_enable_non_security }}'
      - name: global_filters
        value: null
      - name: available_security_updates_compliance_status
        value: '{{ available_security_updates_compliance_status }}'
      - name: tags
        value:
          - key: '{{ key }}'
            value: '{{ value }}'
```
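As an added example (not part of the original page), the following StackQL INSERT fills the template above with concrete values: an Amazon Linux 2 baseline that auto-approves Critical and Important security patches seven days after release, reports a missing approved patch as a CRITICAL compliance violation, and blocks any explicitly rejected package instead of installing it as a dependency. Nested objects such as ApprovalRules are passed as JSON strings; the baseline name, the rejected package pattern, the patch group and the tag values are constructed placeholders.

```sql
/*+ create */
INSERT INTO awscc.ssm.patch_baselines (
  Name,
  Description,
  OperatingSystem,
  ApprovalRules,
  ApprovedPatchesComplianceLevel,
  ApprovedPatchesEnableNonSecurity,
  RejectedPatches,
  RejectedPatchesAction,
  PatchGroups,
  Tags,
  region
)
SELECT
  'al2-security-baseline',                        -- constructed name
  'Auto-approve Critical/Important security patches after 7 days',
  'AMAZON_LINUX_2',
  -- ApprovalRules as a JSON string: one rule, two patch filters
  '{"PatchRules": [{
      "PatchFilterGroup": {"PatchFilters": [
        {"Key": "CLASSIFICATION", "Values": ["Security"]},
        {"Key": "SEVERITY", "Values": ["Critical", "Important"]}
      ]},
      "ApproveAfterDays": 7,
      "ComplianceLevel": "CRITICAL",
      "EnableNonSecurity": false
  }]}',
  'CRITICAL',                                     -- missing approved patch = CRITICAL non-compliance
  'false',                                        -- security updates only
  '["kernel-debug*"]',                            -- constructed rejected package pattern
  'BLOCK',                                        -- never install a rejected package, even as a dependency
  '["prod-web"]',                                 -- constructed patch group to register
  '[{"Key": "owner", "Value": "platform-security"}]',
  'us-east-1';
```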
UPDATE example

Use the following StackQL query and manifest file to update a patch_baseline resource, using stack-deploy.

```sql
/*+ update */
UPDATE awscc.ssm.patch_baselines
SET PatchDocument = string('{{ {
"DefaultBaseline": default_baseline,
"Description": description,
"ApprovalRules": approval_rules,
"Sources": sources,
"Name": name,
"RejectedPatches": rejected_patches,
"ApprovedPatches": approved_patches,
"RejectedPatchesAction": rejected_patches_action,
"PatchGroups": patch_groups,
"ApprovedPatchesComplianceLevel": approved_patches_compliance_level,
"ApprovedPatchesEnableNonSecurity": approved_patches_enable_non_security,
"GlobalFilters": global_filters,
"AvailableSecurityUpdatesComplianceStatus": available_security_updates_compliance_status,
"Tags": tags
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ id }}';
```
DELETE example

```sql
/*+ delete */
DELETE FROM awscc.ssm.patch_baselines
WHERE
Identifier = '{{ id }}' AND
region = 'us-east-1';
```
Permissions

To operate on the patch_baselines resource, the following permissions are required:

- Create: ssm:CreatePatchBaseline, ssm:RegisterPatchBaselineForPatchGroup, ssm:AddTagsToResource, ssm:RemoveTagsFromResource, ssm:ListTagsForResource, ssm:GetDefaultPatchBaseline, ssm:RegisterDefaultPatchBaseline
- Delete: ssm:DeletePatchBaseline, ssm:GetPatchBaseline, ssm:DeregisterPatchBaselineForPatchGroup
- List: ssm:DescribePatchBaselines, ssm:GetDefaultPatchBaseline, ssm:GetPatchBaseline, ssm:ListTagsForResource
- Read: ssm:GetDefaultPatchBaseline, ssm:GetPatchBaseline, ssm:ListTagsForResource
- Update: ssm:UpdatePatchBaseline, ssm:DeregisterPatchBaselineForPatchGroup, ssm:AddTagsToResource, ssm:RemoveTagsFromResource, ssm:ListTagsForResource, ssm:GetDefaultPatchBaseline, ssm:RegisterDefaultPatchBaseline