AWS Systems Manager for Ubuntu Server

Hey all,

I wanted to implement automated security patching of my EC2 instances with Ubuntu as OS.
My code actually looks like this:

resource "aws_ssm_patch_baseline" "ubuntu-patchbaseline" {
  name             = "ubuntu-patchbaseline"
  description      = "Patch Baseline for Ubuntu EC2 Instances"
  operating_system = "UBUNTU"
}

resource "aws_ssm_patch_group" "ubuntu-patchgroup" {
  baseline_id = "${aws_ssm_patch_baseline.ubuntu-patchbaseline.id}"
  patch_group = "patch-group-name"
}

resource "aws_ssm_maintenance_window" "ubuntu-maintenancewindow" {
  name     = "ubuntu-maintenance-window-application"
  schedule = "cron(0 0 6 ? * MON-FRI *)"
  duration = 3
  cutoff   = 1
}

The idea is to use these resources to schedule that my EC2 instances get the security updates automatically, but this code doesn't work, and I saw some other examples but unfortunately only with Windows Server as an example. Can anyone help me please?

I am a bit desperate at the moment …

Friendly regards

Hey there,

I think you are missing an aws_ssm_maintenance_window_target with

targets {
  key    = "tag:Patch Group"
  values = ["patch-group-name"]
}


Hello @laradji,

Thanks for your response. Actually my code looks like this:

resource "aws_ssm_maintenance_window" "mw" {
  name     = "ubuntu-maintenance-window-application"
  schedule = "cron(0 37 14 1/1 * ? *)"
  duration = 3
  cutoff   = 1
}

resource "aws_ssm_maintenance_window_target" "target" {
  window_id     = aws_ssm_maintenance_window.mw.id
  name          = "maintenance-window-target"
  resource_type = "INSTANCE"

  targets {
    key    = "tag:Patch Group"
    values = ["Patch"]
  }
}

resource "aws_ssm_maintenance_window_task" "patching" {
  window_id        = aws_ssm_maintenance_window.mw.id
  task_type        = "RUN_COMMAND"
  task_arn         = "AWS-RunPatchBaseline"
  priority         = 1
  service_role_arn = aws_iam_role.ssm_maintenance_window.arn
  max_concurrency  = 3
  max_errors       = 3

  targets {
    key    = "WindowTargetIds"
    values = [aws_ssm_maintenance_window_target.target.id]
  }

  task_parameters {
    name   = "Operation"
    values = ["Install"]
  }
}

I want to use the AWS-UbuntuDefaultPatchBaseline. But I don't find any way to assign this to my resource. Do you or someone else have an idea how I can complete this code?

It seems wrong to me to declare an aws_ssm_patch_baseline block because I think it is only used if I want to filter between approved patches and rejected ones… anyway, I didn't find the patches for Ubuntu, so… Any suggestions?

Friendly regards,


You need to map your EC2 instance to the patch group.

Add the tag Patch Group : patch-group-name to the EC2 instance.

Did you ever figure this out? I am also confused as to how we get from aws_ssm_patch_baseline to specific patch baseline documents, like the AWS-UbuntuDefaultPatchBaseline.
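One way to wire the AWS-managed Ubuntu baseline into the setup discussed in this thread (an added example, not code posted by anyone here): the `aws_ssm_patch_baseline` data source looks up the managed baseline by owner and name prefix, the patch group binds it to a tag value, and the window target selects only instances carrying that tag. It assumes the maintenance window `aws_ssm_maintenance_window.mw` and the IAM role `aws_iam_role.ssm_maintenance_window` from the thread already exist, and that the instances run the SSM agent with an SSM-enabled instance profile.

```hcl
# Added example, not from the thread. Assumes aws_ssm_maintenance_window.mw
# and aws_iam_role.ssm_maintenance_window exist (names taken from the thread),
# and that every target instance carries the tag Patch Group = "ubuntu-prod".

# Look up the AWS-managed Ubuntu baseline instead of declaring a custom one.
data "aws_ssm_patch_baseline" "ubuntu" {
  owner            = "AWS"
  name_prefix      = "AWS-UbuntuDefaultPatchBaseline"
  operating_system = "UBUNTU"
}

# Bind that baseline to a patch group name; the tag value must match exactly.
resource "aws_ssm_patch_group" "ubuntu" {
  baseline_id = data.aws_ssm_patch_baseline.ubuntu.id
  patch_group = "ubuntu-prod"
}

# Select only the instances whose "Patch Group" tag equals the group name,
# otherwise the window has no members and nothing is patched.
resource "aws_ssm_maintenance_window_target" "ubuntu" {
  window_id     = aws_ssm_maintenance_window.mw.id
  resource_type = "INSTANCE"
  targets {
    key    = "tag:Patch Group"
    values = [aws_ssm_patch_group.ubuntu.patch_group]
  }
}

# Run the baseline. Start with Operation = "Scan" to get compliance reports
# before switching to "Install", and limit how much of the fleet patches at once.
resource "aws_ssm_maintenance_window_task" "ubuntu" {
  window_id        = aws_ssm_maintenance_window.mw.id
  task_type        = "RUN_COMMAND"
  task_arn         = "AWS-RunPatchBaseline"
  priority         = 1
  service_role_arn = aws_iam_role.ssm_maintenance_window.arn
  max_concurrency  = "25%" # patch a quarter of the matching instances at a time
  max_errors       = "1"   # stop scheduling new instances after one failure
  targets {
    key    = "WindowTargetIds"
    values = [aws_ssm_maintenance_window_target.ubuntu.id]
  }
  task_invocation_parameters {
    run_command_parameters {
      parameter {
        name   = "Operation"
        values = ["Install"]
      }
    }
  }
}
```

The `task_invocation_parameters` block is the current provider form of the `task_parameters` block used earlier in the thread; patch compliance per instance is then visible under Systems Manager > Patch Manager after the first window run.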