Package com.pulumi.aws.ssm

Class PatchBaseline

  • public class PatchBaseline
extends com.pulumi.resources.CustomResource
    Provides an SSM Patch Baseline resource. > **NOTE on Patch Baselines:** The `approved_patches` and `approval_rule` are both marked as optional fields, but the Patch Baseline requires that at least one of them is specified. ## Example Usage ### Basic Usage Using `approved_patches` only. <!--Start PulumiCodeChooser --> 
     
 package generated_program;
 
 import com.pulumi.Context;
 import com.pulumi.Pulumi;
 import com.pulumi.core.Output;
 import com.pulumi.aws.ssm.PatchBaseline;
 import com.pulumi.aws.ssm.PatchBaselineArgs;
 import java.util.List;
 import java.util.ArrayList;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 
 public class App {
     public static void main(String[] args) {
         Pulumi.run(App::stack);
     }
 
     public static void stack(Context ctx) {
         var production = new PatchBaseline("production", PatchBaselineArgs.builder()        
             .name("patch-baseline")
             .approvedPatches("KB123456")
             .build());
 
     }
 }
    <!--End PulumiCodeChooser --> ### Advanced Usage, specifying patch filters <!--Start PulumiCodeChooser --> 
     
 package generated_program;
 
 import com.pulumi.Context;
 import com.pulumi.Pulumi;
 import com.pulumi.core.Output;
 import com.pulumi.aws.ssm.PatchBaseline;
 import com.pulumi.aws.ssm.PatchBaselineArgs;
 import com.pulumi.aws.ssm.inputs.PatchBaselineGlobalFilterArgs;
 import com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRuleArgs;
 import java.util.List;
 import java.util.ArrayList;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 
 public class App {
     public static void main(String[] args) {
         Pulumi.run(App::stack);
     }
 
     public static void stack(Context ctx) {
         var production = new PatchBaseline("production", PatchBaselineArgs.builder()        
             .name("patch-baseline")
             .description("Patch Baseline Description")
             .approvedPatches(            
                 "KB123456",
                 "KB456789")
             .rejectedPatches("KB987654")
             .globalFilters(            
                 PatchBaselineGlobalFilterArgs.builder()
                     .key("PRODUCT")
                     .values("WindowsServer2008")
                     .build(),
                 PatchBaselineGlobalFilterArgs.builder()
                     .key("CLASSIFICATION")
                     .values("ServicePacks")
                     .build(),
                 PatchBaselineGlobalFilterArgs.builder()
                     .key("MSRC_SEVERITY")
                     .values("Low")
                     .build())
             .approvalRules(            
                 PatchBaselineApprovalRuleArgs.builder()
                     .approveAfterDays(7)
                     .complianceLevel("HIGH")
                     .patchFilters(                    
                         PatchBaselineApprovalRulePatchFilterArgs.builder()
                             .key("PRODUCT")
                             .values("WindowsServer2016")
                             .build(),
                         PatchBaselineApprovalRulePatchFilterArgs.builder()
                             .key("CLASSIFICATION")
                             .values(                            
                                 "CriticalUpdates",
                                 "SecurityUpdates",
                                 "Updates")
                             .build(),
                         PatchBaselineApprovalRulePatchFilterArgs.builder()
                             .key("MSRC_SEVERITY")
                             .values(                            
                                 "Critical",
                                 "Important",
                                 "Moderate")
                             .build())
                     .build(),
                 PatchBaselineApprovalRuleArgs.builder()
                     .approveAfterDays(7)
                     .patchFilters(PatchBaselineApprovalRulePatchFilterArgs.builder()
                         .key("PRODUCT")
                         .values("WindowsServer2012")
                         .build())
                     .build())
             .build());
 
     }
 }
    <!--End PulumiCodeChooser --> ### Advanced usage, specifying Microsoft application and Windows patch rules <!--Start PulumiCodeChooser --> 
     
 package generated_program;
 
 import com.pulumi.Context;
 import com.pulumi.Pulumi;
 import com.pulumi.core.Output;
 import com.pulumi.aws.ssm.PatchBaseline;
 import com.pulumi.aws.ssm.PatchBaselineArgs;
 import com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRuleArgs;
 import java.util.List;
 import java.util.ArrayList;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 
 public class App {
     public static void main(String[] args) {
         Pulumi.run(App::stack);
     }
 
     public static void stack(Context ctx) {
         var windowsOsApps = new PatchBaseline("windowsOsApps", PatchBaselineArgs.builder()        
             .name("WindowsOSAndMicrosoftApps")
             .description("Patch both Windows and Microsoft apps")
             .operatingSystem("WINDOWS")
             .approvalRules(            
                 PatchBaselineApprovalRuleArgs.builder()
                     .approveAfterDays(7)
                     .patchFilters(                    
                         PatchBaselineApprovalRulePatchFilterArgs.builder()
                             .key("CLASSIFICATION")
                             .values(                            
                                 "CriticalUpdates",
                                 "SecurityUpdates")
                             .build(),
                         PatchBaselineApprovalRulePatchFilterArgs.builder()
                             .key("MSRC_SEVERITY")
                             .values(                            
                                 "Critical",
                                 "Important")
                             .build())
                     .build(),
                 PatchBaselineApprovalRuleArgs.builder()
                     .approveAfterDays(7)
                     .patchFilters(                    
                         PatchBaselineApprovalRulePatchFilterArgs.builder()
                             .key("PATCH_SET")
                             .values("APPLICATION")
                             .build(),
                         PatchBaselineApprovalRulePatchFilterArgs.builder()
                             .key("PRODUCT")
                             .values(                            
                                 "Office 2013",
                                 "Office 2016")
                             .build())
                     .build())
             .build());
 
     }
 }
    <!--End PulumiCodeChooser --> ### Advanced usage, specifying alternate patch source repository <!--Start PulumiCodeChooser --> 
     
 package generated_program;
 
 import com.pulumi.Context;
 import com.pulumi.Pulumi;
 import com.pulumi.core.Output;
 import com.pulumi.aws.ssm.PatchBaseline;
 import com.pulumi.aws.ssm.PatchBaselineArgs;
 import com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRuleArgs;
 import com.pulumi.aws.ssm.inputs.PatchBaselineSourceArgs;
 import java.util.List;
 import java.util.ArrayList;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 
 public class App {
     public static void main(String[] args) {
         Pulumi.run(App::stack);
     }
 
     public static void stack(Context ctx) {
         var al201709 = new PatchBaseline("al201709", PatchBaselineArgs.builder()        
             .approvalRules()
             .name("Amazon-Linux-2017.09")
             .description("My patch repository for Amazon Linux 2017.09")
             .operatingSystem("AMAZON_LINUX")
             .sources(PatchBaselineSourceArgs.builder()
                 .name("My-AL2017.09")
                 .products("AmazonLinux2017.09")
                 .configuration("""
 [amzn-main]
 name=amzn-main-Base
 mirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list
 mirrorlist_expire=300
 metadata_expire=300
 priority=10
 failovermethod=priority
 fastestmirror_enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga
 enabled=1
 retries=3
 timeout=5
 report_instanceid=yes
                 """)
                 .build())
             .build());
 
     }
 }
    <!--End PulumiCodeChooser --> ## Import Using `pulumi import`, import SSM Patch Baselines using their baseline ID. For example: ```sh $ pulumi import aws:ssm/patchBaseline:PatchBaseline example pb-12345678 ```

    • Nested Class Summary

      • Nested classes/interfaces inherited from class com.pulumi.resources.CustomResource

        com.pulumi.resources.CustomResource.CustomResourceInternal

      • Nested classes/interfaces inherited from class com.pulumi.resources.Resource

        com.pulumi.resources.Resource.LazyField<T extends java.lang.Object>, com.pulumi.resources.Resource.LazyFields, com.pulumi.resources.Resource.ResourceInternal

    • Field Summary

      • Fields inherited from class com.pulumi.resources.Resource

        childResources, remote

    • Method Summary

      All Methods Static Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      com.pulumi.core.Output<java.util.Optional<java.util.List<PatchBaselineApprovalRule>>> approvalRules()  
      com.pulumi.core.Output<java.util.Optional<java.util.List<java.lang.String>>> approvedPatches()  
      com.pulumi.core.Output<java.util.Optional<java.lang.String>> approvedPatchesComplianceLevel()  
      com.pulumi.core.Output<java.util.Optional<java.lang.Boolean>> approvedPatchesEnableNonSecurity()  
      com.pulumi.core.Output<java.lang.String> arn()  
      com.pulumi.core.Output<java.util.Optional<java.lang.String>> description()  
      static PatchBaseline get​(java.lang.String name, com.pulumi.core.Output<java.lang.String> id, PatchBaselineState state, com.pulumi.resources.CustomResourceOptions options)
      Get an existing Host resource's state with the given name, ID, and optional extra properties used to qualify the lookup.
      com.pulumi.core.Output<java.util.Optional<java.util.List<PatchBaselineGlobalFilter>>> globalFilters()  
      com.pulumi.core.Output<java.lang.String> json()  
      com.pulumi.core.Output<java.lang.String> name()  
      com.pulumi.core.Output<java.util.Optional<java.lang.String>> operatingSystem()  
      com.pulumi.core.Output<java.util.Optional<java.util.List<java.lang.String>>> rejectedPatches()  
      com.pulumi.core.Output<java.lang.String> rejectedPatchesAction()  
      com.pulumi.core.Output<java.util.Optional<java.util.List<PatchBaselineSource>>> sources()  
      com.pulumi.core.Output<java.util.Optional<java.util.Map<java.lang.String,​java.lang.String>>> tags()  
      com.pulumi.core.Output<java.util.Map<java.lang.String,​java.lang.String>> tagsAll()  

      • Methods inherited from class com.pulumi.resources.CustomResource

        getId, id, idFuture

      • Methods inherited from class com.pulumi.resources.Resource

        getChildResources, getResourceName, getResourceType, getUrn, pulumiChildResources, pulumiResourceName, pulumiResourceType, urn

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Constructor Detail

      • PatchBaseline

        public PatchBaseline​(java.lang.String name)
        Parameters:
        name - The _unique_ name of the resulting resource.

      • PatchBaseline

        public PatchBaseline​(java.lang.String name,
                     @Nullable
                     PatchBaselineArgs args)
        Parameters:
        name - The _unique_ name of the resulting resource.
        args - The arguments to use to populate this resource's properties.

      • PatchBaseline

        public PatchBaseline​(java.lang.String name,
                     @Nullable
                     PatchBaselineArgs args,
                     @Nullable
                     com.pulumi.resources.CustomResourceOptions options)
        Parameters:
        name - The _unique_ name of the resulting resource.
        args - The arguments to use to populate this resource's properties.
        options - A bag of options that control this resource's behavior.

    • Method Detail

      • approvalRules

        public com.pulumi.core.Output<java.util.Optional<java.util.List<PatchBaselineApprovalRule>>> approvalRules()
        Returns:
        Set of rules used to include patches in the baseline. Up to 10 approval rules can be specified. See `approval_rule` below.

      • approvedPatches

        public com.pulumi.core.Output<java.util.Optional<java.util.List<java.lang.String>>> approvedPatches()
        Returns:
        List of explicitly approved patches for the baseline. Cannot be specified with `approval_rule`.

      • approvedPatchesComplianceLevel

        public com.pulumi.core.Output<java.util.Optional<java.lang.String>> approvedPatchesComplianceLevel()
        Returns:
        Compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid values are `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFORMATIONAL`, `UNSPECIFIED`. The default value is `UNSPECIFIED`.

      • approvedPatchesEnableNonSecurity

        public com.pulumi.core.Output<java.util.Optional<java.lang.Boolean>> approvedPatchesEnableNonSecurity()
        Returns:
        Whether the list of approved patches includes non-security updates that should be applied to the instances. Applies to Linux instances only.

      • arn

        public com.pulumi.core.Output<java.lang.String> arn()
        Returns:
        ARN of the baseline.

      • description

        public com.pulumi.core.Output<java.util.Optional<java.lang.String>> description()
        Returns:
        Description of the patch baseline.

      • globalFilters

        public com.pulumi.core.Output<java.util.Optional<java.util.List<PatchBaselineGlobalFilter>>> globalFilters()
        Returns:
        Set of global filters used to exclude patches from the baseline. Up to 4 global filters can be specified using Key/Value pairs. Valid Keys are `PRODUCT`, `CLASSIFICATION`, `MSRC_SEVERITY`, and `PATCH_ID`.

      • json

        public com.pulumi.core.Output<java.lang.String> json()
        Returns:
        JSON definition of the baseline.

      • name

        public com.pulumi.core.Output<java.lang.String> name()
        Returns:
        Name of the patch baseline. The following arguments are optional:

      • operatingSystem

        public com.pulumi.core.Output<java.util.Optional<java.lang.String>> operatingSystem()
        Returns:
        Operating system the patch baseline applies to. Valid values are `ALMA_LINUX`, `AMAZON_LINUX`, `AMAZON_LINUX_2`, `AMAZON_LINUX_2022`, `AMAZON_LINUX_2023`, `CENTOS`, `DEBIAN`, `MACOS`, `ORACLE_LINUX`, `RASPBIAN`, `REDHAT_ENTERPRISE_LINUX`, `ROCKY_LINUX`, `SUSE`, `UBUNTU`, and `WINDOWS`. The default value is `WINDOWS`.

      • rejectedPatches

        public com.pulumi.core.Output<java.util.Optional<java.util.List<java.lang.String>>> rejectedPatches()
        Returns:
        List of rejected patches.

      • rejectedPatchesAction

        public com.pulumi.core.Output<java.lang.String> rejectedPatchesAction()
        Returns:
        Action for Patch Manager to take on patches included in the `rejected_patches` list. Valid values are `ALLOW_AS_DEPENDENCY` and `BLOCK`.

      • sources

        public com.pulumi.core.Output<java.util.Optional<java.util.List<PatchBaselineSource>>> sources()
        Returns:
        Configuration block with alternate sources for patches. Applies to Linux instances only. See `source` below.

      • tags

        public com.pulumi.core.Output<java.util.Optional<java.util.Map<java.lang.String,​java.lang.String>>> tags()
        Returns:
        Map of tags to assign to the resource. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.

      • tagsAll

        public com.pulumi.core.Output<java.util.Map<java.lang.String,​java.lang.String>> tagsAll()
        Returns:
        Map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.

      • get

        public static PatchBaseline get​(java.lang.String name,
                                com.pulumi.core.Output<java.lang.String> id,
                                @Nullable
                                PatchBaselineState state,
                                @Nullable
                                com.pulumi.resources.CustomResourceOptions options)
        Get an existing Host resource's state with the given name, ID, and optional extra properties used to qualify the lookup.
        Parameters:
        name - The _unique_ name of the resulting resource.
        id - The _unique_ provider ID of the resource to lookup.
        state -
        options - Optional settings to control the behavior of the CustomResource.