import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * Provides an SSM Patch Baseline resource.
 *
 * > **NOTE on Patch Baselines:** `approvedPatches` and `approvalRules` are
 * both marked as optional fields, but the Patch Baseline requires that at least one
 * of them is specified.
 *
 * > NOTE(review): the field documentation states that `approvedPatches` cannot be
 * combined with approval rules, yet the "specifying patch filters" example below sets
 * both `approvedPatches` and `approvalRules` — confirm which statement is accurate.
 *
 * ## Example Usage
 *
 * ### Basic Usage
 *
 * Using `approvedPatches` only.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const production = new aws.ssm.PatchBaseline("production", {
 *     name: "patch-baseline",
 *     approvedPatches: ["KB123456"],
 * });
 * ```
 *
 * ### Advanced Usage, specifying patch filters
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const production = new aws.ssm.PatchBaseline("production", {
 *     name: "patch-baseline",
 *     description: "Patch Baseline Description",
 *     approvedPatches: [
 *         "KB123456",
 *         "KB456789",
 *     ],
 *     rejectedPatches: ["KB987654"],
 *     globalFilters: [
 *         {
 *             key: "PRODUCT",
 *             values: ["WindowsServer2008"],
 *         },
 *         {
 *             key: "CLASSIFICATION",
 *             values: ["ServicePacks"],
 *         },
 *         {
 *             key: "MSRC_SEVERITY",
 *             values: ["Low"],
 *         },
 *     ],
 *     approvalRules: [
 *         {
 *             approveAfterDays: 7,
 *             complianceLevel: "HIGH",
 *             patchFilters: [
 *                 {
 *                     key: "PRODUCT",
 *                     values: ["WindowsServer2016"],
 *                 },
 *                 {
 *                     key: "CLASSIFICATION",
 *                     values: [
 *                         "CriticalUpdates",
 *                         "SecurityUpdates",
 *                         "Updates",
 *                     ],
 *                 },
 *                 {
 *                     key: "MSRC_SEVERITY",
 *                     values: [
 *                         "Critical",
 *                         "Important",
 *                         "Moderate",
 *                     ],
 *                 },
 *             ],
 *         },
 *         {
 *             approveAfterDays: 7,
 *             patchFilters: [{
 *                 key: "PRODUCT",
 *                 values: ["WindowsServer2012"],
 *             }],
 *         },
 *     ],
 * });
 * ```
 *
 * ### Advanced usage, specifying Microsoft application and Windows patch rules
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const windowsOsApps = new aws.ssm.PatchBaseline("windows_os_apps", {
 *     name: "WindowsOSAndMicrosoftApps",
 *     description: "Patch both Windows and Microsoft apps",
 *     operatingSystem: "WINDOWS",
 *     approvalRules: [
 *         {
 *             approveAfterDays: 7,
 *             patchFilters: [
 *                 {
 *                     key: "CLASSIFICATION",
 *                     values: [
 *                         "CriticalUpdates",
 *                         "SecurityUpdates",
 *                     ],
 *                 },
 *                 {
 *                     key: "MSRC_SEVERITY",
 *                     values: [
 *                         "Critical",
 *                         "Important",
 *                     ],
 *                 },
 *             ],
 *         },
 *         {
 *             approveAfterDays: 7,
 *             patchFilters: [
 *                 {
 *                     key: "PATCH_SET",
 *                     values: ["APPLICATION"],
 *                 },
 *                 {
 *                     key: "PRODUCT",
 *                     values: [
 *                         "Office 2013",
 *                         "Office 2016",
 *                     ],
 *                 },
 *             ],
 *         },
 *     ],
 * });
 * ```
 *
 * ### Advanced usage, specifying alternate patch source repository
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const al201709 = new aws.ssm.PatchBaseline("al_2017_09", {
 *     approvalRules: [{}],
 *     name: "Amazon-Linux-2017.09",
 *     description: "My patch repository for Amazon Linux 2017.09",
 *     operatingSystem: "AMAZON_LINUX",
 *     sources: [{
 *         name: "My-AL2017.09",
 *         products: ["AmazonLinux2017.09"],
 *         configuration: `[amzn-main]
 * name=amzn-main-Base
 * mirrorlist=http://repo./awsregion./awsdomain//releasever/main/mirror.list
 * mirrorlist_expire=300
 * metadata_expire=300
 * priority=10
 * failovermethod=priority
 * fastestmirror_enabled=0
 * gpgcheck=1
 * gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga
 * enabled=1
 * retries=3
 * timeout=5
 * report_instanceid=yes
 * `,
 *     }],
 * });
 * ```
 *
 * The repository definition above fetches its mirror list over plain `http://`, so
 * the `gpgcheck=1` / `gpgkey=` lines are what tie installed packages to a trusted
 * signing key. Keep signature checking enabled when adapting this example to another
 * repository.
 *
 * NOTE(review): the `mirrorlist` URL looks as if its variable markers were lost when
 * the documentation was generated (`repo./awsregion./awsdomain//releasever`) — confirm
 * the intended value against the upstream documentation before copying it.
 *
 * ## Import
 *
 * ### Identity Schema
 *
 * #### Required
 *
 * * `id` - (String) ID of the patch baseline.
 *
 * #### Optional
 *
 * * `account_id` (String) AWS Account where this resource is managed.
 * * `region` (String) Region where this resource is managed.
 *
 * Using `pulumi import`, import SSM Patch Baselines using their baseline ID. For example:
 *
 * ```console
 * % pulumi import aws_ssm_patch_baseline.example pb-12345678
 * ```
 *
 * NOTE(review): `aws_ssm_patch_baseline.example` is written as a Terraform resource
 * address; `pulumi import` normally takes a Pulumi type token followed by a resource
 * name (presumably `aws:ssm/patchBaseline:PatchBaseline example`) — confirm against
 * the provider documentation.
 */
export declare class PatchBaseline extends pulumi.CustomResource {
    /**
     * Get an existing PatchBaseline resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns The PatchBaseline resource handle for the looked-up baseline.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PatchBaselineState, opts?: pulumi.CustomResourceOptions): PatchBaseline;
    /**
     * Returns true if the given object is an instance of PatchBaseline. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * @param obj The value to test; it is accepted untyped and narrowed by the type predicate.
     */
    static isInstance(obj: any): obj is PatchBaseline;
    /**
     * Set of rules used to include patches in the baseline. Up to 10 approval rules can be specified.
     * See `outputs.ssm.PatchBaselineApprovalRule` for the shape of each rule.
     */
    readonly approvalRules: pulumi.Output<outputs.ssm.PatchBaselineApprovalRule[] | undefined>;
    /**
     * List of explicitly approved patches for the baseline. Cannot be specified with `approvalRules`.
     */
    readonly approvedPatches: pulumi.Output<string[] | undefined>;
    /**
     * Compliance level for approved patches. This means that if an approved patch is reported as missing,
     * this is the severity of the compliance violation. Valid values are `CRITICAL`, `HIGH`, `MEDIUM`,
     * `LOW`, `INFORMATIONAL`, `UNSPECIFIED`. The default value is `UNSPECIFIED`.
     */
    readonly approvedPatchesComplianceLevel: pulumi.Output<string | undefined>;
    /**
     * Whether the list of approved patches includes non-security updates that should be applied to the
     * instances. Applies to Linux instances only.
     */
    readonly approvedPatchesEnableNonSecurity: pulumi.Output<boolean | undefined>;
    /**
     * ARN of the baseline.
     */
    readonly arn: pulumi.Output<string>;
    /**
     * Indicates the compliance status of managed nodes for which security-related patches are available
     * but were not approved. Supported for Windows Server managed nodes only. Valid values are
     * `COMPLIANT`, `NON_COMPLIANT`.
     */
    readonly availableSecurityUpdatesComplianceStatus: pulumi.Output<string>;
    /**
     * Description of the patch baseline.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * Set of global filters used to exclude patches from the baseline. Up to 4 global filters can be
     * specified using Key/Value pairs. Valid Keys are `PRODUCT`, `CLASSIFICATION`, `MSRC_SEVERITY`,
     * and `PATCH_ID`.
     */
    readonly globalFilters: pulumi.Output<outputs.ssm.PatchBaselineGlobalFilter[] | undefined>;
    /**
     * JSON definition of the baseline.
     */
    readonly json: pulumi.Output<string>;
    /**
     * Name of the patch baseline.
     */
    readonly name: pulumi.Output<string>;
    /**
     * Operating system the patch baseline applies to. Valid values are `ALMA_LINUX`, `AMAZON_LINUX`,
     * `AMAZON_LINUX_2`, `AMAZON_LINUX_2022`, `AMAZON_LINUX_2023`, `CENTOS`, `DEBIAN`, `MACOS`,
     * `ORACLE_LINUX`, `RASPBIAN`, `REDHAT_ENTERPRISE_LINUX`, `ROCKY_LINUX`, `SUSE`, `UBUNTU`, and
     * `WINDOWS`. The default value is `WINDOWS`.
     */
    readonly operatingSystem: pulumi.Output<string | undefined>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints).
     * Defaults to the Region set in the provider configuration.
     */
    readonly region: pulumi.Output<string>;
    /**
     * List of rejected patches.
     */
    readonly rejectedPatches: pulumi.Output<string[] | undefined>;
    /**
     * Action for Patch Manager to take on patches included in the `rejectedPatches` list. Valid values
     * are `ALLOW_AS_DEPENDENCY` and `BLOCK`. With `ALLOW_AS_DEPENDENCY`, a package on the rejected list
     * can still be installed when another package depends on it; choose `BLOCK` when a rejected patch
     * must never be installed.
     */
    readonly rejectedPatchesAction: pulumi.Output<string>;
    /**
     * Configuration block with alternate sources for patches. Applies to Linux instances only.
     * See `outputs.ssm.PatchBaselineSource` for the shape of each source. An alternate repository is
     * part of the patch trust chain: keep package signature checking (`gpgcheck=1` with a trusted
     * `gpgkey`, as in the class-level example) enabled in its `configuration`.
     */
    readonly sources: pulumi.Output<outputs.ssm.PatchBaselineSource[] | undefined>;
    /**
     * Map of tags to assign to the resource. If configured with a provider `defaultTags` configuration
     * block present, tags with matching keys will overwrite those defined at the provider-level.
     */
    readonly tags: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * Map of tags assigned to the resource, including those inherited from the provider `defaultTags`
     * configuration block.
     */
    readonly tagsAll: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * Create a PatchBaseline resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args?: PatchBaselineArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering PatchBaseline resources.
 * Every field is optional; the set mirrors the properties of `PatchBaseline`.
 */
export interface PatchBaselineState {
    /**
     * Set of rules used to include patches in the baseline. Up to 10 approval rules can be specified.
     * See `inputs.ssm.PatchBaselineApprovalRule` for the shape of each rule.
     */
    approvalRules?: pulumi.Input<pulumi.Input<inputs.ssm.PatchBaselineApprovalRule>[]>;
    /**
     * List of explicitly approved patches for the baseline. Cannot be specified with `approvalRules`.
     */
    approvedPatches?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Compliance level for approved patches. This means that if an approved patch is reported as missing,
     * this is the severity of the compliance violation. Valid values are `CRITICAL`, `HIGH`, `MEDIUM`,
     * `LOW`, `INFORMATIONAL`, `UNSPECIFIED`. The default value is `UNSPECIFIED`.
     */
    approvedPatchesComplianceLevel?: pulumi.Input<string>;
    /**
     * Whether the list of approved patches includes non-security updates that should be applied to the
     * instances. Applies to Linux instances only.
     */
    approvedPatchesEnableNonSecurity?: pulumi.Input<boolean>;
    /**
     * ARN of the baseline.
     */
    arn?: pulumi.Input<string>;
    /**
     * Indicates the compliance status of managed nodes for which security-related patches are available
     * but were not approved. Supported for Windows Server managed nodes only. Valid values are
     * `COMPLIANT`, `NON_COMPLIANT`.
     */
    availableSecurityUpdatesComplianceStatus?: pulumi.Input<string>;
    /**
     * Description of the patch baseline.
     */
    description?: pulumi.Input<string>;
    /**
     * Set of global filters used to exclude patches from the baseline. Up to 4 global filters can be
     * specified using Key/Value pairs. Valid Keys are `PRODUCT`, `CLASSIFICATION`, `MSRC_SEVERITY`,
     * and `PATCH_ID`.
     */
    globalFilters?: pulumi.Input<pulumi.Input<inputs.ssm.PatchBaselineGlobalFilter>[]>;
    /**
     * JSON definition of the baseline.
     */
    json?: pulumi.Input<string>;
    /**
     * Name of the patch baseline.
     */
    name?: pulumi.Input<string>;
    /**
     * Operating system the patch baseline applies to. Valid values are `ALMA_LINUX`, `AMAZON_LINUX`,
     * `AMAZON_LINUX_2`, `AMAZON_LINUX_2022`, `AMAZON_LINUX_2023`, `CENTOS`, `DEBIAN`, `MACOS`,
     * `ORACLE_LINUX`, `RASPBIAN`, `REDHAT_ENTERPRISE_LINUX`, `ROCKY_LINUX`, `SUSE`, `UBUNTU`, and
     * `WINDOWS`. The default value is `WINDOWS`.
     */
    operatingSystem?: pulumi.Input<string>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints).
     * Defaults to the Region set in the provider configuration.
     */
    region?: pulumi.Input<string>;
    /**
     * List of rejected patches.
     */
    rejectedPatches?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Action for Patch Manager to take on patches included in the `rejectedPatches` list. Valid values
     * are `ALLOW_AS_DEPENDENCY` and `BLOCK`. With `ALLOW_AS_DEPENDENCY`, a package on the rejected list
     * can still be installed when another package depends on it; choose `BLOCK` when a rejected patch
     * must never be installed.
     */
    rejectedPatchesAction?: pulumi.Input<string>;
    /**
     * Configuration block with alternate sources for patches. Applies to Linux instances only.
     * See `inputs.ssm.PatchBaselineSource` for the shape of each source. An alternate repository is
     * part of the patch trust chain: keep package signature checking (`gpgcheck=1` with a trusted
     * `gpgkey`, as in the `PatchBaseline` example) enabled in its `configuration`.
     */
    sources?: pulumi.Input<pulumi.Input<inputs.ssm.PatchBaselineSource>[]>;
    /**
     * Map of tags to assign to the resource. If configured with a provider `defaultTags` configuration
     * block present, tags with matching keys will overwrite those defined at the provider-level.
     */
    tags?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * Map of tags assigned to the resource, including those inherited from the provider `defaultTags`
     * configuration block.
     */
    tagsAll?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
}
/**
 * The set of arguments for constructing a PatchBaseline resource.
 * All fields are typed as optional, but the baseline requires at least one of
 * `approvedPatches` or `approvalRules` to be set.
 */
export interface PatchBaselineArgs {
    /**
     * Set of rules used to include patches in the baseline. Up to 10 approval rules can be specified.
     * See `inputs.ssm.PatchBaselineApprovalRule` for the shape of each rule.
     */
    approvalRules?: pulumi.Input<pulumi.Input<inputs.ssm.PatchBaselineApprovalRule>[]>;
    /**
     * List of explicitly approved patches for the baseline. Cannot be specified with `approvalRules`.
     */
    approvedPatches?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Compliance level for approved patches. This means that if an approved patch is reported as missing,
     * this is the severity of the compliance violation. Valid values are `CRITICAL`, `HIGH`, `MEDIUM`,
     * `LOW`, `INFORMATIONAL`, `UNSPECIFIED`. The default value is `UNSPECIFIED`.
     */
    approvedPatchesComplianceLevel?: pulumi.Input<string>;
    /**
     * Whether the list of approved patches includes non-security updates that should be applied to the
     * instances. Applies to Linux instances only.
     */
    approvedPatchesEnableNonSecurity?: pulumi.Input<boolean>;
    /**
     * Indicates the compliance status of managed nodes for which security-related patches are available
     * but were not approved. Supported for Windows Server managed nodes only. Valid values are
     * `COMPLIANT`, `NON_COMPLIANT`.
     */
    availableSecurityUpdatesComplianceStatus?: pulumi.Input<string>;
    /**
     * Description of the patch baseline.
     */
    description?: pulumi.Input<string>;
    /**
     * Set of global filters used to exclude patches from the baseline. Up to 4 global filters can be
     * specified using Key/Value pairs. Valid Keys are `PRODUCT`, `CLASSIFICATION`, `MSRC_SEVERITY`,
     * and `PATCH_ID`.
     */
    globalFilters?: pulumi.Input<pulumi.Input<inputs.ssm.PatchBaselineGlobalFilter>[]>;
    /**
     * Name of the patch baseline.
     */
    name?: pulumi.Input<string>;
    /**
     * Operating system the patch baseline applies to. Valid values are `ALMA_LINUX`, `AMAZON_LINUX`,
     * `AMAZON_LINUX_2`, `AMAZON_LINUX_2022`, `AMAZON_LINUX_2023`, `CENTOS`, `DEBIAN`, `MACOS`,
     * `ORACLE_LINUX`, `RASPBIAN`, `REDHAT_ENTERPRISE_LINUX`, `ROCKY_LINUX`, `SUSE`, `UBUNTU`, and
     * `WINDOWS`. The default value is `WINDOWS`.
     */
    operatingSystem?: pulumi.Input<string>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints).
     * Defaults to the Region set in the provider configuration.
     */
    region?: pulumi.Input<string>;
    /**
     * List of rejected patches.
     */
    rejectedPatches?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Action for Patch Manager to take on patches included in the `rejectedPatches` list. Valid values
     * are `ALLOW_AS_DEPENDENCY` and `BLOCK`. With `ALLOW_AS_DEPENDENCY`, a package on the rejected list
     * can still be installed when another package depends on it; choose `BLOCK` when a rejected patch
     * must never be installed.
     */
    rejectedPatchesAction?: pulumi.Input<string>;
    /**
     * Configuration block with alternate sources for patches. Applies to Linux instances only.
     * See `inputs.ssm.PatchBaselineSource` for the shape of each source. An alternate repository is
     * part of the patch trust chain: keep package signature checking (`gpgcheck=1` with a trusted
     * `gpgkey`, as in the `PatchBaseline` example) enabled in its `configuration`.
     */
    sources?: pulumi.Input<pulumi.Input<inputs.ssm.PatchBaselineSource>[]>;
    /**
     * Map of tags to assign to the resource. If configured with a provider `defaultTags` configuration
     * block present, tags with matching keys will overwrite those defined at the provider-level.
     */
    tags?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
}