Skip to content

dan-farmer/ssm-patching-setup

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

46 Commits

baselines

baselines

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

helpers.py

helpers.py

 
 

pylintrc

pylintrc

 
 

ssm_patching_cleanup.py

ssm_patching_cleanup.py

 
 

ssm_patching_setup.py

ssm_patching_setup.py

 
 

Repository files navigation

ssm-patching-setup

Automated creation of AWS SSM Patch Manager resources for simple automated patching

Usage

export AWS_ACCESS_KEY_ID=foo
export AWS_SECRET_ACCESS_KEY=bar
export AWS_SESSION_TOKEN=baz
./ssm_patching_setup.py -b BASELINE_FILE

The defaults will create 8 Maintenance Windows. In human terms, these are:

  • 03:00, first Tuesday of the month
  • 04:00, first Tuesday of the month
  • 03:00, first Wednesday of the month
  • 04:00, first Wednesday of the month
  • 03:00, second Tuesday of the month
  • 04:00, second Tuesday of the month
  • 03:00, second Wednesday of the month
  • 04:00, second Wednesday of the month

Optional parameters to control the Maintenance Window schedules and other options:

Short Option Long Option Default Notes
-w --week 1 2 See note below
-d --days 2 3 Tue, Wed
-t --hours 3 4 03:00, 04:00
-z --timezone Use tzdata zones
-r --region See note below Short region alias (e.g. 'us-east-1')
-b --baseline-file REQUIRED; See note below
-h --help
-l --loglevel DEBUG, INFO, WARNING, ERROR, CRITICAL

Authentication

By design, these scripts do not handle authentication. Use one of the following methods for authentication with the AWS APIs:

  1. AWS Environment variables
  2. AWS Credentials file
  3. AWS Config file
  4. Wrap around or customise the scripts

Region

If region is not specified, the script will attempt to proceed with the user's default region configured for the AWS SDK:

  1. AWS Environment variables
  2. AWS Credentials file
  3. AWS Config file

Baseline File

A JSON-formatted file containing the properties of the baseline to create is required. See the baselines directory for samples/examples.

Week

It's important to note that the week is specified as (for example) 'the second week of the month' and not 'the second full week'; That is to say, the Maintenance Window schedule is specified as 'the second Tuesday of the month' and not 'the Tuesday of the second full week of the month'.

The practical implications of this are that Maintenance Windows for 'week 1' will always occur before 'week 2', but 'Tuesday, week 1' might occur after 'Wednesday, week 1'.

Cleanup

ssm_patching_cleanup.py will destroy all SSM Patch Manager resources in the region:

  • All Maintenance Window Tasks for AWS-ApplyPatchBaseline or AWS-RunPatchBaseline
  • All Maintenance Windows with no tasks or only patching tasks as above
  • All Patch Baseline registrations for Patch Groups
  • All custom Patch Baselines

FAQ

  1. Why not implement this idempotently, so that the script can be run repeatedly and will always converge to the same configuration?
    • Doing this reliably would require tracking some state - essentially, recording the physical ID of the resources we create, and using this to ensure we update the same resources every time
    • Practically, this would mean implementing with an IaC (Infrastructure as Code) tool, e.g. CloudFormation or Terraform
  2. Why not implement this as IaC (Infrastructure as Code)?
    • This project was developed to meet a requirement for implementing patching outside of IaC management
    • Example CloudFormation templates or Terraform modules may be added in future

About

Automated creation of AWS SSM Patch Manager resources for simple automated patching

Topics

aws amazon-ec2 aws-ec2 amazon-web-services patch-management aws-ssm patching

Resources

Readme

License

GPL-3.0 license
Activity

Stars

6 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages