The sample code here supports the Software patching with AWS Systems Manager blog post. See the post for instructions and a detailed walkthrough.
In order to run this template you will need an user with the permission to the following services:
- codepipeline
- codebuild
- s3
- ssm
- ec2
- sns
For the templates used on this scenario, Terraform version 0.11.4 was used.
Note: If you want to use version 0.12 please check this guide for the upgrade instructions.
Here are the steps to install it on Linux. For other platforms, please check the official installing terraform.
wget https://releases.hashicorp.com/terraform/0.11.14/terraform_0.11.14_linux_amd64.zip
unzip terraform_0.11.14_linux_amd64.zip
sudo mv terraform /usr/local/bin/
terraform --version
Terraform v0.11.14
Once terraform is configured it is time to download the templates and apply the code
git clone [email protected]:aws-samples/aws-cicd-patch-management-terraform.git
SSM agent is needed in-order to run remote commands on instances. Hence all EC2 Instance must have SSM agent installed with the proper role configured. For more info about SSM required permissions check here. Please refer to this link for the SSM installation guide.
Identify the instances you want to test the code and add the tags according to the instructions below.
For multiple instances you can use the Tag Editor to tag several instances at once.
Note: SSM Agent is installed, by default, on Amazon Linux base AMIs dated 2017.09 and later. SSM Agent is also installed, by default, on Amazon Linux 2 AMIs.
This solution uses AWS SSM service to trigger remote commands to target EC2 instances. In order to filter out the environment, proper tags needs to be used. Currently, instances are identified using environment name.
Tag Key = application-environment
Value = EnvironmentName (dev, qa, stage or prod)
Tag Key = automated-patching
Value = True
The json patch file determines the patches to be deployed on EC2 instances. This file is located under /terraform/patch/templates/patch/patch.json
-
ApplyAllPatches: Allowed options are
true of false
. If all patches needs to be applied then this option needs to be true otherwise it can be false -
deploy_from: If ApplyAllPatches option is set to false then user can specify the patch number they want to deploy patch from.
-
Patch: This represents the all patches. User can add their patches in an increment order here.
That will download all terraform prerequisites modules
cd terraform
terraform init
You should see the following output
Terraform has been successfully initialized!
Terraform plan is a dry run that simulates the execution
terraform plan
After selecting the region it should output
Plan: 26 to add, 0 to change, 0 to destroy.
That means you are ready to apply the plan
terraform apply
Apply complete! Resources: 26 added, 0 changed, 0 destroyed
Go to the AWS Console and check the CodePipeline. The default Pipeline name for this sample is patch-pipeline.
You will need to approve the changes so it can get propagated.
Verify CodeBuild execution logs to see the output of the execution.
That is also available on Systems Manager Run Command History
This library is licensed under the MIT-0 License. See the LICENSE file.