Automated creation of AWS SSM Patch Manager resources for simple automated patching
```shell
export AWS_ACCESS_KEY_ID=foo
export AWS_SECRET_ACCESS_KEY=bar
export AWS_SESSION_TOKEN=baz
./ssm_patching_setup.py -b BASELINE_FILE
```
The defaults will create 8 Maintenance Windows. In human terms, these are:
- 03:00, first Tuesday of the month
- 04:00, first Tuesday of the month
- 03:00, first Wednesday of the month
- 04:00, first Wednesday of the month
- 03:00, second Tuesday of the month
- 04:00, second Tuesday of the month
- 03:00, second Wednesday of the month
- 04:00, second Wednesday of the month
Optional parameters to control the Maintenance Window schedules and other options:
Short Option | Long Option | Default | Notes
---|---|---|---
-w | --week | 1 2 | See note below
-d | --days | 2 3 | Tue, Wed
-t | --hours | 3 4 | 03:00, 04:00
-z | --timezone | Use tzdata zones | |
-r | --region | See note below | Short region alias (e.g. 'us-east-1')
-b | --baseline-file | REQUIRED; See note below | |
-h | --help | | |
-l | --loglevel | DEBUG, INFO, WARNING, ERROR, CRITICAL | |
By design, these scripts do not handle authentication. Use one of the following methods for authentication with the AWS APIs:
- AWS Environment variables
- AWS Credentials file
- AWS Config file
- Wrap around or customise the scripts
If region is not specified, the script will attempt to proceed with the user's default region configured for the AWS SDK.
A JSON-formatted file containing the properties of the baseline to create is required. See the baselines directory for samples/examples.
It's important to note that the week is specified as (for example) 'the second week of the month' and not 'the second full week'. That is to say, the Maintenance Window schedule is specified as 'the second Tuesday of the month' and not 'the Tuesday of the second full week of the month'.
The practical implication is that Maintenance Windows for 'week 1' will always occur before those for 'week 2', but 'Tuesday, week 1' might occur after 'Wednesday, week 1' (in a month that starts on a Wednesday, the first Wednesday is the 1st and the first Tuesday is the 7th).
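The following is an added worked example, not the project's own code: it turns the `-w`/`-d`/`-t` values into the cron expressions an SSM Maintenance Window accepts (`cron(minutes hours day-of-month month day-of-week year)`, where `TUE#2` means "the second Tuesday"), and resolves them to calendar dates so the week-ordering caveat above can be checked for a given month. It assumes `--days` uses ISO weekday numbering (1 = Monday, so `2 3` = Tue, Wed, matching the README's default); the window names are constructed.

```python
"""Build SSM Maintenance Window cron schedules from week/day/hour options.

Added example, not ssm_patching_setup.py itself. Assumption: --days values are
ISO weekday numbers (1=Mon .. 7=Sun); the README's default '2 3' -> 'Tue, Wed'.
"""
import calendar
import datetime as dt
from itertools import product

# ISO weekday number -> day-of-week token used in SSM cron expressions (assumed numbering)
CRON_DOW = {1: "MON", 2: "TUE", 3: "WED", 4: "THU", 5: "FRI", 6: "SAT", 7: "SUN"}


def cron_for(week: int, iso_day: int, hour: int) -> str:
    """Return an SSM cron expression for 'the <week>th <weekday> of every month at <hour>:00'.

    The '#' operator in the day-of-week field selects the nth occurrence of that weekday
    counted from the 1st of the month, NOT the weekday of the nth full week.
    """
    if not 1 <= week <= 5 or iso_day not in CRON_DOW or not 0 <= hour <= 23:
        raise ValueError(f"bad schedule component: week={week} day={iso_day} hour={hour}")
    return f"cron(0 {hour} ? * {CRON_DOW[iso_day]}#{week} *)"


def build_schedules(weeks=(1, 2), days=(2, 3), hours=(3, 4)):
    """One (window name, cron) pair per week/day/hour combination, in the README's order.

    Names are constructed for this example; the real script's naming may differ.
    """
    return [
        (f"patching-w{w}-{CRON_DOW[d].lower()}-{h:02d}00", cron_for(w, d, h))
        for w, d, h in product(weeks, days, hours)
    ]


def nth_weekday(year: int, month: int, iso_day: int, n: int) -> dt.date:
    """Resolve 'the nth <weekday> of <year>-<month>' exactly as the cron '#' operator does."""
    first = dt.date(year, month, 1)
    offset = (iso_day - first.isoweekday()) % 7  # days from the 1st to the first such weekday
    day = 1 + offset + 7 * (n - 1)
    if day > calendar.monthrange(year, month)[1]:
        raise ValueError(f"no {n}th weekday {iso_day} in {year}-{month:02d}")
    return dt.date(year, month, day)


def window_dates(year: int, month: int, weeks=(1, 2), days=(2, 3), hours=(3, 4)):
    """Concrete (local, naive) run times for one month, sorted chronologically.

    Shows the caveat: the first Wednesday can precede the first Tuesday, but every
    week-1 window still precedes every week-2 window.
    """
    runs = [
        dt.datetime.combine(nth_weekday(year, month, d, w), dt.time(hour=h))
        for w, d, h in product(weeks, days, hours)
    ]
    return sorted(runs)


if __name__ == "__main__":
    for name, cron in build_schedules():
        print(f"{name:28s} {cron}")
    # May 2024 starts on a Wednesday, so 'Wednesday, week 1' runs before 'Tuesday, week 1'
    for run in window_dates(2024, 5):
        print(run.strftime("%a %Y-%m-%d %H:%M"))
```

The cron string is what you would pass as `Schedule` to `create_maintenance_window`, with `-z` supplying `ScheduleTimezone`; `nth_weekday` is a local check only and does not call AWS.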
`ssm_patching_cleanup.py` will destroy all SSM Patch Manager resources in the region:
- All Maintenance Window Tasks for `AWS-ApplyPatchBaseline` or `AWS-RunPatchBaseline`
- All Maintenance Windows with no tasks or only patching tasks as above
- All Patch Baseline registrations for Patch Groups
- All custom Patch Baselines
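Because the cleanup is destructive, a pre-flight plan that lists what the rules above would remove is worth having before running it. The code below is an added example, not `ssm_patching_cleanup.py`: it applies the first two rules (delete every patching task; delete a window only if it had no tasks or nothing but patching tasks) to records shaped like the `WindowId`/`WindowTaskId`/`TaskArn` fields boto3's `describe_maintenance_window_tasks` returns. The window and task IDs are constructed placeholders.

```python
"""Dry-run planner for the Maintenance Window part of the cleanup.

Added example, not the project's own code. Input records mirror the fields of
boto3 ssm.describe_maintenance_window_tasks(); the sample data is constructed.
"""
from collections import defaultdict

# SSM documents the cleanup treats as patching tasks (from the README)
PATCH_TASK_DOCS = {"AWS-ApplyPatchBaseline", "AWS-RunPatchBaseline"}


def is_patching_task(task_arn: str) -> bool:
    """A RUN_COMMAND task's TaskArn is the document name or its full ARN; compare the last segment."""
    return task_arn.rsplit("/", 1)[-1] in PATCH_TASK_DOCS


def plan_cleanup(window_ids, tasks):
    """Return (windows_to_delete, windows_to_keep, patch_tasks_to_delete).

    A window is deleted when every task it has is a patching task (including zero tasks);
    patching tasks are deleted from every window, even ones that are kept.
    """
    by_window = defaultdict(list)
    for task in tasks:
        by_window[task["WindowId"]].append(task)

    delete, keep, patch_tasks = [], [], []
    for wid in window_ids:
        window_tasks = by_window.get(wid, [])
        patching = [t for t in window_tasks if is_patching_task(t["TaskArn"])]
        patch_tasks.extend((wid, t["WindowTaskId"]) for t in patching)
        if len(patching) == len(window_tasks):
            delete.append(wid)
        else:
            keep.append(wid)  # has a non-patching task; only its patching tasks go
    return delete, keep, patch_tasks


# Constructed sample: three windows, IDs are placeholders rather than real AWS identifiers
SAMPLE_WINDOWS = ["mw-PLACEHOLDER-A", "mw-PLACEHOLDER-B", "mw-PLACEHOLDER-C"]
SAMPLE_TASKS = [
    {"WindowId": "mw-PLACEHOLDER-A", "WindowTaskId": "task-a1", "TaskArn": "AWS-RunPatchBaseline"},
    {"WindowId": "mw-PLACEHOLDER-B", "WindowTaskId": "task-b1", "TaskArn": "AWS-ApplyPatchBaseline"},
    {"WindowId": "mw-PLACEHOLDER-B", "WindowTaskId": "task-b2", "TaskArn": "AWS-RestartEC2Instance"},
    # mw-PLACEHOLDER-C has no tasks at all
]


def sample_plan():
    """Run the planner over the constructed sample (used by the demo and the checks)."""
    return plan_cleanup(SAMPLE_WINDOWS, SAMPLE_TASKS)


if __name__ == "__main__":
    to_delete, to_keep, tasks_to_delete = sample_plan()
    print("windows to delete:", to_delete)
    print("windows to keep:  ", to_keep)
    print("patch tasks to delete:", tasks_to_delete)
```

Feeding the planner real data means paging `describe_maintenance_windows` and `describe_maintenance_window_tasks` per window and reviewing the printed plan before any `deregister_task_from_maintenance_window` or `delete_maintenance_window` call is made.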
- Why not implement this idempotently, so that the script can be run repeatedly and will always converge to the same configuration?
  - Doing this reliably would require tracking some state: essentially, recording the physical ID of the resources we create, and using this to ensure we update the same resources every time.
  - Practically, this would mean implementing with an IaC (Infrastructure as Code) tool, e.g. CloudFormation or Terraform.
- Why not implement this as IaC (Infrastructure as Code)?
  - This project was developed to meet a requirement for implementing patching outside of IaC management.
  - Example CloudFormation templates or Terraform modules may be added in future.