docs/resource/aws_ssm_patch_baseline: Add docs for application patch …

…baseline rules (#11388)
hashicorp · Jan 24, 2020 · 42d63b3 · 42d63b3
1 parent c7e2f6c
commit 42d63b3
Showing 1 changed file with 40 additions and 1 deletion.
diff --git a/website/docs/r/ssm_patch_baseline.html.markdown b/website/docs/r/ssm_patch_baseline.html.markdown
@@ -80,6 +80,44 @@ resource "aws_ssm_patch_baseline" "production" {
 }
 ```
 
+Advanced usage, specifying Microsoft application and Windows patch rules
+```hcl
+resource "aws_ssm_patch_baseline" "windows_os_apps" {
+  name             = "WindowsOSAndMicrosoftApps"
+  description      = "Patch both Windows and Microsoft apps"
+  operating_system = "WINDOWS"
+
+  approval_rule {
+    approve_after_days = 7
+
+    patch_filter {
+      key = "CLASSIFICATION"
+      values = ["CriticalUpdates", "SecurityUpdates"]
+    }
+
+    patch_filter {
+      key = "MSRC_SEVERITY"
+      values = ["Critical", "Important"]
+    }
+  }
+
+  approval_rule {
+    approve_after_days = 7
+
+    patch_filter {
+      key = "PATCH_SET"
+      values = ["APPLICATION"]
+    }
+
+    # Filter on Microsoft product if necessary 
+    patch_filter {
+      key = "PRODUCT"
+      values = ["Office 2013", "Office 2016"]
+    }
+  }
+}
+```
+
 
 ## Argument Reference
 
@@ -97,7 +135,8 @@ The following arguments are supported:
 The `approval_rule` block supports:
 
 * `approve_after_days` - (Required) The number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. Valid Range: 0 to 100.
-* `patch_filter` - (Required) The patch filter group that defines the criteria for the rule. Up to 4 patch filters can be specified per approval rule using Key/Value pairs. Valid Keys are `PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID`.
+* `patch_filter` - (Required) The patch filter group that defines the criteria for the rule. Up to 5 patch filters can be specified per approval rule using Key/Value pairs. Valid Keys are `PATCH_SET | PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID`.
+  * `PATCH_SET` defaults to `OS` if unspecified
 * `compliance_level` - (Optional) Defines the compliance level for patches approved by this rule. Valid compliance levels include the following: `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFORMATIONAL`, `UNSPECIFIED`. The default value is `UNSPECIFIED`.
 * `enable_non_security` - (Optional) Boolean enabling the application of non-security updates. The default value is 'false'. Valid for Linux instances only.
 * `tags` - (Optional) A mapping of tags to assign to the resource.