hashicorp · bflad · Feb 12, 2021 · Jun 25, 2020 · Jun 25, 2020 · Jun 25, 2020
@@ -76,10 +76,16 @@ func resourceAwsSsmPatchBaseline() *schema.Resource {
 					Schema: map[string]*schema.Schema{
 						"approve_after_days": {
 							Type:         schema.TypeInt,
-							Required:     true,
+							Optional:     true,
 							ValidateFunc: validation.IntBetween(0, 100),
 						},
 
+						"approve_until_date": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: validation.StringMatch(regexp.MustCompile(`([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))`), "must be formatted YYYY-MM-DD"),
+						},
+
 						"compliance_level": {
 							Type:         schema.TypeString,
 							Optional:     true,
@@ -235,7 +241,11 @@ func resourceAwsSsmPatchBaselineCreate(d *schema.ResourceData, meta interface{})
 	}
 
 	if _, ok := d.GetOk("approval_rule"); ok {
-		params.ApprovalRules = expandAwsSsmPatchRuleGroup(d)
+		rules, err := expandAwsSsmPatchRuleGroup(d)
+		if err != nil {
+			return err
+		}
+		params.ApprovalRules = rules
 	}
 
 	if _, ok := d.GetOk("source"); ok {
@@ -288,7 +298,11 @@ func resourceAwsSsmPatchBaselineUpdate(d *schema.ResourceData, meta interface{})
 	}
 
 	if d.HasChange("approval_rule") {
-		params.ApprovalRules = expandAwsSsmPatchRuleGroup(d)
+		rules, err := expandAwsSsmPatchRuleGroup(d)
+		if err != nil {
+			return err
+		}
+		params.ApprovalRules = rules
 	}
 
 	if d.HasChange("global_filter") {
@@ -441,7 +455,7 @@ func flattenAwsSsmPatchFilterGroup(group *ssm.PatchFilterGroup) []map[string]int
 	return result
 }
 
-func expandAwsSsmPatchRuleGroup(d *schema.ResourceData) *ssm.PatchRuleGroup {
+func expandAwsSsmPatchRuleGroup(d *schema.ResourceData) (*ssm.PatchRuleGroup, error) {
 	var rules []*ssm.PatchRule
 
 	ruleConfig := d.Get("approval_rule").([]interface{})
@@ -468,18 +482,31 @@ func expandAwsSsmPatchRuleGroup(d *schema.ResourceData) *ssm.PatchRuleGroup {
 		}
 
 		rule := &ssm.PatchRule{
-			ApproveAfterDays:  aws.Int64(int64(rCfg["approve_after_days"].(int))),
 			PatchFilterGroup:  filterGroup,
 			ComplianceLevel:   aws.String(rCfg["compliance_level"].(string)),
 			EnableNonSecurity: aws.Bool(rCfg["enable_non_security"].(bool)),
 		}
 
+		// Verify that at least one of approve_after_days or approve_until_date is set
+		approveAfterDays, _ := rCfg["approve_after_days"].(int)
+		approveUntilDate, _ := rCfg["approve_until_date"].(string)
+
+		if approveAfterDays > 0 && len(approveUntilDate) > 0 {
+			return nil, fmt.Errorf("Only one of approve_after_days or approve_until_date must be configured")
+		}
+
+		if len(approveUntilDate) > 0 {
+			rule.ApproveUntilDate = aws.String(approveUntilDate)
+		} else {
+			rule.ApproveAfterDays = aws.Int64(int64(approveAfterDays))
+		}
+
 		rules = append(rules, rule)
 	}
 
 	return &ssm.PatchRuleGroup{
 		PatchRules: rules,
-	}
+	}, nil
 }
 
 func flattenAwsSsmPatchRuleGroup(group *ssm.PatchRuleGroup) []map[string]interface{} {
@@ -491,10 +518,18 @@ func flattenAwsSsmPatchRuleGroup(group *ssm.PatchRuleGroup) []map[string]interfa
 
 	for _, rule := range group.PatchRules {
 		r := make(map[string]interface{})
-		r["approve_after_days"] = aws.Int64Value(rule.ApproveAfterDays)
 		r["compliance_level"] = aws.StringValue(rule.ComplianceLevel)
 		r["enable_non_security"] = aws.BoolValue(rule.EnableNonSecurity)
 		r["patch_filter"] = flattenAwsSsmPatchFilterGroup(rule.PatchFilterGroup)
+
+		if rule.ApproveAfterDays != nil {
+      r["approve_after_days"] = aws.Int64Value(rule.ApproveAfterDays)
+		}
+
+		if rule.ApproveUntilDate != nil {
+      r["approve_until_date"] = aws.StringValue(rule.ApproveUntilDate)
+		}
+
 		result = append(result, r)
 	}
 

@@ -171,6 +171,54 @@ func TestAccAWSSSMPatchBaseline_OperatingSystem(t *testing.T) {
 	})
 }
 
+func TestAccAWSSSMPatchBaseline_ApproveUntilDateParam(t *testing.T) {
+	var before, after ssm.PatchBaselineIdentity
+	name := acctest.RandString(10)
+	resourceName := "aws_ssm_patch_baseline.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSSSMPatchBaselineDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSSSMPatchBaselineConfigWithApproveUntilDate(name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSSSMPatchBaselineExists(resourceName, &before),
+					resource.TestCheckResourceAttr(resourceName, "approval_rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "approval_rule.0.approve_until_date", "2020-01-01"),
+					resource.TestCheckResourceAttr(resourceName, "approval_rule.0.patch_filter.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "approval_rule.0.compliance_level", ssm.PatchComplianceLevelCritical),
+					resource.TestCheckResourceAttr(resourceName, "approval_rule.0.enable_non_security", "true"),
+					resource.TestCheckResourceAttr(resourceName, "operating_system", "AMAZON_LINUX"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccAWSSSMPatchBaselineConfigWithApproveUntilDateUpdated(name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSSSMPatchBaselineExists(resourceName, &after),
+					resource.TestCheckResourceAttr(resourceName, "approval_rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "approval_rule.0.approve_until_date", "2020-02-02"),
+					resource.TestCheckResourceAttr(resourceName, "approval_rule.0.patch_filter.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "approval_rule.0.compliance_level", ssm.PatchComplianceLevelCritical),
+					resource.TestCheckResourceAttr(resourceName, "operating_system", "AMAZON_LINUX"),
+					func(*terraform.State) error {
+						if aws.StringValue(before.BaselineId) != aws.StringValue(after.BaselineId) {
+							t.Fatal("Baseline IDs changed unexpectedly")
+						}
+						return nil
+					},
+				),
+			},
+		},
+	})
+}
+
 func TestAccAWSSSMPatchBaseline_Sources(t *testing.T) {
 	var before, after ssm.PatchBaselineIdentity
 	name := acctest.RandString(10)
@@ -252,6 +300,7 @@ func TestAccAWSSSMPatchBaseline_RejectPatchesAction(t *testing.T) {
 	var ssmPatch ssm.PatchBaselineIdentity
 	name := acctest.RandString(10)
 	resourceName := "aws_ssm_patch_baseline.test"
+
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
 		Providers:    testAccProviders,
@@ -462,6 +511,66 @@ resource "aws_ssm_patch_baseline" "test" {
 `, rName)
 }
 
+func testAccAWSSSMPatchBaselineConfigWithApproveUntilDate(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_ssm_patch_baseline" "test" {
+  name             = %[1]q
+  operating_system = "AMAZON_LINUX"
+  description      = "Baseline containing all updates approved for production systems"
+
+  tags = {
+    Name = "My Patch Baseline"
+  }
+
+  approval_rule {
+    approve_until_date  = "2020-01-01"
+    enable_non_security = true
+    compliance_level    = "CRITICAL"
+
+    patch_filter {
+      key    = "PRODUCT"
+      values = ["AmazonLinux2016.03", "AmazonLinux2016.09", "AmazonLinux2017.03", "AmazonLinux2017.09"]
+    }
+
+    patch_filter {
+      key    = "SEVERITY"
+      values = ["Critical", "Important"]
+    }
+  }
+}
+`, rName)
+}
+
+func testAccAWSSSMPatchBaselineConfigWithApproveUntilDateUpdated(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_ssm_patch_baseline" "test" {
+  name             = %[1]q
+  operating_system = "AMAZON_LINUX"
+  description      = "Baseline containing all updates approved for production systems"
+
+  tags = {
+    Name = "My Patch Baseline"
+  }
+
+  approval_rule {
+    approve_until_date  = "2020-02-02"
+    enable_non_security = true
+    compliance_level    = "CRITICAL"
+
+    patch_filter {
+      key    = "PRODUCT"
+      values = ["AmazonLinux2016.03", "AmazonLinux2016.09", "AmazonLinux2017.03", "AmazonLinux2017.09"]
+    }
+
+    patch_filter {
+      key    = "SEVERITY"
+      values = ["Critical", "Important"]
+    }
+  }
+}
+`, rName)
+}
+
 func testAccAWSSSMPatchBaselineConfigWithSource(rName string) string {
 	return fmt.Sprintf(`
 resource "aws_ssm_patch_baseline" "test" {

@@ -172,7 +172,8 @@ The following arguments are supported:
 
 The `approval_rule` block supports:
 
-* `approve_after_days` - (Required) The number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. Valid Range: 0 to 100.
+* `approve_after_days` - (Optional) The number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. Valid Range: 0 to 100. Conflicts with `approve_until_date`
+* `approve_until_date` - (Optional) The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Date is formatted as `YYYY-MM-DD`. Conflicts with `approve_after_days`
 * `patch_filter` - (Required) The patch filter group that defines the criteria for the rule. Up to 5 patch filters can be specified per approval rule using Key/Value pairs. Valid Keys are `PATCH_SET | PRODUCT | CLASSIFICATION | MSRC_SEVERITY | PATCH_ID`. Valid combinations of these Keys and the `operating_system` value can be found in the [SSM DescribePatchProperties API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribePatchProperties.html). Valid Values are exact values for the patch property given as the key, or a wildcard `*`, which matches all values.
     * `PATCH_SET` defaults to `OS` if unspecified
 * `compliance_level` - (Optional) Defines the compliance level for patches approved by this rule. Valid compliance levels include the following: `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFORMATIONAL`, `UNSPECIFIED`. The default value is `UNSPECIFIED`.