Simple scanning and patching for EC2 instances using AWS System Manager
- Moved repository from https://github.com/CU-CommunityApps/tf-module-aws-patching to https://github.com/cu-cit-cloud-team/tf-module-aws-patching as part of the Cornell GitHub organization restructuring.
- Add `base_name` variable to use in naming resources to avoid name clashes.
- Create maintenance window resources only if the task they implement is enabled.
- Fix bug where the scanning maintenance window was incorrectly enabled if patching was enabled.
- Add optional maintenance window to run patching cleanup commands. By default this is not enabled. When enabled, it runs `apt-get --yes autoremove` by default, but the set of commands can be customized.
- Add auto-release GitHub workflow.
- Add CloudWatch Logs Insights query definitions for errors in stdout and stderr, for both patching and scanning.
- Initial release
```hcl
module "scanning_patching" {
  source = "git@github.com:cu-cit-cloud-team/tf-module-aws-patching.git?ref=v0.1.0"
}
```
Using the module defaults:

- patching and scanning will be targeted to EC2 instances tagged with `"Patch Group" = "default"`
- patching will occur on Tuesdays at 7am in the `America/New_York` time zone
- patching allows reboot, if needed. To change this behavior, set `patching_allow_reboot` to `false`.
- scanning will occur daily at 8am in the `America/New_York` time zone
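The following is an added example and is not part of the module's README. It shows a module call that overrides two of the defaults listed above (`base_name` and `patching_allow_reboot`, the only inputs this README documents; no other module inputs are assumed) together with an EC2 instance that opts in to the default patch group through its `"Patch Group"` tag. The AMI id and resource names are placeholders.

```hcl
# Added example, not the module's own code. Pin the module to a release tag,
# give the created resources a distinct prefix, and disable reboots during
# the patching window. Only base_name and patching_allow_reboot are documented
# in the README; no other inputs are assumed here.
module "scanning_patching" {
  source = "git@github.com:cu-cit-cloud-team/tf-module-aws-patching.git?ref=v0.1.0"

  base_name             = "example-app" # constructed prefix to avoid name clashes
  patching_allow_reboot = false         # module default is true
}

# With the module defaults, only instances carrying the tag
# "Patch Group" = "default" are scanned and patched. This instance opts in.
resource "aws_instance" "app" {
  ami           = "ami-PLACEHOLDER" # placeholder; use a real AMI id for your region
  instance_type = "t3.micro"

  tags = {
    Name          = "example-app"
    "Patch Group" = "default"
  }
}
```

The tag alone is not sufficient: Systems Manager can only scan or patch an instance it manages, so the instance also needs the SSM agent running and an IAM instance profile that grants the SSM permissions. An instance that carries the tag but never appears as a managed node in Systems Manager will silently be skipped by both maintenance windows, which is worth checking before relying on the compliance results.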
This repository is configured with a GitHub workflow to automatically create releases.

```shell
$ git add .
$ git commit -m "blah, blah"
$ git tag -a v1.0.0 -m "v1.0.0"
$ git push origin --follow-tags
# OR, if you have set the global push.followTags setting to true
$ git push origin
```
This module uses the default AWS patch baseline for all operating systems.