Terraform-provider-aws: Resource aws_ssm_patch_group cannot handle multiple baselines of differing OS in a single patch group

Created on 2 Aug 2019  ·  8 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

$ terraform -v
Terraform v0.12.6
+ provider.aws v2.22.0

Affected Resource(s)

  • aws_ssm_patch_group

Terraform Configuration Files

resource "aws_ssm_patch_baseline" "centos" {
  name             = "centos-patch-baseline"
  description      = "Patch baseline for centos"
  operating_system = "CENTOS"

  approval_rule {
    approve_after_days = "0"

    patch_filter {
      key    = "CLASSIFICATION"
      values = ["*"]
    }
  }
}

resource "aws_ssm_patch_baseline" "amazon_linux_2" {
  name             = "amazon_linux_2-patch-baseline"
  description      = "Patch baseline for amazon_linux_2"
  operating_system = "AMAZON_LINUX_2"

  approval_rule {
    approve_after_days = "0"

    patch_filter {
      key    = "CLASSIFICATION"
      values = ["*"]
    }
  }
}

resource "aws_ssm_patch_baseline" "amazon_linux" {
  name             = "amazon_linux-patch-baseline"
  description      = "Patch baseline for amazon_linux"
  operating_system = "AMAZON_LINUX"

  approval_rule {
    approve_after_days = "0"

    patch_filter {
      key    = "CLASSIFICATION"
      values = ["*"]
    }
  }
}

resource "aws_ssm_patch_group" "centos" {
  patch_group = "patch_group"
  baseline_id = aws_ssm_patch_baseline.centos.id
}

resource "aws_ssm_patch_group" "amazon_linux_2" {
  patch_group = "patch_group"
  baseline_id = aws_ssm_patch_baseline.amazon_linux_2.id
}

resource "aws_ssm_patch_group" "amazon_linux" {
  patch_group = "patch_group"
  baseline_id = aws_ssm_patch_baseline.amazon_linux.id
}

Debug Output

Apply output: https://gist.github.com/jdheyburn/e8298fa7b182f39948c98b34909fe2eb

Panic Output

N/A

Expected Behavior

  • Patch group should be unaltered, keeping all baselines

Actual Behavior

  • A baseline is removed from patch group

Output of the apply

Terraform will perform the following actions:

  # aws_ssm_patch_group.amazon_linux must be replaced
-/+ resource "aws_ssm_patch_group" "amazon_linux" {
      ~ baseline_id = "pb-01ad30a5a012192ed" -> "pb-0a38d8d0f7b2d56ce" # forces replacement
      ~ id          = "patch_group" -> (known after apply)
        patch_group = "patch_group"
    }

  # aws_ssm_patch_group.amazon_linux_2 must be replaced
-/+ resource "aws_ssm_patch_group" "amazon_linux_2" {
      ~ baseline_id = "pb-01ad30a5a012192ed" -> "pb-00fb43e57d24e1b2c" # forces replacement
      ~ id          = "patch_group" -> (known after apply)
        patch_group = "patch_group"
    }

Plan: 2 to add, 0 to change, 2 to destroy.

Note the following baseline IDs for referencing the above plan output:
amazon_linux_2 = pb-00fb43e57d24e1b2c
centos = pb-01ad30a5a012192ed
amazon_linux = pb-0a38d8d0f7b2d56ce

Steps to Reproduce

With the above HCL:

  1. Build out the scenario of 3 baselines added to 1 patch group: terraform apply
  2. View the results on the console, there are 3 baselines to the new patch group
  3. With no changes to the code, apply again: terraform apply
  4. See how the plan wants to alter the baseline
  5. After apply, view patch group in console, it removes a baseline
  6. This will then cycle forever

Important Factoids

N/A

References

Patch groups can be assigned many baselines, but only one baseline per OS - this is how it functions in the AWS console. Terraform here is assuming that a patch group can only have one baseline - or that it is only reading the first patch group entry retrieved from describe-patch-groups and then making changes from there.

Labels: needs-triage, service/ssm


All 8 comments

FWIW - Just reproduced this issue on version 0.12.18, on provider:

./plugins/darwin_amd64/terraform-provider-null_v2.1.2_x4
./plugins/darwin_amd64/terraform-provider-archive_v1.3.0_x4
./plugins/darwin_amd64/terraform-provider-aws_v2.44.0_x4

Hope to take a look at this over the next coming weeks.

Your comments don't follow with AWS own documentation:

https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-patch-patchgroups.html

Note
_A patch group can only be registered with one patch baseline._

Therefore the Terraform behaviour is correct, no?

Correct, however a patch baseline can have multiple patch groups. This is what Terraform fails to pick up. On the Modify Patch Groups page in AWS Console:

Patch groups
You can create up to 25 tag values to define patch groups for this patch baseline. Tag keys are automatically named Patch Group.

My original example should ideally have separate patch group names to highlight this.

Your comments don't follow with AWS own documentation:

https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-patch-patchgroups.html

Note
_A patch group can only be registered with one patch baseline._

Therefore the Terraform behaviour is correct, no?

This is actually not correct as the docs are somewhat misleading. You can have a single patch group registered with multiple patch baselines if they are for different operating systems. That line should really read "A patch group can only be registered with one patch baseline per operating system"

See below as an example where I've created an Internal Systems patch baseline for each OS (Windows, Amzn1 and Amzn2) and associated them with a single patch group:
[Screenshot (Screen Shot 2020-05-11 at 12 24 02 PM): one patch group registered with the Windows, Amzn1 and Amzn2 Internal Systems baselines]

We are having the same problem. Even though it is written as above in the documentation, even the aws-cli allows registering multiple patch baselines to one group. IMHO, the problem looks like the id that is used as a resource reference within the Terraform state is set to baseline_id, which is making any sequential plan/apply operation confused.

Terraform has an aws_ssm_patch_group resource while there is no CreatePatchGroup in the AWS API. It is basically registering a patch baseline with a patch group. The workaround is probably using a null resource to run the register-patch-baseline-for-patch-group CLI to do this task with a sha trigger based on the baseline resource and patch group input, and obviously run deregister-patch-baseline-for-patch-group for a destroy operation to keep it clean - thanks @eerkunt for this steer.
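The null_resource workaround described in the comment above, written out as an added example (not code from the issue or from the provider). It assumes the three aws_ssm_patch_baseline resources from the report, the null provider, and an aws CLI on PATH whose credentials allow ssm:RegisterPatchBaselineForPatchGroup and ssm:DeregisterPatchBaselineForPatchGroup; resource for_each needs Terraform 0.12.6 or later.

```hcl
# Added example: one registration per OS baseline, done through the AWS CLI
# instead of aws_ssm_patch_group. Assumes the baseline resources from the
# issue and an `aws` CLI on PATH with the two ssm:*PatchBaselineForPatchGroup
# permissions.

locals {
  patch_group = "patch_group"

  # One entry per operating system: a patch group may hold at most one
  # baseline per OS, so the OS name is a natural key.
  baselines = {
    centos         = aws_ssm_patch_baseline.centos.id
    amazon_linux   = aws_ssm_patch_baseline.amazon_linux.id
    amazon_linux_2 = aws_ssm_patch_baseline.amazon_linux_2.id
  }
}

resource "null_resource" "patch_group_registration" {
  for_each = local.baselines

  # A change to either value replaces this resource: the destroy provisioner
  # deregisters the old baseline, then the create provisioner registers the
  # new one. Unchanged values produce an empty plan, so no more apply loop.
  triggers = {
    baseline_id = each.value
    patch_group = local.patch_group
  }

  provisioner "local-exec" {
    command = "aws ssm register-patch-baseline-for-patch-group --baseline-id '${self.triggers.baseline_id}' --patch-group '${self.triggers.patch_group}'"
  }

  provisioner "local-exec" {
    when = destroy
    # Destroy provisioners may only reference self.*, hence the triggers map.
    command = "aws ssm deregister-patch-baseline-for-patch-group --baseline-id '${self.triggers.baseline_id}' --patch-group '${self.triggers.patch_group}'"
  }
}
```

Because null_resource stores only its triggers, a baseline deregistered outside Terraform will not appear as drift in a plan; removing a key from local.baselines runs the destroy provisioner for that entry alone and deregisters just that baseline.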

:+1:
