Module to automate the patching of ec2 instances in each account • This repository is defined and managed in Terraform
License: MIT License
The patching offered in this module works, with cross account patching also working, however I have included cloudformation templates below as with cross account patching, I've had occasional errors where the permissions have been incorrect. Please see below if the templates are needed for reference.
AWS-SystemsManager-AutomationExecutionRole.json
"Parameters": {
"AdminAccountId": {
"Type": "String",
"Description": "AWS Account ID of the primary account (the account from which AWS Systems Manager Automation will be initiated).",
"MaxLength": 12,
"MinLength": 12
}
},
"Resources": {
"AWSSystemsManagerAutomationExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "AWS-SystemsManager-AutomationExecutionRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Sub": [
"arn:aws:iam::${AdminAccountId}:role/AWS-SystemsManager-AutomationAdministrationRole",
{
"AdminAccountId": {
"Ref": "AdminAccountId"
}
}
]
}
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
],
"Path": "/",
"Policies": [
{
"PolicyName": "ExecutionPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"resource-groups:ListGroupResources",
"tag:GetResources",
"ec2:DescribeInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": {
"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/AWS-SystemsManager-AutomationExecutionRole"
}
}
]
}
}
]
}
}
}
}
AWS-SystemsManager-AutomationAdministrationRole.json
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Configure the AWS-SystemsManager-AutomationAdministrationRole to enable use of AWS Systems Manager Cross Account/Region Automation execution.",
"Resources": {
"MasterAccountRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "AWS-SystemsManager-AutomationAdministrationRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "AssumeRole-AWSSystemsManagerAutomationExecutionRole",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": {
"Fn::Sub": "arn:${AWS::Partition}:iam::*:role/AWS-SystemsManager-AutomationExecutionRole"
}
}
]
}
}
]
}
}
}
}
Currently in the single account patching you can select the patch_classification, going forward I will add the ability to select single patches, similarly to cross-account patching.
hashicorp/terraform-provider-aws#29549
Adding this to the module would enable teams to manage their own patching, if thats what they desire. It would pre populate patch manager, which is what I believe more people want. A general, patching strategy available to them.
Hi there
The user modernisation-platform-ci had Direct Member access to this repository and access via a team.
Access is now only via a team.
You may have less access it is dependant upon the teams access to the repo.
If you have any questions, please post in #ask-operations-engineering on Slack.
This issue can be closed.
Hi there
The user benmillar-cgi either had direct member access to the repository or had direct member access and access via a team.
Access is now only via a team.
If the user was already in a team, then their direct access to the repository has been removed.
If the user was not in a team, then the user will have been added to an automated generated team named repository-name-<read|write|maintain|admin>-team and their direct access to the repository has been removed.
The list of Org teams can be found at https://github.com/orgs/ministryofjustice/teams or https://github.com/orgs/moj-analytical-services/teams.
The user will have the same level of access to the repository via the team.
The first user added to a team is made a team maintainer, this enables that user to manage the users within the team.
Users with admin access are added to the admin team as a team maintainer.
If you have any questions, please contact us in #ask-operations-engineering on Slack.
This issue can be closed.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.