[IT-4287] Automate SSM patching for all instances in all accounts #1334
Conversation
Use SSM Quick Setup to create a Patch Policy that applies to all managed nodes in the Platform organitazional unit (Synapse accounts and Bridge accounts). https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-patch-manager.html https://aws.amazon.com/blogs/mt/deploy-aws-systems-manager-quick-setup-programmatically-across-your-aws-organization/ https://github.com/aws-samples/aws-management-and-governance-samples/blob/master/AWSSystemsManager/Quick-Setup-API/patch-policy-examples/patch-policy-cfn-template.yaml https://github.com/aws-samples/aws-management-and-governance-samples/blob/master/AWSSystemsManager/Quick-Setup-API/patch-policy-examples/default-patch-baselines.txt
| DefaultOrganizationBinding: | ||
| Account: !Ref accountId | ||
| Parameters: | ||
| TargetOrgUnits: !Ref PlatformOU |
There was a problem hiding this comment.
@zaro0508 can I !Ref the OU here like this?
There was a problem hiding this comment.
To answer your question, I'm not sure this example seems to indicate that it's possible however i'm not sure if it's only possible in context of an OrganizationBindings.
if it doesn't work you might want to think about converting the cloudformation template to a nunjucks template so that you can list each OU or account here.
Also I'm wondering if * works for this parameter?
There was a problem hiding this comment.
Unfortunately * isn't valid, but we can specify the organization root to target all accounts in the organization. I'll try doing it with a !Ref, but I might have to hard-code the value
| TargetOrgUnits: | ||
| Type: String | ||
| Description: >- | ||
| Comma separated list of AWS Organizational Units to target. | ||
| TargetRegions: | ||
| Type: String | ||
| Description: >- | ||
| Comma separated list of AWS Organizational Units to target. |
There was a problem hiding this comment.
it's probably better to change these to CommaDelimitedList types
There was a problem hiding this comment.
I don't think that's appropriate, that would unpack the input into a list of strings, but the parameters these are being passed to expect a comma-delimited string, not a list of strings, so I'm pretty sure I would have to repack the values into a single string with !Join if this were a CommaDelimitedList
org-formation/090-systems-manager/QuickSetup-PatchPolicy-Prod.yaml
Outdated
Show resolved
Hide resolved
| DefaultOrganizationBinding: | ||
| Account: !Ref accountId | ||
| Parameters: | ||
| TargetOrgUnits: !Ref PlatformOU |
There was a problem hiding this comment.
To answer your question, I'm not sure this example seems to indicate that it's possible however i'm not sure if it's only possible in context of an OrganizationBindings.
if it doesn't work you might want to think about converting the cloudformation template to a nunjucks template so that you can list each OU or account here.
Also I'm wondering if * works for this parameter?
ConsoleCatzirl
force-pushed
the
it-3940
branch
from
3b60c8c to
08f5e6d
Compare
ConsoleCatzirl
changed the title
ConsoleCatzirl
changed the title
Use SSM Quick Setup to create a Patch Policy that applies to all managed nodes in the Platform organizational unit (Synapse accounts and Bridge accounts).
User Guide:
https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-patch-manager.html
AWS Blog:
https://aws.amazon.com/blogs/mt/deploy-aws-systems-manager-quick-setup-programmatically-across-your-aws-organization/
Examples:
https://github.com/aws-samples/aws-management-and-governance-samples/blob/master/AWSSystemsManager/Quick-Setup-API/patch-policy-examples/patch-policy-cfn-template.yaml
https://github.com/aws-samples/aws-management-and-governance-samples/blob/master/AWSSystemsManager/Quick-Setup-API/patch-policy-examples/default-patch-baselines.txt