Class: AWSCDK::SSM::CfnPatchBaselineProps

Inherits:
Jsii::Struct
  • Object
show all
Defined in:
ssm/cfn_patch_baseline_props.rb

Overview

Properties for defining a CfnPatchBaseline.

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(name:, approval_rules: nil, approved_patches: nil, approved_patches_compliance_level: nil, approved_patches_enable_non_security: nil, available_security_updates_compliance_status: nil, default_baseline: nil, description: nil, global_filters: nil, operating_system: nil, patch_groups: nil, rejected_patches: nil, rejected_patches_action: nil, sources: nil, tags: nil) ⇒ CfnPatchBaselineProps

Returns a new instance of CfnPatchBaselineProps.

Parameters:

  • name (String)

    The name of the patch baseline.

  • approval_rules (AWSCDK::IResolvable, AWSCDK::SSM::CfnPatchBaseline::RuleGroupProperty, nil) (defaults to: nil)

    A set of rules used to include patches in the baseline.

  • approved_patches (Array<String>, nil) (defaults to: nil)

    A list of explicitly approved patches for the baseline.

  • approved_patches_compliance_level (String, nil) (defaults to: nil)

    Defines the compliance level for approved patches.

  • approved_patches_enable_non_security (Boolean, AWSCDK::IResolvable, nil) (defaults to: nil)

    Indicates whether the list of approved patches includes non-security updates that should be applied to the managed nodes.

  • available_security_updates_compliance_status (String, nil) (defaults to: nil)

    Indicates the status you want to assign to security patches that are available but not approved because they don't meet the installation criteria specified in the patch baseline.

  • default_baseline (Boolean, AWSCDK::IResolvable, nil) (defaults to: nil)

    Indicates whether this is the default baseline.

  • description (String, nil) (defaults to: nil)

    A description of the patch baseline.

  • global_filters (AWSCDK::IResolvable, AWSCDK::SSM::CfnPatchBaseline::PatchFilterGroupProperty, nil) (defaults to: nil)

    A set of global filters used to include patches in the baseline.

  • operating_system (String, nil) (defaults to: nil)

    Defines the operating system the patch baseline applies to.

  • patch_groups (Array<String>, nil) (defaults to: nil)

    The name of the patch group to be registered with the patch baseline.

  • rejected_patches (Array<String>, nil) (defaults to: nil)

    A list of explicitly rejected patches for the baseline.

  • rejected_patches_action (String, nil) (defaults to: nil)

    The action for Patch Manager to take on patches included in the RejectedPackages list.

  • sources (AWSCDK::IResolvable, Array<AWSCDK::IResolvable, AWSCDK::SSM::CfnPatchBaseline::PatchSourceProperty>, nil) (defaults to: nil)

    Information about the patches to use to update the managed nodes, including target operating systems and source repositories.

  • tags (Array<AWSCDK::CfnTag>, nil) (defaults to: nil)

    Optional metadata that you assign to a resource.



24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# File 'ssm/cfn_patch_baseline_props.rb', line 24

def initialize(name:, approval_rules: nil, approved_patches: nil, approved_patches_compliance_level: nil, approved_patches_enable_non_security: nil, available_security_updates_compliance_status: nil, default_baseline: nil, description: nil, global_filters: nil, operating_system: nil, patch_groups: nil, rejected_patches: nil, rejected_patches_action: nil, sources: nil, tags: nil)
  @name = name
  Jsii::Type.check_type(@name, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "name")
  @approval_rules = approval_rules.is_a?(Hash) ? ::AWSCDK::SSM::CfnPatchBaseline::RuleGroupProperty.new(**approval_rules.transform_keys(&:to_sym)) : approval_rules
  Jsii::Type.check_type(@approval_rules, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImZxbiI6ImF3cy1jZGstbGliLmF3c19zc20uQ2ZuUGF0Y2hCYXNlbGluZS5SdWxlR3JvdXBQcm9wZXJ0eSJ9XX19")), "approvalRules") unless @approval_rules.nil?
  @approved_patches = approved_patches
  Jsii::Type.check_type(@approved_patches, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6InN0cmluZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "approvedPatches") unless @approved_patches.nil?
  @approved_patches_compliance_level = approved_patches_compliance_level
  Jsii::Type.check_type(@approved_patches_compliance_level, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "approvedPatchesComplianceLevel") unless @approved_patches_compliance_level.nil?
  @approved_patches_enable_non_security = approved_patches_enable_non_security
  Jsii::Type.check_type(@approved_patches_enable_non_security, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3sicHJpbWl0aXZlIjoiYm9vbGVhbiJ9LHsiZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifV19fQ==")), "approvedPatchesEnableNonSecurity") unless @approved_patches_enable_non_security.nil?
  @available_security_updates_compliance_status = available_security_updates_compliance_status
  Jsii::Type.check_type(@available_security_updates_compliance_status, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "availableSecurityUpdatesComplianceStatus") unless @available_security_updates_compliance_status.nil?
  @default_baseline = default_baseline
  Jsii::Type.check_type(@default_baseline, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3sicHJpbWl0aXZlIjoiYm9vbGVhbiJ9LHsiZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifV19fQ==")), "defaultBaseline") unless @default_baseline.nil?
  @description = description
  Jsii::Type.check_type(@description, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "description") unless @description.nil?
  @global_filters = global_filters.is_a?(Hash) ? ::AWSCDK::SSM::CfnPatchBaseline::PatchFilterGroupProperty.new(**global_filters.transform_keys(&:to_sym)) : global_filters
  Jsii::Type.check_type(@global_filters, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImZxbiI6ImF3cy1jZGstbGliLmF3c19zc20uQ2ZuUGF0Y2hCYXNlbGluZS5QYXRjaEZpbHRlckdyb3VwUHJvcGVydHkifV19fQ==")), "globalFilters") unless @global_filters.nil?
  @operating_system = operating_system
  Jsii::Type.check_type(@operating_system, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "operatingSystem") unless @operating_system.nil?
  @patch_groups = patch_groups
  Jsii::Type.check_type(@patch_groups, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6InN0cmluZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "patchGroups") unless @patch_groups.nil?
  @rejected_patches = rejected_patches
  Jsii::Type.check_type(@rejected_patches, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6InN0cmluZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "rejectedPatches") unless @rejected_patches.nil?
  @rejected_patches_action = rejected_patches_action
  Jsii::Type.check_type(@rejected_patches_action, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "rejectedPatchesAction") unless @rejected_patches_action.nil?
  @sources = sources
  Jsii::Type.check_type(@sources, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3Nfc3NtLkNmblBhdGNoQmFzZWxpbmUuUGF0Y2hTb3VyY2VQcm9wZXJ0eSJ9XX19LCJraW5kIjoiYXJyYXkifX1dfX0=")), "sources") unless @sources.nil?
  @tags = tags.is_a?(Array) ? tags.map { |jsii_v0| jsii_v0.is_a?(Hash) ? ::AWSCDK::CfnTag.new(**jsii_v0.transform_keys(&:to_sym)) : jsii_v0 } : tags
  Jsii::Type.check_type(@tags, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7ImZxbiI6ImF3cy1jZGstbGliLkNmblRhZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "tags") unless @tags.nil?
end

Instance Attribute Details

#approval_rulesAWSCDK::IResolvable, ... (readonly)

A set of rules used to include patches in the baseline.



66
67
68
# File 'ssm/cfn_patch_baseline_props.rb', line 66

def approval_rules
  @approval_rules
end

#approved_patchesArray<String>? (readonly)

A list of explicitly approved patches for the baseline.

For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists in the AWS Systems Manager User Guide .



73
74
75
# File 'ssm/cfn_patch_baseline_props.rb', line 73

def approved_patches
  @approved_patches
end

#approved_patches_compliance_levelString? (readonly)

Note:

Default: - "UNSPECIFIED"

Defines the compliance level for approved patches.

When an approved patch is reported as missing, this value describes the severity of the compliance violation. The default value is UNSPECIFIED .



81
82
83
# File 'ssm/cfn_patch_baseline_props.rb', line 81

def approved_patches_compliance_level
  @approved_patches_compliance_level
end

#approved_patches_enable_non_securityBoolean, ... (readonly)

Note:

Default: - false

Indicates whether the list of approved patches includes non-security updates that should be applied to the managed nodes.

The default value is false . Applies to Linux managed nodes only.



89
90
91
# File 'ssm/cfn_patch_baseline_props.rb', line 89

def approved_patches_enable_non_security
  @approved_patches_enable_non_security
end

#available_security_updates_compliance_statusString? (readonly)

Indicates the status you want to assign to security patches that are available but not approved because they don't meet the installation criteria specified in the patch baseline.

Example scenario: Security patches that you might want installed can be skipped if you have specified a long period to wait after a patch is released before installation. If an update to the patch is released during your specified waiting period, the waiting period for installing the patch starts over. If the waiting period is too long, multiple versions of the patch could be released but never installed.

Supported for Windows Server managed nodes only.



98
99
100
# File 'ssm/cfn_patch_baseline_props.rb', line 98

def available_security_updates_compliance_status
  @available_security_updates_compliance_status
end

#default_baselineBoolean, ... (readonly)

Note:

Default: - false

Indicates whether this is the default baseline.

AWS Systems Manager supports creating multiple default patch baselines. For example, you can create a default patch baseline for each operating system.



106
107
108
# File 'ssm/cfn_patch_baseline_props.rb', line 106

def default_baseline
  @default_baseline
end

#descriptionString? (readonly)

A description of the patch baseline.



111
112
113
# File 'ssm/cfn_patch_baseline_props.rb', line 111

def description
  @description
end

#global_filtersAWSCDK::IResolvable, ... (readonly)

A set of global filters used to include patches in the baseline.

The GlobalFilters parameter can be configured only by using the AWS CLI or an AWS SDK. It can't be configured from the Patch Manager console, and its value isn't displayed in the console.



118
119
120
# File 'ssm/cfn_patch_baseline_props.rb', line 118

def global_filters
  @global_filters
end

#nameString (readonly)

The name of the patch baseline.



61
62
63
# File 'ssm/cfn_patch_baseline_props.rb', line 61

def name
  @name
end

#operating_systemString? (readonly)

Note:

Default: - "WINDOWS"

Defines the operating system the patch baseline applies to.

The default value is WINDOWS .



126
127
128
# File 'ssm/cfn_patch_baseline_props.rb', line 126

def operating_system
  @operating_system
end

#patch_groupsArray<String>? (readonly)

The name of the patch group to be registered with the patch baseline.



131
132
133
# File 'ssm/cfn_patch_baseline_props.rb', line 131

def patch_groups
  @patch_groups
end

#rejected_patchesArray<String>? (readonly)

A list of explicitly rejected patches for the baseline.

For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists in the AWS Systems Manager User Guide .



138
139
140
# File 'ssm/cfn_patch_baseline_props.rb', line 138

def rejected_patches
  @rejected_patches
end

#rejected_patches_actionString? (readonly)

Note:

Default: - "ALLOW_AS_DEPENDENCY"

The action for Patch Manager to take on patches included in the RejectedPackages list.

  • ALLOW_AS_DEPENDENCY - Linux and macOS : A package in the rejected patches list is installed only if it is a dependency of another package. It is considered compliant with the patch baseline, and its status is reported as INSTALLED_OTHER . This is the default action if no option is specified.

Windows Server : Windows Server doesn't support the concept of package dependencies. If a package in the rejected patches list and already installed on the node, its status is reported as INSTALLED_OTHER . Any package not already installed on the node is skipped. This is the default action if no option is specified.

  • BLOCK - All OSs : Packages in the rejected patches list, and packages that include them as dependencies, aren't installed by Patch Manager under any circumstances.

State value assignment for patch compliance:

  • If a package was installed before it was added to the rejected patches list, or is installed outside of Patch Manager afterward, it's considered noncompliant with the patch baseline and its status is reported as INSTALLED_REJECTED .
  • If an update attempts to install a dependency package that is now rejected by the baseline, when previous versions of the package were not rejected, the package being updated is reported as MISSING for SCAN operations and as FAILED for INSTALL operations.


155
156
157
# File 'ssm/cfn_patch_baseline_props.rb', line 155

def rejected_patches_action
  @rejected_patches_action
end

#sourcesAWSCDK::IResolvable, ... (readonly)

Information about the patches to use to update the managed nodes, including target operating systems and source repositories.

Applies to Linux managed nodes only.



162
163
164
# File 'ssm/cfn_patch_baseline_props.rb', line 162

def sources
  @sources
end

#tagsArray<AWSCDK::CfnTag>? (readonly)

Optional metadata that you assign to a resource.

Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a patch baseline to identify the severity level of patches it specifies and the operating system family it applies to.



169
170
171
# File 'ssm/cfn_patch_baseline_props.rb', line 169

def tags
  @tags
end

Class Method Details

.jsii_propertiesObject



171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
# File 'ssm/cfn_patch_baseline_props.rb', line 171

def self.jsii_properties
  {
    :name => "name",
    :approval_rules => "approvalRules",
    :approved_patches => "approvedPatches",
    :approved_patches_compliance_level => "approvedPatchesComplianceLevel",
    :approved_patches_enable_non_security => "approvedPatchesEnableNonSecurity",
    :available_security_updates_compliance_status => "availableSecurityUpdatesComplianceStatus",
    :default_baseline => "defaultBaseline",
    :description => "description",
    :global_filters => "globalFilters",
    :operating_system => "operatingSystem",
    :patch_groups => "patchGroups",
    :rejected_patches => "rejectedPatches",
    :rejected_patches_action => "rejectedPatchesAction",
    :sources => "sources",
    :tags => "tags",
  }
end

Instance Method Details

#to_jsiiObject



191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
# File 'ssm/cfn_patch_baseline_props.rb', line 191

def to_jsii
  result = {}
  result.merge!({
    "name" => @name,
    "approvalRules" => @approval_rules,
    "approvedPatches" => @approved_patches,
    "approvedPatchesComplianceLevel" => @approved_patches_compliance_level,
    "approvedPatchesEnableNonSecurity" => @approved_patches_enable_non_security,
    "availableSecurityUpdatesComplianceStatus" => @available_security_updates_compliance_status,
    "defaultBaseline" => @default_baseline,
    "description" => @description,
    "globalFilters" => @global_filters,
    "operatingSystem" => @operating_system,
    "patchGroups" => @patch_groups,
    "rejectedPatches" => @rejected_patches,
    "rejectedPatchesAction" => @rejected_patches_action,
    "sources" => @sources,
    "tags" => @tags,
  })
  result.compact
end