AI System Patch Management during Low-Traffic Windows with AWS SSM

Question

Pulumi · Accepted Answer

To set up system patch management during low-traffic windows using AWS Systems Manager (SSM), you'd typically follow these steps:

1. Create an SSM Maintenance Window to define when patching should occur (i.e., during your low-traffic windows).
2. Define the targets for the Maintenance Window, which can be a set of instances.
3. Create a Task for the Maintenance Window that applies patches.
4. Optionally, define a Patch Baseline to control which patches are approved for installation.
5. Optionally, set up notifications or use SSM contacts to alert or escalate in case of issues.

The following Pulumi program in Python sets up an SSM Maintenance Window to run during a defined low-traffic period and targets EC2 instances with a specific tag for patching. It applies a pre-defined Patch Baseline to these instances and logs the task output to an S3 bucket.

Let's walk through the program piece by piece.

### Step 1: Define the Maintenance Window

Firstly, we define a maintenance window, specifying the schedule for the low-traffic period during which you want patches to be applied. In this example, the maintenance window is set to occur weekly on Sundays at 2 AM.

### Step 2: Specify Targets for the Maintenance Window

Next, we specify the targets for the Maintenance Window. These are the instances that will be patched. In the example, we're targeting instances with a tag of `PatchGroup: "web-servers"`.

### Step 3: Define the Task to Apply Patches

After that, we define the task scheduled within the Maintenance Window to apply patches. We configure the task to run the `AWS-RunPatchBaseline` document, which is a pre-configured SSM document provided by AWS to apply patches.

### Step 4: Optional - Define and Use a Custom Patch Baseline

Optionally, you can create a custom patch baseline if you have specific patches you want to approve for installation. This step is not included in this program but can be easily added.

### Step 5: Set up Logging

Last but not least, we ensure all output from the patch application is sent to an S3 bucket for logging and audit trail purposes.

Below is the complete Pulumi program.

```python
import pulumi
import pulumi_aws as aws  # AWS Pulumi SDK, used for interacting with AWS

# Create an S3 bucket for logging patching results
patch_log_bucket = aws.s3.Bucket("patch-log-bucket")

# Step 1: Define the Maintenance Window
maintenance_window = aws.ssm.MaintenanceWindow(
    "low_traffic_window",
    schedule="cron(0 2 ? * SUN *)",  # Run every Sunday at 2 AM
    duration=4,  # Duration of 4 hours
    cutoff=1,  # Stop new tasks from starting 1 hour before the end of the window
    allow_unassociated_targets=False,  # Only specified targets can run this maintenance window task
    # For additional settings like time zone, consult the AWS and Pulumi documentation
)

# Step 2: Specify Targets for the Maintenance Window
maintenance_target = aws.ssm.MaintenanceWindowTarget(
    "web_servers_target",
    window_id=maintenance_window.id,
    resource_type="INSTANCE",
    targets=[
        aws.ssm.MaintenanceWindowTargetTarget(key="tag:PatchGroup", values=["web-servers"])
    ],
)

# Step 3: Define the Task to Apply Patches
maintenance_task = aws.ssm.MaintenanceWindowTask(
    "patch_task",
    window_id=maintenance_window.id,
    targets=[
        {"key": "WindowTargetIds", "values": [maintenance_target.id]}
    ],
    task_type="RUN_COMMAND",
    task_arn="AWS-RunPatchBaseline",
    service_role_arn=aws.iam.Role("ssm_service_role", assume_role_policy="...").arn,  # IAM role with permission to execute SSM commands
    max_concurrency="2",  # Define how many targets to run at the same time
    max_errors="1",  # The maximum number of errors allowed before stopping the task execution
    task_invocation_parameters=aws.ssm.MaintenanceWindowTaskTaskInvocationParametersArgs(
        run_command_parameters=aws.ssm.MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersArgs(
            output_s3_bucket_name=patch_log_bucket.id,
            output_s3_key_prefix="patch-logs/",  # Store task outputs in the S3 bucket created earlier
        ),
    ),
)

# Exports
pulumi.export("LogBucketName", patch_log_bucket.bucket)
pulumi.export("MaintenanceWindowId", maintenance_window.id)
pulumi.export("MaintenanceTargetId", maintenance_target.id)
pulumi.export("MaintenanceTaskId", maintenance_task.id)
```

In this program, replace the `ssm_service_role` role policy with an appropriate policy that grants the necessary permissions to perform SSM operations, and update the S3 bucket name if necessary.

We assumed that you've already set up the AWS CLI and Pulumi and configured IAM permissions. If you need help setting up your environment or understanding the above program, please let me know, and I can provide further assistance.