OS Patch Management in GCP VM Manager with Pulumi

How do I manage OS patches in GCP VM Manager using Pulumi?

In this guide, we will demonstrate how to manage OS patches on Google Cloud Platform (GCP) using Pulumi. We will use the gcp.osconfig.PatchDeployment resource to schedule and manage patch deployments for VM instances. A patch deployment applies updates to the targeted VM instances on a schedule you control, which shortens the window during which known vulnerabilities remain unpatched and keeps your infrastructure in a consistent, maintained state.

Below is a Pulumi program written in TypeScript that sets up a patch deployment in GCP:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Create a new OS Config Patch Deployment
const patchDeployment = new gcp.osconfig.PatchDeployment("examplePatchDeployment", {
    project: "your-gcp-project-id",
    patchDeploymentId: "example-patch-deployment",
    description: "Patch deployment for critical updates",
    instanceFilter: {
        all: true, // Apply to all instances
    },
    patchConfig: {
        rebootConfig: "ALWAYS", // Reboot instances after applying patches
        apt: {
            type: "DIST", // Apply distribution updates
        },
        yum: {
            security: true, // Apply security updates
        },
    },
    oneTimeSchedule: {
        executeTime: "2023-12-01T00:00:00Z", // Schedule the patch deployment
    },
    duration: "3600s", // Duration of the patch deployment
    rollout: {
        mode: "ZONE_BY_ZONE", // Rollout mode
        disruptionBudget: {
            fixed: 1, // Allow 1 instance to be disrupted at a time
        },
    },
});

// Export the patch deployment name
export const patchDeploymentName = patchDeployment.name;

Key Points:

  • Project ID: Replace "your-gcp-project-id" with your actual GCP project ID.
  • Patch Deployment ID: The patchDeploymentId is a unique identifier for the patch deployment within the project.
  • Instance Filter: The instanceFilter is set to all: true, so the patch applies to every VM instance in the project; in practice you will usually narrow the scope with groupLabels or zones so a deployment only touches the fleet it was written for.
  • Patch Configuration: The patchConfig specifies the type of updates to apply (security updates for YUM, distribution updates for APT) and, via rebootConfig, whether instances are rebooted afterwards.
  • Schedule: The oneTimeSchedule specifies the single point in time at which the patch deployment is executed.
  • Duration: The duration is the maximum time the patch job is allowed to run before it times out.
  • Rollout: The rollout configuration controls how patching progresses across zones (ZONE_BY_ZONE here) and how many instances may be disrupted at the same time (disruptionBudget).

Summary:

In this example, we created a patch deployment in GCP using Pulumi. The deployment is configured to apply critical updates to all VM instances, with a specified schedule and duration. The rollout is managed to minimize disruption by allowing only one instance to be disrupted at a time. This setup ensures that your VM instances remain secure and up-to-date with the latest patches.
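The deployment above is a plain argument object, so its security-relevant settings (scope, schedule, reboot behaviour, disruption budget) can be checked before `pulumi up` ever runs. The following is an added example, not code from the page or from the Pulumi project: a small lint pass over the object you would hand to `new gcp.osconfig.PatchDeployment(...)`. The `PatchDeploymentArgs` type is a hand-written subset of the provider's input shape (an assumption of this example) so the file runs without `@pulumi/gcp` installed; the two sample objects are constructed here, the first restating the page's deployment and the second a narrowed, recurring variant of it.

```typescript
// Added example (not from the page or Pulumi): lint a PatchDeployment argument
// object for weak settings before it is applied. `PatchDeploymentArgs` mirrors
// only the fields used here (assumption); the real provider type is larger.

export type RebootConfig = "DEFAULT" | "ALWAYS" | "NEVER";
export type RolloutMode = "ZONE_BY_ZONE" | "CONCURRENT_ZONES";

export interface PatchDeploymentArgs {
  project?: string;
  patchDeploymentId: string;
  description?: string;
  instanceFilter: {
    all?: boolean;
    groupLabels?: { labels: Record<string, string> }[];
    zones?: string[];
  };
  patchConfig?: {
    rebootConfig?: RebootConfig;
    apt?: { type?: "DIST" | "UPGRADE" };
    yum?: { security?: boolean; minimal?: boolean };
  };
  oneTimeSchedule?: { executeTime: string };
  recurringSchedule?: {
    timeZone: { id: string };
    timeOfDay: { hours?: number; minutes?: number };
    weekly?: { dayOfWeek: string };
  };
  duration?: string;
  rollout?: { mode: RolloutMode; disruptionBudget: { fixed?: number; percent?: number } };
}

/** Parse a protobuf-style duration such as "3600s" into seconds; null if malformed. */
export function durationSeconds(d: string): number | null {
  const m = /^(\d+(?:\.\d+)?)s$/.exec(d);
  return m ? Number(m[1]) : null;
}

/** Return findings for the config; an empty list means every check passed. */
export function lintPatchDeployment(args: PatchDeploymentArgs): string[] {
  const findings: string[] = [];
  const f = args.instanceFilter;

  // Deployment ID: lowercase letters, digits and hyphens, alphanumeric at both ends.
  if (!/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/.test(args.patchDeploymentId)) {
    findings.push(`patchDeploymentId "${args.patchDeploymentId}" is not a valid ID`);
  }
  // Scope: all=true patches every VM in the project, including ones the
  // deployment owner never meant to touch; prefer labels or zones.
  if (f.all) {
    findings.push("instanceFilter.all=true targets every VM in the project; scope with groupLabels or zones");
  } else if (!(f.groupLabels?.length || f.zones?.length)) {
    findings.push("instanceFilter selects no instances");
  }
  // Schedule: exactly one of oneTimeSchedule / recurringSchedule must be set.
  const schedules = [args.oneTimeSchedule, args.recurringSchedule].filter(Boolean).length;
  if (schedules !== 1) {
    findings.push("exactly one of oneTimeSchedule or recurringSchedule must be set");
  } else if (args.oneTimeSchedule) {
    findings.push("oneTimeSchedule runs once; a recurringSchedule keeps instances patched over time");
  }
  // Duration: the API expects a seconds string like "3600s".
  if (args.duration !== undefined && durationSeconds(args.duration) === null) {
    findings.push(`duration "${args.duration}" must look like "3600s"`);
  }
  // Reboot: ALWAYS restarts every targeted VM even when no package needed it.
  if (args.patchConfig?.rebootConfig === "ALWAYS") {
    findings.push("rebootConfig=ALWAYS reboots every VM; DEFAULT reboots only when a package requires it");
  }
  // Rollout: bound the blast radius with exactly one disruption-budget form.
  const r = args.rollout;
  if (!r) {
    findings.push("no rollout: all zones are patched at once with no disruption budget");
  } else {
    const b = r.disruptionBudget;
    const set = [b.fixed !== undefined, b.percent !== undefined].filter(Boolean).length;
    if (set !== 1) findings.push("disruptionBudget must set exactly one of fixed or percent");
    if (b.fixed !== undefined && b.fixed < 1) findings.push("disruptionBudget.fixed must be >= 1");
    if (b.percent !== undefined && (b.percent < 1 || b.percent > 100)) findings.push("disruptionBudget.percent must be 1..100");
  }
  return findings;
}

// Constructed sample 1: the page's deployment, restated as a plain object.
export const pageDeployment: PatchDeploymentArgs = {
  project: "your-gcp-project-id",
  patchDeploymentId: "example-patch-deployment",
  instanceFilter: { all: true },
  patchConfig: { rebootConfig: "ALWAYS", apt: { type: "DIST" }, yum: { security: true } },
  oneTimeSchedule: { executeTime: "2023-12-01T00:00:00Z" },
  duration: "3600s",
  rollout: { mode: "ZONE_BY_ZONE", disruptionBudget: { fixed: 1 } },
};

// Constructed sample 2: scoped to labelled VMs, recurring weekly, reboot only when needed.
export const hardenedDeployment: PatchDeploymentArgs = {
  project: "your-gcp-project-id",
  patchDeploymentId: "prod-weekly-security-patches",
  instanceFilter: { groupLabels: [{ labels: { env: "prod" } }] },
  patchConfig: { rebootConfig: "DEFAULT", apt: { type: "DIST" }, yum: { security: true } },
  recurringSchedule: { timeZone: { id: "Etc/UTC" }, timeOfDay: { hours: 2, minutes: 0 }, weekly: { dayOfWeek: "SUNDAY" } },
  duration: "3600s",
  rollout: { mode: "ZONE_BY_ZONE", disruptionBudget: { percent: 10 } },
};

for (const [name, cfg] of [["page", pageDeployment], ["hardened", hardenedDeployment]] as const) {
  console.log(`${name}: ${lintPatchDeployment(cfg).length} finding(s)`, lintPatchDeployment(cfg));
}
```

Running the file reports three findings for the page's object (project-wide scope, one-time schedule, unconditional reboot) and none for the narrowed variant; the same `lintPatchDeployment` call can sit in a unit test or a pre-commit hook beside the Pulumi program.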
