hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_ssm_patch_baseline is more strict about approval rules than AWS is #39917

Closed drzewiec closed 22 minutes ago

drzewiec commented 2 days ago

Terraform Core Version

1.9.8

AWS Provider Version

5.73.0

Affected Resource(s)

aws_ssm_patch_baseline

Expected Behavior

When setting approve_after_days in the approval_rule block, it should accept all values AWS does (0-360 per https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PatchRule.html).

Actual Behavior

Values over 100 are rejected. I set this value to 180, but got an error.

Relevant Error/Panic Output Snippet

│ Error: expected approval_rule.3.approve_after_days to be in the range (0 - 100), got 180
│ 
│   with aws_ssm_patch_baseline.patch_baseline_rhel_prod,
│   on main.tf line 101, in resource "aws_ssm_patch_baseline" "patch_baseline_rhel_prod":
│  101:     approve_after_days = 180
│

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

locals {
  rhel_derivatives = ["ALMA_LINUX"]
}

resource "aws_ssm_patch_baseline" "patch_baseline_rhel_prod" {
  for_each = toset(local.rhel_derivatives)

  name = "prod_${lower(each.value)}"

  approval_rule {
    approve_after_days = 30
    compliance_level = "CRITICAL"
    enable_non_security = false

    patch_filter {
      key = "PRODUCT"
      values = ["*"]
    }

    patch_filter {
      key = "CLASSIFICATION"
      values = ["*"]
    }

    patch_filter {
      key = "SEVERITY"
      values = ["Critical"]
    }
  }

  approval_rule {
    approve_after_days = 60
    compliance_level = "HIGH"
    enable_non_security = false

    patch_filter {
      key = "PRODUCT"
      values = ["*"]
    }

    patch_filter {
      key = "CLASSIFICATION"
      values = ["*"]
    }

    patch_filter {
      key = "SEVERITY"
      values = ["Important"]
    }
  }

  approval_rule {
    approve_after_days = 90
    compliance_level = "MEDIUM"
    enable_non_security = false

    patch_filter {
      key = "PRODUCT"
      values = ["*"]
    }

    patch_filter {
      key = "CLASSIFICATION"
      values = ["*"]
    }

    patch_filter {
      key = "SEVERITY"
      values = ["Moderate"]
    }
  }

  approval_rule {
    approve_after_days = 180
    compliance_level = "LOW"
    enable_non_security = true

    patch_filter {
      key = "PRODUCT"
      values = ["*"]
    }

    patch_filter {
      key = "CLASSIFICATION"
      values = ["*"]
    }

    patch_filter {
      key = "SEVERITY"
      values = ["*"]
    }
  }

  operating_system = each.value
}

Steps to Reproduce

Add a patch baseline (such as the one in the config file above) to a Terraform module, then run terraform apply.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No
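The report boils down to one bound: the provider's schema validator caps approve_after_days at 100, while the SSM API documents PatchRule.ApproveAfterDays as 0-360. The following Go program, added here as an illustration and not code from the provider or from the reporter, re-implements a range validator in the (value, attribute path) -> (warnings, errors) shape that Terraform SDK schema validators use, with the error text mirroring the message quoted above, and runs the four rules from the posted configuration against both bounds. ApprovalRule, IntBetween, CheckRules, ReportedRules and the constants are names chosen for this example; the 100 and 360 limits are the ones stated in the issue.

```go
package main

import (
	"fmt"
)

// ApprovalRule carries the two fields of an approval_rule block that this
// check needs: the auto-approval delay and the compliance level it reports
// under. (Example type, not the provider's.)
type ApprovalRule struct {
	ApproveAfterDays int
	ComplianceLevel  string
}

// Bounds on approve_after_days. ProviderMaxDays is the limit the provider
// enforced in the report above (5.73.0); APIMaxDays is the maximum the
// SSM API documents for PatchRule.ApproveAfterDays.
const (
	MinDays         = 0
	ProviderMaxDays = 100
	APIMaxDays      = 360
)

// IntBetween returns a validator in the shape Terraform SDK schema
// validators take: (value, attribute path) -> (warnings, errors). This is a
// stand-alone re-implementation for the example; the error text matches the
// message quoted in the issue so the two can be compared directly.
func IntBetween(min, max int) func(v interface{}, k string) ([]string, []error) {
	return func(v interface{}, k string) ([]string, []error) {
		n, ok := v.(int)
		if !ok {
			return nil, []error{fmt.Errorf("expected type of %s to be integer", k)}
		}
		if n < min || n > max {
			return nil, []error{fmt.Errorf("expected %s to be in the range (%d - %d), got %d", k, min, max, n)}
		}
		return nil, nil
	}
}

// CheckRules runs the validator over every rule with the given upper bound
// and returns one message per rejected rule, keyed the way the provider
// keys nested blocks (approval_rule.<index>.approve_after_days).
func CheckRules(rules []ApprovalRule, maxDays int) []string {
	validate := IntBetween(MinDays, maxDays)
	var problems []string
	for i, r := range rules {
		key := fmt.Sprintf("approval_rule.%d.approve_after_days", i)
		_, errs := validate(r.ApproveAfterDays, key)
		for _, err := range errs {
			problems = append(problems, err.Error())
		}
	}
	return problems
}

// ReportedRules returns the four approval rules from the configuration in
// the issue: 30/60/90 days for CRITICAL/HIGH/MEDIUM and 180 days for LOW.
func ReportedRules() []ApprovalRule {
	return []ApprovalRule{
		{ApproveAfterDays: 30, ComplianceLevel: "CRITICAL"},
		{ApproveAfterDays: 60, ComplianceLevel: "HIGH"},
		{ApproveAfterDays: 90, ComplianceLevel: "MEDIUM"},
		{ApproveAfterDays: 180, ComplianceLevel: "LOW"},
	}
}

func main() {
	rules := ReportedRules()
	// Under the provider's bound only the LOW rule (index 3) is rejected,
	// reproducing the error in the report; under the API bound all pass.
	fmt.Println("provider bound (0-100):", CheckRules(rules, ProviderMaxDays))
	fmt.Println("API bound (0-360):     ", CheckRules(rules, APIMaxDays))
}
```

The point of running both bounds side by side is that the configuration is valid for the service: a 180-day delay before LOW-severity, non-security patches auto-approve is inside what SSM accepts, so the rejection is a provider-side validation gap rather than something to work around by shortening the delay.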

github-actions[bot] commented 2 days ago

Community Note

stefanfreitag commented 2 days ago

Hi @drzewiec, thanks for reporting! Let me have a look into this.

github-actions[bot] commented 21 minutes ago

Warning: This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.