updating patching variables to allow for override

CMS-Enterprise · Jan 24, 2024 · e6b5352 · e6b5352
1 parent ac97cef
commit e6b5352
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 6 deletions.
diff --git a/iam.tf b/iam.tf
@@ -186,15 +186,14 @@ resource "aws_iam_policy" "ssm_managed_instance" {
 }
 
 data "aws_iam_policy" "ssm_patching_policy" {
-  count = var.enable_ssm_patching ? 1 : 0
   name  = var.ssm_iam_patching_policy
 }
 
 # ssm patching policy attachment
 resource "aws_iam_role_policy_attachment" "ssm_patching_policy_attachment" {
-  count      = var.enable_ssm_patching ? 1 : 0
+  count      = (var.enable_ssm_patching || var.enable_cms_cloud_ssm_policy) ? 1 : 0
   role       = aws_iam_role.eks_node.name
-  policy_arn = data.aws_iam_policy.ssm_patching_policy[0].arn
+  policy_arn = data.aws_iam_policy.ssm_patching_policy.arn
 }
 
 

diff --git a/main.tf b/main.tf
@@ -129,8 +129,13 @@ locals {
     ## https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#instance_refresh
     instance_refresh = lookup(v, "instance_refresh", {})
   } }
-  instance_policy_tags = var.enable_ssm_patching ? { "Patch Group" = var.ssm_tag_patch_group, "Patch Window" = var.ssm_tag_patch_window } : {}
-  instance_tags        = merge(local.instance_policy_tags, var.instance_tags)
+
+  # Applying necessary tags for SSM OS patching 
+  patch_group_tags  = (var.enable_ssm_patching || var.enable_cms_cloud_ssm_policy) ? { "Patch Group" = var.ssm_tag_patch_group} : {}
+  patch_window_tags = (var.ssm_override_patch_window == "" ? 
+    (var.environment == "prod" ? {"Patch Window" = var.ssm_prod_patch_window} : {"Patch Window" = var.ssm_DevTestImpl_patch_window}) : 
+    {"Patch Window" = var.ssm_override_patch_window})
+  instance_tags        = merge(local.patch_group_tags, local.patch_window_tags, var.instance_tags)
 
   # Allow ingress to the control plane from the delete_ebs_volumes lambda (if it exists)
   delete_ebs_volumes_lambda_sg_id = one(data.aws_security_groups.delete_ebs_volumes_lambda_security_group.ids)

diff --git a/outputs.tf b/outputs.tf
@@ -184,3 +184,7 @@ output "batcave_alb_shared_dns" {
   description = "DNS value of ALB created for proxying requests through an ALB in the shared subnet"
   value       = var.create_alb_shared ? aws_lb.batcave_alb_shared[0].dns_name : ""
 }
+
+output "instance_tags" {
+  value       = var.instance_tags
+}
diff --git a/variables.tf b/variables.tf
@@ -343,6 +343,12 @@ variable "enable_ssm_patching" {
   description = "Enables Systems Manager to patch nodes"
 }
 
+variable "enable_cms_cloud_ssm_policy" {
+  type        = bool
+  default     = false
+  description = "Enables SSM cloud policy for patching OS on instances"
+}
+
 variable "ssm_iam_patching_policy" {
   type        = string
   default     = "cms-cloud-ssm-iam-policy-v3"
@@ -355,8 +361,20 @@ variable "ssm_tag_patch_group" {
   description = "SSM Patching group for instances. For more information: https://cloud.cms.gov/patching-prerequisites"
 }
 
-variable "ssm_tag_patch_window" {
+variable "ssm_DevTestImpl_patch_window" {
   type        = string
   default     = "ITOPS-Wave1-Non-Mktplc-DevTestImpl-MW"
   description = "SSM Patching window for instances. For more information: https://cloud.cms.gov/patching-prerequisites"
 }
+
+variable "ssm_prod_patch_window" {
+  type        = string
+  default     = "ITOPS-Wave1-Non-Mktplc-Prod-MW"
+  description = "SSM Patching window for instances. For more information: https://cloud.cms.gov/patching-prerequisites"
+}
+
+variable "ssm_override_patch_window" {
+  type        = string
+  default     = ""
+  description = "Patching window override variable"
+}