hashicorp · ewbankkit · May 2, 2022 · Apr 17, 2022 · Apr 25, 2022 · Apr 30, 2022
@@ -0,0 +1,3 @@
+```release-note:enhancement
+data-source/aws_ssm_patch_baseline: Add the following attributes: `approved_patches`, `approved_patches_compliance_level`, `approval_rule`, `global_filter`, `rejected_patches`, `rejected_patches_action`, `source`
+```
@@ -15,34 +15,134 @@ func DataSourcePatchBaseline() *schema.Resource {
 	return &schema.Resource{
 		Read: dataPatchBaselineRead,
 		Schema: map[string]*schema.Schema{
-			"owner": {
-				Type:         schema.TypeString,
-				Required:     true,
-				ValidateFunc: validation.StringLenBetween(1, 255),
+			"approved_patches": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
 			},
-			"name_prefix": {
-				Type:         schema.TypeString,
-				Optional:     true,
-				ValidateFunc: validation.StringLenBetween(0, 255),
+			"approved_patches_compliance_level": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"approved_patches_enable_non_security": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+			"approval_rule": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"approve_after_days": {
+							Type:     schema.TypeInt,
+							Computed: true,
+						},
+						"approve_until_date": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"compliance_level": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"enable_non_security": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+						"patch_filter": {
+							Type:     schema.TypeList,
+							Computed: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"key": {
+										Type:     schema.TypeString,
+										Computed: true,
+									},
+									"values": {
+										Type:     schema.TypeList,
+										Computed: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+								},
+							},
+						},
+					},
+				},
 			},
 			"default_baseline": {
 				Type:     schema.TypeBool,
 				Optional: true,
 			},
+			"description": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"global_filter": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"key": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"values": {
+							Type:     schema.TypeList,
+							Computed: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+						},
+					},
+				},
+			},
+			"name": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"name_prefix": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.StringLenBetween(0, 255),
+			},
 			"operating_system": {
 				Type:         schema.TypeString,
 				Optional:     true,
 				ValidateFunc: validation.StringInSlice(ssm.OperatingSystem_Values(), false),
 			},
-			// Computed values
-			"description": {
-				Type:     schema.TypeString,
+			"owner": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: validation.StringLenBetween(1, 255),
+			},
+			"rejected_patches": {
+				Type:     schema.TypeList,
 				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
 			},
-			"name": {
+			"rejected_patches_action": {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"source": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"configuration": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"products": {
+							Type:     schema.TypeList,
+							Computed: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -108,11 +208,29 @@ func dataPatchBaselineRead(d *schema.ResourceData, meta interface{}) error {
 
 	baseline := filteredBaselines[0]
 
+	input := &ssm.GetPatchBaselineInput{
+		BaselineId: baseline.BaselineId,
+	}
+
+	output, err := conn.GetPatchBaseline(input)
+
+	if err != nil {
+		return fmt.Errorf("Error getting SSM PatchBaseline: %w", err)
+	}
+
 	d.SetId(aws.StringValue(baseline.BaselineId))
-	d.Set("name", baseline.BaselineName)
-	d.Set("description", baseline.BaselineDescription)
+	d.Set("approved_patches", aws.StringValueSlice(output.ApprovedPatches))
+	d.Set("approved_patches_compliance_level", output.ApprovedPatchesComplianceLevel)
+	d.Set("approved_patches_enable_non_security", output.ApprovedPatchesEnableNonSecurity)
+	d.Set("approval_rule", flattenPatchRuleGroup(output.ApprovalRules))
 	d.Set("default_baseline", baseline.DefaultBaseline)
+	d.Set("description", baseline.BaselineDescription)
+	d.Set("global_filter", flattenPatchFilterGroup(output.GlobalFilters))
+	d.Set("name", baseline.BaselineName)
 	d.Set("operating_system", baseline.OperatingSystem)
+	d.Set("rejected_patches", aws.StringValueSlice(output.RejectedPatches))
+	d.Set("rejected_patches_action", output.RejectedPatchesAction)
+	d.Set("source", flattenPatchSource(output.Sources))
 
 	return nil
 }
@@ -11,7 +11,7 @@ import (
 )
 
 func TestAccSSMPatchBaselineDataSource_existingBaseline(t *testing.T) {
-	resourceName := "data.aws_ssm_patch_baseline.test_existing"
+	dataSourceName := "data.aws_ssm_patch_baseline.test"
 
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:   func() { acctest.PreCheck(t) },
@@ -21,16 +21,26 @@ func TestAccSSMPatchBaselineDataSource_existingBaseline(t *testing.T) {
 			{
 				Config: testAccCheckPatchBaselineDataSourceConfig_existingBaseline(),
 				Check: resource.ComposeAggregateTestCheckFunc(
-					resource.TestCheckResourceAttr(resourceName, "name", "AWS-CentOSDefaultPatchBaseline"),
-					resource.TestCheckResourceAttr(resourceName, "description", "Default Patch Baseline for CentOS Provided by AWS."),
+					resource.TestCheckResourceAttr(dataSourceName, "approved_patches.#", "0"),
+					resource.TestCheckResourceAttr(dataSourceName, "approved_patches_compliance_level", "UNSPECIFIED"),
+					resource.TestCheckResourceAttr(dataSourceName, "approved_patches_enable_non_security", "false"),
+					resource.TestCheckResourceAttr(dataSourceName, "approval_rule.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "default_baseline", "true"),
+					resource.TestCheckResourceAttr(dataSourceName, "description", "Default Patch Baseline for CentOS Provided by AWS."),
+					resource.TestCheckResourceAttr(dataSourceName, "global_filter.#", "0"),
+					resource.TestCheckResourceAttr(dataSourceName, "name", "AWS-CentOSDefaultPatchBaseline"),
+					resource.TestCheckResourceAttr(dataSourceName, "rejected_patches.#", "0"),
+					resource.TestCheckResourceAttr(dataSourceName, "rejected_patches_action", "ALLOW_AS_DEPENDENCY"),
+					resource.TestCheckResourceAttr(dataSourceName, "source.#", "0"),
 				),
 			},
 		},
 	})
 }
 
 func TestAccSSMPatchBaselineDataSource_newBaseline(t *testing.T) {
-	resourceName := "data.aws_ssm_patch_baseline.test_new"
+	dataSourceName := "data.aws_ssm_patch_baseline.test"
+	resourceName := "aws_ssm_patch_baseline.test"
 	rName := sdkacctest.RandomWithPrefix("tf-bl-test")
 
 	resource.ParallelTest(t, resource.TestCase{
@@ -42,9 +52,17 @@ func TestAccSSMPatchBaselineDataSource_newBaseline(t *testing.T) {
 			{
 				Config: testAccCheckPatchBaselineDataSourceConfig_newBaseline(rName),
 				Check: resource.ComposeAggregateTestCheckFunc(
-					resource.TestCheckResourceAttrPair(resourceName, "name", "aws_ssm_patch_baseline.test_new", "name"),
-					resource.TestCheckResourceAttrPair(resourceName, "description", "aws_ssm_patch_baseline.test_new", "description"),
-					resource.TestCheckResourceAttrPair(resourceName, "operating_system", "aws_ssm_patch_baseline.test_new", "operating_system"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "approved_patches", resourceName, "approved_patches"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "approved_patches_compliance_level", resourceName, "approved_patches_compliance_level"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "approved_patches_enable_non_security", resourceName, "approved_patches_enable_non_security"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "approval_rule", resourceName, "approval_rule"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "description", resourceName, "description"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "global_filter.#", resourceName, "global_filter.#"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "name", resourceName, "name"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "operating_system", resourceName, "operating_system"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "rejected_patches", resourceName, "rejected_patches"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "rejected_patches_action", resourceName, "rejected_patches_action"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "source", resourceName, "source"),
 				),
 			},
 		},
@@ -54,7 +72,7 @@ func TestAccSSMPatchBaselineDataSource_newBaseline(t *testing.T) {
 // Test against one of the default baselines created by AWS
 func testAccCheckPatchBaselineDataSourceConfig_existingBaseline() string {
 	return `
-data "aws_ssm_patch_baseline" "test_existing" {
+data "aws_ssm_patch_baseline" "test" {
   owner            = "AWS"
   name_prefix      = "AWS-"
   operating_system = "CENTOS"
@@ -65,7 +83,7 @@ data "aws_ssm_patch_baseline" "test_existing" {
 // Create a new baseline and pull it back
 func testAccCheckPatchBaselineDataSourceConfig_newBaseline(name string) string {
 	return fmt.Sprintf(`
-resource "aws_ssm_patch_baseline" "test_new" {
+resource "aws_ssm_patch_baseline" "test" {
   name             = "%s"
   operating_system = "AMAZON_LINUX_2"
   description      = "Test"
@@ -79,9 +97,9 @@ resource "aws_ssm_patch_baseline" "test_new" {
   }
 }
 
-data "aws_ssm_patch_baseline" "test_new" {
+data "aws_ssm_patch_baseline" "test" {
   owner            = "Self"
-  name_prefix      = aws_ssm_patch_baseline.test_new.name
+  name_prefix      = aws_ssm_patch_baseline.test.name
   operating_system = "AMAZON_LINUX_2"
 }
 `, name)

@@ -38,17 +38,34 @@ data "aws_ssm_patch_baseline" "default_custom" {
 The following arguments are supported:
 
 * `owner` - (Required) The owner of the baseline. Valid values: `All`, `AWS`, `Self` (the current account).
-
 * `name_prefix` - (Optional) Filter results by the baseline name prefix.
-
 * `default_baseline` - (Optional) Filters the results against the baselines default_baseline field.
-
 * `operating_system` - (Optional) The specified OS for the baseline.
 
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:
 
+* `approved_patches` - A list of explicitly approved patches for the baseline.
+* `approved_patches_compliance_level` - The compliance level for approved patches.
+* `approved_patches_enable_non_security` - Indicates whether the list of approved patches includes non-security updates that should be applied to the instances.
+* `approval_rule` - A list of rules used to include patches in the baseline.
+    * `approve_after_days` - The number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline.
+    * `approve_until_date` - The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Date is formatted as `YYYY-MM-DD`. Conflicts with `approve_after_days`
+    * `compliance_level` - The compliance level for patches approved by this rule.
+    * `enable_non_security` - Boolean enabling the application of non-security updates.
+    * `patch_filter` - The patch filter group that defines the criteria for the rule.
+        * `key` - The key for the filter.
+        * `values` - The value for the filter.
+* `global_filter` - A set of global filters used to exclude patches from the baseline.
+    * `key` - The key for the filter.
+    * `values` - The value for the filter.
 * `id` - The id of the baseline.
 * `name` - The name of the baseline.
 * `description` - The description of the baseline.
+* `rejected_patches` - A list of rejected patches.
+* `rejected_patches_action` - The action specified to take on patches included in the `rejected_patches` list.
+* `source` - Information about the patches to use to update the managed nodes, including target operating systems and source repositories.
+    * `configuration` - The value of the yum repo configuration.
+    * `name` - The name specified to identify the patch source.
+    * `products` - The specific operating system versions a patch repository applies to.