Last active
March 18, 2025 09:22
-
-
Save jacky9813/e311dc61909fef1e480d06b587cdc3d1 to your computer and use it in GitHub Desktop.
Terraform Provider AWS - aws_ssm_patch_baseline issue
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Retrieving snapshot failed.failed to run commands: exit status 143 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /usr/bin/python2.7 | |
| /usr/bin/python2 | |
| /usr/bin/python | |
| /usr/bin/yum | |
| Using Yum version: 3.4.3 | |
| Using python binary: 'python2.7' | |
| Using Python Version: Python 2.7.5 | |
| 03/17/2025 16:00:14 root [INFO]: Downloading payload from https://s3.us-east-1.amazonaws.com/aws-ssm-us-east-1/patchbaselineoperations/linux/payloads/patch-baseline-operations-1.153.tar.gz | |
| 03/17/2025 16:00:17 root [INFO]: Attempting to import dependencies | |
| 03/17/2025 16:00:17 root [INFO]: Using botocore1.13 and urllib3.123 | |
| 03/17/2025 16:00:17 root [INFO]: Attempting to import entrance file os_selector | |
| 03/17/2025 16:00:18 root [INFO]: Running with snapshot id = REDACTED and operation = Scan | |
| 03/17/2025 16:00:18 root [INFO]: Downloading Baseline Override from s3://my-ssm-bucket/patch_baseline.json | |
| 03/17/2025 16:00:18 root [INFO]: reading creds from ssm identity config | |
| 03/17/2025 16:00:18 root [INFO]: reading creds from ssm share file config | |
| 03/17/2025 16:00:18 root [INFO]: No credentials found in ssm_identity_config | |
| 03/17/2025 16:00:18 root [INFO]: reading creds from metadata_v2 config | |
| 03/17/2025 16:00:18 root [INFO]: reading creds from ssm identity config | |
| 03/17/2025 16:00:18 root [INFO]: reading creds from ssm share file config | |
| 03/17/2025 16:00:18 root [INFO]: No credentials found in ssm_identity_config | |
| 03/17/2025 16:00:18 root [INFO]: reading creds from metadata_v2 config | |
| 03/17/2025 16:00:18 root [ERROR]: Error loading entrance module. | |
| Traceback (most recent call last): | |
| File "common_startup_entrance.py", line 233, in execute | |
| exit( entrance_module.execute(*argv)) | |
| File "/var/log/amazon/ssm/patch-baseline-operations/os_selector.py", line 48, in execute | |
| snapshot_id, override_list=override_list, baseline_override=baseline_override) | |
| File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 285, in fetch_snapshot | |
| snapshot_info = _get_snapshot_info(instance_id, snapshot_id, region, baseline_override_dict) | |
| File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 145, in _get_snapshot_info | |
| raise PatchManagerError("Get Snapshot failed", ExitCodes.SNAPSHOT_ERROR, e) | |
| PatchManagerError: ('Get Snapshot failed', 143) Caused By: Parameter validation failed: | |
| Invalid type for parameter BaselineOverride.RejectedPatches, value: None, type: <type 'NoneType'>, valid types: <type 'list'>, <type 'tuple'> | |
| Invalid type for parameter BaselineOverride.ApprovedPatches, value: None, type: <type 'NoneType'>, valid types: <type 'list'>, <type 'tuple'> | |
| Invalid type for parameter BaselineOverride.GlobalFilters, value: None, type: <type 'NoneType'>, valid types: <type 'dict'> | |
| 03/17/2025 16:00:18 root [ERROR]: ('Get Snapshot failed', 143) Caused By: Parameter validation failed: | |
| Invalid type for parameter BaselineOverride.RejectedPatches, value: None, type: <type 'NoneType'>, valid types: <type 'list'>, <type 'tuple'> | |
| Invalid type for parameter BaselineOverride.ApprovedPatches, value: None, type: <type 'NoneType'>, valid types: <type 'list'>, <type 'tuple'> | |
| Invalid type for parameter BaselineOverride.GlobalFilters, value: None, type: <type 'NoneType'>, valid types: <type 'dict'> | |
| Traceback (most recent call last): | |
| File "common_startup_entrance.py", line 233, in execute | |
| exit( entrance_module.execute(*argv)) | |
| File "/var/log/amazon/ssm/patch-baseline-operations/os_selector.py", line 48, in execute | |
| snapshot_id, override_list=override_list, baseline_override=baseline_override) | |
| File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 285, in fetch_snapshot | |
| snapshot_info = _get_snapshot_info(instance_id, snapshot_id, region, baseline_override_dict) | |
| File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 145, in _get_snapshot_info | |
| raise PatchManagerError("Get Snapshot failed", ExitCodes.SNAPSHOT_ERROR, e) | |
| PatchManagerError: ('Get Snapshot failed', 143) Caused By: Parameter validation failed: | |
| Invalid type for parameter BaselineOverride.RejectedPatches, value: None, type: <type 'NoneType'>, valid types: <type 'list'>, <type 'tuple'> | |
| Invalid type for parameter BaselineOverride.ApprovedPatches, value: None, type: <type 'NoneType'>, valid types: <type 'list'>, <type 'tuple'> | |
| Invalid type for parameter BaselineOverride.GlobalFilters, value: None, type: <type 'NoneType'>, valid types: <type 'dict'> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Generated by command: terraform state show aws_ssm_patch_baseline.centos7 | |
| resource "aws_ssm_patch_baseline" "centos7" { | |
| approved_patches = [] | |
| approved_patches_compliance_level = "UNSPECIFIED" | |
| approved_patches_enable_non_security = false | |
| arn = "arn:aws:ssm:us-east-1:REDACTED:patchbaseline/REDACTED" | |
| description = "Patch baseline for CentOS with sources for CentOS 7 are replaced by Vault." | |
| id = "REDACTED" | |
| json = jsonencode( | |
| { | |
| ApprovalRules = { | |
| PatchRules = [ | |
| { | |
| ApproveAfterDays = 7 | |
| ComplianceLevel = "UNSPECIFIED" | |
| EnableNonSecurity = true | |
| PatchFilterGroup = { | |
| PatchFilters = [ | |
| { | |
| Key = "PRODUCT" | |
| Values = [ | |
| "*", | |
| ] | |
| }, | |
| ] | |
| } | |
| }, | |
| ] | |
| } | |
| ApprovedPatchesComplianceLevel = "UNSPECIFIED" | |
| ApprovedPatchesEnableNonSecurity = false | |
| BaselineId = "REDACTED" | |
| CreatedDate = "2025-02-25T07:19:23.488Z" | |
| Description = "Patch baseline for CentOS with sources for CentOS 7 are replaced by Vault." | |
| ModifiedDate = "2025-03-17T03:14:58.861Z" | |
| Name = "custom-centos7-baseline" | |
| OperatingSystem = "CENTOS" | |
| RejectedPatchesAction = "ALLOW_AS_DEPENDENCY" | |
| Sources = [ | |
| { | |
| Configuration = <<-EOT | |
| [base] | |
| name=CentOS-$releasever - Base | |
| baseurl=http://vault.centos.org/centos/$releasever/os/$basearch/ | |
| gpgcheck=1 | |
| gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 | |
| EOT | |
| Name = "base" | |
| Products = [ | |
| "CentOS7.0", | |
| "CentOS7.1", | |
| "CentOS7.2", | |
| "CentOS7.3", | |
| "CentOS7.4", | |
| "CentOS7.5", | |
| "CentOS7.6", | |
| "CentOS7.7", | |
| "CentOS7.8", | |
| "CentOS7.9", | |
| ] | |
| }, | |
| { | |
| Configuration = <<-EOT | |
| [extras] | |
| name=CentOS-$releasever - Extras | |
| baseurl=http://vault.centos.org/centos/$releasever/extras/$basearch/ | |
| gpgcheck=1 | |
| gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 | |
| EOT | |
| Name = "extras" | |
| Products = [ | |
| "CentOS7.0", | |
| "CentOS7.1", | |
| "CentOS7.2", | |
| "CentOS7.3", | |
| "CentOS7.4", | |
| "CentOS7.5", | |
| "CentOS7.6", | |
| "CentOS7.7", | |
| "CentOS7.8", | |
| "CentOS7.9", | |
| ] | |
| }, | |
| { | |
| Configuration = <<-EOT | |
| [updates] | |
| name=CentOS-$releasever - Updates | |
| baseurl=http://vault.centos.org/centos/$releasever/updates/$basearch/ | |
| gpgcheck=1 | |
| gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 | |
| EOT | |
| Name = "updates" | |
| Products = [ | |
| "CentOS7.0", | |
| "CentOS7.1", | |
| "CentOS7.2", | |
| "CentOS7.3", | |
| "CentOS7.4", | |
| "CentOS7.5", | |
| "CentOS7.6", | |
| "CentOS7.7", | |
| "CentOS7.8", | |
| "CentOS7.9", | |
| ] | |
| }, | |
| ] | |
| } | |
| ) | |
| name = "custom-centos7-baseline" | |
| operating_system = "CENTOS" | |
| rejected_patches = [] | |
| rejected_patches_action = "ALLOW_AS_DEPENDENCY" | |
| tags = {} | |
| tags_all = {} | |
| approval_rule { | |
| approve_after_days = 7 | |
| approve_until_date = null | |
| compliance_level = "UNSPECIFIED" | |
| enable_non_security = true | |
| patch_filter { | |
| key = "PRODUCT" | |
| values = [ | |
| "*", | |
| ] | |
| } | |
| source { | |
| configuration = <<-EOT | |
| [base] | |
| name=CentOS-$releasever - Base | |
| baseurl=http://vault.centos.org/centos/$releasever/os/$basearch/ | |
| gpgcheck=1 | |
| gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 | |
| EOT | |
| name = "base" | |
| products = [ | |
| "CentOS7.0", | |
| "CentOS7.1", | |
| "CentOS7.2", | |
| "CentOS7.3", | |
| "CentOS7.4", | |
| "CentOS7.5", | |
| "CentOS7.6", | |
| "CentOS7.7", | |
| "CentOS7.8", | |
| "CentOS7.9", | |
| ] | |
| } | |
| source { | |
| configuration = <<-EOT | |
| [extras] | |
| name=CentOS-$releasever - Extras | |
| baseurl=http://vault.centos.org/centos/$releasever/extras/$basearch/ | |
| gpgcheck=1 | |
| gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 | |
| EOT | |
| name = "extras" | |
| products = [ | |
| "CentOS7.0", | |
| "CentOS7.1", | |
| "CentOS7.2", | |
| "CentOS7.3", | |
| "CentOS7.4", | |
| "CentOS7.5", | |
| "CentOS7.6", | |
| "CentOS7.7", | |
| "CentOS7.8", | |
| "CentOS7.9", | |
| ] | |
| } | |
| source { | |
| configuration = <<-EOT | |
| [updates] | |
| name=CentOS-$releasever - Updates | |
| baseurl=http://vault.centos.org/centos/$releasever/updates/$basearch/ | |
| gpgcheck=1 | |
| gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 | |
| EOT | |
| name = "updates" | |
| products = [ | |
| "CentOS7.0", | |
| "CentOS7.1", | |
| "CentOS7.2", | |
| "CentOS7.3", | |
| "CentOS7.4", | |
| "CentOS7.5", | |
| "CentOS7.6", | |
| "CentOS7.7", | |
| "CentOS7.8", | |
| "CentOS7.9", | |
| ] | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "aws_ssm_patch_baseline" "centos7" { | |
| name = "custom-centos7-baseline" | |
| description = "Patch baseline for CentOS with sources for CentOS 7 are replaced by Vault." | |
| operating_system = "CENTOS" | |
| approval_rule { | |
| enable_non_security = true | |
| approve_after_days = 7 | |
| patch_filter { | |
| key = "PRODUCT" | |
| values = ["*"] | |
| } | |
| } | |
| dynamic "source" { | |
| for_each = { | |
| base = { | |
| name = "CentOS-$releasever - Base" | |
| baseurl = "http://vault.centos.org/centos/$releasever/os/$basearch/" | |
| } | |
| updates = { | |
| name = "CentOS-$releasever - Updates" | |
| baseurl = "http://vault.centos.org/centos/$releasever/updates/$basearch/" | |
| } | |
| extras = { | |
| name = "CentOS-$releasever - Extras" | |
| baseurl = "http://vault.centos.org/centos/$releasever/extras/$basearch/" | |
| } | |
| } | |
| content{ | |
| products = [ | |
| for i in range(10): | |
| "CentOS7.${i}" | |
| ] | |
| name = source.key | |
| configuration = <<-EOT | |
| [${source.key}] | |
| name=${source.value.name} | |
| baseurl=${source.value.baseurl} | |
| gpgcheck=1 | |
| gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 | |
| EOT | |
| } | |
| } | |
| } | |
| # Workaround: | |
| # data "external" "patch_baseline-centos7" { | |
| # depends_on = [ aws_ssm_patch_baseline.centos7 ] | |
| # program = [ | |
| # "aws", | |
| # "ssm", | |
| # "get-patch-baseline", | |
| # "--query", | |
| # "{result: to_string(@)}", | |
| # "--baseline-id", | |
| # aws_ssm_patch_baseline.centos7.id, | |
| # "--profile", | |
| # "profile-name", | |
| # "--region", | |
| # "us-east-1" | |
| # ] | |
| # } | |
| # And no, json from data "aws_ssm_patch_baseline" does not match what AWS CLI replied | |
| data "external" "patch_baseline_list-rocky" { | |
| program = [ | |
| "aws", | |
| "ssm", | |
| "describe-patch-baselines", | |
| "--profile", | |
| "profile-name", | |
| "--region", | |
| "us-east-1", | |
| "--query", | |
| "BaselineIdentities[0].{BaselineId: BaselineId}", | |
| "--filters", | |
| "Key=OPERATING_SYSTEM,Values=ROCKY_LINUX", | |
| "Key=OWNER,Values=AWS" | |
| ] | |
| } | |
| data "external" "patch_baseline-rocky" { | |
| program = [ | |
| "aws", | |
| "ssm", | |
| "get-patch-baseline", | |
| "--query", | |
| "{result: to_string(@)}", | |
| "--baseline-id", | |
| data.external.patch_baseline_list-rocky.result.BaselineId, | |
| "--profile", | |
| "profile-name", | |
| "--region", | |
| "us-east-1" | |
| ] | |
| } | |
| resource "aws_s3_bucket" "ssm" { | |
| bucket = "my-ssm-bucket" | |
| } | |
| resource "aws_s3_object" "patch_baseline" { | |
| bucket = aws_s3_bucket.ssm.bucket | |
| key = "patch_baseline.json" | |
| content = jsonencode([ | |
| jsondecode(aws_ssm_patch_baseline.centos7.json), | |
| # Workaround: | |
| # jsondecode(data.external.patch_baseline-centos7.result.result), | |
| jsondecode(data.external.patch_baseline-rocky.result.result) | |
| ]) | |
| content_type = "application/json" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment