Merge pull request #2 from ThisIsHowieDeWitt/feature/patch-mgmt

ThisIsHowieDeWitt · web-flow · commit 497fd62a4948 · 2024-05-29T10:36:08.000-04:00
Feature/patch mgmt
diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/README.md b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/README.md
@@ -18,7 +18,10 @@ The SRA Patch Manager solution will automate enabling Systems Manager - Patch ma
 
 **Key solution features:**
 - Assumes a role in each member account to enable/disable the Patch Manager Solution.
-- Creates 3 Maintenance Windows to Scan or Patch Windows or Linux Managed Instances
+- Creates 3 Maintenance Windows:
+   - One updates the SSM Agents on all Managed Instances.
+   - One scans for, or installs, missing patches on Managed Instances tagged as Windows.
+   - One scans for, or installs, missing patches on Managed Instances tagged as Linux.
 - Configures the [Default Host Configuration](https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-default-host-management-configuration.html) feature.
 - Ability to disable Patch Manager within all accounts and regions via a parameter and CloudFormation update event.
 
@@ -52,6 +55,7 @@ The Patch Manager solution requires:
 - The `Patch Management IAM Role` is assumed by the Lambda function in each of the member accounts to to configure Patch Manager.
 - The `SSM Automation Role` is used by the Maintenance Window to execute the task.
 - The `DefaultHostConfig Role` is used to enable the Default Host Configuration setting.
+- The `Patch Mgr EC2 Profile` is used if there are issue with the Default Host Configuration setting.
 
 #### 1.3 Maintenance Windows<!-- omit in toc -->
 
@@ -65,16 +69,16 @@ Three Maintenance Windows are created:
 ##### Maintenance Windows Tasks
 
 Three tasks are created and registered with each of the Maintenance Windows:
-- `Update SSMAgent On Managed Instances` Runs an SSM Agent update on all Managed Instances
-- `Scan For Patches On Managed Windows Instances` Runs a scan on all Managed Instances Tagged as Windows
-- `Scan For Patches On Managed Linux Instances` Runs a scan on all Managed Instances Tagged as Linux
+- `Update_SSM` Runs an SSM Agent update on all Managed Instances
+- `Windows_Scan` Runs a scan on all Managed Instances Tagged as Windows
+- `Linux_Scan` Runs a scan on all Managed Instances Tagged as Linux
 
 ##### Maintenance Window Targets
 
 Three target groups are created and registered with each of the Maintenance Windows:
-- `Targets To Update SSMAgent On Managed Instances` which includes all instances with the tag InstanceOS:Windows or InstanceOS:Linux
-- `Targets To Scan For Windows Updates On Managed Instances`  which includes all instances with the tag InstanceOS:Windows
-- `Targets To Scan For Linux Updates On Managed Instances`  which includes all instances with the tag InstanceOS:Linux
+- `Update_SSM` which includes all instances with the tag InstanceOS:Windows or InstanceOS:Linux
+- `Windows_Scan`  which includes all instances with the tag InstanceOS:Windows
+- `Linux_Scan`  which includes all instances with the tag InstanceOS:Linux
 
 #### 1.4 Command Documents<!-- omit in toc -->
 
@@ -122,6 +126,13 @@ Choose to deploy the Patch Manager solution from within the chosen deployment ty
 
 ---
 
+#### Troubleshooting<!-- omit in toc -->
+
+Q: Its been more than 24 hours and the Instances are still not appearing in Fleet Manager (and therefore not being scanned).
+A: Attach the `patch-mgr-ec2-profile` to the EC2 instances.
+
+---
+
 ## References
 
 - [AWS Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html)
diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-configuration-role.yaml b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-configuration-role.yaml
@@ -74,6 +74,14 @@ Parameters:
     Default: sra-patch-mgmt-org
     Description: The SRA solution name. The default value is the folder name of the solution
     Type: String
+  pPatchMgrEC2Profile:
+    Default: patch-mgr-ec2-profile
+    Description: An instance profile that can be used if facing issues with the Default Host Configuration setting.
+    Type: String
+  pPatchMgrEC2ProfileRole:
+    Default: patch-mgr-ec2-profile-role
+    Description: The Role that the patch-mgr-ec2-profile will use.
+    Type: String
 
 Resources:
   rConfigurationRole:
@@ -266,3 +274,49 @@ Resources:
         - Key: sra-solution
           Value: !Ref pSRASolutionName
 
+  rPatchMgrEC2ProfileRole:
+    Type: AWS::IAM::Role
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: F3
+            reason: Actions require * in permissions policy
+          - id: W11
+            reason: Actions require * in resource
+          - id: W28
+            reason: Explicit role name provided
+    Properties:
+      RoleName: !Ref pPatchMgrEC2ProfileRole
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Action: sts:AssumeRole
+            Effect: Allow
+            Principal:
+              Service:
+                - ec2.amazonaws.com
+      Path: "/"
+      ManagedPolicyArns:
+        - !Sub arn:${AWS::Partition}:iam::${AWS::Partition}:policy/AmazonSSMManagedInstanceCore
+      Tags:
+        - Key: sra-solution
+          Value: !Ref pSRASolutionName
+          
+  rPatchMgrEC2Profile:
+    Type: AWS::IAM::InstanceProfile
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: F3
+            reason: Actions require * in permissions policy
+          - id: W11
+            reason: Actions require * in resource
+          - id: W28
+            reason: Explicit role name provided
+    Properties:
+      InstanceProfileName: !Ref pPatchMgrEC2Profile
+      Path: "/"
+      Roles:
+        -
+          !Ref pPatchMgrEC2ProfileRole
+    DependsOn: rPatchMgrEC2ProfileRole
