How to manage SSM Quick Setup configuration managers via aws cli

0

Hi there!

We are currently using patch policies via the Quick Setup configuration managers. I have been recently tasked with updating some of the cron schedules for scan and install settings. We have quite a few of these set up, so going through the UI would be quite tedious. I did stumble upon the CLI Reference for ssm-quicksetup, specifically update-configuration-manager, but there seems to be no way to update the actual parameters within the configuration manager patch policy.

For example, below is a payload that I would like to send to a particular patch policy:

    {
      "Parameters": {
        "ConfigurationOptionsScanValue": "cron(15 7 ? * WED#2 *)",
        "ConfigurationOptionsInstallValue": "cron(30 7 ? * WED#2 *)",
        "ConfigurationOptionsScanNextInterval": "false",
        "ConfigurationOptionsInstallNextInterval": "false",
        "ConfigurationOptionsPatchOperation": "ScanAndInstall",
        "RateControlConcurrency": "100%",
        "RateControlErrorThreshold": "25%",
        "RebootOption": "NoReboot",
        "PatchBaselineUseDefault": "custom",
        "PatchPolicyName": "ca1-pre"
      }
    }

Is anyone aware of a method to do this operation in bulk, whether through the UI or maybe even some API function?

asked 23 days ago
81 views
2 Answers
0

Yes, you can manage SSM Quick Setup configuration managers via the AWS CLI, including updating patch policy parameters. While the update-configuration-manager command doesn't directly allow updating the specific parameters within a patch policy, you can use a combination of commands to achieve this.

Here's a general approach you can take:

  1. First, use the get-configuration-manager command to retrieve the current configuration of the patch policy you want to update.

  2. Modify the retrieved configuration JSON, updating the parameters you want to change (like the cron schedules for scan and install settings).

  3. Use the update-configuration-manager command with the modified configuration to update the patch policy.

Here's an example of how you might do this:

  1. Get the current configuration:

    aws ssm-quicksetup get-configuration-manager --name "your-config-manager-name"
    
  2. Save the output to a file, modify the necessary parameters in the JSON (like the ones in your example payload).

  3. Update the configuration manager with the modified JSON:

    aws ssm-quicksetup update-configuration-manager --name "your-config-manager-name" --configuration-definitions file://path-to-your-modified-json-file
    

To perform this operation in bulk, you could create a script that iterates through your list of configuration managers, retrieves their configurations, modifies the necessary parameters, and then updates each one.

Keep in mind that changes to custom patch baselines are synchronized with Quick Setup once an hour. Also, if a custom patch baseline referenced in a patch policy is deleted, you'll need to select a new patch baseline for the affected operating system.

While this method requires some scripting, it allows you to update multiple patch policies programmatically, which is more efficient than using the UI for numerous updates.
Sources
Using the Quick Setup API to manage configurations and deployments - AWS Systems Manager
ssm-quicksetup — AWS CLI 2.21.0 Command Reference
Configure patching for instances in an organization using Quick Setup - AWS Systems Manager

answered 23 days ago
EXPERT
reviewed 23 days ago
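
An added example, not part of the answer above and not AWS's own code: the bulk loop in Python, assuming the boto3 `ssm-quicksetup` client and that parameters are written with its `update_configuration_definition` operation, sending the complete merged parameter map for each patch policy definition. The manager ARN, definition IDs and starting schedules are constructed sample values; the new schedules are the ones from the question.

```python
import re

PATCH_POLICY_TYPE = "AWSQuickSetupType-PatchPolicy"
SCHEDULE_KEYS = {"ConfigurationOptionsScanValue", "ConfigurationOptionsInstallValue"}
CRON_RE = re.compile(r"^cron\((\S+ ){5}\S+\)$")  # six space-separated fields

def plan_updates(manager, changes):
    """Return update_configuration_definition kwargs for each patch policy to change."""
    for key, value in changes.items():
        if key in SCHEDULE_KEYS and not CRON_RE.match(value):
            raise ValueError(f"{key}: not a six-field cron() expression: {value!r}")
    plans = []
    for definition in manager.get("ConfigurationDefinitions", []):
        if definition.get("Type") != PATCH_POLICY_TYPE:
            continue  # leave other Quick Setup types untouched
        current = definition.get("Parameters", {})
        unknown = sorted(set(changes) - set(current))
        if unknown:  # assumption: a key absent from the policy is a typo, so stop
            raise KeyError(f"{manager.get('Name')}: unknown parameters {unknown}")
        merged = {**current, **changes}  # assumption: send the complete map back
        if merged != current:
            plans.append({"ManagerArn": manager["ManagerArn"],
                          "Id": definition["Id"], "Parameters": merged})
    return plans

def apply_changes(client, manager_arns, changes, dry_run=True):
    """client: boto3.client("ssm-quicksetup"). Returns the calls made or planned."""
    plans = []
    for arn in manager_arns:
        manager = client.get_configuration_manager(ManagerArn=arn)
        plans.extend(plan_updates(manager, changes))
    if not dry_run:  # every manager has validated by this point; now write
        for plan in plans:
            client.update_configuration_definition(**plan)
    return plans

# Constructed sample in the shape of a get-configuration-manager response.
SAMPLE_MANAGER = {
    "ManagerArn": "arn:aws:ssm-quicksetup:us-east-1:111122223333:configuration-manager/EXAMPLE",
    "Name": "ca1-pre",
    "ConfigurationDefinitions": [
        {"Id": "example-def-1", "Type": PATCH_POLICY_TYPE, "Parameters": {
            "ConfigurationOptionsScanValue": "cron(0 1 ? * SUN *)",
            "ConfigurationOptionsInstallValue": "cron(0 2 ? * SUN *)",
            "RebootOption": "NoReboot", "PatchPolicyName": "ca1-pre"}},
        {"Id": "example-def-2", "Type": "AWSQuickSetupType-SSMHostMgmt", "Parameters": {}},
    ],
}
NEW_SCHEDULE = {"ConfigurationOptionsScanValue": "cron(15 7 ? * WED#2 *)",
                "ConfigurationOptionsInstallValue": "cron(30 7 ? * WED#2 *)"}
```

With `dry_run=True` nothing is written, so the returned plans can be reviewed before rerunning with `dry_run=False`.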
0

Patch manager GUI isn’t very intuitive imho

EXPERT
answered 23 days ago
