Add support for setting default SSM patch baseline

[mjseid]

Hello,
After creating new SSM patch baselines with terraform, I'd like the ability to also set them as defaults. Basically what this API call is doing:
https://docs.aws.amazon.com/sdk-for-go/api/service/ssm/#SSM.RegisterDefaultPatchBaseline

So I'm not sure if it would make more sense to update the existing aws_ssm_patch_baseline resource with an optional "default" arugment, or to create a whole new resource just for this.

[KarimDevOps]

Hi,
I'm facing the same issue, do you have an idea when this setting will be implemented ?
Many thanks in advance.

[nbrys]

We need this as well

[nbrys]

Is there any update on this issue?

[claydanford]

For the presentation, this could be implemented with a boolean.

resource "aws_ssm_patch_baseline" "production" {
  name             = "patch-baseline"
  description      = "Patch Baseline Description"
  default          = true

  ...

}

[bbakersmith]

A possible issue with adding this as an option on the aws_ssm_patch_baseline resource is that you can't delete the resource or change that value after setting it to true, first you would have to set a different baseline as the default.

As a workaround, I used a local-exec provisioner on the resource to make an AWS CLI call to register my baseline as the default.

[claydanford]

A possible issue with adding this as an option on the aws_ssm_patch_baseline resource is that you can't delete the resource or change that value after setting it to true, first you would have to set a different baseline as the default.

As a workaround, I used a local-exec provisioner on the resource to make an AWS CLI call to register my baseline as the default.

Yes, changing the patch baseline as default and then making a change would require a new resource to be made which could cascade down into patch group assignment. It would make sense to create a resource that assigns the default patch baseline, but like you said a local exec execution would also accomplish this.

[rentiak]

One option here would be to use the AWS-provided baselines as the 'safe' default as they exist, can't be deleted and can be filtered out by owner == AWS. Resource destruction or a change in the attribute to false could just revert to the AWS default for the specified OS (AWS-DefaultPatchBaseline for Windows, AWS-${OS}DefaultPatchBaseline for everything else)

[debu99]

any update?

[github-actions]

This functionality has been released in v4.38.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.