Use ROS to create and execute a patch baseline

You can combine Alibaba Cloud Resource Orchestration Service (ROS) templates with OOS to quickly create a patch baseline and run a patching task from it.

Background

The OOS console supports creating a patch baseline, remediating immediately, and remediating on a schedule, but these operations live on different console pages. Resource Orchestration Service (ROS) creates and configures all resources automatically from a template, which enables automated deployment and O&M. You can use ROS to call CloudOps Orchestration Service (OOS) so that the patch baseline is created and executed in one step.

ROS resources used

  ALIYUN::OOS::PatchBaseline
  ALIYUN::OOS::DefaultPatchBaseline
  ALIYUN::OOS::Execution

Prerequisites

To keep your Alibaba Cloud account and cloud resources secure, avoid using the Alibaba Cloud account (the root account) directly unless it is necessary. We recommend that you create a RAM role and grant it the required permissions.

  1. Make sure that you have created a service role. For details, see Create a RAM role for a trusted Alibaba Cloud service.

  2. Make sure that you have granted permissions to the role. For details, see Grant permissions to a RAM role. The required policies are listed in the following table.

    Policy name          Description
    AliyunOOSFullAccess  Manage OOS
    AliyunROSFullAccess  Manage ROS
    AliyunECSFullAccess  Manage ECS

    These system policies grant full access to each service. They are acceptable for a first run; for a role that stays in use, scope the policy down to the OOS, ROS, and ECS actions this template actually needs (creating patch baselines and executions, creating stacks, and describing the target instances).

Procedure

Step 1: Confirm the parameters

  1. Go to the Create Patch Baseline page in the OOS console. Based on what the page shows and on the ROS resource type ALIYUN::OOS::PatchBaseline, confirm the following parameters.

    Parameter             Type                Description
    PatchBaselineName     String              Name of the patch baseline
    OperationSystem       String              Operating system
    Product               CommaDelimitedList  Products (OS versions) covered by the baseline
    Classification        CommaDelimitedList  Patch classifications
    Severity              CommaDelimitedList  Severity levels
    DefaultPatchBaseline  Boolean             Whether to set the baseline as the default

  2. Go to the Patch Management page in the OOS console. Based on what the page shows and on the ROS resource type ALIYUN::OOS::Execution, confirm the following parameters.

    Parameter              Type     Description
    OOSTemplateName        String   Name of the OOS template
    ResourceType           String   Resource type
    Targets                Json     Target instances
    Timeout                Number   Timeout, in seconds
    CancelOnDelete         Boolean  Whether to cancel the execution when the stack is deleted
    Action                 String   How the baseline is applied (install or scan)
    TimerTrigger           Json     Timer trigger for scheduled execution
    WhetherCreateSnapshot  Boolean  Whether to create a snapshot of the system disk first
    RetentionDays          Number   Snapshot retention period, in days
    RebootIfNeed           Boolean  Whether to reboot the instance if a patch requires it

Step 2: Write the ROS template

After you confirm the parameters, write the ROS template. The parameters are used in the Parameters, Resources, Metadata, Conditions, and Outputs sections.

Note

To learn more about ROS templates, see Getting started with writing ROS templates.
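The sections of a ROS template cross-reference each other: a resource's Condition must exist under Conditions, every Ref or Fn::GetAtt must name a declared Parameter or Resource, and a Parameter that nothing consumes is a silent no-op (a reboot switch the user sets but that no resource forwards to the OOS execution, for example). Such a template either fails at stack creation or quietly does less than the form suggests. The following Python script is an added example, not part of the original page or of ROS itself: it lints a parsed template for those three problems. The embedded template is a constructed, trimmed JSON rendering in the style of the one built on this page (ROS accepts JSON as well as YAML), and the pseudo-parameter set is an assumption listing common ROS pseudo parameters.

```python
"""Cross-reference lint for a ROS template (added example, not from the page)."""
import json
import re
from typing import Any, Dict, List

# Pseudo parameters a template may Ref without declaring them (assumed list).
PSEUDO_PARAMETERS = {"ALIYUN::Region", "ALIYUN::AccountId", "ALIYUN::StackId",
                     "ALIYUN::StackName", "ALIYUN::NoValue", "ALIYUN::TenantId"}
# ${Name} placeholders, as used by Fn::Sub.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_:]+)\}")


def collect(node: Any, refs: List[str], conds: List[str]) -> None:
    """Walk a fragment, gathering Ref/Fn::GetAtt/${} targets and Fn::If condition names."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            refs.append(node["Ref"])
        get_att = node.get("Fn::GetAtt")
        if isinstance(get_att, list) and get_att:
            refs.append(str(get_att[0]))      # first element is the resource name
        fn_if = node.get("Fn::If")
        if isinstance(fn_if, list) and fn_if:
            conds.append(str(fn_if[0]))       # first element is the condition name
        for value in node.values():
            collect(value, refs, conds)
    elif isinstance(node, list):
        for item in node:
            collect(item, refs, conds)
    elif isinstance(node, str):
        refs.extend(PLACEHOLDER.findall(node))


def lint_template(template: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return undefined condition names, dangling references and unused parameters."""
    params = set(template.get("Parameters", {}))
    resources: Dict[str, Any] = template.get("Resources", {})
    conditions = set(template.get("Conditions", {}))
    known = params | set(resources) | PSEUDO_PARAMETERS

    refs: List[str] = []
    conds: List[str] = []
    # Only these sections are evaluated at deploy time; Metadata and the UI
    # hints inside the Parameters section do not count as usage.
    for section in ("Conditions", "Resources", "Outputs"):
        collect(template.get(section, {}), refs, conds)
    for res in resources.values():
        if "Condition" in res:
            conds.append(str(res["Condition"]))
        deps = res.get("DependsOn", [])
        refs.extend([deps] if isinstance(deps, str) else deps)

    return {
        "undefined_conditions": sorted({c for c in conds if c not in conditions}),
        "dangling_refs": sorted({r for r in refs if r not in known}),
        "unused_parameters": sorted(params - set(refs)),
    }


# Constructed sample in the shape of the template on this page, with three defects:
# a Condition that is never defined, a Ref to a parameter that does not exist,
# and a declared parameter (RebootIfNeed) that no resource forwards.
BROKEN_TEMPLATE: Dict[str, Any] = json.loads("""
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "PatchBaselineName": {"Type": "String"},
    "OperationSystem": {"Type": "String", "Default": "Windows"},
    "RebootIfNeed": {"Type": "Boolean", "Default": false}
  },
  "Resources": {
    "OOSPatchBaseline": {
      "Type": "ALIYUN::OOS::PatchBaseline", "Condition": "IsWindows",
      "Properties": {"PatchBaselineName": {"Ref": "PatchBaselineName"},
                     "OperationSystem": {"Ref": "OperationSystem"}}
    },
    "Execution": {
      "Type": "ALIYUN::OOS::Execution", "DependsOn": "OOSPatchBaseline",
      "Properties": {"TemplateName": "ACS-ECS-BulkyApplyPatchBaseline",
                     "Parameters": {"Action": {"Ref": "Action"}}}
    }
  },
  "Outputs": {
    "PatchBaseline": {"Value": {"Fn::GetAtt": ["OOSPatchBaseline", "PatchBaselineName"]}}
  }
}
""")

# The same template with the defects repaired.
FIXED_TEMPLATE: Dict[str, Any] = json.loads(json.dumps(BROKEN_TEMPLATE))  # deep copy
FIXED_TEMPLATE["Conditions"] = {
    "IsWindows": {"Fn::Equals": [{"Ref": "OperationSystem"}, "Windows"]}}
FIXED_TEMPLATE["Parameters"]["Action"] = {"Type": "String", "Default": "install"}
FIXED_TEMPLATE["Resources"]["Execution"]["Properties"]["Parameters"]["RebootIfNeed"] = {
    "Ref": "RebootIfNeed"}

if __name__ == "__main__":
    for name, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, json.dumps(lint_template(tpl), indent=2))
```

Run it against your own template by loading the YAML into a dict (with PyYAML, for example) and passing it to lint_template; an empty report for all three keys means the cross-references are consistent, which is a cheap check to run before calling the ROS API.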

  1. In Parameters, define the parameters that users customize on the page.

    Parameters:
      RegionId:
        Required: true
        Type: String
        Label:
          zh-cn: 地域ID
          en: RegionId
        AssociationProperty: ALIYUN::ECS::RegionId::RegionDeploy
      PatchBaselineName:
        Required: true
        Type: String
        Label:
          en: PatchBaselineName
          zh-cn: 补丁基线名称
        Default: PatchBaseline_test
      OperationSystem:
        Required: true
        Type: String
        Label:
          zh-cn: 操作系统类型。
          en: The operating system type.
        Default: Windows
        AllowedValues:
          - Windows
          - AliyunLinux
          - CentOS
          - Ubuntu
          - RedhatEnterpriseLinux
          - Debian
          - Anolis
      Product:
        # TODO: refine later by adding the OS versions that belong to each operating system.
        # https://help.aliyun.com/zh/ecs/developer-reference/api-ecs-2014-05-26-importimage?scm=20140722.S_help%40%40%E6%96%87%E6%A1%A3%40%402679793.S_RQW%40ag0%2BBB2%40ag0%2BBB1%40ag0%2Bos0.ID_2679793-RL_Platform-LOC_doc%7EUND%7Eab-OR_ser-V_4-P0_2&spm=a2c4g.11186623.0.i21
        Required: true
        Label:
          zh-cn: 产品
          en: Product
        Type: CommaDelimitedList
        AssociationPropertyMetadata:
          AllowedValues:
            - Value:
                - Windows Server Datacenter
                - Windows Server 2022
                - Windows Server 2019
                - Windows Server 2016
                - Windows Server 2012 R2
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Windows
            - Value:
                - Aliyun Linux 2.1903
                - Aliyun Linux 3.2104
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - AliyunLinux
            - Value:
                - CentOS Stream 9
                - CentOS 7.9
                - CentOS 7.8
                - CentOS 7.6
                - CentOS 7.5
                - CentOS 7.4
                - CentOS 7.3
                - CentOS 7.2
                - CentOS 7.1
                - CentOS 7.0
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - CentOS
            - Value:
                - Ubuntu 22.04
                - Ubuntu 20.04
                - Ubuntu 18.04
                - Ubuntu 16.04
                - Ubuntu 14.04
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Ubuntu
            - Value:
                - Debian 12.5
                - Debian 12.4
                - Debian 12.2
                - Debian 11.8
                - Debian 11.7
                - Debian 11.6
                - Debian 11.5
                - Debian 11.4
                - Debian 11.3
                - Debian 11.2
                - Debian 11.1
                - Debian 11.0
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Debian
            - Value:
                - Anolis OS 8.8 RHCK
                - Anolis OS 8.6 RHCK
                - Anolis OS 8.4 RHCK
                - Anolis OS 8.2 RHCK
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Anolis
            - Value:
                - Red Hat Enterprise Linux 9.3
                - Red Hat Enterprise Linux 9.2
                - Red Hat Enterprise Linux 9.1
                - Red Hat Enterprise Linux 9.0
                - Red Hat Enterprise Linux 8.9
                - Red Hat Enterprise Linux 8.8
                - Red Hat Enterprise Linux 8.7
                - Red Hat Enterprise Linux 8.6
                - Red Hat Enterprise Linux 8.5
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - RedhatEnterpriseLinux
      Classification:
        Label:
          zh-cn: 分类
          en: Classification
        Type: CommaDelimitedList
        AssociationPropertyMetadata:
          AllowedValues:
            - Value:
                - Applications
                - Definition Updates
                - Drivers
                - Feature Packs
                - Security Updates
                - Service Packs
                - Tools
                - Updates
                - Update Rollups
                - Critical Updates
                - Upgrades
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Windows
            - Value:
                - Security
                - Bugfix
                - Enhancement
                - Recommended
                - NewPackage
              Condition:
                # TODO: refine later by setting different classifications per operating system.
                Fn::Equals:
                  - ${OperationSystem}
                  - AliyunLinux
            - Value:
                - Security
                - Bugfix
                - Enhancement
                - Recommended
                - NewPackage
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - CentOS
            - Value:
                - libs
                - libdevel
                - doc
                - debug
                - translations
                - devel
                - admin
                - oldlibs
                - label
                - utils
                - net
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Ubuntu
            - Value:
                - admin
                - cli-mono
                - libs
                - libdevel
                - doc
                - comm
                - debug
                - database
                - devel
                - oldlibs
                - utils
                - net
                - misc
                - gnome
                - perl
                - x11
                - python
                - java
                - kernel
                - shells
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Debian
            - Value:
                - Security
                - Bugfix
                - Enhancement
                - Recommended
                - NewPackage
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Anolis
            - Value:
                - Security
                - Bugfix
                - Enhancement
                - Recommended
                - NewPackage
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - RedhatEnterpriseLinux
      Severity:
        Type: CommaDelimitedList
        Label:
          zh-cn: 严重程度。
          en: Severity
        AssociationPropertyMetadata:
          AllowedValues:
            - Value:
                - Critical
                - Important
                - Moderate
                - Low
                - Unspecified
              Condition:
                # TODO: refine later by setting different severity values per operating system.
                Fn::Not:
                  Fn::Equals:
                    - ${OperationSystem}
                    - Ubuntu
            - Value:
                - Required
                - Important
                - Standard
                - Optional
                - Extra
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Ubuntu
      DefaultPatchBaseline:
        Type: Boolean
        Label:
          zh-cn: 是否设置为默认补丁基线。
          en: Whether to set the patch baseline as the default.
        Default: false
        AllowedValues:
          - true
          - false
        AssociationPropertyMetadata:
          ValueLabelMapping:
            true:
              zh-cn: 是
              en: true
            false:
              zh-cn: 否
              en: false
      OOSTemplateName:
        Type: String
        Label:
          zh-cn: 模板名称。
          en: Template name
        Default: ACS-ECS-BulkyApplyPatchBaseline
        AssociationProperty: ALIYUN::OOS::Template::TemplateName
        AssociationPropertyMetadata:
          RegionId:
            Ref: RegionId
        Description:
          zh-cn: ACS-ECS-BulkyApplyPatchBaseline:用于执行补丁操作的模板。
          en: ACS-ECS-BulkyApplyPatchBaseline:The template name used to execute patch operations.
        MinLength: 2
        MaxLength: 128
      Action:
        Default: install
        AssociationPropertyMetadata:
          LocaleKey: OOSPatchExecuteType
          ValueLabelMapping:
            install:
              zh-cn: 安装并扫描
              en: Install
            scan:
              zh-cn: 扫描
              en: Scan
        AllowedValues:
          - install
          - scan
        Type: String
        Label:
          zh-cn: 配置补丁基线的方式
          en: Action
      TimerTrigger:
        AssociationProperty: ALIYUN::OOS::Component::TimerTrigger
        AssociationPropertyMetadata:
          MinuteInterval: 30
        Type: Json
        Label:
          zh-cn: 定时类型
          en: TimerTrigger
      WhetherCreateSnapshot:
        Default: false
        AssociationPropertyMetadata:
          Visible:
            Condition:
              Fn::Equals:
                - ${Action}
                - install
        Type: Boolean
        Label:
          zh-cn: 是否为系统盘创建快照
          en: WhetherCreateSnapshot
      RetentionDays:
        AssociationPropertyMetadata:
          Visible:
            Condition:
              Fn::Equals:
                - ${WhetherCreateSnapshot}
                - true
        Default: 7
        MaxValue: 65536
        MinValue: 1
        Label:
          zh-cn: 快照保留天数
          en: RetentionDays
        Type: Number
      RebootIfNeed:
        Default: false
        AssociationPropertyMetadata:
          Visible:
            Condition:
              Fn::Equals:
                - ${Action}
                - install
        Type: Boolean
        Label:
          zh-cn: 是否重启
          en: RebootIfNeed
      ResourceType:
        Type: String
        Label:
          en: ResourceType
          zh-cn: 资源类型
        AssociationPropertyMetadata:
          ValueLabelMapping:
            ALIYUN::ECS::Instance:
              zh-cn: ECS实例
              en: ECS instance
            ALIYUN::ECD::Desktop:
              zh-cn: 无影云桌面
              en: Desktop
        AllowedValues:
          - ALIYUN::ECS::Instance
          - ALIYUN::ECD::Desktop
        Default: ALIYUN::ECS::Instance
      Targets:
        AssociationProperty: Targets
        AssociationPropertyMetadata:
          ResourceType: ResourceType
          DeployedRegionId: RegionId
          Status: Running
        Type: Json
        Label:
          zh-cn: 目标实例
          en: TargetInstance
      Timeout:
        Type: Number
        Label:
          zh-cn: 超时时间。
          en: Timeout
        Default: 1800
        Description:
          zh-cn: 超时时间,单位为秒。
          en: Timeout in seconds
      CancelOnDelete:
        Type: Boolean
        Label:
          zh-cn: 是否删除时取消
          en: CancelOnDelete
        Default: true
        AllowedValues:
          - true
          - false
        AssociationPropertyMetadata:
          ValueLabelMapping:
            true:
              zh-cn: 是
              en: true
            false:
              zh-cn: 否
              en: false

    For comparison, the same step in Terraform (alicloud provider) declares the provider and a variable for the baseline name:

    provider "alicloud" {
      region = "cn-hangzhou"
    }

    variable "patch_baseline_name" {
      description = "Patch baseline name"
      type        = string
    }
  2. In Metadata, group the parameters into two areas: patch baseline and execution parameters.

    Metadata:
      ALIYUN::ROS::Interface:
        ParameterGroups:
          - Parameters:
              - PatchBaselineName
              - OperationSystem
              - Product
              - Classification
              - Severity
              - DefaultPatchBaseline
            Label:
              zh-cn: 补丁基线
              en: Patch baseline
          - Parameters:
              - OOSTemplateName
              - ResourceType
              - Targets
              - Timeout
              - CancelOnDelete
              - Action
              - TimerTrigger
              - WhetherCreateSnapshot
              - RetentionDays
              - RebootIfNeed
            Label:
              zh-cn: 执行参数
              en: Execution parameters

    In Terraform, the corresponding configuration data goes into locals as JSON strings: the approval rules (here fixed to a Windows baseline that approves Critical and Important patches of the listed products) and the parameters of the OOS execution (all running ECS instances in cn-hangzhou):

    locals {
      approval_rules_json = <<EOF
    {
      "PatchRules": [
        {
          "EnableNonSecurity": true,
          "PatchFilterGroup": [
            {
              "Values": ["OS"],
              "Key": "PatchSet"
            },
            {
              "Values": ["Windows"],
              "Key": "ProductFamily"
            },
            {
              "Values": ["Windows 10", "Windows 7", "Windows Server 2022"],
              "Key": "Product"
            },
            {
              "Values": ["Security Updates", "Updates", "Update Rollups", "Critical Updates"],
              "Key": "Classification"
            },
            {
              "Values": ["Critical", "Important"],
              "Key": "Severity"
            }
          ],
          "ApproveAfterDays": 7,
          "ComplianceLevel": "Medium"
        }
      ]
    }
    EOF
      oos_parameters_json = <<EOF
    {
        "resourceType": "ALIYUN::ECS::Instance",
        "targets": {
            "Type": "All",
            "Parameters": {
                "regionId": "cn-hangzhou",
                "Status": "Running"
            }
        }
    }
    EOF
    }
  3. Define the Conditions that the resources refer to, then write the Resources in the order of their dependencies. Both baselines set ApproveAfterDays: 7 (a patch is approved seven days after it is released) and EnableNonSecurity: true (patches that are not security updates are approved as well, subject to the Classification and Severity filters); adjust these to your patch policy.

    Conditions:
      IsWindows:
        Fn::Equals:
          - Ref: OperationSystem
          - Windows
      IsNotWindows:
        Fn::Not:
          Fn::Equals:
            - Ref: OperationSystem
            - Windows
      IsDefault:
        Fn::Equals:
          - Ref: DefaultPatchBaseline
          - true
    Resources:
      OOSPatchBaseline:
        Type: ALIYUN::OOS::PatchBaseline
        Condition: IsWindows
        Properties:
          PatchBaselineName:
            Ref: PatchBaselineName
          OperationSystem:
            Ref: OperationSystem
          ApprovalRules:
            PatchRules:
              - PatchFilterGroup:
                  - Key: PatchSet
                    Values:
                      - OS
                  - Key: ProductFamily
                    Values:
                      - Ref: OperationSystem
                  - Key: Product
                    Values:
                      - Ref: Product
                  - Key: Classification
                    Values:
                      - Ref: Classification
                  - Key: Severity
                    Values:
                      - Ref: Severity
                ApproveAfterDays: 7
                EnableNonSecurity: true
                ComplianceLevel: Medium
      LinuxPatchBaseline:
        Type: ALIYUN::OOS::PatchBaseline
        Condition: IsNotWindows
        Properties:
          PatchBaselineName:
            Ref: PatchBaselineName
          OperationSystem:
            Ref: OperationSystem
          ApprovalRules:
            PatchRules:
              - PatchFilterGroup:
                  - Key: Product
                    Values:
                      - Ref: Product
                  - Key: Classification
                    Values:
                      - Ref: Classification
                  - Key: Severity
                    Values:
                      - Ref: Severity
                ApproveAfterDays: 7
                EnableNonSecurity: true
                ComplianceLevel: Medium
      OOSDefaultPatchBaseline:
        Type: ALIYUN::OOS::DefaultPatchBaseline
        Condition: IsDefault
        # Wait for whichever baseline resource the OperationSystem condition creates.
        DependsOn:
          - OOSPatchBaseline
          - LinuxPatchBaseline
        Properties:
          PatchBaselineName:
            Ref: PatchBaselineName
      Execution:
        Type: ALIYUN::OOS::Execution
        # The execution applies the baseline, so it must wait for the baseline
        # (and, when requested, for it to be registered as the default).
        DependsOn:
          - OOSPatchBaseline
          - LinuxPatchBaseline
          - OOSDefaultPatchBaseline
        Properties:
          TemplateName:
            Ref: OOSTemplateName
          Parameters:
            resourceType:
              Ref: ResourceType
            targets:
              Ref: Targets
            Action:
              Ref: Action
            TimerTrigger:
              Ref: TimerTrigger
            WhetherCreateSnapshot:
              Ref: WhetherCreateSnapshot
            RetentionDays:
              Ref: RetentionDays
            RebootIfNeed:
              Ref: RebootIfNeed
          ResourceOptions:
            # A scheduled (TimerTrigger) execution stays Running or Waiting, so these
            # states count as success; otherwise stack creation would wait for an
            # execution that never finishes and time out.
            SuccessStatuses:
              - Running
              - Success
              - Queued
              - Waiting
            Timeout:
              Ref: Timeout
            CancelOnDelete:
              Ref: CancelOnDelete

    The Terraform resources that correspond to the ROS resources above create the baseline, register it as the default, and start the execution once both exist:

    resource "alicloud_oos_patch_baseline" "baseline" {
      patch_baseline_name = var.patch_baseline_name
      operation_system    = "Windows"
      approval_rules      = local.approval_rules_json
    }
    resource "alicloud_oos_default_patch_baseline" "default" {
      patch_baseline_name = alicloud_oos_patch_baseline.baseline.patch_baseline_name
    }
    resource "alicloud_oos_execution" "example" {
      template_name = "ACS-ECS-BulkyApplyPatchBaseline"
      parameters    = local.oos_parameters_json
      depends_on    = [alicloud_oos_patch_baseline.baseline, alicloud_oos_default_patch_baseline.default]
    }
  4. Use Outputs to expose the resources that were created.

    Outputs:
      Execution:
        Description:
          zh-cn: 执行状态。
          en: The status of the execution.
        Value:
          Fn::GetAtt:
            - Execution
            - Status
      PatchBaseline:
        Description:
          zh-cn: 创建的补丁基线名称。
          en: The name of the patch baseline.
        Value:
          # Only one of the two baseline resources exists, so select it by condition.
          Fn::If:
            - IsWindows
            - Fn::GetAtt:
                - OOSPatchBaseline
                - PatchBaselineName
            - Fn::GetAtt:
                - LinuxPatchBaseline
                - PatchBaselineName

    The Terraform equivalent exports the baseline ID:

    output "patch_baseline_id" {
      value = alicloud_oos_patch_baseline.baseline.id
    }
  5. The complete sample template is as follows. Before you create a stack from it, you can check it with the ROS ValidateTemplate API.

    ROSTemplateFormatVersion: "2015-09-01"
    Description:
      en: Create a patch baseline and execute.
      zh-cn: 创建一个补丁基线,并创建一个补丁基线的执行任务,定时或立即执行。
    Parameters:
      RegionId:
        Required: true
        Type: String
        Label:
          zh-cn: 地域ID
          en: RegionId
        AssociationProperty: ALIYUN::ECS::RegionId::RegionDeploy
      PatchBaselineName:
        Required: true
        Type: String
        Label:
          en: PatchBaselineName
          zh-cn: 补丁基线名称
        Default: PatchBaseline_test
      OperationSystem:
        Required: true
        Type: String
        Label:
          zh-cn: 操作系统类型。
          en: The operating system type.
        Default: Windows
        AllowedValues:
          - Windows
          - AliyunLinux
          - CentOS
          - Ubuntu
          - RedhatEnterpriseLinux
          - Debian
          - Anolis
      Product:
        # TODO: refine later by adding the OS versions that belong to each operating system.
        # https://help.aliyun.com/zh/ecs/developer-reference/api-ecs-2014-05-26-importimage?scm=20140722.S_help%40%40%E6%96%87%E6%A1%A3%40%402679793.S_RQW%40ag0%2BBB2%40ag0%2BBB1%40ag0%2Bos0.ID_2679793-RL_Platform-LOC_doc%7EUND%7Eab-OR_ser-V_4-P0_2&spm=a2c4g.11186623.0.i21
        Required: true
        Label:
          zh-cn: 产品
          en: Product
        Type: CommaDelimitedList
        AssociationPropertyMetadata:
          AllowedValues:
            - Value:
                - Windows Server Datacenter
                - Windows Server 2022
                - Windows Server 2019
                - Windows Server 2016
                - Windows Server 2012 R2
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Windows
            - Value:
                - Aliyun Linux 2.1903
                - Aliyun Linux 3.2104
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - AliyunLinux
            - Value:
                - CentOS Stream 9
                - CentOS 7.9
                - CentOS 7.8
                - CentOS 7.6
                - CentOS 7.5
                - CentOS 7.4
                - CentOS 7.3
                - CentOS 7.2
                - CentOS 7.1
                - CentOS 7.0
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - CentOS
            - Value:
                - Ubuntu 22.04
                - Ubuntu 20.04
                - Ubuntu 18.04
                - Ubuntu 16.04
                - Ubuntu 14.04
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Ubuntu
            - Value:
                - Debian 12.5
                - Debian 12.4
                - Debian 12.2
                - Debian 11.8
                - Debian 11.7
                - Debian 11.6
                - Debian 11.5
                - Debian 11.4
                - Debian 11.3
                - Debian 11.2
                - Debian 11.1
                - Debian 11.0
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Debian
            - Value:
                - Anolis OS 8.8 RHCK
                - Anolis OS 8.6 RHCK
                - Anolis OS 8.4 RHCK
                - Anolis OS 8.2 RHCK
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Anolis
            - Value:
                - Red Hat Enterprise Linux 9.3
                - Red Hat Enterprise Linux 9.2
                - Red Hat Enterprise Linux 9.1
                - Red Hat Enterprise Linux 9.0
                - Red Hat Enterprise Linux 8.9
                - Red Hat Enterprise Linux 8.8
                - Red Hat Enterprise Linux 8.7
                - Red Hat Enterprise Linux 8.6
                - Red Hat Enterprise Linux 8.5
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - RedhatEnterpriseLinux
      Classification:
        Label:
          zh-cn: 分类
          en: Classification
        Type: CommaDelimitedList
        AssociationPropertyMetadata:
          AllowedValues:
            - Value:
                - Applications
                - Definition Updates
                - Drivers
                - Feature Packs
                - Security Updates
                - Service Packs
                - Tools
                - Updates
                - Update Rollups
                - Critical Updates
                - Upgrades
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Windows
            - Value:
                - Security
                - Bugfix
                - Enhancement
                - Recommended
                - NewPackage
              Condition:
                # TODO: refine later by setting different classifications per operating system.
                Fn::Equals:
                  - ${OperationSystem}
                  - AliyunLinux
            - Value:
                - Security
                - Bugfix
                - Enhancement
                - Recommended
                - NewPackage
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - CentOS
            - Value:
                - libs
                - libdevel
                - doc
                - debug
                - translations
                - devel
                - admin
                - oldlibs
                - label
                - utils
                - net
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Ubuntu
            - Value:
                - admin
                - cli-mono
                - libs
                - libdevel
                - doc
                - comm
                - debug
                - database
                - devel
                - oldlibs
                - utils
                - net
                - misc
                - gnome
                - perl
                - x11
                - python
                - java
                - kernel
                - shells
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Debian
            - Value:
                - Security
                - Bugfix
                - Enhancement
                - Recommended
                - NewPackage
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Anolis
            - Value:
                - Security
                - Bugfix
                - Enhancement
                - Recommended
                - NewPackage
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - RedhatEnterpriseLinux
      Severity:
        Type: CommaDelimitedList
        Label:
          zh-cn: 严重程度。
          en: Severity
        AssociationPropertyMetadata:
          AllowedValues:
            - Value:
                - Critical
                - Important
                - Moderate
                - Low
                - Unspecified
              Condition:
                # TODO: refine later by setting different severity values per operating system.
                Fn::Not:
                  Fn::Equals:
                    - ${OperationSystem}
                    - Ubuntu
            - Value:
                - Required
                - Important
                - Standard
                - Optional
                - Extra
              Condition:
                Fn::Equals:
                  - ${OperationSystem}
                  - Ubuntu
      DefaultPatchBaseline:
        Type: Boolean
        Label:
          zh-cn: 是否设置为默认补丁基线。
          en: Whether to set the patch baseline as the default.
        Default: false
        AllowedValues:
          - true
          - false
        AssociationPropertyMetadata:
          ValueLabelMapping:
            true:
              zh-cn: 是
              en: true
            false:
              zh-cn: 否
              en: false
      OOSTemplateName:
        Type: String
        Label:
          zh-cn: 模板名称。
          en: Template name
        Default: ACS-ECS-BulkyApplyPatchBaseline
        AssociationProperty: ALIYUN::OOS::Template::TemplateName
        AssociationPropertyMetadata:
          RegionId:
            Ref: RegionId
        Description:
          zh-cn: ACS-ECS-BulkyApplyPatchBaseline:用于执行补丁操作的模板。
          en: ACS-ECS-BulkyApplyPatchBaseline:The template name used to execute patch operations.
        MinLength: 2
        MaxLength: 128
      Action:
        Default: install
        AssociationPropertyMetadata:
          LocaleKey: OOSPatchExecuteType
          ValueLabelMapping:
            install:
              zh-cn: 安装并扫描
              en: Install
            scan:
              zh-cn: 扫描
              en: Scan
        AllowedValues:
          - install
          - scan
        Type: String
        Label:
          zh-cn: 配置补丁基线的方式
          en: Action
      TimerTrigger:
        AssociationProperty: ALIYUN::OOS::Component::TimerTrigger
        AssociationPropertyMetadata:
          MinuteInterval: 30
        Type: Json
        Label:
          zh-cn: 定时类型
          en: TimerTrigger
      WhetherCreateSnapshot:
        Default: false
        AssociationPropertyMetadata:
          Visible:
            Condition:
              Fn::Equals:
                - ${Action}
                - install
        Type: Boolean
        Label:
          zh-cn: 是否为系统盘创建快照
          en: WhetherCreateSnapshot
      RetentionDays:
        AssociationPropertyMetadata:
          Visible:
            Condition:
              Fn::Equals:
                - ${WhetherCreateSnapshot}
                - true
        Default: 7
        MaxValue: 65536
        MinValue: 1
        Label:
          zh-cn: 快照保留天数
          en: RetentionDays
        Type: Number
      RebootIfNeed:
        Default: false
        AssociationPropertyMetadata:
          Visible:
            Condition:
              Fn::Equals:
                - ${Action}
                - install
        Type: Boolean
        Label:
          zh-cn: 是否重启
          en: RebootIfNeed
      ResourceType:
        Type: String
        Label:
          en: ResourceType
          zh-cn: 资源类型
        AssociationPropertyMetadata:
          ValueLabelMapping:
            ALIYUN::ECS::Instance:
              zh-cn: ECS实例
              en: ECS instance
            ALIYUN::ECD::Desktop:
              zh-cn: 无影云桌面
              en: Desktop
        AllowedValues:
          - ALIYUN::ECS::Instance
          - ALIYUN::ECD::Desktop
        Default: ALIYUN::ECS::Instance
      Targets:
        AssociationProperty: Targets
        AssociationPropertyMetadata:
          ResourceType: ResourceType
          DeployedRegionId: RegionId
          Status: Running
        Type: Json
        Label:
          zh-cn: 目标实例
          en: TargetInstance
      Timeout:
        Type: Number
        Label:
          zh-cn: 超时时间。
          en: Timeout
        Default: 1800
        Description:
          zh-cn: 超时时间,单位为秒。
          en: Timeout in seconds
      CancelOnDelete:
        Type: Boolean
        Label:
          zh-cn: 是否删除时取消
          en: CancelOnDelete
        Default: true
        AllowedValues:
          - true
          - false
        AssociationPropertyMetadata:
          ValueLabelMapping:
            true:
              zh-cn: 是
              en: true
            false:
              zh-cn: 否
              en: false
    Metadata:
      ALIYUN::ROS::Interface:
        ParameterGroups:
          - Parameters:
              - PatchBaselineName
              - OperationSystem
              - Product
              - Classification
              - Severity
              - DefaultPatchBaseline
            Label:
              zh-cn: 补丁基线
              en: Patch baseline
          - Parameters:
              - OOSTemplateName
              - ResourceType
              - Targets
              - Timeout
              - CancelOnDelete
              - Action
              - TimerTrigger
              - WhetherCreateSnapshot
              - RetentionDays
              - RebootIfNeed
            Label:
              zh-cn: 执行参数
              en: Execution parameters
    Conditions:
      IsWindows:
        Fn::Equals:
          - Ref: OperationSystem
          - Windows
      IsNotWindows:
        Fn::Not:
          Fn::Equals:
            - Ref: OperationSystem
            - Windows
      IsDefault:
        Fn::Equals:
          - Ref: DefaultPatchBaseline
          - true
    Resources:
      OOSPatchBaseline:
        Type: ALIYUN::OOS::PatchBaseline
        Condition: IsWindows
        Properties:
          PatchBaselineName:
            Ref: PatchBaselineName
          OperationSystem:
            Ref: OperationSystem
          ApprovalRules:
            PatchRules:
              - PatchFilterGroup:
                  - Key: PatchSet
                    Values:
                      - OS
                  - Key: ProductFamily
                    Values:
                      - Ref: OperationSystem
                  - Key: Product
                    Values:
                      - Ref: Product
                  - Key: Classification
                    Values:
                      - Ref: Classification
                  - Key: Severity
                    Values:
                      - Ref: Severity
                ApproveAfterDays: 7
                EnableNonSecurity: true
                ComplianceLevel: Medium
      LinuxPatchBaseline:
        Type: ALIYUN::OOS::PatchBaseline
        Condition: IsNotWindows
        Properties:
          PatchBaselineName:
            Ref: PatchBaselineName
          OperationSystem:
            Ref: OperationSystem
          ApprovalRules:
            PatchRules:
              - PatchFilterGroup:
                  - Key: Product
                    Values:
                      - Ref: Product
                  - Key: Classification
                    Values:
                      - Ref: Classification
                  - Key: Severity
                    Values:
                      - Ref: Severity
                ApproveAfterDays: 7
                EnableNonSecurity: true
                ComplianceLevel: Medium
      OOSDefaultPatchBaseline:
        Type: ALIYUN::OOS::DefaultPatchBaseline
        Properties:
          PatchBaselineName:
            Ref: PatchBaselineName
        Condition: IsDefault
        DependsOn: OOSPatchBaseline
      Execution:
        Type: ALIYUN::OOS::Execution
        # The execution depends on the patch baseline being created first. Note that only
        # OOSPatchBaseline is listed here, and that resource is created only when IsWindows holds.
        DependsOn: OOSPatchBaseline
        Properties:
          TemplateName:
            Ref: OOSTemplateName
          Parameters:
            resourceType:
              Ref: ResourceType
            targets:
              Ref: Targets
            Action:
              Ref: Action
            TimerTrigger:
              Ref: TimerTrigger
            WhetherCreateSnapshot:
              Ref: WhetherCreateSnapshot
            RetentionDays:
              Ref: RetentionDays
          ResourceOptions:
            SuccessStatuses:
              - Running
              - Success
              - Queued
              - Waiting
            Timeout:
              Ref: Timeout
            CancelOnDelete:
              Ref: CancelOnDelete
    Conditions:
      IsDefault:
        Fn::Equals:
          - true
          - Ref: DefaultPatchBaseline
      IsNotWindows:
        Fn::Not:
          Fn::Equals:
            - ${OperationSystem}
            - Windows
      IsWindows:
        Fn::Equals:
          - ${OperationSystem}
          - Windows
    Outputs:
      Execution:
        Description:
          zh-cn: 执行成功。
          en: Whether the execution is successful.
        Value:
          Fn::GetAtt:
            - Execution
            - Status

The same resources expressed as a Terraform configuration with the alicloud provider. Here the Windows approval rules and the execution parameters are fixed JSON strings rather than stack parameters, so adjust them before applying:

    terraform {
      required_providers {
        alicloud = {
          source  = "aliyun/alicloud"
          version = "1.229.1"
        }
      }
    }
    provider "alicloud" {
      region = "cn-hangzhou"
    }
    
    variable "patch_baseline_name" {
      description = "Patch baseline name"
      type        = string
    }
    locals {
      approval_rules_json = <<EOF
    {
      "PatchRules": [
        {
          "EnableNonSecurity": true,
          "PatchFilterGroup": [
            {
              "Values": ["OS"],
              "Key": "PatchSet"
            },
            {
              "Values": ["Windows"],
              "Key": "ProductFamily"
            },
            {
              "Values": ["Windows 10", "Windows 7", "Windows Server 2022"],
              "Key": "Product"
            },
            {
              "Values": ["Security Updates", "Updates", "Update Rollups", "Critical Updates"],
              "Key": "Classification"
            },
            {
              "Values": ["Critical", "Important"],
              "Key": "Severity"
            }
          ],
          "ApproveAfterDays": 7,
          "ComplianceLevel": "Medium"
        }
      ]
    }
    EOF
      oos_parameters_json = <<EOF
    {
        "resourceType": "ALIYUN::ECS::Instance",
        "targets": {
            "Type": "All",
            "Parameters": {
                "regionId": "cn-hangzhou",
                "Status": "Running"
            }
        }
    }
    EOF
    }
    resource "alicloud_oos_patch_baseline" "baseline" {
      patch_baseline_name = var.patch_baseline_name
      operation_system    = "Windows"
      approval_rules      = local.approval_rules_json
    }
    resource "alicloud_oos_default_patch_baseline" "default" {
      patch_baseline_name = alicloud_oos_patch_baseline.baseline.patch_baseline_name
    }
    resource "alicloud_oos_execution" "example" {
      template_name = "ACS-ECS-BulkyApplyPatchBaseline"
      parameters    = local.oos_parameters_json
      depends_on    = [alicloud_oos_patch_baseline.baseline, alicloud_oos_default_patch_baseline.default]
    }
    output "patch_baseline_id" {
      value = alicloud_oos_patch_baseline.baseline.id
    }
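Before creating the stack it is worth checking the template's cross-references offline: ROS reports an unresolved Ref, an undefined Condition or an unknown DependsOn target only at deploy time, and a resource that depends on a conditionally created resource (in the YAML above, Execution and OOSDefaultPatchBaseline both depend on OOSPatchBaseline, which exists only when IsWindows holds) deserves a look before you rely on the Linux path. The following Python script is an added example, not part of this page or of Alibaba Cloud's tooling. TEMPLATE_JSON is a constructed, trimmed JSON copy of the YAML template (ROS accepts both formats), and the checks are the editor's own pre-flight lint, not a ROS validation API.

```python
"""Offline pre-flight lint for a ROS template (added example, not Alibaba Cloud tooling).

Checks: every Ref / ${Name} / Fn::GetAtt names a Parameter or Resource, every Condition
named on a resource is defined, every DependsOn target exists, and a DependsOn edge that
crosses a Condition boundary is reported for review.
"""
import json
import re

# Constructed, trimmed JSON copy of the page's YAML template (same names and conditions).
TEMPLATE_JSON = r'''
{
  "Parameters": {
    "PatchBaselineName": {"Type": "String"},
    "OperationSystem": {"Type": "String"},
    "Product": {"Type": "CommaDelimitedList"},
    "DefaultPatchBaseline": {"Type": "Boolean"},
    "OOSTemplateName": {"Type": "String"},
    "Targets": {"Type": "Json"},
    "Timeout": {"Type": "Number"}
  },
  "Conditions": {
    "IsDefault": {"Fn::Equals": [true, {"Ref": "DefaultPatchBaseline"}]},
    "IsWindows": {"Fn::Equals": ["${OperationSystem}", "Windows"]},
    "IsNotWindows": {"Fn::Not": {"Fn::Equals": ["${OperationSystem}", "Windows"]}}
  },
  "Resources": {
    "OOSPatchBaseline": {
      "Type": "ALIYUN::OOS::PatchBaseline", "Condition": "IsWindows",
      "Properties": {"PatchBaselineName": {"Ref": "PatchBaselineName"},
                     "OperationSystem": {"Ref": "OperationSystem"},
                     "ApprovalRules": {"PatchRules": [{"PatchFilterGroup": [
                       {"Key": "Product", "Values": [{"Ref": "Product"}]}]}]}}
    },
    "LinuxPatchBaseline": {
      "Type": "ALIYUN::OOS::PatchBaseline", "Condition": "IsNotWindows",
      "Properties": {"PatchBaselineName": {"Ref": "PatchBaselineName"},
                     "OperationSystem": {"Ref": "OperationSystem"}}
    },
    "OOSDefaultPatchBaseline": {
      "Type": "ALIYUN::OOS::DefaultPatchBaseline", "Condition": "IsDefault",
      "DependsOn": "OOSPatchBaseline",
      "Properties": {"PatchBaselineName": {"Ref": "PatchBaselineName"}}
    },
    "Execution": {
      "Type": "ALIYUN::OOS::Execution", "DependsOn": "OOSPatchBaseline",
      "Properties": {"TemplateName": {"Ref": "OOSTemplateName"},
                     "Parameters": {"targets": {"Ref": "Targets"}},
                     "ResourceOptions": {"Timeout": {"Ref": "Timeout"}}}
    }
  },
  "Outputs": {"Execution": {"Value": {"Fn::GetAtt": ["Execution", "Status"]}}}
}
'''

SUB_RE = re.compile(r"\$\{([A-Za-z0-9_:]+)\}")  # the ${Name} shorthand also names a parameter


def collect_refs(node, found):
    """Walk a template fragment and collect every name used via Ref, ${Name} or Fn::GetAtt."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                found.add(value)
            elif key == "Fn::GetAtt" and isinstance(value, list) and value:
                found.add(value[0])
            else:
                collect_refs(value, found)
    elif isinstance(node, list):
        for item in node:
            collect_refs(item, found)
    elif isinstance(node, str):
        found.update(SUB_RE.findall(node))
    return found


def lint_template(template):
    """Return sorted findings; an empty list means every cross-reference resolves."""
    params = set(template.get("Parameters", {}))
    resources = template.get("Resources", {})
    conditions = set(template.get("Conditions", {}))
    findings = []

    # 1. Every Ref / ${Name} / Fn::GetAtt target must be a Parameter or a Resource.
    names = params | set(resources)
    for section in ("Conditions", "Resources", "Outputs"):
        for ref in collect_refs(template.get(section, {}), set()) - names:
            findings.append(f"{section}: unresolved reference '{ref}'")

    for name, res in resources.items():
        # 2. A Condition named on a resource must be defined.
        cond = res.get("Condition")
        if cond is not None and cond not in conditions:
            findings.append(f"Resources.{name}: undefined Condition '{cond}'")
        # 3. DependsOn targets must exist; flag edges onto a resource that may be skipped
        #    under a different condition than our own.
        deps = res.get("DependsOn", [])
        for dep in [deps] if isinstance(deps, str) else deps:
            if dep not in resources:
                findings.append(f"Resources.{name}: DependsOn unknown resource '{dep}'")
            elif resources[dep].get("Condition") not in (None, cond):
                findings.append(f"Resources.{name}: DependsOn '{dep}', which is created only "
                                f"under Condition '{resources[dep]['Condition']}'; check the path where it is skipped")
    return sorted(findings)


def lint_page_template():
    """Lint the embedded copy of the page's template."""
    return lint_template(json.loads(TEMPLATE_JSON))


if __name__ == "__main__":
    for line in lint_page_template() or ["OK: all references resolve"]:
        print(line)
```

Run it against a template exported to JSON; an empty result means every Ref, ${Name}, Fn::GetAtt, Condition and DependsOn resolves. On the page's template it reports the two DependsOn edges that cross a Condition boundary (Execution and OOSDefaultPatchBaseline onto OOSPatchBaseline), which is exactly what to review before testing a Linux baseline.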

Step 3: Create a stack from the template

This section shows only the main steps for creating a stack; for details, see Create a stack.

  1. Log on to the ROS console and create a stack with ROS.

  2. On the Create Stack page, paste the complete sample template from Step 2 into the template content field and click Next.

  3. Configure the parameters as needed and click Next. Check the Targets scope in particular: a target of Type All over Running instances in the region applies the patch execution, including any reboot allowed by RebootIfNeed, to every running instance there.

  4. When the Status is Created, click the Resources tab to see the resources that were created. Note that ResourceOptions.SuccessStatuses in the template treats Running, Queued and Waiting as success, so a created stack only means the OOS execution was started, not that patching has finished; check the execution's status in the OOS console before treating the instances as patched.

  5. Click a resource ID to open that resource's console.

Related operations

Stack creation failed

  1. If stack creation fails, find the target stack in the stack list and click Diagnose to quickly locate the problem.

  2. After the diagnosis completes, you are redirected to the Diagnosis page, where you can troubleshoot according to the suggestions.