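You can use Alibaba Cloud Resource Orchestration Service (ROS) together with OOS templates to quickly create a patch baseline and run patching tasks.
Background
The OOS console supports creating a patch baseline, immediate remediation, and scheduled remediation, but these operations are on different console pages. Resource Orchestration Service (ROS) creates and configures all resources automatically from a template, which enables automated deployment and operations. You can use ROS to call CloudOps Orchestration Service (OOS) to quickly create and execute a patch baseline.
ROS resources used
Create a patch baseline: ALIYUN::OOS::PatchBaseline
Set the default patch baseline: ALIYUN::OOS::DefaultPatchBaseline
Create a patch remediation execution: ALIYUN::OOS::Execution
Prerequisites
To keep your Alibaba Cloud account and cloud resources secure, avoid using the Alibaba Cloud account (the root account) directly unless necessary. We recommend that you create a RAM role and grant permissions to that role.
Make sure that you have created a service role. For details, see Create a RAM role whose trusted entity is an Alibaba Cloud service.
Make sure that you have granted permissions to the role. For details, see Grant permissions to a RAM role. The required permissions are listed in the following table.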
| Policy name | Description |
| --- | --- |
| AliyunOOSFullAccess | Manage OOS |
| AliyunROSFullAccess | Manage ROS |
| AliyunECSFullAccess | Manage ECS |
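Procedure
Step 1: Confirm the parameters
Go to the Create Patch Baseline page in the OOS console. Based on what the page shows and on the ROS resource type ALIYUN::OOS::PatchBaseline, confirm the following parameters.

| Parameter | Type | Description |
| --- | --- | --- |
| PatchBaselineName | String | Patch baseline name |
| OperationSystem | String | Operating system |
| Product | CommaDelimitedList | Product |
| Classification | CommaDelimitedList | Classification |
| Severity | CommaDelimitedList | Severity level |
| DefaultPatchBaseline | Boolean | Whether to set the baseline as the default patch baseline |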
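Go to the Patch Management page in the OOS console. Based on what the page shows and on the ROS resource type ALIYUN::OOS::Execution, confirm the following parameters.

| Parameter | Type | Description |
| --- | --- | --- |
| OOSTemplateName | String | OOS template name |
| ResourceType | String | Resource type |
| Targets | Json | Target instances |
| Timeout | Number | Timeout |
| CancelOnDelete | Boolean | Whether to cancel the execution on deletion |
| Action | String | How the patch baseline is applied |
| TimerTrigger | Json | Schedule type |
| WhetherCreateSnapshot | Boolean | Whether to create a snapshot of the system disk |
| RetentionDays | Number | Snapshot retention period in days |
| RebootIfNeed | Boolean | Whether to reboot |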
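Step 2: Write the ROS template
After you confirm the parameters, write the ROS template and use the parameters in Parameters, Resources, Metadata, Conditions, and Outputs.
To learn more about ROS templates, see Getting started with ROS template authoring.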
In Parameters, define the parameters that users set on the console page.

```yaml
Parameters:
  RegionId:
    Required: true
    Type: String
    Label:
      zh-cn: 地域ID
      en: RegionId
    AssociationProperty: ALIYUN::ECS::RegionId::RegionDeploy
  PatchBaselineName:
    Required: true
    Type: String
    Label:
      en: PatchBaselineName
      zh-cn: 补丁基线名称
    Default: PatchBaseline_test
  OperationSystem:
    Required: true
    Type: String
    Label:
      zh-cn: 操作系统类型。
      en: The operating system type.
    Default: Windows
    AllowedValues:
      - Windows
      - AliyunLinux
      - CentOS
      - Ubuntu
      - RedhatEnterpriseLinux
      - Debian
      - Anolis
  Product:
    # TODO: refine later by adding the versions that correspond to each operating system.
    # https://help.aliyun.com/zh/ecs/developer-reference/api-ecs-2014-05-26-importimage?scm=20140722.S_help%40%40%E6%96%87%E6%A1%A3%40%402679793.S_RQW%40ag0%2BBB2%40ag0%2BBB1%40ag0%2Bos0.ID_2679793-RL_Platform-LOC_doc%7EUND%7Eab-OR_ser-V_4-P0_2&spm=a2c4g.11186623.0.i21
    Required: true
    Label:
      zh-cn: 产品
      en: Product
    Type: CommaDelimitedList
    AssociationPropertyMetadata:
      AllowedValues:
        - Value:
            - Windows Server Datacenter
            - Windows Server 2022
            - Windows Server 2019
            - Windows Server 2016
            - Windows Server 2012 R2
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Windows
        - Value:
            - Aliyun Linux 2.1903
            - Aliyun Linux 3.2104
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - AliyunLinux
        - Value:
            - CentOS Stream 9
            - CentOS 7.9
            - CentOS 7.8
            - CentOS 7.6
            - CentOS 7.5
            - CentOS 7.4
            - CentOS 7.3
            - CentOS 7.2
            - CentOS 7.1
            - CentOS 7.0
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - CentOS
        - Value:
            - Ubuntu 22.04
            - Ubuntu 20.04
            - Ubuntu 18.04
            - Ubuntu 16.04
            - Ubuntu 14.04
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Ubuntu
        - Value:
            - Debian 12.5
            - Debian 12.4
            - Debian 12.2
            - Debian 11.8
            - Debian 11.7
            - Debian 11.6
            - Debian 11.5
            - Debian 11.4
            - Debian 11.3
            - Debian 11.2
            - Debian 11.1
            - Debian 11.0
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Debian
        - Value:
            - Anolis OS 8.8 RHCK
            - Anolis OS 8.6 RHCK
            - Anolis OS 8.4 RHCK
            - Anolis OS 8.2 RHCK
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Anolis
        - Value:
            - Red Hat Enterprise Linux 9.3
            - Red Hat Enterprise Linux 9.2
            - Red Hat Enterprise Linux 9.1
            - Red Hat Enterprise Linux 9.0
            - Red Hat Enterprise Linux 8.9
            - Red Hat Enterprise Linux 8.8
            - Red Hat Enterprise Linux 8.7
            - Red Hat Enterprise Linux 8.6
            - Red Hat Enterprise Linux 8.5
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - RedhatEnterpriseLinux
  Classification:
    Label:
      zh-cn: 分类
      en: Classification
    Type: CommaDelimitedList
    AssociationPropertyMetadata:
      AllowedValues:
        - Value:
            - Applications
            - Definition Updates
            - Drivers
            - Feature Packs
            - Security Updates
            - Service Packs
            - Tools
            - Updates
            - Update Rollups
            - Critical Updates
            - Upgrades
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Windows
        - Value:
            - Security
            - Bugfix
            - Enhancement
            - Recommended
            - NewPackage
          Condition:
            # TODO: refine later to set different classifications for different operating systems.
            Fn::Equals:
              - ${OperationSystem}
              - AliyunLinux
        - Value:
            - Security
            - Bugfix
            - Enhancement
            - Recommended
            - NewPackage
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - CentOS
        - Value:
            - libs
            - libdevel
            - doc
            - debug
            - translations
            - devel
            - admin
            - oldlibs
            - label
            - utils
            - net
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Ubuntu
        - Value:
            - admin
            - cli-mono
            - libs
            - libdevel
            - doc
            - comm
            - debug
            - database
            - devel
            - oldlibs
            - utils
            - net
            - misc
            - gnome
            - perl
            - x11
            - python
            - java
            - kernel
            - shells
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Debian
        - Value:
            - Security
            - Bugfix
            - Enhancement
            - Recommended
            - NewPackage
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Anolis
        - Value:
            - Security
            - Bugfix
            - Enhancement
            - Recommended
            - NewPackage
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - RedhatEnterpriseLinux
  Severity:
    Type: CommaDelimitedList
    Label:
      zh-cn: 严重程度。
      en: Severity
    AssociationPropertyMetadata:
      AllowedValues:
        - Value:
            - Critical
            - Important
            - Moderate
            - Low
            - Unspecified
          Condition:
            # TODO: refine later to set different classifications for different operating systems.
            Fn::Not:
              Fn::Equals:
                - ${OperationSystem}
                - Ubuntu
        - Value:
            - Required
            - Important
            - Standard
            - Optional
            - Extra
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Ubuntu
  DefaultPatchBaseline:
    Type: Boolean
    Label:
      zh-cn: 是否设置为默认补丁基线。
      en: Whether to set the patch baseline as the default.
    Default: false
    AllowedValues:
      - true
      - false
    AssociationPropertyMetadata:
      ValueLabelMapping:
        true:
          zh-cn: 是
          en: true
        false:
          zh-cn: 否
          en: false
  OOSTemplateName:
    Type: String
    Label:
      zh-cn: 模板名称。
      en: Template name
    Default: ACS-ECS-BulkyApplyPatchBaseline
    AssociationProperty: ALIYUN::OOS::Template::TemplateName
    AssociationPropertyMetadata:
      RegionId:
        Ref: RegionId
    Description:
      zh-cn: ACS-ECS-BulkyApplyPatchBaseline:用于执行补丁操作的模板。
      en: ACS-ECS-BulkyApplyPatchBaseline:The template name used to execute patch operations.
    MinLength: 2
    MaxLength: 128
  Action:
    Default: install
    AssociationPropertyMetadata:
      LocaleKey: OOSPatchExecuteType
      ValueLabelMapping:
        install:
          zh-cn: 安装并扫描
          en: Install
        scan:
          zh-cn: 扫描
          en: Scan
    AllowedValues:
      - install
      - scan
    Type: String
    Label:
      zh-cn: 配置补丁基线的方式
      en: Action
  TimerTrigger:
    AssociationProperty: ALIYUN::OOS::Component::TimerTrigger
    AssociationPropertyMetadata:
      MinuteInterval: 30
    Type: Json
    Label:
      zh-cn: 定时类型
      en: TimerTrigger
  WhetherCreateSnapshot:
    Default: false
    AssociationPropertyMetadata:
      Visible:
        Condition:
          Fn::Equals:
            - ${Action}
            - install
    Type: Boolean
    Label:
      zh-cn: 是否为系统盘创建快照
      en: WhetherCreateSnapshot
  RetentionDays:
    AssociationPropertyMetadata:
      Visible:
        Condition:
          Fn::Equals:
            - ${WhetherCreateSnapshot}
            - true
    Default: 7
    MaxValue: 65536
    MinValue: 1
    Label:
      zh-cn: 快照保留天数
      en: RetentionDays
    Type: Number
  RebootIfNeed:
    Default: false
    AssociationPropertyMetadata:
      Visible:
        Condition:
          Fn::Equals:
            - ${Action}
            - install
    Type: Boolean
    Label:
      zh-cn: 是否重启
      en: RebootIfNeed
  ResourceType:
    Type: String
    Label:
      en: ResourceType
      zh-cn: 资源类型
    AssociationPropertyMetadata:
      ValueLabelMapping:
        ALIYUN::ECS::Instance:
          zh-cn: ECS实例
          en: ECS instance
        ALIYUN::ECD::Desktop:
          zh-cn: 无影云桌面
          en: Desktop
    AllowedValues:
      - ALIYUN::ECS::Instance
      - ALIYUN::ECD::Desktop
    Default: ALIYUN::ECS::Instance
  Targets:
    AssociationProperty: Targets
    AssociationPropertyMetadata:
      ResourceType: ResourceType
      DeployedRegionId: RegionId
      Status: Running
    Type: Json
    Label:
      zh-cn: 目标实例
      en: TargetInstance
  Timeout:
    Type: Number
    Label:
      zh-cn: 超时时间。
      en: Timeout
    Default: 1800
    Description:
      zh-cn: 超时时间,单位为秒。
      en: Timeout in seconds
  CancelOnDelete:
    Type: Boolean
    Label:
      zh-cn: 是否删除时取消
      en: CancelOnDelete
    Default: true
    AllowedValues:
      - true
      - false
    AssociationPropertyMetadata:
      ValueLabelMapping:
        true:
          zh-cn: 是
          en: true
        false:
          zh-cn: 否
          en: false
```
```hcl
provider "alicloud" {
  region = "cn-hangzhou"
}

variable "patch_baseline_name" {
  description = "补丁基线名称"
  type        = string
}
```
In Metadata, split the parameters into two groups: patch baseline and execution parameters.

```yaml
Metadata:
  ALIYUN::ROS::Interface:
    ParameterGroups:
      - Parameters:
          - PatchBaselineName
          - OperationSystem
          - Product
          - Classification
          - Severity
          - DefaultPatchBaseline
        Label:
          zh-cn: 补丁基线
          en: Patch baseline
      - Parameters:
          - OOSTemplateName
          - ResourceType
          - Targets
          - Timeout
          - CancelOnDelete
          - Action
          - TimerTrigger
          - WhetherCreateSnapshot
          - RetentionDays
          - RebootIfNeed
        Label:
          zh-cn: 执行参数
          en: Execution parameters
```
```hcl
locals {
  approval_rules_json = <<EOF
{
  "PatchRules": [
    {
      "EnableNonSecurity": true,
      "PatchFilterGroup": [
        { "Values": ["OS"], "Key": "PatchSet" },
        { "Values": ["Windows"], "Key": "ProductFamily" },
        { "Values": ["Windows 10", "Windows 7", "Windows Server 2022"], "Key": "Product" },
        { "Values": ["Security Updates", "Updates", "Update Rollups", "Critical Updates"], "Key": "Classification" },
        { "Values": ["Critical", "Important"], "Key": "Severity" }
      ],
      "ApproveAfterDays": 7,
      "ComplianceLevel": "Medium"
    }
  ]
}
EOF

  oos_parameters_json = <<EOF
{
  "resourceType": "ALIYUN::ECS::Instance",
  "targets": {
    "Type": "All",
    "Parameters": {
      "regionId": "cn-hangzhou",
      "Status": "Running"
    }
  }
}
EOF
}
```
Write Resources according to the dependencies between the ROS resources.

```yaml
Resources:
  OOSPatchBaseline:
    Type: ALIYUN::OOS::PatchBaseline
    Condition: IsWindows
    Properties:
      PatchBaselineName:
        Ref: PatchBaselineName
      OperationSystem:
        Ref: OperationSystem
      ApprovalRules:
        PatchRules:
          - PatchFilterGroup:
              - Key: PatchSet
                Values:
                  - OS
              - Key: ProductFamily
                Values:
                  - Ref: OperationSystem
              - Key: Product
                Values:
                  - Ref: Product
              - Key: Classification
                Values:
                  - Ref: Classification
              - Key: Severity
                Values:
                  - Ref: Severity
            ApproveAfterDays: 7
            EnableNonSecurity: true
            ComplianceLevel: Medium
  LinuxPatchBaseline:
    Type: ALIYUN::OOS::PatchBaseline
    Condition: IsNotWindows
    Properties:
      PatchBaselineName:
        Ref: PatchBaselineName
      OperationSystem:
        Ref: OperationSystem
      ApprovalRules:
        PatchRules:
          - PatchFilterGroup:
              - Key: Product
                Values:
                  - Ref: Product
              - Key: Classification
                Values:
                  - Ref: Classification
              - Key: Severity
                Values:
                  - Ref: Severity
            ApproveAfterDays: 7
            EnableNonSecurity: true
            ComplianceLevel: Medium
  OOSDefaultPatchBaseline:
    Type: ALIYUN::OOS::DefaultPatchBaseline
    Properties:
      PatchBaselineName:
        Ref: PatchBaselineName
    Condition: IsDefault
    DependsOn: OOSPatchBaseline
  Execution:
    Type: ALIYUN::OOS::Execution
    # Depends on the patch baseline having been created
    DependsOn: OOSPatchBaseline
    Properties:
      TemplateName:
        Ref: OOSTemplateName
      Parameters:
        resourceType:
          Ref: ResourceType
        targets:
          Ref: Targets
        Action:
          Ref: Action
        TimerTrigger:
          Ref: TimerTrigger
        WhetherCreateSnapshot:
          Ref: WhetherCreateSnapshot
        RetentionDays:
          Ref: RetentionDays
      ResourceOptions:
        SuccessStatuses:
          - Running
          - Success
          - Queued
          - Waiting
        Timeout:
          Ref: Timeout
        CancelOnDelete:
          Ref: CancelOnDelete
```
```hcl
resource "alicloud_oos_patch_baseline" "baseline" {
  patch_baseline_name = var.patch_baseline_name
  operation_system    = "Windows"
  approval_rules      = local.approval_rules_json
}

resource "alicloud_oos_default_patch_baseline" "default" {
  patch_baseline_name = alicloud_oos_patch_baseline.baseline.patch_baseline_name
}

resource "alicloud_oos_execution" "example" {
  template_name = "ACS-ECS-BulkyApplyPatchBaseline"
  parameters    = local.oos_parameters_json
  depends_on    = [alicloud_oos_patch_baseline.baseline, alicloud_oos_default_patch_baseline.default]
}
```
Use Outputs to return the resources that were created.

```yaml
Outputs:
  Execution:
    Description:
      zh-cn: 执行成功。
      en: Whether the execution is successful.
    Value:
      Fn::GetAtt:
        - Execution
        - Status
  PatchBaseline:
    Description:
      zh-cn: 创建的补丁基线名称。
      en: The name of the patch baseline.
    Value:
      Fn::GetAtt:
        - OOSPatchBaseline
        - PatchBaselineName
```
```hcl
output "patch_baseline_id" {
  value = alicloud_oos_patch_baseline.baseline.id
}
```
The complete example template is as follows.
```yaml
ROSTemplateFormatVersion: "2015-09-01"
Description:
  en: Create a patch baseline and execute.
  zh-cn: 创建一个补丁基线,并创建一个补丁基线的执行任务,定时或立即执行。
Parameters:
  RegionId:
    Required: true
    Type: String
    Label:
      zh-cn: 地域ID
      en: RegionId
    AssociationProperty: ALIYUN::ECS::RegionId::RegionDeploy
  PatchBaselineName:
    Required: true
    Type: String
    Label:
      en: PatchBaselineName
      zh-cn: 补丁基线名称
    Default: PatchBaseline_test
  OperationSystem:
    Required: true
    Type: String
    Label:
      zh-cn: 操作系统类型。
      en: The operating system type.
    Default: Windows
    AllowedValues:
      - Windows
      - AliyunLinux
      - CentOS
      - Ubuntu
      - RedhatEnterpriseLinux
      - Debian
      - Anolis
  Product:
    # TODO: refine later by adding the versions that correspond to each operating system.
    # https://help.aliyun.com/zh/ecs/developer-reference/api-ecs-2014-05-26-importimage?scm=20140722.S_help%40%40%E6%96%87%E6%A1%A3%40%402679793.S_RQW%40ag0%2BBB2%40ag0%2BBB1%40ag0%2Bos0.ID_2679793-RL_Platform-LOC_doc%7EUND%7Eab-OR_ser-V_4-P0_2&spm=a2c4g.11186623.0.i21
    Required: true
    Label:
      zh-cn: 产品
      en: Product
    Type: CommaDelimitedList
    AssociationPropertyMetadata:
      AllowedValues:
        - Value:
            - Windows Server Datacenter
            - Windows Server 2022
            - Windows Server 2019
            - Windows Server 2016
            - Windows Server 2012 R2
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Windows
        - Value:
            - Aliyun Linux 2.1903
            - Aliyun Linux 3.2104
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - AliyunLinux
        - Value:
            - CentOS Stream 9
            - CentOS 7.9
            - CentOS 7.8
            - CentOS 7.6
            - CentOS 7.5
            - CentOS 7.4
            - CentOS 7.3
            - CentOS 7.2
            - CentOS 7.1
            - CentOS 7.0
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - CentOS
        - Value:
            - Ubuntu 22.04
            - Ubuntu 20.04
            - Ubuntu 18.04
            - Ubuntu 16.04
            - Ubuntu 14.04
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Ubuntu
        - Value:
            - Debian 12.5
            - Debian 12.4
            - Debian 12.2
            - Debian 11.8
            - Debian 11.7
            - Debian 11.6
            - Debian 11.5
            - Debian 11.4
            - Debian 11.3
            - Debian 11.2
            - Debian 11.1
            - Debian 11.0
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Debian
        - Value:
            - Anolis OS 8.8 RHCK
            - Anolis OS 8.6 RHCK
            - Anolis OS 8.4 RHCK
            - Anolis OS 8.2 RHCK
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Anolis
        - Value:
            - Red Hat Enterprise Linux 9.3
            - Red Hat Enterprise Linux 9.2
            - Red Hat Enterprise Linux 9.1
            - Red Hat Enterprise Linux 9.0
            - Red Hat Enterprise Linux 8.9
            - Red Hat Enterprise Linux 8.8
            - Red Hat Enterprise Linux 8.7
            - Red Hat Enterprise Linux 8.6
            - Red Hat Enterprise Linux 8.5
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - RedhatEnterpriseLinux
  Classification:
    Label:
      zh-cn: 分类
      en: Classification
    Type: CommaDelimitedList
    AssociationPropertyMetadata:
      AllowedValues:
        - Value:
            - Applications
            - Definition Updates
            - Drivers
            - Feature Packs
            - Security Updates
            - Service Packs
            - Tools
            - Updates
            - Update Rollups
            - Critical Updates
            - Upgrades
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Windows
        - Value:
            - Security
            - Bugfix
            - Enhancement
            - Recommended
            - NewPackage
          Condition:
            # TODO: refine later to set different classifications for different operating systems.
            Fn::Equals:
              - ${OperationSystem}
              - AliyunLinux
        - Value:
            - Security
            - Bugfix
            - Enhancement
            - Recommended
            - NewPackage
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - CentOS
        - Value:
            - libs
            - libdevel
            - doc
            - debug
            - translations
            - devel
            - admin
            - oldlibs
            - label
            - utils
            - net
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Ubuntu
        - Value:
            - admin
            - cli-mono
            - libs
            - libdevel
            - doc
            - comm
            - debug
            - database
            - devel
            - oldlibs
            - utils
            - net
            - misc
            - gnome
            - perl
            - x11
            - python
            - java
            - kernel
            - shells
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Debian
        - Value:
            - Security
            - Bugfix
            - Enhancement
            - Recommended
            - NewPackage
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Anolis
        - Value:
            - Security
            - Bugfix
            - Enhancement
            - Recommended
            - NewPackage
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - RedhatEnterpriseLinux
  Severity:
    Type: CommaDelimitedList
    Label:
      zh-cn: 严重程度。
      en: Severity
    AssociationPropertyMetadata:
      AllowedValues:
        - Value:
            - Critical
            - Important
            - Moderate
            - Low
            - Unspecified
          Condition:
            # TODO: refine later to set different classifications for different operating systems.
            Fn::Not:
              Fn::Equals:
                - ${OperationSystem}
                - Ubuntu
        - Value:
            - Required
            - Important
            - Standard
            - Optional
            - Extra
          Condition:
            Fn::Equals:
              - ${OperationSystem}
              - Ubuntu
  DefaultPatchBaseline:
    Type: Boolean
    Label:
      zh-cn: 是否设置为默认补丁基线。
      en: Whether to set the patch baseline as the default.
    Default: false
    AllowedValues:
      - true
      - false
    AssociationPropertyMetadata:
      ValueLabelMapping:
        true:
          zh-cn: 是
          en: true
        false:
          zh-cn: 否
          en: false
  OOSTemplateName:
    Type: String
    Label:
      zh-cn: 模板名称。
      en: Template name
    Default: ACS-ECS-BulkyApplyPatchBaseline
    AssociationProperty: ALIYUN::OOS::Template::TemplateName
    AssociationPropertyMetadata:
      RegionId:
        Ref: RegionId
    Description:
      zh-cn: ACS-ECS-BulkyApplyPatchBaseline:用于执行补丁操作的模板。
      en: ACS-ECS-BulkyApplyPatchBaseline:The template name used to execute patch operations.
    MinLength: 2
    MaxLength: 128
  Action:
    Default: install
    AssociationPropertyMetadata:
      LocaleKey: OOSPatchExecuteType
      ValueLabelMapping:
        install:
          zh-cn: 安装并扫描
          en: Install
        scan:
          zh-cn: 扫描
          en: Scan
    AllowedValues:
      - install
      - scan
    Type: String
    Label:
      zh-cn: 配置补丁基线的方式
      en: Action
  TimerTrigger:
    AssociationProperty: ALIYUN::OOS::Component::TimerTrigger
    AssociationPropertyMetadata:
      MinuteInterval: 30
    Type: Json
    Label:
      zh-cn: 定时类型
      en: TimerTrigger
  WhetherCreateSnapshot:
    Default: false
    AssociationPropertyMetadata:
      Visible:
        Condition:
          Fn::Equals:
            - ${Action}
            - install
    Type: Boolean
    Label:
      zh-cn: 是否为系统盘创建快照
      en: WhetherCreateSnapshot
  RetentionDays:
    AssociationPropertyMetadata:
      Visible:
        Condition:
          Fn::Equals:
            - ${WhetherCreateSnapshot}
            - true
    Default: 7
    MaxValue: 65536
    MinValue: 1
    Label:
      zh-cn: 快照保留天数
      en: RetentionDays
    Type: Number
  RebootIfNeed:
    Default: false
    AssociationPropertyMetadata:
      Visible:
        Condition:
          Fn::Equals:
            - ${Action}
            - install
    Type: Boolean
    Label:
      zh-cn: 是否重启
      en: RebootIfNeed
  ResourceType:
    Type: String
    Label:
      en: ResourceType
      zh-cn: 资源类型
    AssociationPropertyMetadata:
      ValueLabelMapping:
        ALIYUN::ECS::Instance:
          zh-cn: ECS实例
          en: ECS instance
        ALIYUN::ECD::Desktop:
          zh-cn: 无影云桌面
          en: Desktop
    AllowedValues:
      - ALIYUN::ECS::Instance
      - ALIYUN::ECD::Desktop
    Default: ALIYUN::ECS::Instance
  Targets:
    AssociationProperty: Targets
    AssociationPropertyMetadata:
      ResourceType: ResourceType
      DeployedRegionId: RegionId
      Status: Running
    Type: Json
    Label:
      zh-cn: 目标实例
      en: TargetInstance
  Timeout:
    Type: Number
    Label:
      zh-cn: 超时时间。
      en: Timeout
    Default: 1800
    Description:
      zh-cn: 超时时间,单位为秒。
      en: Timeout in seconds
  CancelOnDelete:
    Type: Boolean
    Label:
      zh-cn: 是否删除时取消
      en: CancelOnDelete
    Default: true
    AllowedValues:
      - true
      - false
    AssociationPropertyMetadata:
      ValueLabelMapping:
        true:
          zh-cn: 是
          en: true
        false:
          zh-cn: 否
          en: false
Metadata:
  ALIYUN::ROS::Interface:
    ParameterGroups:
      - Parameters:
          - PatchBaselineName
          - OperationSystem
          - Product
          - Classification
          - Severity
          - DefaultPatchBaseline
        Label:
          zh-cn: 补丁基线
          en: Patch baseline
      - Parameters:
          - OOSTemplateName
          - ResourceType
          - Targets
          - Timeout
          - CancelOnDelete
          - Action
          - TimerTrigger
          - WhetherCreateSnapshot
          - RetentionDays
          - RebootIfNeed
        Label:
          zh-cn: 执行参数
          en: Execution parameters
Resources:
  OOSPatchBaseline:
    Type: ALIYUN::OOS::PatchBaseline
    Condition: IsWindows
    Properties:
      PatchBaselineName:
        Ref: PatchBaselineName
      OperationSystem:
        Ref: OperationSystem
      ApprovalRules:
        PatchRules:
          - PatchFilterGroup:
              - Key: PatchSet
                Values:
                  - OS
              - Key: ProductFamily
                Values:
                  - Ref: OperationSystem
              - Key: Product
                Values:
                  - Ref: Product
              - Key: Classification
                Values:
                  - Ref: Classification
              - Key: Severity
                Values:
                  - Ref: Severity
            ApproveAfterDays: 7
            EnableNonSecurity: true
            ComplianceLevel: Medium
  LinuxPatchBaseline:
    Type: ALIYUN::OOS::PatchBaseline
    Condition: IsNotWindows
    Properties:
      PatchBaselineName:
        Ref: PatchBaselineName
      OperationSystem:
        Ref: OperationSystem
      ApprovalRules:
        PatchRules:
          - PatchFilterGroup:
              - Key: Product
                Values:
                  - Ref: Product
              - Key: Classification
                Values:
                  - Ref: Classification
              - Key: Severity
                Values:
                  - Ref: Severity
            ApproveAfterDays: 7
            EnableNonSecurity: true
            ComplianceLevel: Medium
  OOSDefaultPatchBaseline:
    Type: ALIYUN::OOS::DefaultPatchBaseline
    Properties:
      PatchBaselineName:
        Ref: PatchBaselineName
    Condition: IsDefault
    DependsOn: OOSPatchBaseline
  Execution:
    Type: ALIYUN::OOS::Execution
    # Depends on the patch baseline having been created
    DependsOn: OOSPatchBaseline
    Properties:
      TemplateName:
        Ref: OOSTemplateName
      Parameters:
        resourceType:
          Ref: ResourceType
        targets:
          Ref: Targets
        Action:
          Ref: Action
        TimerTrigger:
          Ref: TimerTrigger
        WhetherCreateSnapshot:
          Ref: WhetherCreateSnapshot
        RetentionDays:
          Ref: RetentionDays
      ResourceOptions:
        SuccessStatuses:
          - Running
          - Success
          - Queued
          - Waiting
        Timeout:
          Ref: Timeout
        CancelOnDelete:
          Ref: CancelOnDelete
Conditions:
  IsDefault:
    Fn::Equals:
      - true
      - Ref: DefaultPatchBaseline
  # Conditions compare the parameter value through Ref; a literal ${OperationSystem} is not substituted here.
  IsNotWindows:
    Fn::Not:
      Fn::Equals:
        - Ref: OperationSystem
        - Windows
  IsWindows:
    Fn::Equals:
      - Ref: OperationSystem
      - Windows
Outputs:
  Execution:
    Description:
      zh-cn: 执行成功。
      en: Whether the execution is successful.
    Value:
      Fn::GetAtt:
        - Execution
        - Status
```
```hcl
terraform {
  required_providers {
    alicloud = {
      source  = "aliyun/alicloud"
      version = "1.229.1"
    }
  }
}

provider "alicloud" {
  region = "cn-hangzhou"
}

variable "patch_baseline_name" {
  description = "补丁基线名称"
  type        = string
}

locals {
  approval_rules_json = <<EOF
{
  "PatchRules": [
    {
      "EnableNonSecurity": true,
      "PatchFilterGroup": [
        { "Values": ["OS"], "Key": "PatchSet" },
        { "Values": ["Windows"], "Key": "ProductFamily" },
        { "Values": ["Windows 10", "Windows 7", "Windows Server 2022"], "Key": "Product" },
        { "Values": ["Security Updates", "Updates", "Update Rollups", "Critical Updates"], "Key": "Classification" },
        { "Values": ["Critical", "Important"], "Key": "Severity" }
      ],
      "ApproveAfterDays": 7,
      "ComplianceLevel": "Medium"
    }
  ]
}
EOF

  oos_parameters_json = <<EOF
{
  "resourceType": "ALIYUN::ECS::Instance",
  "targets": {
    "Type": "All",
    "Parameters": {
      "regionId": "cn-hangzhou",
      "Status": "Running"
    }
  }
}
EOF
}

resource "alicloud_oos_patch_baseline" "baseline" {
  patch_baseline_name = var.patch_baseline_name
  operation_system    = "Windows"
  approval_rules      = local.approval_rules_json
}

resource "alicloud_oos_default_patch_baseline" "default" {
  patch_baseline_name = alicloud_oos_patch_baseline.baseline.patch_baseline_name
}

resource "alicloud_oos_execution" "example" {
  template_name = "ACS-ECS-BulkyApplyPatchBaseline"
  parameters    = local.oos_parameters_json
  depends_on    = [alicloud_oos_patch_baseline.baseline, alicloud_oos_default_patch_baseline.default]
}

output "patch_baseline_id" {
  value = alicloud_oos_patch_baseline.baseline.id
}
```
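Added example, not part of the original page or of Alibaba Cloud's code: a Python pre-deployment check that compares a baseline's ApprovalRules with the per-OS Classification and Severity values listed in the template's Parameters section, on the assumption that a filter value outside those lists selects no patches. The function name, the subset of operating systems covered (Debian is omitted), and the Ubuntu sample are constructed for illustration.

```python
import json

# Allowed values copied from the Parameters section of the template on this page.
STD_SEVERITY = {"Critical", "Important", "Moderate", "Low", "Unspecified"}
RPM_CLASSES = {"Security", "Bugfix", "Enhancement", "Recommended", "NewPackage"}
ALLOWED = {
    "Windows": {
        "Classification": {"Applications", "Definition Updates", "Drivers", "Feature Packs",
                           "Security Updates", "Service Packs", "Tools", "Updates",
                           "Update Rollups", "Critical Updates", "Upgrades"},
        "Severity": STD_SEVERITY,
    },
    "Ubuntu": {
        "Classification": {"libs", "libdevel", "doc", "debug", "translations", "devel",
                           "admin", "oldlibs", "label", "utils", "net"},
        "Severity": {"Required", "Important", "Standard", "Optional", "Extra"},
    },
}
for _os in ("AliyunLinux", "CentOS", "Anolis", "RedhatEnterpriseLinux"):
    ALLOWED[_os] = {"Classification": RPM_CLASSES, "Severity": STD_SEVERITY}

# Filter keys that only the Windows baseline in the page's template carries.
WINDOWS_KEYS = {"PatchSet", "ProductFamily"}


def check_approval_rules(operation_system, approval_rules):
    """Return findings for rules whose filters do not fit the OS; [] means no finding."""
    if isinstance(approval_rules, str):
        approval_rules = json.loads(approval_rules)
    allowed = ALLOWED.get(operation_system)
    if allowed is None:
        return [f"no value table for OperationSystem {operation_system!r}"]
    rules = approval_rules.get("PatchRules", [])
    findings = [] if rules else ["no PatchRules: the baseline approves nothing"]
    for i, rule in enumerate(rules):
        filters = {f["Key"]: set(f.get("Values", []))
                   for f in rule.get("PatchFilterGroup", [])}
        for key in ("Classification", "Severity"):
            bad = sorted(filters.get(key, set()) - allowed[key])
            if bad:
                findings.append(f"rule {i}: {key} {bad} not listed for {operation_system}")
        if operation_system == "Windows":
            missing = sorted(WINDOWS_KEYS - filters.keys())
            if missing:
                findings.append(f"rule {i}: missing Windows filter keys {missing}")
    return findings


# The approval rules from the page's Terraform example (Windows).
PAGE_RULES = json.dumps({"PatchRules": [{
    "EnableNonSecurity": True,
    "PatchFilterGroup": [
        {"Key": "PatchSet", "Values": ["OS"]},
        {"Key": "ProductFamily", "Values": ["Windows"]},
        {"Key": "Product", "Values": ["Windows 10", "Windows 7", "Windows Server 2022"]},
        {"Key": "Classification", "Values": ["Security Updates", "Updates",
                                             "Update Rollups", "Critical Updates"]},
        {"Key": "Severity", "Values": ["Critical", "Important"]}],
    "ApproveAfterDays": 7, "ComplianceLevel": "Medium"}]})

# Constructed sample: RPM-style values reused unchanged for an Ubuntu baseline.
UBUNTU_REUSED = {"PatchRules": [{"PatchFilterGroup": [
    {"Key": "Classification", "Values": ["Security"]},
    {"Key": "Severity", "Values": ["Critical", "Important"]}]}]}
```

Call `check_approval_rules("Windows", PAGE_RULES)` before creating the stack; an empty list means the rules use only values the template lists for that operating system.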
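Step 3: Create a stack from the template
This section shows only the main steps for creating a stack. For more information, see Create a stack.
Related operations
Stack creation fails
If stack creation fails, find the target stack on the stack list page and click Troubleshoot to locate the problem quickly.
After the diagnosis completes, you are taken to the troubleshooting page, where you can investigate based on the diagnostic suggestions.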