[NRL-1739] Add automatic scheduled updates for Window PowerBI GW instances

mattdean3-nhs · mattdean3-nhs · commit 1aef75e94dcf · 2025-10-28T16:12:29.000Z
diff --git a/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf
@@ -15,11 +15,71 @@ resource "aws_instance" "powerbi_gw" {
   user_data = file("${path.module}/scripts/user_data.tpl")
 
   tags = {
-    Name = "${var.name_prefix}-ec2"
+    Name       = "${var.name_prefix}-ec2"
+    PatchGroup = local.windows_patching_tag
   }
 
 }
 
+resource "aws_ssm_maintenance_window" "updates" {
+  name     = "windows-updates"
+  schedule = "cron(0 2 ? * SUN *)" # Sunday 2am UTC
+  duration = 3
+  cutoff   = 1
+}
+
+resource "aws_ssm_maintenance_window_target" "windows_instances" {
+  window_id     = aws_ssm_maintenance_window.updates.id
+  resource_type = "INSTANCE"
+
+  targets {
+    key    = "tag:PatchGroup"
+    values = [local.windows_patching_tag]
+  }
+}
+
+resource "aws_ssm_maintenance_window_task" "patch_task" {
+  window_id        = aws_ssm_maintenance_window.updates.id
+  task_type        = "RUN_COMMAND"
+  task_arn         = "AWS-RunPatchBaseline"
+  priority         = 1
+  service_role_arn = aws_iam_role.maintenance_window_role.arn
+
+  targets {
+    key    = "WindowTargetIds"
+    values = [aws_ssm_maintenance_window_target.windows_instances.id]
+  }
+
+  task_invocation_parameters {
+    run_command_parameters {
+      parameter {
+        name   = "Operation"
+        values = ["Install"]
+      }
+    }
+  }
+}
+
+resource "aws_iam_role" "maintenance_window_role" {
+  name = "maintenance-window-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "ssm.amazonaws.com"
+      }
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "maintenance_window_policy" {
+  role       = aws_iam_role.maintenance_window_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole"
+}
+
 resource "tls_private_key" "instance_key_pair" {
   algorithm = "RSA"
 }
diff --git a/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/locals.tf b/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/locals.tf
@@ -1,3 +1,4 @@
 locals {
-  selected_ami_id = var.use_custom_ami ? data.aws_ami.PowerBI_Gateway[0].id : data.aws_ami.windows-2019.id
+  selected_ami_id      = var.use_custom_ami ? data.aws_ami.PowerBI_Gateway[0].id : data.aws_ami.windows-2019.id
+  windows_patching_tag = "windows_scheduled_patching"
 }

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
`1`	`1`	`locals {`
`2`		`- selected_ami_id = var.use_custom_ami ? data.aws_ami.PowerBI_Gateway[0].id : data.aws_ami.windows-2019.id`
	`2`	`+ selected_ami_id = var.use_custom_ami ? data.aws_ami.PowerBI_Gateway[0].id : data.aws_ami.windows-2019.id`
	`3`	`+ windows_patching_tag = "windows_scheduled_patching"`
`3`	`4`	`}`