
I used the SSM Terraform module to create maintenance windows, and I have created a task on one of these maintenance windows.

I have created a JSON file that will help me create a new SSM document.
The creation of the SSM document works fine. The document needs a security group ID and other values; I have tried to use templatefile so I can pass the SG ID to the document, but it does not work: the maintenance window fails with the error “The supplied parameters for invoking the specified Automation document are incorrect.”
I have tried without the local, just the resource, but it is still not working.

I am not sure how to pass the SecurityGroupId to the document.

resource "aws_ssm_document" "t-document" {
  name            = "SGDocument"
  document_type   = "Automation"
  document_format = "JSON"

  # Render the document body from the template, passing the values from locals
  content = templatefile("${path.module}/internet-SG.json.tpl",
    {
      SecurityGroupId      = local.SecurityGroupId
      AutomationAssumeRole = local.AutomationAssumeRole
    })
}

The JSON template (internet-SG.json.tpl):

{
  "schemaVersion": "0.3",
  "parameters": {
    "SecurityGroupId": {
      "type": "String",
      "description": "(Required) The security group ID.",
      "allowedPattern": "^(sg-)([0-9a-f]){1,}$"
    },
    "AutomationAssumeRole": {
      "type": "String",
      "description": "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf.",
      "default": "",
      "allowedPattern": "^arn:aws(-cn|-us-gov)?:iam::\\d{12}:role\\/[\\w+=,.@_\\/-]+|^$"
    }
  },
  "mainSteps": [
    {
      "name": "ModifySecurityGroup",
      "action": "aws:executeScript",
      "onFailure": "Abort",
      "isCritical": true,
      "isEnd": true,
      "timeoutSeconds": 600,
      "description": "## ModifySecurityGroup\nAdds a new rule to the security group allowing all traffic (0.0.0.0/0).\n## Inputs\n* SecurityGroupId: The security group ID.\n## Outputs\nThis step has no outputs.\n",
      "inputs": {
        "Runtime": "python3.7",
        "Handler": "modify_security_group_handler",
        "InputPayload": {
          "SecurityGroupId": "{{SecurityGroupId}}"
        },
        "Script": "import boto3\n\nec2_resource = boto3.resource(\"ec2\")\nec2_client = boto3.client(\"ec2\")\n\ndef modify_security_group_handler(event, context):\n    sg_id = event[\"SecurityGroupId\"]\n    sg_resource = ec2_resource.SecurityGroup(sg_id)\n    successful = True\n    errorMsg = \"\"\n    # more code"
      }
    }
  ]
}

2 Answers


  1. Chosen as BEST ANSWER

    Thanks @Marko E and @Helder Sepulveda for your comments. With your feedback, I found my error. As I'm not an expert in Terraform, I forgot to add the parameters in the maintenance window task. Another mistake was how I was passing the variables to the document.
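The fix the accepted answer describes, written out as an added example (this is not code from the question, the answers, or the SSM module): the Automation document's parameters have to be supplied on the maintenance window task itself, in a `task_invocation_parameters` / `automation_parameters` block. It reuses the `aws_ssm_document.t-document` resource and the `internet-SG.json.tpl` template from the question; the locals' values, the `aws_ssm_maintenance_window.win` resource, its schedule, the task name `modify_sg` and the role ARN are assumptions/placeholders.

```hcl
# Added example, not from the question or answers. Placeholder values are
# marked; replace them with your own locals or module outputs.

locals {
  SecurityGroupId      = "sg-0123456789abcdef0"                             # placeholder
  AutomationAssumeRole = "arn:aws:iam::123456789012:role/SsmAutomationRole" # placeholder ARN
}

resource "aws_ssm_document" "t-document" {
  name            = "SGDocument"
  document_type   = "Automation"
  document_format = "JSON"

  # templatefile only expands ${...} and %{...}. The {{SecurityGroupId}}
  # references in the template are SSM's own parameter syntax and pass
  # through literally, so SSM resolves them from the parameters supplied
  # by the task at execution time, not from these template variables.
  content = templatefile("${path.module}/internet-SG.json.tpl", {
    SecurityGroupId      = local.SecurityGroupId
    AutomationAssumeRole = local.AutomationAssumeRole
  })
}

# Assumed window; the SSM module in the question creates its own instead.
resource "aws_ssm_maintenance_window" "win" {
  name     = "sg-window"
  schedule = "cron(0 2 ? * SUN *)" # placeholder schedule
  duration = 2
  cutoff   = 1
}

# The task is where the document's parameters must be provided. Registering
# the AUTOMATION task without this block is what yields "The supplied
# parameters for invoking the specified Automation document are incorrect."
resource "aws_ssm_maintenance_window_task" "modify_sg" {
  window_id       = aws_ssm_maintenance_window.win.id
  task_type       = "AUTOMATION"
  task_arn        = aws_ssm_document.t-document.name # for AUTOMATION tasks this is the document name
  priority        = 1
  max_concurrency = "1"
  max_errors      = "1"

  task_invocation_parameters {
    automation_parameters {
      document_version = "$LATEST"

      # Must match the document's "parameters" names and allowedPattern
      parameter {
        name   = "SecurityGroupId"
        values = [local.SecurityGroupId]
      }

      parameter {
        name   = "AutomationAssumeRole"
        values = [local.AutomationAssumeRole]
      }
    }
  }
}
```

Run `terraform plan` and confirm the task's `automation_parameters` show both parameters with the expected values before applying. Because the document's step adds a 0.0.0.0/0 rule to whatever group it is given, keep the `AutomationAssumeRole` policy restricted to the specific security group(s) this window is meant to change, and rely on the document's `allowedPattern` plus the task-level parameter as the only way the group ID reaches the script.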


  2. In my experience with templatefile it is always best to start small…
    and yes locals work fine, that should not be a problem, but your variable interpolation is not.

    • You have {{SecurityGroupId}} that should be ${SecurityGroupId}
    • I do not see you using the AutomationAssumeRole maybe that is not needed

    Here is a small example:

    locals {
      tests = {
        aaa = { one = "111", two = "222" }
        bbb = { one = "777", two = "999" }
      }
    }
    
    resource "null_resource" "test" {
      for_each = local.tests
      triggers = {
        txt = templatefile("./foo.tftpl", { name = each.key, config = each.value })
      }
    }
    

    the contents of foo.tftpl:

    hello ${name}
    option one ${config.one}
    option two ${config.two}
    

    and a Terraform plan on that will output:

    Terraform will perform the following actions:
    
      # null_resource.test["aaa"] will be created
      + resource "null_resource" "test" {
          + id       = (known after apply)
          + triggers = {
              + "txt" = <<-EOT
                    hello aaa
                    option one 111
                    option two 222
                EOT
            }
        }
    
      # null_resource.test["bbb"] will be created
      + resource "null_resource" "test" {
          + id       = (known after apply)
          + triggers = {
              + "txt" = <<-EOT
                    hello bbb
                    option one 777
                    option two 999
                EOT
            }
        }
    
    Plan: 2 to add, 0 to change, 0 to destroy.
    

    Always double check the plan! Make sure it is what you expect it to be.
