I used the SSM Terraform module to create a Windows maintenance window, and I have created a task on one of these Windows maintenance windows.
I have created a JSON file that will help me create a new SSM document.
The creation of the SSM document works fine. The document needs a security group ID and other values, so I have tried to use `templatefile` to pass the SG ID to the document, but it does not work: the Windows maintenance window fails with the error “The supplied parameters for invoking the specified Automation document are incorrect.”
I have tried without the local, just the resource, but it is still not working.
I am not sure how to pass the SecurityGroupId to the document.
```hcl
resource "aws_ssm_document" "t-document" {
  name            = "SGDocument"
  document_type   = "Automation"
  document_format = "JSON"
  content = templatefile("${path.module}/internet-SG.json.tpl",
    {
      SecurityGroupId      = local.SecurityGroupId
      AutomationAssumeRole = local.AutomationAssumeRole
  })
}
```
```json
{
  "schemaVersion": "0.3",
  "parameters": {
    "SecurityGroupId": {
      "type": "String",
      "description": "(Required) The security group ID.",
      "allowedPattern": "^(sg-)([0-9a-f]){1,}$"
    },
    "AutomationAssumeRole": {
      "type": "String",
      "description": "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf.",
      "default": "",
      "allowedPattern": "^arn:aws(-cn|-us-gov)?:iam::\\d{12}:role\\/[\\w+=,.@_\\/-]+|^$"
    }
  },
  "mainSteps": [
    {
      "name": "ModifySecurityGroup",
      "action": "aws:executeScript",
      "onFailure": "Abort",
      "isCritical": true,
      "isEnd": true,
      "timeoutSeconds": 600,
      "description": "## ModifySecurityGroup\nAdds a new rule to the security group allowing all traffic (0.0.0.0/0).\n## Inputs\n* SecurityGroupId: The security group ID.\n## Outputs\nThis step has no outputs.\n",
      "inputs": {
        "Runtime": "python3.7",
        "Handler": "modify_security_group_handler",
        "InputPayload": {
          "SecurityGroupId": "{{SecurityGroupId}}"
        },
        "Script": "import boto3\n\nec2_resource = boto3.resource(\"ec2\")\nec2_client = boto3.client(\"ec2\")\n\ndef modify_security_group_handler(event, context):\n    sg_id = event[\"SecurityGroupId\"]\n    sg_resource = ec2_resource.SecurityGroup(sg_id)\n    successful = True\n    errorMsg = \"\"\n    # more code"
      }
    }
  ]
}
```
2 Answers
Thanks @Marko E and @Helder Sepulveda for your comments. With your feedback, I found my error. As I'm not an expert in Terraform, I forgot to add the parameters to the maintenance window task. Another mistake was how I was passing the variables to the document.
In my experience with `templatefile` it is always best to start small… and yes, locals work fine, that should not be a problem, but your variable interpolation is not.

`{{SecurityGroupId}}`

That should be `${SecurityGroupId}`.

`AutomationAssumeRole`: maybe that is not needed.

Here is a small example: the contents of `foo.tftpl`:

and a Terraform plan on that will output:

Always double check the plan! Make sure it is what you expect it to be.
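Pulling both answers together, here is an added Terraform example (not the asker's code, nor either answerer's) that wires the two pieces that were missing: the maintenance window task hands the document its parameters, and the document is built with `jsonencode()` so SSM's own `{{ Param }}` placeholders are plain string literals and never collide with Terraform interpolation. The local values, the script path `modify_security_group.py`, and `var.maintenance_window_id` / `var.service_role_arn` are assumed stand-ins for whatever the SSM maintenance window module actually exports.

```hcl
# Added example, not the question's or the answers' code. Assumed stand-ins:
# the local values, the script path, and var.maintenance_window_id /
# var.service_role_arn (outputs you would take from the maintenance window module).
locals {
  security_group_id      = "sg-0123456789abcdef0"                         # assumption
  automation_assume_role = "arn:aws:iam::123456789012:role/SSMAutomation" # assumption
}

# Build the Automation document with jsonencode() instead of templatefile():
# Terraform values are referenced directly, and SSM's "{{ Param }}" placeholders
# are ordinary string literals, so there is nothing to escape.
resource "aws_ssm_document" "sg_document" {
  name            = "SGDocument"
  document_type   = "Automation"
  document_format = "JSON"

  content = jsonencode({
    schemaVersion = "0.3"
    description   = "Adds an ingress rule to a security group."
    # Automation runs the steps with this role; an empty value means it runs with the
    # permissions of whoever started it (here, the maintenance window's service role).
    assumeRole = "{{ AutomationAssumeRole }}"
    parameters = {
      SecurityGroupId = {
        type        = "String"
        description = "(Required) The security group ID."
        # Guard: only a security group ID can reach the script.
        allowedPattern = "^sg-[0-9a-f]+$"
      }
      AutomationAssumeRole = {
        type        = "String"
        description = "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf."
        default     = ""
        # HCL "\\d" is the two characters \d; jsonencode emits the valid JSON escape \\d.
        allowedPattern = "^arn:aws(-cn|-us-gov)?:iam::\\d{12}:role\\/[\\w+=,.@_\\/-]+|^$"
      }
    }
    mainSteps = [{
      name           = "ModifySecurityGroup"
      action         = "aws:executeScript"
      onFailure      = "Abort"
      isCritical     = true
      isEnd          = true
      timeoutSeconds = 600
      inputs = {
        Runtime      = "python3.8"
        Handler      = "modify_security_group_handler"
        InputPayload = { SecurityGroupId = "{{ SecurityGroupId }}" }
        # Keep the Python in its own file; file() reads it verbatim, with no interpolation.
        Script = file("${path.module}/modify_security_group.py") # assumed path
      }
    }]
  })
}

# The part the accepted answer was missing: the maintenance window task must pass the
# document its parameters, otherwise SSM rejects the invocation with
# "The supplied parameters for invoking the specified Automation document are incorrect."
resource "aws_ssm_maintenance_window_task" "modify_sg" {
  window_id        = var.maintenance_window_id # assumption: output of the window module
  task_type        = "AUTOMATION"
  task_arn         = aws_ssm_document.sg_document.name
  service_role_arn = var.service_role_arn # assumption: role SSM uses to start the task
  priority         = 1

  # The document acts on a security group, not on instances, so no targets block is needed.
  task_invocation_parameters {
    automation_parameters {
      document_version = "$LATEST"

      # Names must match the document's "parameters" keys exactly.
      parameter {
        name   = "SecurityGroupId"
        values = [local.security_group_id]
      }
      parameter {
        name   = "AutomationAssumeRole"
        values = [local.automation_assume_role]
      }
    }
  }
}
```

If you would rather keep `templatefile`, the rule from the second answer applies inside the `.tftpl`: Terraform values are `${SecurityGroupId}`, SSM placeholders stay `{{ SecurityGroupId }}` untouched, and any literal `${` the document itself needs must be written `$${`. Check the rendered content in `terraform plan` and, after apply, with `aws ssm get-document --name SGDocument`. One caveat a reviewer would raise on the document as posted: the script adds a 0.0.0.0/0 rule, so the role named in `AutomationAssumeRole` should be scoped to `ec2:AuthorizeSecurityGroupIngress` on that one security group ARN, and the `allowedPattern` on `SecurityGroupId` is what keeps the maintenance window from being pointed at anything else.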