AWS Systems Manager Association
This page shows how to write Terraform and CloudFormation for Systems Manager Association and write them securely.
aws_ssm_association (Terraform)
The Association in Systems Manager can be configured in Terraform with the resource name aws_ssm_association. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_ssm_association" "init" {
  depends_on = [aws_instance.db1, aws_instance.db2, aws_instance.db3, aws_iam_role_policy_attachment.resources_s3read_policy, aws_iam_role_policy_attachment.resources_ssm_policy]

  name             = "AWS-ApplyAnsiblePlaybooks"
  association_name = "01_init"
  max_concurrency  = "50"
  max_errors       = "0"
  # excerpt ends here
}

resource "aws_ssm_association" "start_instance" {
  name                = data.aws_ssm_document.start_instance.name
  schedule_expression = var.schedule_expressions["start_instance"]
  compliance_severity = "MEDIUM"

  parameters = {
    AutomationAssumeRole = aws_iam_role.ssm_automation.arn
    # excerpt ends here
  }
}

resource "aws_ssm_association" "run_patch_baseline" {
  name = "AWS-RunPatchBaseline"

  parameters = {
    Operation = "Scan"
  }
  # excerpt ends here
}

resource "aws_ssm_association" "install-cwagent" {
  depends_on = [module.ec2]

  name = "AWS-ConfigureAWSPackage"

  targets {
    key = "tag:release"
    # values are not shown in this excerpt
  }
}
Parameters
apply_only_at_cron_interval - optional - bool
association_id - optional computed - string
association_name - optional - string
automation_target_parameter_name - optional - string
compliance_severity - optional - string
document_version - optional computed - string
id - optional computed - string
instance_id - optional - string
max_concurrency - optional - string
max_errors - optional - string
name - required - string
parameters - optional computed - map from string to string
schedule_expression - optional - string
output_location - list block
  s3_bucket_name - required - string
  s3_key_prefix - optional - string
targets - list block
Explanation in Terraform Registry
Associates an SSM Document to an instance or EC2 tag.
AWS::SSM::Association (CloudFormation)
The Association in SSM can be configured in CloudFormation with the resource name AWS::SSM::Association. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: 'AWS::SSM::Association'
Properties:
  Name: 'AWS-GatherSoftwareInventory'
  ScheduleExpression: 'rate(1 hour)'
  Targets:
    - Key: 'tag:aws:autoscaling:groupName'

Type: 'AWS::SSM::Association'
Properties:
  Name: 'AWS-GatherSoftwareInventory'
  ScheduleExpression: 'rate(1 hour)'
  Targets:
    - Key: InstanceIds

Type: "AWS::SSM::Association"
Properties:
  AssociationName: !Sub HS-ADM-BASE-UpdateAWS-Inspector-${Environment}
  Name: AmazonInspector-ManageAWSAgent
  Parameters:
    Operation:

Type: AWS::SSM::Association
Properties:
  Name: document-uLiFQIWltidY
  # AssociationName: TestAssociation
  ScheduleExpression:
    Ref: AWS::NoValue

Type: "AWS::SSM::Association"
Properties:
  AssociationName: DemoAssociation
  Name: !Ref SSMDocument
  OutputLocation:
    S3Location:

"Type": "AWS::SSM::Association",
"Properties": {
  "Name": "association",
  "Parameters": {
    "P1": ["a", "b"],
    "p2": []

"resourceType" : "AWS::SSM::Association",
"properties" : [ {
  "propertyName" : "DocumentVersion",
  "propertyType" : "String",
  "required" : false
}, {

"Type": "AWS::SSM::Association",
"Properties": {
  "Name": "AWS-RunPowerShellScript",
  "Parameters": {
    "commands": [
      "Write-Output \"#####################################################################################\"",

"Type": "AWS::SSM::Association",
"Properties": {
  "Name": "AWS-InstallApplication",
  "Parameters": {
    "action": [
      "Install"

"Type": "AWS::SSM::Association",
"Properties": {
  "Name": "AWS-InstallApplication",
  "Parameters": {
    "action": [
      "Install"
Parameters
AssociationName - optional - String
DocumentVersion - optional - String
InstanceId - optional - String
Name - required - String
Parameters - optional - Map
ScheduleExpression - optional - String
Targets - optional - List of Target
OutputLocation - optional - InstanceAssociationOutputLocation
AutomationTargetParameterName - optional - String
MaxErrors - optional - String
MaxConcurrency - optional - String
ComplianceSeverity - optional - String
SyncCompliance - optional - String
WaitForSuccessTimeoutSeconds - optional - Integer
ApplyOnlyAtCronInterval - optional - Boolean
CalendarNames - optional - List
Explanation in CloudFormation Registry
The AWS::SSM::Association resource creates a State Manager association for your managed instances. A State Manager association defines the state that you want to maintain on your instances. For example, an association can specify that anti-virus software must be installed and running on your instances, or that certain ports must be closed. For static targets, the association specifies a schedule for when the configuration is reapplied. For dynamic targets, such as an AWS Resource Group or an AWS Auto Scaling group, State Manager applies the configuration when new instances are added to the group. The association also specifies actions to take when applying the configuration. For example, an association for anti-virus software might run once a day. If the software is not installed, then State Manager installs it. If the software is installed, but the service is not running, then the association might instruct State Manager to start the service.
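A complete template for the kind of association described above, as an added example that is not one of the page's GitHub excerpts: it schedules a patch compliance scan on tagged instances and writes the output to a private, encrypted bucket. The tag key and value, the association name, the schedule and the concurrency limits are assumptions, and the instances' role is assumed to be allowed to write to the bucket.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - scheduled patch scan through a State Manager association

Parameters:
  PatchGroupTagValue:            # hypothetical tag value that selects the instances
    Type: String
    Default: example-web

Resources:
  # Association output can contain host details, so the bucket that
  # receives it is encrypted and closed to public access.
  AssociationLogBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  PatchScanAssociation:
    Type: AWS::SSM::Association
    Properties:
      AssociationName: example-patch-scan   # assumed name
      Name: AWS-RunPatchBaseline            # AWS-managed document
      Parameters:
        Operation:
          - Scan                            # report only; nothing is installed
      Targets:
        - Key: tag:PatchGroup               # hypothetical tag key
          Values:
            - !Ref PatchGroupTagValue
      ScheduleExpression: cron(0 2 ? * SUN *)
      ApplyOnlyAtCronInterval: true         # wait for the schedule; do not run on create
      ComplianceSeverity: HIGH
      MaxConcurrency: '10%'                 # limit how many instances run at once
      MaxErrors: '5%'                       # stop sending to new instances past this error rate
      OutputLocation:
        S3Location:
          OutputS3BucketName: !Ref AssociationLogBucket
          OutputS3KeyPrefix: patch-scan
```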
Frequently asked questions
What is AWS Systems Manager Association?
AWS Systems Manager Association is a resource for Systems Manager of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Systems Manager Association?
For Terraform, the jakshaym1234/homelike, sasatake/aws-terraform-patterns and ScrumBlaster/app-terraform-live source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the cfn-modules/docs, cfn-modules/docs and bo67192/aws-windows-configman source code examples are useful. See the CloudFormation Example section for further details.