AWS Systems Manager Association

This page shows how to write Terraform and CloudFormation for Systems Manager Association and write them securely.

aws_ssm_association (Terraform)

The Association in Systems Manager can be configured in Terraform with the resource name aws_ssm_association. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

05_db.tf#L29
resource "aws_ssm_association" "init" {
  depends_on       = [aws_instance.db1, aws_instance.db2, aws_instance.db3, aws_iam_role_policy_attachment.resources_s3read_policy, aws_iam_role_policy_attachment.resources_ssm_policy]
  name             = "AWS-ApplyAnsiblePlaybooks"
  association_name = "01_init"
  max_concurrency  = "50"
  max_errors       = "0"

ssm.tf#L1
resource "aws_ssm_association" "start_instance" {
  name                = data.aws_ssm_document.start_instance.name
  schedule_expression = var.schedule_expressions["start_instance"]
  compliance_severity = "MEDIUM"
  parameters = {
    AutomationAssumeRole = aws_iam_role.ssm_automation.arn

main.tf#L17
resource "aws_ssm_association" "run_patch_baseline" {
  name = "AWS-RunPatchBaseline"

  parameters = {
    Operation = "Scan"
  }

aws-cw.tf#L1
resource "aws_ssm_association" "install-cwagent" {
  depends_on = [module.ec2]
  name       = "AWS-ConfigureAWSPackage"

  targets {
    key    = "tag:release"

Explanation in Terraform Registry

Associates an SSM Document to an instance or EC2 tag.

AWS::SSM::Association (CloudFormation)

The Association in SSM can be configured in CloudFormation with the resource name AWS::SSM::Association. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

example.yml#L73
    Type: 'AWS::SSM::Association'
    Properties:
      Name: 'AWS-GatherSoftwareInventory'
      ScheduleExpression: 'rate(1 hour)'
      Targets:
      - Key: 'tag:aws:autoscaling:groupName'

example.yml#L73
    Type: 'AWS::SSM::Association'
    Properties:
      Name: 'AWS-GatherSoftwareInventory'
      ScheduleExpression: 'rate(1 hour)'
      Targets:
      - Key: InstanceIds

dep.yml#L55
    Type: "AWS::SSM::Association"
    Properties:
      AssociationName: !Sub HS-ADM-BASE-UpdateAWS-Inspector-${Environment}
      Name: AmazonInspector-ManageAWSAgent
      Parameters:
        Operation:

test.yml#L4
    Type: AWS::SSM::Association
    Properties:
      Name: document-uLiFQIWltidY
#      AssociationName: TestAssociation
      ScheduleExpression:
        Ref: AWS::NoValue

ssm-basics-state-manager.yml#L10
    Type: "AWS::SSM::Association"
    Properties:
      AssociationName: DemoAssociation
      Name: !Ref SSMDocument
      OutputLocation:
        S3Location:

ssm-association.json#L4
      "Type": "AWS::SSM::Association",
      "Properties": {
        "Name": "association",
        "Parameters": {
          "P1": ["a", "b"],
          "p2": []

SSM.json#L3
  "resourceType" : "AWS::SSM::Association",
  "properties" : [ {
    "propertyName" : "DocumentVersion",
    "propertyType" : "String",
    "required" : false
  }, {

ssm-association-vcx64.json#L19
            "Type": "AWS::SSM::Association",
            "Properties": {
                "Name": "AWS-RunPowerShellScript",
                "Parameters": {
                    "commands": [
                        "Write-Output \"#####################################################################################\"",

ssm-association-awscli.json#L19
            "Type": "AWS::SSM::Association",
            "Properties": {
                "Name": "AWS-InstallApplication",
                "Parameters": {
                    "action": [
                        "Install"

ssm-association-InstallApplication.json#L19
            "Type": "AWS::SSM::Association",
            "Properties": {
                "Name": "AWS-InstallApplication",
                "Parameters": {
                    "action": [
                        "Install"

Explanation in CloudFormation Registry

The AWS::SSM::Association resource creates a State Manager association for your managed instances. A State Manager association defines the state that you want to maintain on your instances. For example, an association can specify that anti-virus software must be installed and running on your instances, or that certain ports must be closed. For static targets, the association specifies a schedule for when the configuration is reapplied. For dynamic targets, such as an AWS Resource Group or an AWS Auto Scaling group, State Manager applies the configuration when new instances are added to the group. The association also specifies actions to take when applying the configuration. For example, an association for anti-virus software might run once a day. If the software is not installed, then State Manager installs it. If the software is installed, but the service is not running, then the association might instruct State Manager to start the service.
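
An association of the kind described above, written out in full as an added example (not taken from the registry text or from the GitHub projects listed on this page): a scheduled AWS-RunPatchBaseline scan that targets instances by tag and keeps its command output in S3. The template parameters `PatchGroupTag` and `LogBucketName`, the resource name and the `ssm/patch-scan` prefix are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - daily patch compliance scan via a State Manager association

Parameters:
  # Assumed inputs; both names are hypothetical
  PatchGroupTag:
    Type: String
    Default: web
  LogBucketName:
    Type: String
    Description: Existing S3 bucket that the instance profile is allowed to write to

Resources:
  PatchScanAssociation:
    Type: 'AWS::SSM::Association'
    Properties:
      AssociationName: !Sub 'patch-scan-${PatchGroupTag}'
      Name: 'AWS-RunPatchBaseline'
      # Scan reports missing patches only; it does not install anything
      Parameters:
        Operation:
          - Scan
      # Tag-based target instead of a fixed list of instance IDs
      Targets:
        - Key: 'tag:release'
          Values:
            - !Ref PatchGroupTag
      # Schedule on which the configuration is reapplied
      ScheduleExpression: 'rate(1 day)'
      # Severity reported when the association is non-compliant
      ComplianceSeverity: MEDIUM
      # Limit how many instances run at once; stop on the first error
      MaxConcurrency: '10%'
      MaxErrors: '0'
      # Keep command output for later review
      OutputLocation:
        S3Location:
          OutputS3BucketName: !Ref LogBucketName
          OutputS3KeyPrefix: 'ssm/patch-scan'
```

Leaving `OutputLocation` unset means the run output is not retained in a bucket you control, so set it when association runs need to be auditable.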

Frequently asked questions

What is AWS Systems Manager Association?

AWS Systems Manager Association is a resource for Systems Manager of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Systems Manager Association?

For Terraform, the jakshaym1234/homelike, sasatake/aws-terraform-patterns and ScrumBlaster/app-terraform-live source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the cfn-modules/docs, cfn-modules/docs and bo67192/aws-windows-configman source code examples are useful. See the CloudFormation Example section for further details.