AWS Systems Manager Association
This page shows how to write Terraform and CloudFormation for a Systems Manager Association, and how to write them securely.
aws_ssm_association (Terraform)
The Association in Systems Manager can be configured in Terraform with the resource name aws_ssm_association. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_ssm_association" "init" {
  depends_on = [aws_instance.db1, aws_instance.db2, aws_instance.db3, aws_iam_role_policy_attachment.resources_s3read_policy, aws_iam_role_policy_attachment.resources_ssm_policy]
  name = "AWS-ApplyAnsiblePlaybooks"
  association_name = "01_init"
  max_concurrency = "50"
  max_errors = "0"

resource "aws_ssm_association" "start_instance" {
  name = data.aws_ssm_document.start_instance.name
  schedule_expression = var.schedule_expressions["start_instance"]
  compliance_severity = "MEDIUM"
  parameters = {
    AutomationAssumeRole = aws_iam_role.ssm_automation.arn

resource "aws_ssm_association" "run_patch_baseline" {
  name = "AWS-RunPatchBaseline"
  parameters = {
    Operation = "Scan"
  }

resource "aws_ssm_association" "install-cwagent" {
  depends_on = [module.ec2]
  name = "AWS-ConfigureAWSPackage"
  targets {
    key = "tag:release"
Parameters
apply_only_at_cron_interval - optional - bool
association_id - optional, computed - string
association_name - optional - string
automation_target_parameter_name - optional - string
compliance_severity - optional - string
document_version - optional, computed - string
id - optional, computed - string
instance_id - optional - string
max_concurrency - optional - string
max_errors - optional - string
name - required - string
parameters - optional, computed - map from string to string
schedule_expression - optional - string
output_location - list block
  s3_bucket_name - required - string
  s3_key_prefix - optional - string
targets - list block
Explanation in Terraform Registry
Associates an SSM Document to an instance or EC2 tag.
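A complete association of the kind the excerpts above show only in part, written here as an added example and not taken from the repositories this page cites. The variable, the association name, the schedule, the tag value and the key prefix are assumptions chosen for illustration; the document name, the Operation parameter and the tag key come from the excerpts.

```hcl
# Added example. Hypothetical names: ssm_output_bucket, patch_scan,
# "patch-scan-prod", the "prod" tag value and the S3 key prefix.
variable "ssm_output_bucket" {
  description = "Name of an existing S3 bucket that receives association output (assumed to exist)"
  type        = string
}

resource "aws_ssm_association" "patch_scan" {
  name             = "AWS-RunPatchBaseline"
  association_name = "patch-scan-prod"

  # The association is reapplied to its targets on this schedule.
  schedule_expression = "cron(0 2 ? * SUN *)"
  compliance_severity = "MEDIUM"

  # Scan reports missing patches without installing them.
  parameters = {
    Operation = "Scan"
  }

  # Target by tag rather than by a fixed instance_id, so instances that
  # carry the tag are covered without editing the association.
  targets {
    key    = "tag:release"
    values = ["prod"]
  }

  # Limit the blast radius of a bad run: apply to a fraction of the
  # targets at a time and stop sending to new targets after the first error.
  max_concurrency = "10%"
  max_errors      = "0"

  # Keep the command output in S3 so each run can be reviewed later.
  output_location {
    s3_bucket_name = var.ssm_output_bucket
    s3_key_prefix  = "ssm/patch-scan"
  }
}
```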
AWS::SSM::Association (CloudFormation)
The Association in SSM can be configured in CloudFormation with the resource name AWS::SSM::Association. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: 'AWS::SSM::Association'
Properties:
  Name: 'AWS-GatherSoftwareInventory'
  ScheduleExpression: 'rate(1 hour)'
  Targets:
    - Key: 'tag:aws:autoscaling:groupName'

Type: 'AWS::SSM::Association'
Properties:
  Name: 'AWS-GatherSoftwareInventory'
  ScheduleExpression: 'rate(1 hour)'
  Targets:
    - Key: InstanceIds

Type: "AWS::SSM::Association"
Properties:
  AssociationName: !Sub HS-ADM-BASE-UpdateAWS-Inspector-${Environment}
  Name: AmazonInspector-ManageAWSAgent
  Parameters:
    Operation:

Type: AWS::SSM::Association
Properties:
  Name: document-uLiFQIWltidY
  # AssociationName: TestAssociation
  ScheduleExpression:
    Ref: AWS::NoValue

Type: "AWS::SSM::Association"
Properties:
  AssociationName: DemoAssociation
  Name: !Ref SSMDocument
  OutputLocation:
    S3Location:

"Type": "AWS::SSM::Association",
"Properties": {
  "Name": "association",
  "Parameters": {
    "P1": ["a", "b"],
    "p2": []

"resourceType" : "AWS::SSM::Association",
"properties" : [ {
  "propertyName" : "DocumentVersion",
  "propertyType" : "String",
  "required" : false
}, {

"Type": "AWS::SSM::Association",
"Properties": {
  "Name": "AWS-RunPowerShellScript",
  "Parameters": {
    "commands": [
      "Write-Output \"#####################################################################################\"",

"Type": "AWS::SSM::Association",
"Properties": {
  "Name": "AWS-InstallApplication",
  "Parameters": {
    "action": [
      "Install"

"Type": "AWS::SSM::Association",
"Properties": {
  "Name": "AWS-InstallApplication",
  "Parameters": {
    "action": [
      "Install"
Parameters
AssociationName - optional - String
DocumentVersion - optional - String
InstanceId - optional - String
Name - required - String
Parameters - optional - Map
ScheduleExpression - optional - String
Targets - optional - List of Target
OutputLocation - optional - InstanceAssociationOutputLocation
AutomationTargetParameterName - optional - String
MaxErrors - optional - String
MaxConcurrency - optional - String
ComplianceSeverity - optional - String
SyncCompliance - optional - String
WaitForSuccessTimeoutSeconds - optional - Integer
ApplyOnlyAtCronInterval - optional - Boolean
CalendarNames - optional - List
Explanation in CloudFormation Registry
The AWS::SSM::Association resource creates a State Manager association for your managed instances. A State Manager association defines the state that you want to maintain on your instances. For example, an association can specify that anti-virus software must be installed and running on your instances, or that certain ports must be closed. For static targets, the association specifies a schedule for when the configuration is reapplied. For dynamic targets, such as an AWS Resource Groups or an AWS Auto Scaling Group, State Manager applies the configuration when new instances are added to the group. The association also specifies actions to take when applying the configuration. For example, an association for anti-virus software might run once a day. If the software is not installed, then State Manager installs it. If the software is installed, but the service is not running, then the association might instruct State Manager to start the service.
Frequently asked questions
What is AWS Systems Manager Association?
AWS Systems Manager Association is a resource for Systems Manager of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Systems Manager Association?
For Terraform, the jakshaym1234/homelike, sasatake/aws-terraform-patterns and ScrumBlaster/app-terraform-live source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the cfn-modules/docs, cfn-modules/docs and bo67192/aws-windows-configman source code examples are useful. See the CloudFormation Example section for further details.