I am creating an SSM document, association and aws_iam_role_policy. The goal is an automation script that describes EC2 instances.
Everything works, but the association is failing with InvalidAutomationParameters. When I look at the association execution targets in the AWS console, I see "no execution target found".
However, this all works if I use the document created by my Terraform and manually assign an association.
I've tried a few different versions using either "target" or "Instance Id" for automation_target_parameter_name:
```hcl
# Role that the SSM Automation service assumes when the document runs
resource "aws_iam_role" "ssm-automation_roletest" {
  name_prefix = "ssm_automation_roletest"
  path        = "/"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Principal" : {
          "Service" : "ssm.amazonaws.com"
        },
        "Effect" : "Allow",
        "Sid" : ""
      }
    ]
  })
}

# Inline policy on the role: allows every EC2 action on all resources
resource "aws_iam_role_policy" "ssm_automation_roletest" {
  role = aws_iam_role.ssm-automation_roletest.name
  policy = jsonencode({
    "Statement" : [
      {
        "Effect" : "Allow",
        "Action" : ["ec2:*"],
        "Resource" : "*"
      }
    ]
  })
}

# Scheduled association for the automation document
# (aws_ssm_document.test is not shown in this post)
resource "aws_ssm_association" "testabc" {
  name                             = aws_ssm_document.test.name
  schedule_expression              = "cron(0 11 0 ? * * *)"
  automation_target_parameter_name = "targets"
  parameters = {
    AutomationAssumeRole = aws_iam_role.ssm-automation_roletest.arn
  }
  targets {
    key    = "aws:NoOpAutomationTag"
    values = ["AWS-NoOpAutomationTarget-Value"]
  }
}
```