Templatefile with json file and aws ssm automation

I used the SSM Terraform module to create a maintenance window, and I have created a task on one of these maintenance windows.

I have created a JSON file that will help me create a new SSM document.
The creation of the SSM document works fine. The document needs security_id and other values; I have tried to use templatefile, but it is still not working: the maintenance window fails with the error “The supplied parameters for invoking the specified Automation document are incorrect.”
I have tried without the local, just the resource, but it is still not working.

Terraform code:

resource "aws_ssm_document" "t-document" {
  name            = "SGDocument"
  document_type   = "Automation"
  document_format = "JSON"

  # Render the document body from the template, filling in the two values
  content = templatefile("${path.module}/internet-SG.json.tpl", {
    SecurityGroupId      = local.SecurityGroupId
    AutomationAssumeRole = local.AutomationAssumeRole
  })
}

JSON file:

{
  "schemaVersion": "0.3",
  "parameters": {
    "SecurityGroupId": {
      "type": "String",
      "description": "(Required) The security group ID.",
      "allowedPattern": "^(sg-)([0-9a-f]){1,}$"
    },
    "AutomationAssumeRole": {
      "type": "String",
      "description": "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf.",
      "default": "",
      "allowedPattern": "^arn:aws(-cn|-us-gov)?:iam::\\d{12}:role\\/[\\w+=,.@_\\/-]+|^$"
    }
  },
  "mainSteps": [
    {
      "name": "ModifySecurityGroup",
      "action": "aws:executeScript",
      "onFailure": "Abort"
    }
  ]
}

After doing more research I found the correct way to pass the variables to the document.

{
  "schemaVersion": "0.3",
  "parameters": {
    "SecurityGroupId": {
      "type": "String",
      "description": "(Required) The security group ID.",
      "allowedPattern": "^(sg-)([0-9a-f]){1,}$"
    },
    "AutomationAssumeRole": {
      "type": "String",
      "description": "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf.",
      "default": "",
      "allowedPattern": "^arn:aws(-cn|-us-gov)?:iam::\\d{12}:role\\/[\\w+=,.@_\\/-]+|^$"
    }
  },
  "mainSteps": [
    {
      "name": "ModifySecurityGroup",
      "action": "aws:executeScript",
      "onFailure": "Abort",
      "isCritical": true,
      "isEnd": true,
      "timeoutSeconds": 600,
      "description": "## ModifySecurityGroup\nAdds a new rule to the security group allowing all traffic (0.0.0.0/0).\n## Inputs\n* SecurityGroupId: The security group ID.\n## Outputs\nThis step has no outputs.\n",
      "inputs": {
        "Runtime": "python3.7",
        "Handler": "modify_security_group_handler",
        "InputPayload": {
          "SecurityGroupId": "${SecurityGroupId}"
        },
        "Script": "import boto3\n\nec2_resource = boto3.resource(\"ec2\")\nec2_client = boto3.client(\"ec2\")\n\ndef modify_security_group_handler(event, context):\n    sg_id = event[\"SecurityGroupId\"]\n    sg_resource = ec2_resource.SecurityGroup(sg_id)\n    successful = True\n    errorMsg = \"\"\n    # more code"
      }
    }
  ]
}

In the document step details I can see the value, and the sg-id is correct, but when I run the maintenance window I still get the same error: "The supplied parameters for invoking the specified Automation document are incorrect."

All working now.
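As an added pre-flight check, not part of the original post or of the Terraform module it uses, the function below validates a set of task parameters against an Automation document the way SSM does before it accepts an invocation. The sample document is constructed from the one above, with the step payload written as the SSM run-time reference "{{ SecurityGroupId }}" rather than a Terraform "${SecurityGroupId}" substitution.

```python
import json
import re

# Constructed sample modelled on the document in the post. The payload uses the SSM
# run-time reference "{{ SecurityGroupId }}", which is resolved from the invocation's
# parameters; a Terraform "${SecurityGroupId}" would instead be substituted by
# templatefile at plan time, leaving the declared parameter unused.
DOCUMENT = {
    "schemaVersion": "0.3",
    "parameters": {
        "SecurityGroupId": {"type": "String", "allowedPattern": "^(sg-)([0-9a-f]){1,}$"},
        "AutomationAssumeRole": {
            "type": "String", "default": "",
            "allowedPattern": "^arn:aws(-cn|-us-gov)?:iam::\\d{12}:role\\/[\\w+=,.@_\\/-]+|^$",
        },
    },
    "mainSteps": [{
        "name": "ModifySecurityGroup",
        "action": "aws:executeScript",
        "inputs": {"InputPayload": {"SecurityGroupId": "{{ SecurityGroupId }}"}},
    }],
}

# Plain "{{ Name }}" parameter references only; step outputs ("{{ Step.Out }}") and
# system variables ("{{ automation:EXECUTION_ID }}") are deliberately not matched.
PARAM_REF = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def check_invocation(document, supplied):
    """Return the problems SSM would reject the invocation for (empty list = OK).

    Covers what surfaces as "The supplied parameters for invoking the specified
    Automation document are incorrect": undeclared names, required parameters
    (no default) left unset, values failing allowedPattern, and step references
    to parameters the document never declares.
    """
    declared = document.get("parameters", {})
    problems = [f"unknown parameter {n!r}" for n in supplied if n not in declared]
    for name, spec in declared.items():
        if name not in supplied:
            if "default" not in spec:
                problems.append(f"missing required parameter {name!r}")
            continue
        pattern = spec.get("allowedPattern")
        if pattern and not re.fullmatch(pattern, supplied[name]):
            problems.append(f"value for {name!r} does not match allowedPattern")
    for ref in PARAM_REF.findall(json.dumps(document.get("mainSteps", []))):
        if ref not in declared:
            problems.append(f"step references undeclared parameter {ref!r}")
    return problems
```

Run it against the parameters your maintenance window task passes (the names must match the document's declared parameters exactly, including case) before applying the Terraform change.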
