Resource: awsSsmAssociation

Associates an SSM Document to an instance or EC2 tag.

Example Usage

Create an association for a specific instance

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.ssmAssociation.SsmAssociation(this, "example", {
  name: "${aws_ssm_document.example.name}",
  targets: [
    {
      key: "InstanceIds",
      values: ["${aws_instance.example.id}"],
    },
  ],
});

Create an association for all managed instances in an AWS account

To target all managed instances in an AWS account, set the key as "InstanceIds" with values set as ["*"]. This example also illustrates how to use an Amazon-owned SSM document named AmazonCloudWatch-ManageAgent.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.ssmAssociation.SsmAssociation(this, "example", {
  name: "AmazonCloudWatch-ManageAgent",
  targets: [
    {
      key: "InstanceIds",
      values: ["*"],
    },
  ],
});

Create an association for a specific tag

This example shows how to target all managed instances that are assigned a tag key of Environment and a value of Development.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.ssmAssociation.SsmAssociation(this, "example", {
  name: "AmazonCloudWatch-ManageAgent",
  targets: [
    {
      key: "tag:Environment",
      values: ["Development"],
    },
  ],
});

Create an association with a specific schedule

This example shows how to schedule an association in various ways.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.ssmAssociation.SsmAssociation(this, "example", {
  name: "${aws_ssm_document.example.name}",
  scheduleExpression: "cron(0 2 ? * SUN *)",
  targets: [
    {
      key: "InstanceIds",
      values: ["${aws_instance.example.id}"],
    },
  ],
});

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the SSM document to apply.
  • applyOnlyAtCronInterval - (Optional) By default, when you create a new association or update an existing one, the system runs it immediately and then according to the schedule you specified. Enable this option if you do not want an association to run immediately after you create or update it. This parameter is not supported for rate expressions. Default: false.
  • associationName - (Optional) The descriptive name for the association.
  • documentVersion - (Optional) The document version you want to associate with the target(s). Can be a specific version or the default version.
  • instanceId - (Optional) The instance ID to apply an SSM document to. Use targets with key InstanceIds for document schema versions 2.0 and above.
  • outputLocation - (Optional) An output location block. Output Location is documented below.
  • parameters - (Optional) A block of arbitrary string parameters to pass to the SSM document.
  • scheduleExpression - (Optional) A cron or rate expression that specifies when the association runs.
  • targets - (Optional) A block containing the targets of the SSM association. Targets are documented below. AWS currently supports a maximum of 5 targets.
  • complianceSeverity - (Optional) The compliance severity for the association. Can be one of the following: UNSPECIFIED, LOW, MEDIUM, HIGH or CRITICAL.
  • maxConcurrency - (Optional) The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%.
  • maxErrors - (Optional) The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify a number, for example 10, or a percentage of the target set, for example 10%.
  • automationTargetParameterName - (Optional) Specify the target for the association. This target is required for associations that use an automation document and target resources by using rate controls. This should be set to the SSM document parameter that will define how your automation will branch out.
  • waitForSuccessTimeoutSeconds - (Optional) The number of seconds to wait for the association status to be success. If success status is not reached within the given time, the create operation will fail.

Output Location (outputLocation) is an S3 bucket where you want to store the results of this association:

  • s3BucketName - (Required) The S3 bucket name.
  • s3KeyPrefix - (Optional) The S3 bucket prefix. Results stored in the root if not configured.
  • s3Region - (Optional) The S3 bucket region.

Targets specify which instance IDs or tags to apply the document to and have these keys:

  • key - (Required) Either InstanceIds or tag:tagName to specify an EC2 tag.
  • values - (Required) A list of instance IDs or tag values. AWS currently limits this list size to one value.
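
An association runs a document on every instance its targets select, so it is worth linting the props before synthesizing. The following is an added example, not part of the provider or of the original page: lintAssociation and its interfaces are hypothetical names, and the rules encode only constraints stated in the argument reference above, plus one policy assumption (a wildcard target should carry maxConcurrency and maxErrors).

```typescript
// Added example: lint SsmAssociation props against the constraints in the
// argument reference. Interface and function names are hypothetical.
interface Target { key: string; values: string[] }
interface AssociationProps {
  name: string;
  targets?: Target[];
  scheduleExpression?: string;
  applyOnlyAtCronInterval?: boolean;
  maxConcurrency?: string;
  maxErrors?: string;
  complianceSeverity?: string;
}

const SEVERITIES = ["UNSPECIFIED", "LOW", "MEDIUM", "HIGH", "CRITICAL"];
const COUNT_OR_PERCENT = /^(\d+|(100|\d{1,2})%)$/;

function lintAssociation(p: AssociationProps): string[] {
  const out: string[] = [];
  const targets = p.targets || [];
  if (targets.length > 5) out.push("ERROR: more than 5 targets");
  for (const t of targets) {
    // Keys are case-sensitive: "instanceIds" is not "InstanceIds".
    if (!/^(InstanceIds|tag:.+)$/.test(t.key)) {
      out.push(`WARN: target key "${t.key}" is not InstanceIds or tag:<name>`);
    }
    // values ["*"] selects every managed instance in the account.
    if (t.key === "InstanceIds" && t.values.indexOf("*") !== -1) {
      out.push("WARN: wildcard target runs the document on all managed instances");
      if (!p.maxConcurrency || !p.maxErrors) {
        // Policy assumption of this example, not a provider requirement.
        out.push("WARN: wildcard target without maxConcurrency and maxErrors");
      }
    }
  }
  // applyOnlyAtCronInterval is not supported for rate expressions.
  if (p.applyOnlyAtCronInterval && /^rate\(/.test(p.scheduleExpression || "")) {
    out.push("ERROR: applyOnlyAtCronInterval used with a rate expression");
  }
  for (const field of ["maxConcurrency", "maxErrors"] as const) {
    const v = p[field];
    if (v !== undefined && !COUNT_OR_PERCENT.test(v)) {
      out.push(`ERROR: ${field} "${v}" is not a number or a percentage`);
    }
  }
  const sev = p.complianceSeverity;
  if (sev !== undefined && SEVERITIES.indexOf(sev.toUpperCase()) === -1) {
    out.push(`ERROR: unknown complianceSeverity "${sev}"`);
  }
  return out;
}
```

Call lintAssociation with the same object you pass to SsmAssociation and fail the build on any finding that starts with ERROR.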

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - The ARN of the SSM association.
  • associationId - The ID of the SSM association.
  • instanceId - The instance id that the SSM document was applied to.
  • name - The name of the SSM document to apply.
  • parameters - Additional parameters passed to the SSM document.

Import

SSM associations can be imported using the associationId, e.g.,

$ terraform import aws_ssm_association.test-association 10abcdef-0abc-1234-5678-90abcdef123456