Using Terraform, unable to add SSM document to aws_cloudwatch_event_target

I'm very new to Terraform and am trying to use it to replicate what I've successfully created via the AWS console.

I'm trying to specify an "SSM Run Command" as a target for a CloudWatch rule and can get everything defined using the aws_cloudwatch_event_target resource except the "Document" field. The rule target and all other associated bits and pieces are created successfully, but when I edit the rule from the console the document section is not filled out (screenshot below). Consequently the rule fails to fire.

[screenshot: target as shown in the console]

Looking at the Terraform documentation for aws_cloudwatch_event_target, I can't see any parameter for specifying the Document, so I'm wondering whether this is even possible, which would be odd given that every other parameter seems to be covered.

Below is the code I'm using to create the target. There is hard-coded stuff in there, but I'm just trying to get it to work at this point.

resource "aws_cloudwatch_event_target" "autogrow" {
  rule     = "autogrow"
  arn      = "arn:aws:ssm:eu-west-1:999999999999:document/AWS-RunShellScript"
  role_arn = "arn:aws:iam::999999999999:role/ec2-cloudwatch"

  # Select the instance directly by ID; the "tag:<Key>" form is only for
  # selecting instances by tag.
  run_command_targets {
    key    = "InstanceIds"
    values = ["i-99999999999"]
  }

  # Parameters for AWS-RunShellScript, in the SendCommand format: every
  # parameter value is a list of strings. The "<<-" heredoc allows the
  # closing marker to be indented.
  input = <<-INPUT
  {
    "commands": ["/data/ssmscript.sh"],
    "workingDirectory": ["/data"],
    "executionTimeout": ["300"]
  }
  INPUT
}

Is it possible to do what I'm trying to do via Terraform? It does work via the console, but I'm wondering whether the functionality just isn't in Terraform yet. I'd expect to be able to specify a "Document" parameter, but all you can specify for the target is "arn".

Any help would be greatly appreciated!



Solution 1:[1]

I think what you need to do is create one of these: https://www.terraform.io/docs/providers/aws/r/ssm_document.html

This will create an SSM document in AWS for you; once you have that, you need to associate that document with your instances using an ssm_document_association.

https://www.terraform.io/docs/providers/aws/r/ssm_association.html

Once you have the document associated with your instances, the event should be able to be triggered via CloudWatch.

Solution 2:[2]

You can create your own SSM document, or you can use AWS-made documents.

To get the contents of the document owned by AWS:

# Reads the AWS-managed document; the data source fails if the document
# does not exist in the provider's region.
data "aws_ssm_document" "aws_doc" {
  name            = "AWS-RunShellScript"
  document_format = "JSON"
}

# Terraform 0.12+ syntax; in 0.11 write "${data.aws_ssm_document.aws_doc.content}".
output "content" {
  value = data.aws_ssm_document.aws_doc.content
}

Reference: https://www.terraform.io/docs/providers/aws/d/ssm_document.html

Solution 3:[3]

I had the same problem of the document not being selected correctly when created via CloudFormation.

What was I doing wrong?

  • The ARN for the AWS Managed document I had was wrong

When I fixed the ARN for AWS-RunShellScript, it started showing up in the console after CloudFormation created the resource:

arn:aws:ssm:ap-southeast-2::document/AWS-RunShellScript

Most of the documentation I went through had an account ID in the ARN. Removing the account ID solved the problem.
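A complete, plan-ready configuration that puts the three answers together. It is an added example, not code from the original question or any of the answers: it uses the account-ID-free managed-document ARN from Solution 3, the aws_ssm_document data source from Solution 2 as a plan-time check that the document exists in the region, and declares the rule, target and IAM role. The region, rule name, schedule, instance ID and script path are assumed placeholders. The role is scoped to ssm:SendCommand on just this document and this instance, which is the least privilege EventBridge needs to invoke Run Command; it needs Terraform 1.2 or later for the lifecycle precondition.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

variable "region" {
  default = "eu-west-1" # assumed
}

variable "instance_id" {
  default = "i-0123456789abcdef0" # constructed placeholder, replace with your instance
}

provider "aws" {
  region = var.region
}

data "aws_caller_identity" "current" {}

# Reading the managed document fails at plan time if it is not available in
# the region, so this doubles as a check on the document name.
data "aws_ssm_document" "run_shell" {
  name            = "AWS-RunShellScript"
  document_format = "JSON"
}

locals {
  # AWS-managed documents have no account ID in their ARN: note the empty
  # field between the region and "document".
  run_shell_document_arn = "arn:aws:ssm:${var.region}::document/AWS-RunShellScript"
  instance_arn           = "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:instance/${var.instance_id}"
}

resource "aws_cloudwatch_event_rule" "autogrow" {
  name                = "autogrow"
  schedule_expression = "rate(5 minutes)" # assumed schedule
}

# Role that EventBridge assumes to call SendCommand. Trust is limited to the
# events service; permission is limited to this document and this instance.
data "aws_iam_policy_document" "events_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "events_ssm" {
  name               = "ec2-cloudwatch"
  assume_role_policy = data.aws_iam_policy_document.events_assume.json
}

data "aws_iam_policy_document" "send_command" {
  statement {
    actions   = ["ssm:SendCommand"]
    resources = [local.run_shell_document_arn, local.instance_arn]
  }
}

resource "aws_iam_role_policy" "send_command" {
  role   = aws_iam_role.events_ssm.id
  policy = data.aws_iam_policy_document.send_command.json
}

resource "aws_cloudwatch_event_target" "autogrow" {
  rule     = aws_cloudwatch_event_rule.autogrow.name
  arn      = local.run_shell_document_arn
  role_arn = aws_iam_role.events_ssm.arn

  # "InstanceIds" selects by instance ID; "tag:<Key>" selects by tag.
  run_command_targets {
    key    = "InstanceIds"
    values = [var.instance_id]
  }

  # Document parameters in the SendCommand format: each value is a list of strings.
  input = jsonencode({
    commands         = ["/data/ssmscript.sh"]
    workingDirectory = ["/data"]
    executionTimeout = ["300"]
  })

  lifecycle {
    precondition {
      condition     = data.aws_ssm_document.run_shell.document_type == "Command"
      error_message = "AWS-RunShellScript must be a Command document to be used as a Run Command target."
    }
  }
}
```

After `terraform apply`, the target in the console shows AWS-RunShellScript as the document. If you later want to target by tag instead of by ID, change the `run_command_targets` key to `tag:<Key>` and widen the instance resource in the SendCommand policy accordingly, or add a condition on `ssm:resourceTag/<Key>` so the role still cannot reach instances outside the intended group.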

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

[1] Solution 1: gochuck
[2] Solution 2: Shitij Mathur
[3] Solution 3: Nisa Balish