AWS::SSM::Association
The AWS::SSM::Association resource creates a State Manager association for
your managed instances. A State Manager association defines the state that you want to
maintain on your instances. For example, an association can specify that anti-virus software
must be installed and running on your instances, or that certain ports must be closed. For
static targets, the association specifies a schedule for when the configuration is reapplied.
For dynamic targets, such as an AWS Resource Groups or an AWS Auto Scaling Group, State Manager
applies the configuration when new instances are added to the group. The association also
specifies actions to take when applying the configuration. For example, an association for
anti-virus software might run once a day. If the software is not installed, then State Manager
installs it. If the software is installed, but the service is not running, then the
association might instruct State Manager to start the service.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::SSM::Association", "Properties" : { "ApplyOnlyAtCronInterval" :Boolean, "AssociationName" :String, "AutomationTargetParameterName" :String, "CalendarNames" :[ String, ... ], "ComplianceSeverity" :String, "DocumentVersion" :String, "InstanceId" :String, "MaxConcurrency" :String, "MaxErrors" :String, "Name" :String, "OutputLocation" :InstanceAssociationOutputLocation, "Parameters" :Json, "ScheduleExpression" :String, "ScheduleOffset" :Integer, "SyncCompliance" :String, "Targets" :[ Target, ... ], "WaitForSuccessTimeoutSeconds" :Integer} }
YAML
Type: AWS::SSM::Association Properties: ApplyOnlyAtCronInterval:BooleanAssociationName:StringAutomationTargetParameterName:StringCalendarNames:- StringComplianceSeverity:StringDocumentVersion:StringInstanceId:StringMaxConcurrency:StringMaxErrors:StringName:StringOutputLocation:InstanceAssociationOutputLocationParameters:JsonScheduleExpression:StringScheduleOffset:IntegerSyncCompliance:StringTargets:- TargetWaitForSuccessTimeoutSeconds:Integer
Properties
ApplyOnlyAtCronInterval-
By default, when you create a new association, the system runs it immediately after it is created and then according to the schedule you specified. Specify this option if you don't want an association to run immediately after you create it. This parameter is not supported for rate expressions.
Required: No
Type: Boolean
Update requires: No interruption
AssociationName-
Specify a descriptive name for the association.
Required: No
Type: String
Pattern:
^[a-zA-Z0-9_\-.]{3,128}$Update requires: No interruption
AutomationTargetParameterName-
Choose the parameter that will define how your automation will branch out. This target is required for associations that use an Automation runbook and target resources by using rate controls. Automation is a capability of AWS Systems Manager.
Required: No
Type: String
Minimum:
1Maximum:
50Update requires: No interruption
CalendarNames-
The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that Change Calendar is open. For more information, see AWS Systems Manager Change Calendar.
Required: No
Type: List of String
Update requires: No interruption
ComplianceSeverity-
The severity level that is assigned to the association.
Required: No
Type: String
Allowed values:
CRITICAL | HIGH | LOW | MEDIUM | UNSPECIFIEDUpdate requires: No interruption
DocumentVersion-
The version of the SSM document to associate with the target.
Important Note the following important information.
State Manager doesn't support running associations that use a new version of a document if that document is shared from another account. State Manager always runs the
defaultversion of a document if shared from another account, even though the Systems Manager console shows that a new version was processed. If you want to run an association using a new version of a document shared form another account, you must set the document version todefault.DocumentVersionis not valid for documents owned by AWS, such asAWS-RunPatchBaselineorAWS-UpdateSSMAgent. If you specifyDocumentVersionfor an AWS document, the system returns the following error: "Error occurred during operation 'CreateAssociation'." (RequestToken: <token>, HandlerErrorCode: GeneralServiceException).
Required: No
Type: String
Pattern:
([$]LATEST|[$]DEFAULT|^[1-9][0-9]*$)Update requires: No interruption
InstanceId-
The ID of the instance that the SSM document is associated with. You must specify the
InstanceIdorTargetsproperty.Note InstanceIdhas been deprecated. To specify an instance ID for an association, use theTargetsparameter. If you use the parameterInstanceId, you cannot use the parametersAssociationName,DocumentVersion,MaxErrors,MaxConcurrency,OutputLocation, orScheduleExpression. To use these parameters, you must use theTargetsparameter.Required: Conditional
Type: String
Pattern:
(^i-(\w{8}|\w{17})$)|(^mi-\w{17}$)Update requires: No interruption
MaxConcurrency-
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while Systems Manager is running
MaxConcurrencyassociations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified forMaxConcurrency.Required: No
Type: String
Minimum:
1Maximum:
7Pattern:
^([1-9][0-9]*|[1-9][0-9]%|[1-9]%|100%)$Update requires: No interruption
MaxErrors-
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set
MaxErrorto 10%, then the system stops sending the request when the sixth error is received.Executions that are already running an association when
MaxErrorsis reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, setMaxConcurrencyto 1 so that executions proceed one at a time.Required: No
Type: String
Minimum:
1Maximum:
7Pattern:
^([1-9][0-9]*|[0]|[1-9][0-9]%|[0-9]%|100%)$Update requires: No interruption
Name-
The name of the SSM document that contains the configuration information for the instance. You can specify
CommandorAutomationdocuments. The documents can be AWS-predefined documents, documents you created, or a document that is shared with you from another account. For SSM documents that are shared with you from other AWS accounts, you must specify the complete SSM document ARN, in the following format:arn:partition:ssm:region:account-id:document/document-nameFor example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-DocumentFor AWS-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example,
AWS-ApplyPatchBaselineorMy-Document.Required: Yes
Type: String
Pattern:
^[a-zA-Z0-9_\-.:/]{3,128}$Update requires: No interruption
OutputLocation-
An Amazon Simple Storage Service (Amazon S3) bucket where you want to store the output details of the request.
Required: No
Type: InstanceAssociationOutputLocation
Update requires: No interruption
Parameters-
The parameters for the runtime configuration of the document.
Required: No
Type: Json
Update requires: No interruption
ScheduleExpression-
A cron expression that specifies a schedule when the association runs. The schedule runs in Coordinated Universal Time (UTC).
Required: No
Type: String
Minimum:
1Maximum:
256Update requires: No interruption
ScheduleOffset-
Number of days to wait after the scheduled day to run an association.
Required: No
Type: Integer
Minimum:
1Maximum:
6Update requires: No interruption
SyncCompliance-
The mode for generating association compliance. You can specify
AUTOorMANUAL. InAUTOmode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association isCOMPLIANT. If the association execution doesn't run successfully, the association isNON-COMPLIANT.In
MANUALmode, you must specify theAssociationIdas a parameter for the PutComplianceItems API action. In this case, compliance data is not managed by State Manager. It is managed by your direct call to the PutComplianceItems API action.By default, all associations use
AUTOmode.Required: No
Type: String
Allowed values:
AUTO | MANUALUpdate requires: No interruption
Targets-
The targets for the association. You must specify the
InstanceIdorTargetsproperty. You can target all instances in an AWS account by specifying theInstanceIdskey with a value of*. To view a JSON and a YAML example that targets all instances, see "Create an association for all managed instances in an AWS account" on the Examples page.Required: Conditional
Type: List of Target
Maximum:
5Update requires: No interruption
WaitForSuccessTimeoutSeconds-
The number of seconds the service should wait for the association status to show "Success" before proceeding with the stack execution. If the association status doesn't show "Success" after the specified number of seconds, then stack creation fails.
Required: No
Type: Integer
Update requires: No interruption
Return values
Fn::GetAtt
Examples
Create an association for a specific instance
The following example creates an association that uses the AWS-RunShellScript SSM document. The association runs a simple command on a specific instance.
JSON
{ "Resources": { "SpecificInstanceIdAssociation": { "Type": "AWS::SSM::Association", "Properties": { "Name": "AWS-RunShellScript", "Targets": [ { "Key": "InstanceIds", "Values": [ "i-1234567890abcdef0" ] } ], "Parameters": { "commands": [ "ls" ], "workingDirectory": [ "/" ] }, "WaitForSuccessTimeoutSeconds": 300 } } } }
YAML
--- Resources: SpecificInstanceIdAssociation: Type: AWS::SSM::Association Properties: Name: AWS-RunShellScript Targets: - Key: InstanceIds Values: - i-1234567890abcdef0 Parameters: commands: - ls workingDirectory: - "/" WaitForSuccessTimeoutSeconds: 300
Create an association for all managed instances in an AWS account
The following example creates an association that uses the AWS-UpdateSSMAgent SSM document. The association updates SSM Agent on all managed instances (instances configured for Systems Manager) in the user's AWS account according to the specified CRON schedule.
JSON
{ "Resources": { "AllInstanceIdsAssociation": { "Type": "AWS::SSM::Association", "Properties": { "AssociationName": "UpdateSSMAgent", "Name": "AWS-UpdateSSMAgent", "ScheduleExpression": "cron(0 2 ? * SUN *)", "Targets": [ { "Key": "InstanceIds", "Values": [ "*" ] } ], "WaitForSuccessTimeoutSeconds": 300 } } } }
YAML
--- Resources: AllInstanceIdsAssociation: Type: AWS::SSM::Association Properties: AssociationName: UpdateSSMAgent Name: AWS-UpdateSSMAgent ScheduleExpression: cron(0 2 ? * SUN *) Targets: - Key: InstanceIds Values: - "*" WaitForSuccessTimeoutSeconds: 300
Create an association for a specific tag
The following example creates an association that uses the AWS-UpdateSSMAgent SSM
document. The association updates SSM Agent on all managed instances that are assigned a
tag key of Environment and value of Production. The association
runs every seven days according to the specified rate expression.
JSON
{ "Resources": { "TaggedInstancesAssociation": { "Type": "AWS::SSM::Association", "Properties": { "AssociationName": "UpdateSSMAgent", "Name": "AWS-UpdateSSMAgent", "ScheduleExpression": "rate(7 days)", "Targets": [ { "Key": "tag:Environment", "Values": [ "Production" ] } ], "WaitForSuccessTimeoutSeconds": 300 } } } }
YAML
--- Resources: TaggedInstancesAssociation: Type: AWS::SSM::Association Properties: AssociationName: UpdateSSMAgent Name: AWS-UpdateSSMAgent ScheduleExpression: rate(7 days) Targets: - Key: tag:Environment Values: - Production WaitForSuccessTimeoutSeconds: 300
Create an association that associates an automation document with an instance
The following example creates an association that assigns the AWS-StopEC2Instance automation document to a specific instance.
This example specifies the following Amazon Resource Name (ARN):
arn:${AWS::Partition}:iam::aws:policy/AmazonEC2FullAccess. This policy
provides more than the required permissions to stop the instance. We recommend that you
use a policy with more restrictive permissions.
JSON
{ "Resources": { "AutomationExecutionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" }, "Action": [ "sts:AssumeRole" ] } ] }, "Path": "/", "ManagedPolicyArns": [ "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2FullAccess" ] } }, "AutomationAssociation": { "Type": "AWS::SSM::Association", "Properties": { "Name": "AWS-StopEC2Instance", "Parameters": { "AutomationAssumeRole": [ "AutomationExecutionRole.Arn" ] }, "Targets": [ { "Key": "ParameterValues", "Values": [ "i-1234567890abcdef0" ] } ], "AutomationTargetParameterName": "InstanceId" } } } }
YAML
--- Resources: AutomationExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: ssm.amazonaws.com Action: - sts:AssumeRole Path: / ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEC2FullAccess AutomationAssociation: Type: AWS::SSM::Association Properties: Name: AWS-StopEC2Instance Parameters: AutomationAssumeRole: - !GetAtt AutomationExecutionRole.Arn Targets: - Key: ParameterValues Values: - i-1234567890abcdef0 AutomationTargetParameterName: InstanceId
Create an association that uses rate controls and sends log output to Amazon S3
The following example creates an association that uses rate controls. The association attempts to update SSM Agent on only 20% of instances at one time. Systems Manager stops the association from running on any additional instances if the execution fails on 5% of the total number of instances. Systems Manager also logs the association output to Amazon S3.
JSON
{ "Resources": { "RateControlAssociation": { "Type": "AWS::SSM::Association", "Properties": { "Name": "AWS-UpdateSSMAgent", "Targets": [ { "Key": "InstanceIds", "Values": [ "*" ] } ], "MaxConcurrency": "20%", "MaxErrors": "5%" }, "OutputLocation": { "S3Location": { "OutputS3BucketName": "MyAssociationOutputBucket", "OutputS3KeyPrefix": "my-agent-update-output" } }, "WaitForSuccessTimeoutSeconds": 300 } } }
YAML
--- Resources: RateControlAssociation: Type: 'AWS::SSM::Association' Properties: Name: AWS-UpdateSSMAgent Targets: - Key: InstanceIds Values: - '*' MaxConcurrency: 20% MaxErrors: 5% OutputLocation: S3Location: OutputS3BucketName: MyAssociationOutputBucket OutputS3KeyPrefix: my-agent-update-output WaitForSuccessTimeoutSeconds: 300
Create an association that works with Ansible
The following example creates an association that uses Ansible and Systems Manager to deploy Nginx. This template copies the Ansible Playbook from a Github repo. The target is based on instance ID.
JSON
{ "Description": "Deploy Single EC2 Linux Instance", "Parameters": { "LatestAmiId": { "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>", "Default": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" }, "GitHubOwner": { "Type": "String" }, "GitHubRepo": { "Type": "String" }, "GitHubBranch": { "Type": "String" } }, "Resources": { "SSMAssocLogs": { "Type": "AWS::S3::Bucket" }, "SSMInstanceRole": { "Type": "AWS::IAM::Role", "Properties": { "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::aws-ssm-${AWS::Region}/*", "arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*", "arn:aws:s3:::amazon-ssm-${AWS::Region}/*", "arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*", "arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*", "arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*" ], "Effect": "Allow" } ] }, "PolicyName": "ssm-custom-s3-policy" }, { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:ListBucket" ], "Resource": [ "arn:${AWS::Partition}:s3:::${SSMAssocLogs}/*", "arn:${AWS::Partition}:s3:::${SSMAssocLogs}" ], "Effect": "Allow" } ] }, "PolicyName": "s3-instance-bucket-policy" } ], "Path": "/", "ManagedPolicyArns": [ "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" ], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com", "ssm.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } } }, "SSMInstanceProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Roles": [ "SSMInstanceRole" ] } }, "EC2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": "LatestAmiId", "InstanceType": "t3.small", "IamInstanceProfile": "SSMInstanceProfile" } }, "AnsibleAssociation": { "Type": "AWS::SSM::Association", "Properties": { "Name": "AWS-ApplyAnsiblePlaybooks", "WaitForSuccessTimeoutSeconds": 300, "Targets": [ { "Key": "InstanceIds", "Values": [ "EC2Instance" ] } ], "OutputLocation": { "S3Location": { "OutputS3BucketName": "SSMAssocLogs", "OutputS3KeyPrefix": "logs/" } }, "Parameters": { "SourceType": [ "GitHub" ], "SourceInfo": [ "{\"owner\":\"${GitHubOwner}\",\n\"repository\":\"${GitHubRepo}\",\n\"path\":\"\",\n\"getOptions\":\"branch:${GitHubBranch}\"}\n" ], "InstallDependencies": [ "True" ], "PlaybookFile": [ "playbook.yml" ], "ExtraVariables": [ "SSM=True" ], "Check": [ "False" ], "Verbose": [ "-v" ] } } } }, "Outputs": { "WebServerPublic": { "Value": "EC2Instance.PublicDnsName", "Description": "Public DNS for WebServer" } } }
YAML
--- Description: "Deploy Single EC2 Linux Instance" Parameters: # Using SSM Parameter Store to fetch the Latest AMI for Amazon Linux, eliminates the need for AMI Mappings LatestAmiId: Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>' Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" GitHubOwner: Type: 'String' GitHubRepo: Type: 'String' GitHubBranch: Type: 'String' Resources: SSMAssocLogs: Type: AWS::S3::Bucket SSMInstanceRole: Type : AWS::IAM::Role Properties: Policies: - PolicyDocument: Version: '2012-10-17' Statement: - Action: - s3:GetObject Resource: - !Sub 'arn:aws:s3:::aws-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*' - !Sub 'arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*' - !Sub 'arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*' Effect: Allow PolicyName: ssm-custom-s3-policy - PolicyDocument: Version: '2012-10-17' Statement: - Action: - s3:GetObject - s3:PutObject - s3:PutObjectAcl - s3:ListBucket Resource: - !Sub 'arn:${AWS::Partition}:s3:::${SSMAssocLogs}/*' - !Sub 'arn:${AWS::Partition}:s3:::${SSMAssocLogs}' Effect: Allow PolicyName: s3-instance-bucket-policy Path: / ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" - "ssm.amazonaws.com" Action: "sts:AssumeRole" SSMInstanceProfile: Type: "AWS::IAM::InstanceProfile" Properties: Roles: - !Ref SSMInstanceRole EC2Instance: Type: "AWS::EC2::Instance" Properties: ImageId: !Ref LatestAmiId InstanceType: "t3.small" IamInstanceProfile: !Ref SSMInstanceProfile AnsibleAssociation: Type: AWS::SSM::Association Properties: # Here using the AWS-ApplyAnsiblePlaybooks Name: AWS-ApplyAnsiblePlaybooks WaitForSuccessTimeoutSeconds: 300 # Targeting Instance by InstanceId passed from the Logical ID of Instance being created # in CloudFormation Targets: - Key: InstanceIds Values: [ !Ref EC2Instance ] OutputLocation: S3Location: OutputS3BucketName: !Ref SSMAssocLogs OutputS3KeyPrefix: 'logs/' Parameters: # Getting an Ansible Playbook from a GitHub Location SourceType: - 'GitHub' # At a minimum must include the following GitHub repo information, if using a private repo # would want to include the GitHub Token option SourceInfo: - !Sub | {"owner":"${GitHubOwner}", "repository":"${GitHubRepo}", "path":"", "getOptions":"branch:${GitHubBranch}"} # Installing Ansible and its dependencies InstallDependencies: - 'True' # Playbook file we want to run PlaybookFile: - 'playbook.yml' ExtraVariables: - 'SSM=True' Check: - 'False' Verbose: - '-v' Outputs: WebServerPublic: Value: !GetAtt 'EC2Instance.PublicDnsName' Description: Public DNS for WebServer
Create an association that runs a bash script
The following example creates an association that runs a bash script. Target is based on tags.
JSON
{ "Description": "Deploy Single EC2 Linux Instance Install and Install Nginx by a State Manager Association", "Parameters": { "LatestAmiId": { "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>", "Default": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" } }, "Resources": { "SSMAssocLogs": { "Type": "AWS::S3::Bucket" }, "SSMInstanceRole": { "Type": "AWS::IAM::Role", "Properties": { "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::aws-ssm-${AWS::Region}/*", "arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*", "arn:aws:s3:::amazon-ssm-${AWS::Region}/*", "arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*", "arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*", "arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*" ], "Effect": "Allow" } ] }, "PolicyName": "ssm-custom-s3-policy" }, { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:ListBucket" ], "Resource": [ "arn:${AWS::Partition}:s3:::${SSMAssocLogs}/*", "arn:${AWS::Partition}:s3:::${SSMAssocLogs}" ], "Effect": "Allow" } ] }, "PolicyName": "s3-instance-bucket-policy" } ], "Path": "/", "ManagedPolicyArns": [ "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy" ], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com", "ssm.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } } }, "SSMInstanceProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Roles": [ "SSMInstanceRole" ] } }, "EC2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": "LatestAmiId", "InstanceType": "t3.medium", "IamInstanceProfile": "SSMInstanceProfile", "Tags": [ { "Key": "nginx", "Value": "yes" } ] } }, "NginxAssociation": { "DependsOn": "EC2Instance", "Type": "AWS::SSM::Association", "Properties": { "Name": "AWS-RunShellScript", "WaitForSuccessTimeoutSeconds": 300, "Targets": [ { "Key": "tag:nginx", "Values": [ "yes" ] } ], "OutputLocation": { "S3Location": { "OutputS3BucketName": "SSMAssocLogs", "OutputS3KeyPrefix": "logs/" } }, "Parameters": { "commands": [ "sudo amazon-linux-extras install nginx1 -y\nsudo service nginx start\n" ] } } } }, "Outputs": { "WebServerPublic": { "Value": "EC2Instance.PublicDnsName", "Description": "Public DNS for WebServer" } } }
YAML
--- Description: "Deploy Single EC2 Linux Instance Install and Install Nginx by a State Manager Association" Parameters: LatestAmiId: Type: 'AWS::SSM::Parameter::Value*<AWS::EC2::Image::Id>' Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" Resources: SSMAssocLogs: Type: AWS::S3::Bucket # Role that allows SSM Agent to communicate with SSM and allows use of all features of SSM SSMInstanceRole: Type : AWS::IAM::Role Properties: Policies: - PolicyDocument: Version: '2012-10-17' Statement: - Action: - s3:GetObject Resource: - !Sub 'arn:aws:s3:::aws-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*' - !Sub 'arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*' - !Sub 'arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*' Effect: Allow PolicyName: ssm-custom-s3-policy - PolicyDocument: Version: '2012-10-17' Statement: - Action: - s3:GetObject - s3:PutObject - s3:PutObjectAcl - s3:ListBucket Resource: - !Sub 'arn:${AWS::Partition}:s3:::${SSMAssocLogs}/*' - !Sub 'arn:${AWS::Partition}:s3:::${SSMAssocLogs}' Effect: Allow PolicyName: s3-instance-bucket-policy Path: / ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" - "ssm.amazonaws.com" Action: "sts:AssumeRole" SSMInstanceProfile: Type: "AWS::IAM::InstanceProfile" Properties: Roles: - !Ref SSMInstanceRole EC2Instance: Type: "AWS::EC2::Instance" Properties: ImageId: !Ref LatestAmiId InstanceType: "t3.medium" IamInstanceProfile: !Ref SSMInstanceProfile Tags: - Key: 'nginx' Value: 'yes' NginxAssociation: DependsOn: EC2Instance # CloudFormation Resource Type that creates State Manager Associations Type: AWS::SSM::Association Properties: # Command Document that this Association will run Name: AWS-RunShellScript WaitForSuccessTimeoutSeconds: 300 # Targeting Instance by Tags Targets: - Key: tag:nginx Values: - 'yes' # The passing in the S3 Bucket that is created in the template that logs will be sent to OutputLocation: S3Location: OutputS3BucketName: !Ref SSMAssocLogs OutputS3KeyPrefix: 'logs/' # Parameters for the AWS-RunShellScript, in this case commands to install nginx Parameters: commands: - | sudo amazon-linux-extras install nginx1 -y sudo service nginx start Outputs: WebServerPublic: Value: !GetAtt 'EC2Instance.PublicDnsName' Description: Public DNS for WebServer
Create an association that runs a bash script with Systems Manager Automation
The following example creates an assocation that runs a bash script using State Manager and Automation with multiple steps. Target is based on tags.
JSON
{ "Description": "Deploy Single EC2 Linux Instance", "Parameters": { "LatestAmiId": { "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>", "Default": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" } }, "Resources": { "SSMAssocLogs": { "Type": "AWS::S3::Bucket" }, "nginxInstallAutomation": { "Type": "AWS::SSM::Document", "Properties": { "DocumentType": "Automation", "Content": { "schemaVersion": "0.3", "description": "Updates AMI with Linux distribution packages and installs Nginx software", "assumeRole": "{{AutomationAssumeRole}}", "parameters": { "InstanceId": { "description": "ID of the Instance.", "type": "String" }, "AutomationAssumeRole": { "default": "", "description": "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf.", "type": "String" } }, "mainSteps": [ { "name": "updateOSSoftware", "action": "aws:runCommand", "maxAttempts": 3, "timeoutSeconds": 3600, "inputs": { "DocumentName": "AWS-RunShellScript", "InstanceIds": [ "{{InstanceId}}" ], "CloudWatchOutputConfig": { "CloudWatchOutputEnabled": "true" }, "Parameters": { "commands": [ "#!/bin/bash\nsudo yum update -y\nneeds-restarting -r\nif [ $? -eq 1 ]\nthen\n exit 194\nelse\n exit 0\nfi\n" ] } } }, { "name": "InstallNginx", "action": "aws:runCommand", "inputs": { "DocumentName": "AWS-RunShellScript", "InstanceIds": [ "{{InstanceId}}" ], "CloudWatchOutputConfig": { "CloudWatchOutputEnabled": "true" }, "Parameters": { "commands": [ "sudo amazon-linux-extras install nginx1 -y\nsudo service nginx start\n" ] } } }, { "name": "TestInstall", "action": "aws:runCommand", "maxAttempts": 3, "timeoutSeconds": 3600, "onFailure": "Abort", "inputs": { "DocumentName": "AWS-RunShellScript", "InstanceIds": [ "{{InstanceId}}" ], "Parameters": { "commands": [ "curl localhost\n" ] } } } ] } } }, "SSMExecutionRole": { "Type": "AWS::IAM::Role", "Properties": { "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "ssm:StartAssociationsOnce", "ssm:CreateAssociation", "ssm:CreateAssociationBatch", "ssm:UpdateAssociation" ], "Resource": "*", "Effect": "Allow" } ] }, "PolicyName": "ssm-association" } ], "Path": "/", "ManagedPolicyArns": [ "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSSMAutomationRole" ], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com", "ssm.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } } }, "SSMInstanceRole": { "Type": "AWS::IAM::Role", "Properties": { "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::aws-ssm-${AWS::Region}/*", "arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*", "arn:aws:s3:::amazon-ssm-${AWS::Region}/*", "arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*", "arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*", "arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*" ], "Effect": "Allow" } ] }, "PolicyName": "ssm-custom-s3-policy" }, { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:ListBucket" ], "Resource": [ "arn:${AWS::Partition}:s3:::${SSMAssocLogs}/*", "arn:${AWS::Partition}:s3:::${SSMAssocLogs}" ], "Effect": "Allow" } ] }, "PolicyName": "s3-instance-bucket-policy" } ], "Path": "/", "ManagedPolicyArns": [ "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy" ], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com", "ssm.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } } }, "SSMInstanceProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Roles": [ "SSMInstanceRole" ] } }, "EC2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": "LatestAmiId", "InstanceType": "t3.medium", "IamInstanceProfile": "SSMInstanceProfile", "Tags": [ { "Key": "nginx", "Value": true } ] } }, "NginxAssociation": { "DependsOn": "EC2Instance", "Type": "AWS::SSM::Association", "Properties": { "Name": "nginxInstallAutomation", "WaitForSuccessTimeoutSeconds": 300, "OutputLocation": { "S3Location": { "OutputS3BucketName": "SSMAssocLogs", "OutputS3KeyPrefix": "logs/" } }, "AutomationTargetParameterName": "InstanceId", "Parameters": { "AutomationAssumeRole": [ "SSMExecutionRole.Arn" ] }, "Targets": [ { "Key": "tag:nginx", "Values": [ true ] } ] } } }, "Outputs": { "WebServerPublic": { "Value": "EC2Instance.PublicDnsName", "Description": "Public DNS for WebServer" } } }
YAML
--- Description: "Deploy Single EC2 Linux Instance" Parameters: LatestAmiId: Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>' Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" Resources: SSMAssocLogs: Type: AWS::S3::Bucket nginxInstallAutomation: Type: AWS::SSM::Document Properties: DocumentType: Automation Content: schemaVersion: "0.3" description: "Updates AMI with Linux distribution packages and installs Nginx software" assumeRole: "{{AutomationAssumeRole}}" parameters: InstanceId: description: "ID of the Instance." type: "String" AutomationAssumeRole: default: "" description: "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf." type: "String" mainSteps: - name: "updateOSSoftware" action: "aws:runCommand" maxAttempts: 3 timeoutSeconds: 3600 inputs: DocumentName: "AWS-RunShellScript" InstanceIds: - "{{InstanceId}}" CloudWatchOutputConfig: CloudWatchOutputEnabled: "true" Parameters: commands: - | #!/bin/bash sudo yum update -y needs-restarting -r if [ $? -eq 1 ] then exit 194 else exit 0 fi - name: "InstallNginx" action: "aws:runCommand" inputs: DocumentName: "AWS-RunShellScript" InstanceIds: - "{{InstanceId}}" CloudWatchOutputConfig: CloudWatchOutputEnabled: "true" Parameters: commands: - | sudo amazon-linux-extras install nginx1 -y sudo service nginx start - name: "TestInstall" action: "aws:runCommand" maxAttempts: 3 timeoutSeconds: 3600 onFailure: "Abort" inputs: DocumentName: "AWS-RunShellScript" InstanceIds: - "{{InstanceId}}" Parameters: commands: - | curl localhost SSMExecutionRole: Type : AWS::IAM::Role Properties: Policies: - PolicyDocument: Version: '2012-10-17' Statement: - Action: - ssm:StartAssociationsOnce - ssm:CreateAssociation - ssm:CreateAssociationBatch - ssm:UpdateAssociation Resource: '*' Effect: Allow PolicyName: ssm-association Path: / ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSSMAutomationRole' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" - "ssm.amazonaws.com" Action: "sts:AssumeRole" SSMInstanceRole: Type : AWS::IAM::Role Properties: Policies: - PolicyDocument: Version: '2012-10-17' Statement: - Action: - s3:GetObject Resource: - !Sub 'arn:aws:s3:::aws-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*' - !Sub 'arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*' - !Sub 'arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*' Effect: Allow PolicyName: ssm-custom-s3-policy - PolicyDocument: Version: '2012-10-17' Statement: - Action: - s3:GetObject - s3:PutObject - s3:PutObjectAcl - s3:ListBucket Resource: - !Sub 'arn:${AWS::Partition}:s3:::${SSMAssocLogs}/*' - !Sub 'arn:${AWS::Partition}:s3:::${SSMAssocLogs}' Effect: Allow PolicyName: s3-instance-bucket-policy Path: / ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" - "ssm.amazonaws.com" Action: "sts:AssumeRole" SSMInstanceProfile: Type: "AWS::IAM::InstanceProfile" Properties: Roles: - !Ref SSMInstanceRole EC2Instance: Type: "AWS::EC2::Instance" Properties: ImageId: !Ref LatestAmiId InstanceType: "t3.medium" IamInstanceProfile: !Ref SSMInstanceProfile Tags: - Key: nginx Value: Yes NginxAssociation: DependsOn: EC2Instance Type: AWS::SSM::Association Properties: Name: !Ref nginxInstallAutomation WaitForSuccessTimeoutSeconds: 300 OutputLocation: S3Location: OutputS3BucketName: !Ref SSMAssocLogs OutputS3KeyPrefix: 'logs/' AutomationTargetParameterName: InstanceId Parameters: AutomationAssumeRole: - !GetAtt 'SSMExecutionRole.Arn' Targets: - Key: tag:nginx Values: - Yes Outputs: WebServerPublic: Value: !GetAtt 'EC2Instance.PublicDnsName' Description: Public DNS for WebServer
Create an association that joins targets to a Windows Active Directory domain
The following example creates an association that joins targets to a Windows Active Directory domain by using State Manager. Target is based on tags.
JSON
{ "Description": "Deploy single windows EC2 Instance and join domain with SSM Association", "Parameters": { "DomainAdminPassword": { "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", "Description": "Password for the domain admin user. Must be at least 8 characters, containing letters, numbers, and symbols.", "MaxLength": "32", "MinLength": "8", "NoEcho": "true", "Type": "String" }, "DomainAdminUser": { "AllowedPattern": "[a-zA-Z0-9]*", "Default": "Admin", "Description": "User name for the account that will be used as domain administrator. This is separate from the default \"Administrator\" account.", "MaxLength": "25", "MinLength": "5", "Type": "String" }, "DomainDNSName": { "AllowedPattern": "[a-zA-Z0-9\\-]+\\..+", "Default": "example.com", "Description": "Fully qualified domain name (FQDN).", "MaxLength": "255", "MinLength": "2", "Type": "String" }, "DomainMemberSGID": { "Description": "ID of the domain member security group (e.g., sg-7f16e910).", "Type": "AWS::EC2::SecurityGroup::Id" }, "DomainNetBIOSName": { "AllowedPattern": "[a-zA-Z0-9\\-]+", "Default": "EXAMPLE", "Description": "NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows.", "MaxLength": "15", "MinLength": "1", "Type": "String" }, "EC2InstanceType": { "AllowedValues": [ "t3.nano", "t3.micro", "t3.small", "t3.medium", "t3.large", "t3.xlarge", "t3.2xlarge", "m5.large", "m5.xlarge", "m5.2xlarge" ], "Default": "m5.large", "Description": "Amazon EC2 instance type", "Type": "String" }, "LatestAmiId": { "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>", "Default": "/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base" }, "SubnetID": { "Description": "ID of a Subnet.", "Type": "AWS::EC2::Subnet::Id" } }, "Resources": { "DSCBucket": { "Type": "AWS::S3::Bucket", "Properties": { "LifecycleConfiguration": { "Rules": [ { "Id": "DeleteAfter30Days", "ExpirationInDays": 30, "Status": "Enabled", "Prefix": "logs/" } ] } } }, "DomainJoinSecrets": { "Type": "AWS::SecretsManager::Secret", "Properties": { "Name": "DomainJoinSecrets-${AWS::StackName}", "Description": "Secrets to join AD domain", "SecretString": "{\"username\":\"${DomainNetBIOSName}\\\\${DomainAdminUser}\",\"password\":\"${DomainAdminPassword}\"}" } }, "LambdaSSMRole": { "Type": "AWS::IAM::Role", "Properties": { "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "${DSCBucket.Arn}", "${DSCBucket.Arn}/*" ] } ] }, "PolicyName": "write-mof-s3" } ], "Path": "/", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }, "ManagedPolicyArns": [ "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] } }, "WriteMOFFunction": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "ZipFile": "var AWS = require('aws-sdk'), s3 = new AWS.S3(); const response = require(\"cfn-response\"); exports.handler = async (event, context) => {\n console.log(JSON.stringify(event));\n if (event.RequestType === 'Delete') {\n await postResponse(event, context, response.SUCCESS, {})\n return;\n }\n function postResponse(event, context, status, data){\n return new Promise((resolve, reject) => {\n setTimeout(() => response.send(event, context, status, data), 5000)\n });\n }\n await s3.putObject({\n Body: event.ResourceProperties.Body,\n Bucket: event.ResourceProperties.Bucket,\n Key: event.ResourceProperties.Key\n }).promise();\n await postResponse(event, context, response.SUCCESS, {});\n};\n" }, "Handler": "index.handler", "Role": "LambdaSSMRole.Arn", "Runtime": "nodejs10.x", "Timeout": 10 } }, "WriteDomainJoinMOF": { "Type": "Custom::WriteMOFFile", "Properties": { "ServiceToken": "WriteMOFFunction.Arn", "Bucket": "DSCBucket", "Key": "DomainJoin-${AWS::StackName}.mof", "Body": "/*\n@TargetNode='localhost'\n*/\ninstance of MSFT_Credential as $MSFT_Credential1ref\n{\nPassword = \"managementgovernancesample\";\n UserName = \"${DomainJoinSecrets}\";\n\n};\ninstance of DSC_Computer as $DSC_Computer1ref\n{\nResourceID = \"[Computer]JoinDomain\";\n Credential = $MSFT_Credential1ref;\n DomainName = \"{tag:DomainToJoin}\";\n Name = \"{tag:Name}\";\n ModuleName = \"ComputerManagementDsc\";\n ModuleVersion = \"8.0.0\";\n ConfigurationName = \"DomainJoin\";\n};\ninstance of OMI_ConfigurationDocument\n {\n Version=\"2.0.0\";\n MinimumCompatibleVersion = \"1.0.0\";\n CompatibleVersionAdditionalProperties= {\"Omi_BaseResource:ConfigurationName\"};\n Name=\"DomainJoin\";\n }; \n" } }, "SSMInstanceRole": { "Type": "AWS::IAM::Role", "Properties": { "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::aws-ssm-${AWS::Region}/*", "arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*", "arn:aws:s3:::amazon-ssm-${AWS::Region}/*", "arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*", "arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*", "arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*" ], "Effect": "Allow" } ] }, "PolicyName": "ssm-custom-s3-policy" }, { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource": [ "DomainJoinSecrets" ] } ] }, "PolicyName": "ssm-secrets-policy" }, { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:ListBucket" ], "Resource": [ "arn:${AWS::Partition}:s3:::${DSCBucket}/*", "arn:${AWS::Partition}:s3:::${DSCBucket}" ], "Effect": "Allow" } ] }, "PolicyName": "s3-instance-bucket-policy" } ], "Path": "/", "ManagedPolicyArns": [ "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ReadOnlyAccess" ], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com", "ssm.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } } }, "SSMInstanceProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Roles": [ "SSMInstanceRole" ] } }, "WINEC2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": "LatestAmiId", "InstanceType": "EC2InstanceType", "IamInstanceProfile": "SSMInstanceProfile", "NetworkInterfaces": [ { "DeleteOnTermination": true, "DeviceIndex": "0", "SubnetId": "SubnetID", "GroupSet": [ "DomainMemberSGID" ] } ], "Tags": [ { "Key": "Name", "Value": "WindowsBox0" }, { "Key": "DomainToJoin", "Value": "DomainDNSName" } ] } }, "JoinDomainAssociation": { "DependsOn": [ "WINEC2Instance", "WriteDomainJoinMOF" ], "Type": "AWS::SSM::Association", "Properties": { "WaitForSuccessTimeoutSeconds": 300, "Name": "AWS-ApplyDSCMofs", "Targets": [ { "Key": "tag:DomainToJoin", "Values": [ "DomainDNSName" ] } ], "OutputLocation": { "S3Location": { "OutputS3BucketName": "DSCBucket", "OutputS3KeyPrefix": "logs/" } }, "ScheduleExpression": "cron(30 23 * * ? *)", "MaxErrors": 1, "MaxConcurrency": 1, "Parameters": { "MofsToApply": [ "s3:${DSCBucket}:DomainJoin-${AWS::StackName}.mof" ], "ServicePath": [ "default" ], "MofOperationMode": [ "Apply" ], "ComplianceType": [ "Custom:DomainJoinSample" ], "ModuleSourceBucketName": [ "NONE" ], "AllowPSGalleryModuleSource": [ "True" ], "RebootBehavior": [ "AfterMof" ], "UseComputerNameForReporting": [ "False" ], "EnableVerboseLogging": [ "False" ], "EnableDebugLogging": [ "False" ] } } } } }
YAML
--- Description: "Deploy single windows EC2 Instance and join domain with SSM Association" Parameters: DomainAdminPassword: AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* Description: Password for the domain admin user. Must be at least 8 characters, containing letters, numbers, and symbols. MaxLength: '32' MinLength: '8' NoEcho: 'true' Type: String DomainAdminUser: AllowedPattern: '[a-zA-Z0-9]*' Default: Admin Description: User name for the account that will be used as domain administrator. This is separate from the default "Administrator" account. MaxLength: '25' MinLength: '5' Type: String DomainDNSName: AllowedPattern: '[a-zA-Z0-9\-]+\..+' Default: example.com Description: Fully qualified domain name (FQDN). MaxLength: '255' MinLength: '2' Type: String DomainMemberSGID: Description: ID of the domain member security group (e.g., sg-7f16e910). Type: AWS::EC2::SecurityGroup::Id DomainNetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Default: EXAMPLE Description: NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows. MaxLength: '15' MinLength: '1' Type: String EC2InstanceType: AllowedValues: - t3.nano - t3.micro - t3.small - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m5.large - m5.xlarge - m5.2xlarge Default: m5.large Description: Amazon EC2 instance type Type: String LatestAmiId: Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>' Default: "/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base" SubnetID: Description: ID of a Subnet. Type: AWS::EC2::Subnet::Id Resources: DSCBucket: Type: AWS::S3::Bucket Properties: LifecycleConfiguration: Rules: - Id: DeleteAfter30Days ExpirationInDays: 30 Status: Enabled Prefix: 'logs/' DomainJoinSecrets: Type: AWS::SecretsManager::Secret Properties: Name: !Sub 'DomainJoinSecrets-${AWS::StackName}' Description: Secrets to join AD domain SecretString: !Sub '{"username":"${DomainNetBIOSName}\\${DomainAdminUser}","password":"${DomainAdminPassword}"}' LambdaSSMRole: Type: AWS::IAM::Role Properties: Policies: - PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - s3:PutObject Resource: - !Sub "${DSCBucket.Arn}" - !Sub "${DSCBucket.Arn}/*" PolicyName: write-mof-s3 Path: / AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' WriteMOFFunction: Type: AWS::Lambda::Function Properties: Code: ZipFile: > var AWS = require('aws-sdk'), s3 = new AWS.S3(); const response = require("cfn-response"); exports.handler = async (event, context) => { console.log(JSON.stringify(event)); if (event.RequestType === 'Delete') { await postResponse(event, context, response.SUCCESS, {}) return; } function postResponse(event, context, status, data){ return new Promise((resolve, reject) => { setTimeout(() => response.send(event, context, status, data), 5000) }); } await s3.putObject({ Body: event.ResourceProperties.Body, Bucket: event.ResourceProperties.Bucket, Key: event.ResourceProperties.Key }).promise(); await postResponse(event, context, response.SUCCESS, {}); }; Handler: index.handler Role: !GetAtt LambdaSSMRole.Arn Runtime: nodejs10.x Timeout: 10 WriteDomainJoinMOF: Type: Custom::WriteMOFFile Properties: ServiceToken: !GetAtt WriteMOFFunction.Arn Bucket: !Ref DSCBucket Key: !Sub "DomainJoin-${AWS::StackName}.mof" Body: !Sub | /* @TargetNode='localhost' */ instance of MSFT_Credential as $MSFT_Credential1ref { Password = "managementgovernancesample"; UserName = "${DomainJoinSecrets}"; }; instance of DSC_Computer as $DSC_Computer1ref { ResourceID = "[Computer]JoinDomain"; Credential = $MSFT_Credential1ref; DomainName = "{tag:DomainToJoin}"; Name = "{tag:Name}"; ModuleName = "ComputerManagementDsc"; ModuleVersion = "8.0.0"; ConfigurationName = "DomainJoin"; }; instance of OMI_ConfigurationDocument { Version="2.0.0"; MinimumCompatibleVersion = "1.0.0"; CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"}; Name="DomainJoin"; }; SSMInstanceRole: Type : AWS::IAM::Role Properties: Policies: - PolicyDocument: Version: '2012-10-17' Statement: - Action: - s3:GetObject Resource: - !Sub 'arn:aws:s3:::aws-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*' - !Sub 'arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*' - !Sub 'arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*' Effect: Allow PolicyName: ssm-custom-s3-policy - PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - secretsmanager:GetSecretValue - secretsmanager:DescribeSecret Resource: - !Ref 'DomainJoinSecrets' PolicyName: ssm-secrets-policy - PolicyDocument: Version: '2012-10-17' Statement: - Action: - s3:GetObject - s3:PutObject - s3:PutObjectAcl - s3:ListBucket Resource: - !Sub 'arn:${AWS::Partition}:s3:::${DSCBucket}/*' - !Sub 'arn:${AWS::Partition}:s3:::${DSCBucket}' Effect: Allow PolicyName: s3-instance-bucket-policy Path: / ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ReadOnlyAccess' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" - "ssm.amazonaws.com" Action: "sts:AssumeRole" SSMInstanceProfile: Type: "AWS::IAM::InstanceProfile" Properties: Roles: - !Ref SSMInstanceRole WINEC2Instance: Type: "AWS::EC2::Instance" Properties: ImageId: !Ref LatestAmiId InstanceType: !Ref EC2InstanceType IamInstanceProfile: !Ref SSMInstanceProfile NetworkInterfaces: - DeleteOnTermination: true DeviceIndex: '0' SubnetId: !Ref 'SubnetID' GroupSet: - !Ref DomainMemberSGID Tags: - Key: "Name" Value: "WindowsBox0" - Key: "DomainToJoin" Value: !Ref "DomainDNSName" JoinDomainAssociation: DependsOn: - WINEC2Instance - WriteDomainJoinMOF Type: AWS::SSM::Association Properties: WaitForSuccessTimeoutSeconds: 300 Name: AWS-ApplyDSCMofs Targets: - Key: "tag:DomainToJoin" Values: - !Ref "DomainDNSName" OutputLocation: S3Location: OutputS3BucketName: !Ref DSCBucket OutputS3KeyPrefix: 'logs/' ScheduleExpression: "cron(30 23 * * ? *)" MaxErrors: 1 MaxConcurrency: 1 Parameters: MofsToApply: - !Sub "s3:${DSCBucket}:DomainJoin-${AWS::StackName}.mof" ServicePath: - default MofOperationMode: - Apply ComplianceType: - Custom:DomainJoinSample ModuleSourceBucketName: - "NONE" AllowPSGalleryModuleSource: - "True" RebootBehavior: - "AfterMof" UseComputerNameForReporting: - "False" EnableVerboseLogging: - "False" EnableDebugLogging: - "False"
Create an association that joins targets to a Windows Active Directory domain and uses Systems Manager Automation
The following example creates an association that joins targets to a Windows Active Directory domain by using State Manager and Automation. Target is based on tags.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Deploy single windows EC2 Instance and join domain with SSM Association", "Parameters": { "DomainAdminPassword": { "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", "Description": "Password for the domain admin user. Must be at least 8 characters, containing letters, numbers, and symbols.", "MaxLength": "32", "MinLength": "8", "NoEcho": "true", "Type": "String" }, "DomainAdminUser": { "AllowedPattern": "[a-zA-Z0-9]*", "Default": "Admin", "Description": "User name for the account that will be used as domain administrator. This is separate from the default \"Administrator\" account.", "MaxLength": "25", "MinLength": "5", "Type": "String" }, "DomainDNSName": { "AllowedPattern": "[a-zA-Z0-9\\-]+\\..+", "Default": "example.com", "Description": "Fully qualified domain name (FQDN).", "MaxLength": "255", "MinLength": "2", "Type": "String" }, "DomainMemberSGID": { "Description": "ID of the domain member security group (e.g., sg-7f16e910).", "Type": "AWS::EC2::SecurityGroup::Id" }, "DomainNetBIOSName": { "AllowedPattern": "[a-zA-Z0-9\\-]+", "Default": "EXAMPLE", "Description": "NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows.", "MaxLength": "15", "MinLength": "1", "Type": "String" }, "EC2InstanceType": { "AllowedValues": [ "t3.nano", "t3.micro", "t3.small", "t3.medium", "t3.large", "t3.xlarge", "t3.2xlarge", "m5.large", "m5.xlarge", "m5.2xlarge" ], "Default": "m5.large", "Description": "Amazon EC2 instance type", "Type": "String" }, "LatestAmiId": { "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>", "Default": "/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base" }, "SubnetID": { "Description": "ID of a Subnet.", "Type": "AWS::EC2::Subnet::Id" } }, "Resources": { "DSCBucket": { "Type": "AWS::S3::Bucket", "Properties": { "LifecycleConfiguration": { "Rules": [ { "Id": "DeleteAfter30Days", "ExpirationInDays": 30, "Status": "Enabled", "Prefix": "logs/" } ] } } }, "DomainJoinSecrets": { "Type": "AWS::SecretsManager::Secret", "Properties": { "Name": "DomainJoinSecrets-${AWS::StackName}", "Description": "Secrets to join AD domain", "SecretString": "{\"username\":\"${DomainAdminUser}\",\"password\":\"${DomainAdminPassword}\"}" } }, "LambdaSSMRole": { "Type": "AWS::IAM::Role", "Properties": { "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "${DSCBucket.Arn}", "${DSCBucket.Arn}/*" ] } ] }, "PolicyName": "write-mof-s3" } ], "Path": "/", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }, "ManagedPolicyArns": [ "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] } }, "WriteScriptFunction": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "ZipFile": "var AWS = require('aws-sdk'), s3 = new AWS.S3(); const response = require(\"cfn-response\"); exports.handler = async (event, context) => {\n console.log(JSON.stringify(event));\n if (event.RequestType === 'Delete') {\n await postResponse(event, context, response.SUCCESS, {})\n return;\n }\n function postResponse(event, context, status, data){\n return new Promise((resolve, reject) => {\n setTimeout(() => response.send(event, context, status, data), 5000)\n });\n }\n await s3.putObject({\n Body: event.ResourceProperties.Body,\n Bucket: event.ResourceProperties.Bucket,\n Key: event.ResourceProperties.Key\n }).promise();\n await postResponse(event, context, response.SUCCESS, {});\n};\n" }, "Handler": "index.handler", "Role": "LambdaSSMRole.Arn", "Runtime": "nodejs10.x", "Timeout": 10 } }, "WriteDomainJoinScript": { "Type": "Custom::WriteScript", "Properties": { "ServiceToken": "WriteScriptFunction.Arn", "Bucket": "DSCBucket", "Key": "DomainJoin.ps1", "Body": "[CmdletBinding()]\n# Incoming Parameters for Script, CloudFormation\\SSM Parameters being passed in\nparam(\n [Parameter(Mandatory=$true)]\n [string]$DomainNetBIOSName,\n\n [Parameter(Mandatory=$true)]\n [string]$DomainDNSName,\n\n [Parameter(Mandatory=$true)]\n [string]$AdminSecret\n)\n\n# Formatting AD Admin User to proper format for JoinDomain DSC Resources in this Script\n$DomainAdmin = 'Domain\\User' -replace 'Domain',$DomainNetBIOSName -replace 'User',$UserName\n$Admin = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $AdminSecret).SecretString\n$AdminUser = $DomainNetBIOSName + '\\' + $Admin.UserName\n# Creating Credential Object for Administrator\n$Credentials = (New-Object PSCredential($AdminUser,(ConvertTo-SecureString $Admin.Password -AsPlainText -Force)))\n# Getting the DSC Cert Encryption Thumbprint to Secure the MOF File\n$DscCertThumbprint = (get-childitem -path cert:\\LocalMachine\\My | where { $_.subject -eq \"CN=SampleDscEncryptCert\" }).Thumbprint\n# Getting the Name Tag of the Instance\n$NameTag = (Get-EC2Tag -Filter @{ Name=\"resource-id\";Values=(Invoke-RestMethod -Method Get -Uri http://169.254.169.254/latest/meta-data/instance-id)}| Where-Object { $_.Key -eq \"Name\" })\n$NewName = $NameTag.Value\n\n# Creating Configuration Data Block that has the Certificate Information for DSC Configuration Processing\n$ConfigurationData = @{\n AllNodes = @(\n @{\n NodeName=\"*\"\n CertificateFile = \"C:\\awssample\\publickeys\\SamplePublicKey.cer\"\n Thumbprint = $DscCertThumbprint\n PSDscAllowDomainUser = $true\n },\n @{\n NodeName = 'localhost'\n }\n )\n}\n\nConfiguration DomainJoin {\n param(\n [PSCredential] $Credentials\n )\n\n Import-Module -Name PSDesiredStateConfiguration\n Import-Module -Name ComputerManagementDsc\n \n Import-DscResource -Module PSDesiredStateConfiguration\n Import-DscResource -Module ComputerManagementDsc\n\n Node 'localhost' {\n\n Computer JoinDomain {\n Name = $NewName\n DomainName = $DomainDNSName\n Credential = $Credentials\n }\n }\n}\n\nDomainJoin -OutputPath 'C:\\awssample\\DomainJoin' -ConfigurationData $ConfigurationData -Credentials $Credentials\n" } }, "WriteInstallModuleScript": { "Type": "Custom::WriteScript", "Properties": { "ServiceToken": "WriteScriptFunction.Arn", "Bucket": "DSCBucket", "Key": "install-modules.ps1", "Body": "[CmdletBinding()]\nparam()\n\n\"Setting up Powershell Gallery to Install DSC Modules\"\nInstall-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force\nSet-PSRepository -Name PSGallery -InstallationPolicy Trusted\n\n\"Installing the needed Powershell DSC modules for this Quick Start\"\nInstall-Module -Name ComputerManagementDsc\nInstall-Module -Name PSDscResources\n\n\"Creating Directory for DSC Public Cert\"\nNew-Item -Path C:\\awssample\\publickeys -ItemType directory -Force\n\n\"Setting up DSC Certificate to Encrypt Credentials in MOF File\"\n$cert = New-SelfSignedCertificate -Type DocumentEncryptionCertLegacyCsp -DnsName 'SampleDscEncryptCert' -HashAlgorithm SHA256\n# Exporting the public key certificate\n$cert | Export-Certificate -FilePath \"C:\\awssample\\publickeys\\SamplePublicKey.cer\" -Force\n" } }, "WriteLCMConfigScript": { "Type": "Custom::WriteScript", "Properties": { "ServiceToken": "WriteScriptFunction.Arn", "Bucket": "DSCBucket", "Key": "LCM-Config.ps1", "Body": "# This block sets the LCM configuration to what we need for QS\n[DSCLocalConfigurationManager()]\nconfiguration LCMConfig\n{\n Node 'localhost' {\n Settings {\n RefreshMode = 'Push'\n ActionAfterReboot = 'StopConfiguration' \n RebootNodeIfNeeded = $false\n CertificateId = $DscCertThumbprint \n }\n }\n}\n\n$DscCertThumbprint = [string](get-childitem -path cert:\\LocalMachine\\My | where { $_.subject -eq \"CN=SampleDscEncryptCert\" }).Thumbprint\n \n#Generates MOF File for LCM\nLCMConfig -OutputPath 'C:\\awssample\\LCMConfig'\n \n# Sets LCM Configuration to MOF generated in previous command\nSet-DscLocalConfigurationManager -Path 'C:\\awssample\\LCMConfig' \n" } }, "DomainJoinAutomation": { "Type": "AWS::SSM::Document", "Properties": { "DocumentType": "Automation", "Content": { "schemaVersion": "0.3", "description": "Join a Windows Domain", "assumeRole": "{{AutomationAssumeRole}}", "parameters": { "InstanceId": { "description": "ID of the Instance.", "type": "StringList" }, "DomainDNSName": { "default": "example.com", "description": "Fully qualified domain name (FQDN) of the forest root domain e.g. example.com", "type": "String" }, "DomainNetBIOSName": { "default": "example", "description": "NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows e.g. EXAMPLE", "type": "String" }, "AdminSecrets": { "description": "AWS Secrets Parameter Name that has Password and User name for a domain administrator.", "type": "String" }, "S3BucketName": { "description": "S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).", "type": "String" }, "AutomationAssumeRole": { "default": "", "description": "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf.", "type": "String" } }, "mainSteps": [ { "name": "InstallDSCModules", "action": "aws:runCommand", "inputs": { "DocumentName": "AWS-RunRemoteScript", "InstanceIds": [ "{{InstanceId}}" ], "CloudWatchOutputConfig": { "CloudWatchOutputEnabled": "true", "CloudWatchLogGroupName": "/ssm/${AWS::StackName}" }, "Parameters": { "sourceType": "S3", "sourceInfo": "{\"path\": \"https://{{S3BucketName}}.s3.amazonaws.com/install-modules.ps1\"}", "commandLine": "./install-modules.ps1" } } }, { "name": "ConfigureLCM", "action": "aws:runCommand", "inputs": { "DocumentName": "AWS-RunRemoteScript", "InstanceIds": [ "{{InstanceId}}" ], "CloudWatchOutputConfig": { "CloudWatchOutputEnabled": "true", "CloudWatchLogGroupName": "/ssm/${AWS::StackName}" }, "Parameters": { "sourceType": "S3", "sourceInfo": "{\"path\": \"https://{{S3BucketName}}.s3.amazonaws.com/LCM-Config.ps1\"}", "commandLine": "./LCM-Config.ps1" } } }, { "name": "GenerateDomainJoinMof", "action": "aws:runCommand", "inputs": { "DocumentName": "AWS-RunRemoteScript", "InstanceIds": [ "{{InstanceId}}" ], "CloudWatchOutputConfig": { "CloudWatchOutputEnabled": "true", "CloudWatchLogGroupName": "/ssm/${AWS::StackName}" }, "Parameters": { "sourceType": "S3", "sourceInfo": "{\"path\": \"https://{{S3BucketName}}.s3.amazonaws.com/DomainJoin.ps1\"}", "commandLine": "./DomainJoin.ps1 -DomainNetBIOSName {{DomainNetBIOSName}} -DomainDNSName {{DomainDNSName}} -AdminSecret {{AdminSecrets}}" } } }, { "name": "DomainJoin", "action": "aws:runCommand", "inputs": { "DocumentName": "AWS-RunPowerShellScript", "InstanceIds": [ "{{InstanceId}}" ], "CloudWatchOutputConfig": { "CloudWatchOutputEnabled": "true", "CloudWatchLogGroupName": "/ssm/${AWS::StackName}" }, "Parameters": { "commands": [ "function DscStatusCheck () {\n $LCMState = (Get-DscLocalConfigurationManager).LCMState\n if ($LCMState -eq 'PendingConfiguration' -Or $LCMState -eq 'PendingReboot') {\n 'returning 3010, should continue after reboot'\n exit 3010\n } else {\n 'Completed'\n }\n}\n\nStart-DscConfiguration 'C:\\awssample\\DomainJoin' -Wait -Verbose -Force\n\nDscStatusCheck\n" ] } } } ] } } }, "SSMExecutionRole": { "Type": "AWS::IAM::Role", "Properties": { "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "ssm:StartAssociationsOnce", "ssm:CreateAssociation", "ssm:CreateAssociationBatch", "ssm:UpdateAssociation" ], "Resource": "*", "Effect": "Allow" } ] }, "PolicyName": "ssm-association" } ], "Path": "/", "ManagedPolicyArns": [ "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSSMAutomationRole" ], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com", "ssm.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } } }, "SSMInstanceRole": { "Type": "AWS::IAM::Role", "Properties": { "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::aws-ssm-${AWS::Region}/*", "arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*", "arn:aws:s3:::amazon-ssm-${AWS::Region}/*", "arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*", "arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*", "arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*" ], "Effect": "Allow" } ] }, "PolicyName": "ssm-custom-s3-policy" }, { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource": [ "DomainJoinSecrets" ] } ] }, "PolicyName": "ssm-secrets-policy" }, { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:ListBucket" ], "Resource": [ "arn:${AWS::Partition}:s3:::${DSCBucket}/*", "arn:${AWS::Partition}:s3:::${DSCBucket}" ], "Effect": "Allow" } ] }, "PolicyName": "s3-instance-bucket-policy" } ], "Path": "/", "ManagedPolicyArns": [ "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy" ], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com", "ssm.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } } }, "SSMInstanceProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Roles": [ "SSMInstanceRole" ] } }, "WINEC2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": "LatestAmiId", "InstanceType": "EC2InstanceType", "IamInstanceProfile": "SSMInstanceProfile", "NetworkInterfaces": [ { "DeleteOnTermination": true, "DeviceIndex": "0", "SubnetId": "SubnetID", "GroupSet": [ "DomainMemberSGID" ] } ], "Tags": [ { "Key": "Name", "Value": "WindowsBox1" } ] } }, "DomainAssociation": { "Type": "AWS::SSM::Association", "Properties": { "AssociationName": "DomainJoin", "Name": "DomainJoinAutomation", "WaitForSuccessTimeoutSeconds": 600, "AutomationTargetParameterName": "InstanceId", "Targets": [ { "Key": "ParameterValues", "Values": [ "WINEC2Instance" ] } ], "OutputLocation": { "S3Location": { "OutputS3BucketName": "DSCBucket", "OutputS3KeyPrefix": "logs/" } }, "Parameters": { "DomainDNSName": [ "DomainDNSName" ], "DomainNetBIOSName": [ "DomainNetBIOSName" ], "AdminSecrets": [ "DomainJoinSecrets" ], "S3BucketName": [ "DSCBucket" ], "AutomationAssumeRole": [ "SSMExecutionRole.Arn" ] } } } } }
YAML
--- Description: "Deploy single windows EC2 Instance and join domain with SSM Association" Parameters: DomainAdminPassword: AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* Description: Password for the domain admin user. Must be at least 8 characters, containing letters, numbers, and symbols. MaxLength: '32' MinLength: '8' NoEcho: 'true' Type: String DomainAdminUser: AllowedPattern: '[a-zA-Z0-9]*' Default: Admin Description: User name for the account that will be used as domain administrator. This is separate from the default "Administrator" account. MaxLength: '25' MinLength: '5' Type: String DomainDNSName: AllowedPattern: '[a-zA-Z0-9\-]+\..+' Default: example.com Description: Fully qualified domain name (FQDN). MaxLength: '255' MinLength: '2' Type: String DomainMemberSGID: Description: ID of the domain member security group (e.g., sg-7f16e910). Type: AWS::EC2::SecurityGroup::Id DomainNetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Default: EXAMPLE Description: NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows. MaxLength: '15' MinLength: '1' Type: String EC2InstanceType: AllowedValues: - t3.nano - t3.micro - t3.small - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m5.large - m5.xlarge - m5.2xlarge Default: m5.large Description: Amazon EC2 instance type Type: String LatestAmiId: Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>' Default: "/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base" SubnetID: Description: ID of a Subnet. Type: AWS::EC2::Subnet::Id Resources: DSCBucket: Type: AWS::S3::Bucket Properties: LifecycleConfiguration: Rules: - Id: DeleteAfter30Days ExpirationInDays: 30 Status: Enabled Prefix: 'logs/' DomainJoinSecrets: Type: AWS::SecretsManager::Secret Properties: Name: !Sub 'DomainJoinSecrets-${AWS::StackName}' Description: Secrets to join AD domain SecretString: !Sub '{"username":"${DomainAdminUser}","password":"${DomainAdminPassword}"}' LambdaSSMRole: Type: AWS::IAM::Role Properties: Policies: - PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - s3:PutObject Resource: - !Sub "${DSCBucket.Arn}" - !Sub "${DSCBucket.Arn}/*" PolicyName: write-mof-s3 Path: / AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' WriteScriptFunction: Type: AWS::Lambda::Function Properties: Code: ZipFile: > var AWS = require('aws-sdk'), s3 = new AWS.S3(); const response = require("cfn-response"); exports.handler = async (event, context) => { console.log(JSON.stringify(event)); if (event.RequestType === 'Delete') { await postResponse(event, context, response.SUCCESS, {}) return; } function postResponse(event, context, status, data){ return new Promise((resolve, reject) => { setTimeout(() => response.send(event, context, status, data), 5000) }); } await s3.putObject({ Body: event.ResourceProperties.Body, Bucket: event.ResourceProperties.Bucket, Key: event.ResourceProperties.Key }).promise(); await postResponse(event, context, response.SUCCESS, {}); }; Handler: index.handler Role: !GetAtt LambdaSSMRole.Arn Runtime: nodejs10.x Timeout: 10 WriteDomainJoinScript: Type: Custom::WriteScript Properties: ServiceToken: !GetAtt WriteScriptFunction.Arn Bucket: !Ref DSCBucket Key: "DomainJoin.ps1" Body: | [CmdletBinding()] # Incoming Parameters for Script, CloudFormation\SSM Parameters being passed in param( [Parameter(Mandatory=$true)] [string]$DomainNetBIOSName, [Parameter(Mandatory=$true)] [string]$DomainDNSName, [Parameter(Mandatory=$true)] [string]$AdminSecret ) # Formatting AD Admin User to proper format for JoinDomain DSC Resources in this Script $DomainAdmin = 'Domain\User' -replace 'Domain',$DomainNetBIOSName -replace 'User',$UserName $Admin = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $AdminSecret).SecretString $AdminUser = $DomainNetBIOSName + '\' + $Admin.UserName # Creating Credential Object for Administrator $Credentials = (New-Object PSCredential($AdminUser,(ConvertTo-SecureString $Admin.Password -AsPlainText -Force))) # Getting the DSC Cert Encryption Thumbprint to Secure the MOF File $DscCertThumbprint = (get-childitem -path cert:\LocalMachine\My | where { $_.subject -eq "CN=SampleDscEncryptCert" }).Thumbprint # Getting the Name Tag of the Instance $NameTag = (Get-EC2Tag -Filter @{ Name="resource-id";Values=(Invoke-RestMethod -Method Get -Uri http://169.254.169.254/latest/meta-data/instance-id)}| Where-Object { $_.Key -eq "Name" }) $NewName = $NameTag.Value # Creating Configuration Data Block that has the Certificate Information for DSC Configuration Processing $ConfigurationData = @{ AllNodes = @( @{ NodeName="*" CertificateFile = "C:\awssample\publickeys\SamplePublicKey.cer" Thumbprint = $DscCertThumbprint PSDscAllowDomainUser = $true }, @{ NodeName = 'localhost' } ) } Configuration DomainJoin { param( [PSCredential] $Credentials ) Import-Module -Name PSDesiredStateConfiguration Import-Module -Name ComputerManagementDsc Import-DscResource -Module PSDesiredStateConfiguration Import-DscResource -Module ComputerManagementDsc Node 'localhost' { Computer JoinDomain { Name = $NewName DomainName = $DomainDNSName Credential = $Credentials } } } DomainJoin -OutputPath 'C:\awssample\DomainJoin' -ConfigurationData $ConfigurationData -Credentials $Credentials WriteInstallModuleScript: Type: Custom::WriteScript Properties: ServiceToken: !GetAtt WriteScriptFunction.Arn Bucket: !Ref DSCBucket Key: "install-modules.ps1" Body: | [CmdletBinding()] param() "Setting up Powershell Gallery to Install DSC Modules" Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force Set-PSRepository -Name PSGallery -InstallationPolicy Trusted "Installing the needed Powershell DSC modules for this Quick Start" Install-Module -Name ComputerManagementDsc Install-Module -Name PSDscResources "Creating Directory for DSC Public Cert" New-Item -Path C:\awssample\publickeys -ItemType directory -Force "Setting up DSC Certificate to Encrypt Credentials in MOF File" $cert = New-SelfSignedCertificate -Type DocumentEncryptionCertLegacyCsp -DnsName 'SampleDscEncryptCert' -HashAlgorithm SHA256 # Exporting the public key certificate $cert | Export-Certificate -FilePath "C:\awssample\publickeys\SamplePublicKey.cer" -Force WriteLCMConfigScript: Type: Custom::WriteScript Properties: ServiceToken: !GetAtt WriteScriptFunction.Arn Bucket: !Ref DSCBucket Key: "LCM-Config.ps1" Body: | # This block sets the LCM configuration to what we need for QS [DSCLocalConfigurationManager()] configuration LCMConfig { Node 'localhost' { Settings { RefreshMode = 'Push' ActionAfterReboot = 'StopConfiguration' RebootNodeIfNeeded = $false CertificateId = $DscCertThumbprint } } } $DscCertThumbprint = [string](get-childitem -path cert:\LocalMachine\My | where { $_.subject -eq "CN=SampleDscEncryptCert" }).Thumbprint #Generates MOF File for LCM LCMConfig -OutputPath 'C:\awssample\LCMConfig' # Sets LCM Configuration to MOF generated in previous command Set-DscLocalConfigurationManager -Path 'C:\awssample\LCMConfig' DomainJoinAutomation: Type: AWS::SSM::Document Properties: DocumentType: Automation Content: schemaVersion: "0.3" description: "Join a Windows Domain" # Role that is utilized to perform the steps within the Automation Document. assumeRole: "{{AutomationAssumeRole}}" # Gathering parameters needed to configure DCs in the Quick Start parameters: InstanceId: description: "ID of the Instance." type: "StringList" DomainDNSName: default: "example.com" description: "Fully qualified domain name (FQDN) of the forest root domain e.g. example.com" type: "String" DomainNetBIOSName: default: "example" description: "NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows e.g. EXAMPLE" type: "String" AdminSecrets: description: "AWS Secrets Parameter Name that has Password and User name for a domain administrator." type: "String" S3BucketName: description: "S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-)." type: "String" AutomationAssumeRole: default: "" description: "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf." type: "String" mainSteps: # This step Demonstrates how to run a local script on an Instance. It can be defined or pointed to a local script. - name: "InstallDSCModules" action: "aws:runCommand" inputs: DocumentName: "AWS-RunRemoteScript" InstanceIds: - "{{InstanceId}}" CloudWatchOutputConfig: CloudWatchOutputEnabled: "true" CloudWatchLogGroupName: !Sub '/ssm/${AWS::StackName}' Parameters: sourceType: "S3" sourceInfo: '{"path": "https://{{S3BucketName}}.s3.amazonaws.com/install-modules.ps1"}' commandLine: "./install-modules.ps1" - name: "ConfigureLCM" action: "aws:runCommand" inputs: DocumentName: "AWS-RunRemoteScript" InstanceIds: - "{{InstanceId}}" CloudWatchOutputConfig: CloudWatchOutputEnabled: "true" CloudWatchLogGroupName: !Sub '/ssm/${AWS::StackName}' Parameters: sourceType: "S3" sourceInfo: '{"path": "https://{{S3BucketName}}.s3.amazonaws.com/LCM-Config.ps1"}' commandLine: "./LCM-Config.ps1" - name: "GenerateDomainJoinMof" action: "aws:runCommand" inputs: DocumentName: "AWS-RunRemoteScript" InstanceIds: - "{{InstanceId}}" CloudWatchOutputConfig: CloudWatchOutputEnabled: "true" CloudWatchLogGroupName: !Sub '/ssm/${AWS::StackName}' Parameters: sourceType: "S3" sourceInfo: '{"path": "https://{{S3BucketName}}.s3.amazonaws.com/DomainJoin.ps1"}' commandLine: "./DomainJoin.ps1 -DomainNetBIOSName {{DomainNetBIOSName}} -DomainDNSName {{DomainDNSName}} -AdminSecret {{AdminSecrets}}" - name: "DomainJoin" action: aws:runCommand inputs: DocumentName: AWS-RunPowerShellScript InstanceIds: - "{{InstanceId}}" CloudWatchOutputConfig: CloudWatchOutputEnabled: "true" CloudWatchLogGroupName: !Sub '/ssm/${AWS::StackName}' Parameters: commands: - | function DscStatusCheck () { $LCMState = (Get-DscLocalConfigurationManager).LCMState if ($LCMState -eq 'PendingConfiguration' -Or $LCMState -eq 'PendingReboot') { 'returning 3010, should continue after reboot' exit 3010 } else { 'Completed' } } Start-DscConfiguration 'C:\awssample\DomainJoin' -Wait -Verbose -Force DscStatusCheck SSMExecutionRole: Type : AWS::IAM::Role Properties: Policies: - PolicyDocument: Version: '2012-10-17' Statement: - Action: - ssm:StartAssociationsOnce - ssm:CreateAssociation - ssm:CreateAssociationBatch - ssm:UpdateAssociation Resource: '*' Effect: Allow PolicyName: ssm-association Path: / ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSSMAutomationRole' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" - "ssm.amazonaws.com" Action: "sts:AssumeRole" SSMInstanceRole: Type : AWS::IAM::Role Properties: Policies: - PolicyDocument: Version: '2012-10-17' Statement: - Action: - s3:GetObject Resource: - !Sub 'arn:aws:s3:::aws-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*' - !Sub 'arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*' - !Sub 'arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*' Effect: Allow PolicyName: ssm-custom-s3-policy - PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - secretsmanager:GetSecretValue - secretsmanager:DescribeSecret Resource: - !Ref 'DomainJoinSecrets' PolicyName: ssm-secrets-policy - PolicyDocument: Version: '2012-10-17' Statement: - Action: - s3:GetObject - s3:PutObject - s3:PutObjectAcl - s3:ListBucket Resource: - !Sub 'arn:${AWS::Partition}:s3:::${DSCBucket}/*' - !Sub 'arn:${AWS::Partition}:s3:::${DSCBucket}' Effect: Allow PolicyName: s3-instance-bucket-policy Path: / ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" - "ssm.amazonaws.com" Action: "sts:AssumeRole" SSMInstanceProfile: Type: "AWS::IAM::InstanceProfile" Properties: Roles: - !Ref SSMInstanceRole WINEC2Instance: Type: "AWS::EC2::Instance" Properties: ImageId: !Ref LatestAmiId InstanceType: !Ref EC2InstanceType IamInstanceProfile: !Ref SSMInstanceProfile NetworkInterfaces: - DeleteOnTermination: true DeviceIndex: '0' SubnetId: !Ref 'SubnetID' GroupSet: - !Ref DomainMemberSGID Tags: - Key: "Name" Value: "WindowsBox1" DomainAssociation: Type: AWS::SSM::Association Properties: AssociationName: DomainJoin # We are using the AWS-ApplyDSCMofs Document Name: !Ref DomainJoinAutomation WaitForSuccessTimeoutSeconds: 600 AutomationTargetParameterName: InstanceId Targets: - Key: ParameterValues Values: - !Ref WINEC2Instance OutputLocation: S3Location: OutputS3BucketName: !Ref DSCBucket OutputS3KeyPrefix: 'logs/' Parameters: DomainDNSName: - !Ref DomainDNSName DomainNetBIOSName: - !Ref DomainNetBIOSName AdminSecrets: - !Ref DomainJoinSecrets S3BucketName: - !Ref DSCBucket AutomationAssumeRole: - !GetAtt 'SSMExecutionRole.Arn'
See also
