Can someone help me? I am trying to create an automation that stops EC2 instances periodically. I know how to use the data source:

data "aws_ssm_document" "ssm_doc" {
  name            = "AWS-StopEC2Instance"
  document_format = "JSON"
}

When I try to create the association:

resource "aws_ssm_association" "example" {
  # reference the data source by its full address
  name = data.aws_ssm_document.ssm_doc.name
  targets {
    key    = "InstanceIds"
    values = [aws_instance.ex.id]
  }
}

When I run this code I get the error: Error creating SSM association: ValidationException: The assume role is invalid.
Can anyone help me and tell me how to pass this role?
Posted on 2021-02-18 03:51:27
According to the aws_ssm_association documentation, this resource has no IAM-role-specific configuration, so the error is probably somewhere else.
From the documentation Troubleshooting Systems Manager Automation:
Invalid assume role: When running an automation, the assume role is either provided in the runbook or passed as a parameter value for the runbook. If the assume role is not specified or configured correctly, different types of errors can occur.
You need to check the ssm_doc you are importing; it is basically just a CloudFormation template, so you have to correct the role there.
Posted on 2021-10-29 08:37:39
AWS-StopEC2Instance accepts an AutomationAssumeRole parameter. You have to give SSM the role it needs to execute the code. For example:

resource "aws_iam_role" "ssm" {
  path = "/"
  # Trust policy: the Systems Manager service principal must be allowed to
  # assume this role, otherwise the automation fails with "assume role is invalid"
  assume_role_policy = <<EOL
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["ec2.amazonaws.com", "ssm.amazonaws.com"]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOL
  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"]
  inline_policy {
    name = "my_inline_policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Action = ["iam:PassRole"]
          Effect = "Allow"
          # "*" is broad; scope this to the specific role ARN where possible
          Resource = "*"
        },
      ]
    })
  }
}

Also, the targets block in aws_ssm_association.example applies to SSM documents of type Command and Policy, or to rate-controlled Automation. For a simple Automation execution, targets are not needed:

resource "aws_ssm_association" "example" {
  name = "AWS-StopEC2Instance"
  parameters = {
    # parameter names must match the document's definitions;
    # AWS-StopEC2Instance defines AutomationAssumeRole and InstanceId
    AutomationAssumeRole = aws_iam_role.ssm.arn
    InstanceId           = aws_instance.ex.id
  }
}

https://stackoverflow.com/questions/66247750
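As an added example (not part of the question or either answer), a Python pre-flight check that catches the two things the second answer fixes: the role's trust policy must let ssm.amazonaws.com call sts:AssumeRole, and the association must pass the role as AutomationAssumeRole. The trust policies and parameter maps below are constructed here.

```python
import json

SSM_SERVICE = "ssm.amazonaws.com"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusts_ssm(trust_policy_json: str) -> bool:
    """True if an Allow statement lets ssm.amazonaws.com call sts:AssumeRole."""
    doc = json.loads(trust_policy_json)
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = stmt.get("Principal") or {}
        if isinstance(principal, dict) and SSM_SERVICE in _as_list(principal.get("Service")):
            return True
    return False


def association_problems(trust_policy_json: str, parameters: dict) -> list:
    """Findings for an Automation association: missing role parameter or bad trust."""
    problems = []
    if not parameters.get("AutomationAssumeRole"):
        problems.append("parameters do not pass AutomationAssumeRole")
    if not trusts_ssm(trust_policy_json):
        problems.append(f"trust policy does not allow {SSM_SERVICE} to sts:AssumeRole")
    return problems


# Constructed sample trust policies (not from the page): one trusting only EC2,
# one that also trusts the Systems Manager service principal.
EC2_ONLY_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]})
SSM_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com", SSM_SERVICE]},
     "Action": "sts:AssumeRole"}]})

if __name__ == "__main__":
    # Asker's situation: no AutomationAssumeRole passed and a role SSM cannot assume.
    print(association_problems(EC2_ONLY_TRUST, {"InstanceId": "i-0123456789abcdef0"}))
    # Answer's shape: role trusted by SSM and passed as a parameter (placeholder ARN).
    print(association_problems(SSM_TRUST, {"AutomationAssumeRole": "arn:aws:iam::123456789012:role/ssm"}))
```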