cloudformation-coverage-roadmap icon indicating copy to clipboard operation
cloudformation-coverage-roadmap copied to clipboard

Published 20 hours ago verified publisher icon aws-cloudformation

AWS::SSM::Document - Name - No replacement Update

Open jk2l opened this issue 4 years ago • 12 comments

Extended feature request of the new feature released 11hr ago: https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/115

Current behaviour:

  • When SSM Document updated, it will trigger a replacement
  • If we use hardcode Name, stack update will fail with the message "GoldenAMIAutomationDoc AWS::SSM::Document UPDATE_FAILED CloudFormation cannot update a stack when a custom-named resource requires replacing. Rename GoldenAmiBuidler and update the stack again."

Expected behaviour:

  • Originally described in the ticket: a new version created and on the success, it should update the current version to Default.
  • For reference can also look into how AWS::SSM::Parameter or AWS::ECS::TaskDefinition is done, it will update and create a new version instead of replacing the document completely.

Currently, I have to create/manage a custom resource just to do this behaviour but maintaining the Custom resource is quite time-consuming for me and I wish I can replace my custom resource to be using native AWS resources only.

The key part of this request is we can have versioning of the AWS SSM Document that we can also reference back into.

As a use case, I have to follow a very strict security audit process (the operation team do not have security clearance to touch production environment. Everything is 100% manage by CloudFormation. or it will need to escalate to system admin that have access which can also costly to do) and the SSM Doc native implementation by CloudFormation is very badly design because it lost the versioning reference which fails auditing process.

Currently, I am using SSM for the following:

  • AMI Builder
  • System patches
  • AWS Inspector
  • Some installation and automation

Refrences: https://docs.aws.amazon.com/cli/latest/reference/ssm/update-document.html https://docs.aws.amazon.com/cli/latest/reference/ssm/update-document-default-version.html

jk2l avatar Jan 11 '20 10:01 jk2l

The current implementation of AWS::SSM::Document is mostly useless. If the name of a resource changes when its content changes, it cannot be referenced anywhere, hence cannot be used in any automation. I've seen people in my org deleting an ssm-docs stack and deploying it again, just to keep the document names.

udondan avatar Mar 08 '20 09:03 udondan

To add to this aws ssm update-document (in contrast with what the name would indicate), always creates a new version for that document (even when specifying --document-version).

If the SSM team does not plan to support deleting old versions, CloudFromation could mimic this behaviour (and in addition set the default version).

Another approach would to implement something similar as discussed in https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-cloudformation/pull/4 for ResourceProviders.

benbridts avatar Mar 08 '20 17:03 benbridts

I don't think deleting document versions is supported by the API. You only can delete the whole document.

Also overriding a version is not possible. As you said, when updating a document, it creates a new version.

udondan avatar Mar 08 '20 17:03 udondan

Like you said. It doesn't support delete or update right now. If the SSM team has plans to add delete functionality in the future (like IAM manage policies), it might be an idea to reflect that in the CloudFormation resources too

benbridts avatar Mar 08 '20 18:03 benbridts

delete or not doesn't really matter tbh. look at ECS task definition, you can't delete a version after create. but it works fine with cloudformation fine with the hardcoded name.

using a hardcoded name is quite important for working with multiple environment and team. the name itself shouldn't get change at all so it won't break other team's using my SSM document

the main key thing is to allow hardcoding name that can be referred from anywhere. this is more important if I want to build an SSM document manage that needs to be used by other SSM document.

e.g. I can manage an EBS snapshot SSM with automation tagging. then this document is used by other teams to manage their own EBS snapshot with schedule. if the SSM name keep changing just a simple update, it will break every single script out there when they try to refrence the document name.

I end up spent a week wrote a custom resources name to handle updating version instead of replacement document which should be something support out of the box by Cfn implementation

jk2l avatar Mar 08 '20 23:03 jk2l

I just published my custom resource to manage SSM documents. It's made for CDK but I added documentation how to use it in plain old CloudFormation as well - https://github.com/udondan/cdk-ssm-document

udondan avatar Mar 14 '20 15:03 udondan

Agreed. I'm going through this now with AWS::Config::RemediationConfiguration which uses hard coded names

The SSM documentation is lacking and so its a trial and error approach to get them working. A bug in my SSM document requires manual intervention to delete the document and recreate it

bgardner-noggin avatar Aug 28 '20 07:08 bgardner-noggin

In case anyone is also wrestling with this, my organization was planning to use the Document names in IAM to define access. We were able to get a functional workaround using custom tagging, and allowing Cloudformation to generate and apply the name.

For example, we have Documents that define some custom attributes for session access. Here's the IAM defining that:

{
 "Action": [
   "ssm:StartSession"
 ],
 "Resource": [
   "arn:aws:ssm:*:*:document/*"
 ],
 "Condition": {
   "StringEquals": {"ssm:resourceTag/CustomTag": "CustomValue"}
 },
 "Effect": "Allow"
},

Slightly less elegant, but seems to work well for us. Hope this may come in handy for anyone in the same spot!

jackdcasey avatar Feb 10 '21 19:02 jackdcasey

It looks like this PR may resolve this issue - https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-ssm/pull/173

The documentation for AWS::SSM::Document has been updated to reflect the UpdateMethod property - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html#cfn-ssm-document-updatemethod

kyle-kluever avatar Jun 15 '22 16:06 kyle-kluever

I can confirm that using updateMethod: 'NewVersion' worked for me with the SSM-SessionManagerRunShell document that used to fail with posted error.

damonmaria avatar Jun 19 '22 02:06 damonmaria

Yep, looking very nice. I just migrated 97 of our documents to the updated AWS::SSM::Document and tested document updates. Looking good. 👍🏼 I'm going to deprecate my custom CDK construct now.

udondan avatar Jun 29 '22 13:06 udondan

Yep, looking very nice. I just migrated 97 of our documents to the updated AWS::SSM::Document and tested document updates. Looking good. 👍🏼 I'm going to deprecate my custom CDK construct now.

I just finished converting documents to AWS::SSM::Document this morning and retired the custom resource I wrote for this. 👍

kyle-kluever avatar Jun 29 '22 13:06 kyle-kluever

Nice! I guess this ticket should be closed and go to Shipped?

tdmalone avatar Sep 30 '22 07:09 tdmalone

this appears to be resolved! if it's not the case, please re-open this with more details

TheDanBlanco avatar Nov 16 '23 18:11 TheDanBlanco