aws_ssm_association Resource
Use the aws_ssm_association InSpec audit resource to test properties of an SSM association.
For additional information, including details on parameters and properties, see the AWS documentation on SSM Associations.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
An aws_ssm_association resource block uses the parameter to select an SSM association.
describe aws_ssm_association(association_id: 'association-id-1234') do
it { should exist }
end
describe aws_ssm_association(name: 'document-name', instance_id: 'instance-id') do
it { should exist }
end
Parameters
association_id OR name AND instance_id (name and instance_id are required together)
This resource accepts either the association_id, or the document name together with the instance id. If association_id is not used, name and instance_id must both be provided as parameters. The parameter can be passed either as a string or as an association_id: 'value' key-value entry in a hash.
Properties
name
- The name of the Systems Manager document.
instance_id
- Provides the id of the instance.
association_version
- Provides the version of the association.
date
- The date when the association was made.
last_update_association_date
- The date when the association was last updated.
status
- The association status.
overview
- Provides information about the association.
document_version
- Provides the document version used in the association.
automation_target_parameter_name
- Specify the target for the association. This target is required for associations that use an Automation document and target resources by using rate controls.
parameters
- A description of the parameters for a document.
association_id
- Provides the ID of the association.
targets
- Provides the instances targeted by the request to create an association.
schedule_expression
- A cron expression that specifies a schedule when the association runs.
output_location
- An S3 bucket where you want to store the output details of the request.
last_execution_date
- The date on which the association was last run.
last_successful_execution_date
- The last date on which the association was successfully run.
association_name
- Provides the name of the association.
max_errors
- The number of errors that are allowed before the system stops sending requests to run the association on additional targets.
max_concurrency
- The maximum number of targets allowed to run the association at the same time.
compliance_severity
- The severity level that is assigned to the association.
sync_compliance
- The mode for generating association compliance. You can specify AUTO or MANUAL.
apply_only_at_cron_interval
- By default, when you create a new association, the system runs it immediately after it is created and then according to the schedule you specified. Specify this option if you don’t want an association to run immediately after you create it.
For a comprehensive list of available properties, see the API reference documentation.
Examples
Check the name of an SSM association.
describe aws_ssm_association(association_id: 'association-id-1234') do
its('name') { should eq 'association-name-1234' }
end
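To show which of the properties listed above are worth asserting in a hardening control, here is an added plain-Ruby check (not part of the InSpec AWS resource pack) that evaluates a constructed association record the way its('property') expectations would; the equivalent InSpec control is given in the trailing comment. The sample record, bucket name and thresholds are assumptions for illustration.

```ruby
# Added example: plain-Ruby evaluation of the expectations an InSpec control
# would express against aws_ssm_association properties. The record below is
# constructed to mirror the resource's properties; it is not a real
# DescribeAssociation response.
SAMPLE_ASSOCIATION = {
  association_id: 'association-id-1234',
  name: 'AWS-RunPatchBaseline',
  association_name: 'nightly-patching',
  schedule_expression: 'cron(0 0 2 ? * SUN *)',
  compliance_severity: 'CRITICAL',
  sync_compliance: 'AUTO',
  max_concurrency: '10%',
  max_errors: '5%',
  output_location: { s3_location: { output_s3_bucket_name: 'ssm-output-logs' } },
  status: { name: 'Success' }
}.freeze

# SSM schedules are either cron(...) or rate(...) expressions.
def valid_schedule?(expr)
  expr.to_s.match?(/\A(cron|rate)\(.+\)\z/)
end

# max_concurrency / max_errors accept an absolute count ('5') or a percentage ('10%').
def rate_control?(value)
  value.to_s.match?(/\A\d+%?\z/)
end

# Returns the list of failed expectations (empty when the association passes).
def association_findings(assoc)
  findings = []
  findings << 'schedule_expression is not cron()/rate()' unless valid_schedule?(assoc[:schedule_expression])
  severity = assoc[:compliance_severity].to_s
  findings << 'compliance_severity is UNSPECIFIED' if severity.empty? || severity == 'UNSPECIFIED'
  findings << 'sync_compliance is not AUTO' unless assoc[:sync_compliance] == 'AUTO'
  findings << 'max_concurrency missing or malformed' unless rate_control?(assoc[:max_concurrency])
  findings << 'max_errors missing or malformed' unless rate_control?(assoc[:max_errors])
  bucket = assoc.dig(:output_location, :s3_location, :output_s3_bucket_name)
  findings << 'output_location has no S3 bucket' if bucket.nil? || bucket.empty?
  findings
end

# Equivalent InSpec control (runs only inside a profile using the AWS resource pack):
# describe aws_ssm_association(association_id: 'association-id-1234') do
#   it { should exist }
#   its('schedule_expression') { should match(/\A(cron|rate)\(/) }
#   its('compliance_severity') { should_not eq 'UNSPECIFIED' }
#   its('sync_compliance') { should eq 'AUTO' }
#   its('max_concurrency') { should_not be_nil }
# end
```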
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not to test that the entity should not exist.
describe aws_ssm_association(association_id: 'association-id-1234') do
it { should exist }
end
describe aws_ssm_association(association_id: 'association-id-6789') do
it { should_not exist }
end
AWS Permissions
Your Principal will need the SSM:Client:DescribeAssociationResult action with Effect set to Allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon Systems Manager.