terraform ssm association issue

[hashibot]

This issue was originally opened by @fdavier as hashicorp/terraform#16988. It was migrated here as a result of the provider split. The original body of the issue is below.

---

Terraform Version

v0.11.1

Terraform Configuration Files

I added "aws_ssm_document" and "aws_ssm_association" after existing instance ressource:
My hope is to be able to launch commands to update/install additional features some linux instances after their creation

resource "aws_instance" "gw0" {
  ami = "ami-d33ecdab"
  key_name = "infav10-devHub"
  instance_type = "m4.large"
  subnet_id = "${aws_subnet.public0.id}"
  associate_public_ip_address = true
  vpc_security_group_ids = ["${aws_security_group.gtw_security_group.id}"]
  private_ip = "10.0.2.11"

  root_block_device {
   volume_type = "gp2"
  }
  
  tags {
    Name = "${var.prefix_tag}-Gateway-0"
  }
      iam_instance_profile = "${aws_iam_instance_profile.gw-instance-profile.name}"
}
resource "aws_eip" "gw0" {
  vpc = true
  instance = "${aws_instance.gw0.id}"
  associate_with_private_ip = "10.0.2.11"
}

resource "aws_ssm_document" "gw_document" {
  name          = "gw_document"
  document_type = "Command"

  content = <<DOC
 {
   "schemaVersion":"2.0",
   "description":"Sample document",
   "mainSteps":[
      {
         "action":"aws:runPowerShellScript",
         "name":"runPowerShellScript",
         "inputs":{
            "runCommand":[
               "hostname"
            ]
         }
      }
   ]
}
DOC
}

resource "aws_ssm_association" "gw0" {
  name        = "gw_document"
  instance_id = "${aws_instance.gw0.id}"
}

Debug Output

2017-12-26T09:43:38.674+0100 [DEBUG] plugin.terraform.exe: local-exec-provisione
r (internal) 2017/12/26 09:43:38 [DEBUG] plugin: waiting for all plugin processe
s to complete...
Error: Error applying plan:

1 error(s) occurred:

* aws_ssm_association.gw0: 1 error(s) occurred:

* aws_ssm_associati2017-12-26T09:43:38.701+0100 [DEBUG] plugin: plugin process e
xited: path=C:\tools\terraform\infa-hub\.terraform\plugins\windows_amd64\terrafo
rm-provider-aws_v0.1.4_x4.exe
on.gw0: [ERROR] Error c2017/12/26 09:43:38 [ERR] yamux: Failed to read stream da
ta: read tcp 127.0.0.1:54622->127.0.0.1:10000: wsarecv: Une connexion existante
a dû être fermée par l'hôte distant.
reat2017/12/26 09:43:38 [ERR] yamux: Failed to write header: write tcp 127.0.0.1
:54622->127.0.0.1:10000: use of closed network connection
2017-12-26T09:43:38.704+0100 [WARN ] plugin: error closing client during Kill: e
rr="unexpected EOF"
ing2017-12-26T09:43:38.705+0100 [DEBUG] plugin: plugin process exited: path=C:\t
ools\terraform\terraform.exe
 SSM association: InvalidDocument: Document schema version, 2.0, is not supporte
d by association that is created with instance id
        status code: 400, request id: ddef467a-ea18-11e7-988e-75f688c18213

Expected Behavior

expect that Association is done and 'hostname' command executed on existing ec2 linux instance

Actual Behavior

Don't execute, see crash output, ssm association don't work

Steps to Reproduce

Please list the full steps required to reproduce the issue, for example:

1. terraform init
2. terraform plan
3. terraform apply

Important Factoids

References

[mjseid]

Same issue here: works if I try to attach a document with schema 1.2, but fails for schema 2.0 or 2.2

I was able to work around this by using "targets" to specify instance-id vs using the instance parameter directly.

[bflad]

This error is being returned from the SSM API: InvalidDocument: Document schema version, 2.0, is not supported by association that is created with instance id

Does it work with targets on schema version 2.0 or 2.2? e.g.

resource "aws_ssm_association" "example" {
  # ... other configuration ...
  targets {
    key    = "InstanceIds"
    values = "${aws_instance.example.id}"
  }
}

[mjseid]

Yep, that way works with the newer schema versions.

If we could update the docs to note the instance-id parameter doesn't work for newer schema's that should help others from hitting the same issue.

[bflad]

Thanks for the quick reply @mjseid -- submitted #4328 to update the resource documentation and example.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!