
(Execution Timeout) Boto3 register_task_with_maintenance_window


I am currently using an AWS Lambda to initiate a maintenance window, but have found that the Execution Timeout is set by default to 3600 (1 hour); when this is used on a larger scale, 1 hour tends to drag on a bit. I attempted to lower the timeout to 900 (15 mins), but although executionTimeout: ["900"] is accepted when I run the Lambda, the maintenance window is created and I get this error in the execution tasks: FAILED: "The specified parameters are incomplete or invalid."

Here is the snippet of code I am attempting:

    reg_taskmw_res = ssm_client.register_task_with_maintenance_window(
        WindowId=window_id,
        Targets=[
            {
                'Key': 'WindowTargetIds',
                'Values': [
                    reg_targetmw_res['WindowTargetId']
                ]
            },
        ],
        TaskArn='AWS-RunPatchBaseline',
        TaskType='RUN_COMMAND',
        TaskInvocationParameters={
            'RunCommand': {
                'DocumentHash': DocHash,
                'DocumentHashType': 'Sha256',
                'Parameters': {
                    'Operation': ['Scan'],
                    'executionTimeout': ['900']
                },
                'TimeoutSeconds': 60
            },
        },
        Priority=123,
        MaxConcurrency='3',
        MaxErrors='3'
    )

If I don't use the executionTimeout, the maintenance window works, but with a 3600 timeout. I have tried multiple ways of doing this and searched for ages to no avail. Thanks for all your help!


Solution

  • It turns out the built-in AWS-RunPatchBaseline document doesn't allow you to configure a custom execution timeout at this time (surprisingly). The timeout it does allow you to configure is the delivery timeout, but the execution timeout is hard coded and you can't alter it. So to use a different execution timeout, you have to make your own custom document which allows you to set this. I asked the same question to AWS support and got this answer:

    The AWS-provided AWS-RunPatchBaseline document doesn't have executionTimeout built-in as a configurable parameter, and is hardcoded with 7200 minutes:

    [AWS-RunPatchBaseline ## Line 34-37 ##]

      "action": "aws:runPowerShellScript",
      "name": "PatchWindows",
      "inputs": {
        "timeoutSeconds": 7200,

    What you can do here is create your own custom document and add the parameter yourself, which will allow you to configure an Execution Timeout in addition to the Delivery Timeout which is what the console entry is used for. To do this, you can create a new custom document based on the existing one [1], then add the following modifications:

    Insert this at line 5:

      "executionTimeout": {
        "type": "String",
        "default": "900",
        "description": "(Optional) The time in seconds for a command to complete before it is considered to have failed. Default is 900 (15 mins). Maximum is 172800 (48 hours).",
        "allowedPattern": "([1-9][0-9]{0,4})|(1[0-6][0-9]{4})|(17[0-1][0-9]{3})|(172[0-7][0-9]{2})|(172800)"
      },
    

    Replace the timeoutSeconds input:

    Existing:

      "action": "aws:runPowerShellScript",
      "name": "PatchWindows",
      "inputs": {
        "timeoutSeconds": 7200,
    

    New:

      "action": "aws:runPowerShellScript",
      "name": "PatchWindows",
      "inputs": {
        "timeoutSeconds": "{{executionTimeout}}",
    

    I tested this and it accepts the executionTimeout parameter. I hope this helps!

    References: [1] Copy a Document - https://docs.aws.amazon.com/systems-manager/latest/userguide/copy-document.html
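
The two document edits described in the answer can be scripted instead of made by hand. The following is an added example, not part of the original answer or AWS's own code: `SAMPLE_DOC` is a constructed, trimmed stand-in for the real document content, the function names are hypothetical, and the check assumes SSM requires the whole value to match `allowedPattern`.

```python
import copy
import json
import re

# Parameter definition from the answer above (description shortened).
EXECUTION_TIMEOUT_PARAM = {
    "type": "String",
    "default": "900",
    "description": "(Optional) Seconds before the command is considered failed.",
    "allowedPattern": "([1-9][0-9]{0,4})|(1[0-6][0-9]{4})|(17[0-1][0-9]{3})"
                      "|(172[0-7][0-9]{2})|(172800)",
}

# Constructed, heavily trimmed stand-in for the document. The real content would
# come from ssm_client.get_document(Name="AWS-RunPatchBaseline")["Content"].
SAMPLE_DOC = {
    "schemaVersion": "2.2",
    "parameters": {"Operation": {"type": "String"}},
    "mainSteps": [{
        "action": "aws:runPowerShellScript",
        "name": "PatchWindows",
        "inputs": {"timeoutSeconds": 7200, "runCommand": ["..."]},
    }],
}


def add_execution_timeout(doc, step_name="PatchWindows"):
    """Return a copy of doc with both edits from the answer applied."""
    patched = copy.deepcopy(doc)
    patched.setdefault("parameters", {})["executionTimeout"] = dict(EXECUTION_TIMEOUT_PARAM)
    steps = [s for s in patched.get("mainSteps", []) if s.get("name") == step_name]
    if not steps:
        raise ValueError(f"step {step_name!r} not found in document")
    for step in steps:
        # Replace the hard-coded value with a reference to the new parameter.
        step["inputs"]["timeoutSeconds"] = "{{executionTimeout}}"
    return patched


def timeout_is_allowed(value):
    """Pre-check a timeout string against allowedPattern (assumed full match)."""
    return re.fullmatch(EXECUTION_TIMEOUT_PARAM["allowedPattern"], value) is not None


if __name__ == "__main__":
    # The printed JSON is what would be passed as Content to
    # ssm_client.create_document(..., DocumentType="Command", DocumentFormat="JSON").
    print(json.dumps(add_execution_timeout(SAMPLE_DOC), indent=2))
    print(timeout_is_allowed("900"), timeout_is_allowed("172801"))
```

The maintenance window task would then reference the custom document's name in `TaskArn` instead of `AWS-RunPatchBaseline`.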