Search code examples
amazon-web-servicesamazon-cloudwatchssmamazon-systems-manageramazon-cloudwatch-events

CloudWatch Events Rule not finding EC2 targets using tags


I have a CloudWatch Event Rule that will trigger an SSM Run Command Document. The targets will be identified using tags. My resources are defined according to the following CloudFormation template:

SSMRunCommandDocument:
  Type: AWS::SSM::Document
  Properties:
    DocumentType: 'Command'
    Content:
      schemaVersion: '2.2'
      description: "Some description"
      mainSteps:
        - action: "aws:runShellScript"
          name: runShellScript
          inputs:
            runCommand:
              - !Sub |
                  #!/bin/bash -e
                  echo "Hello StackOverflow!" > test.log
    Tags:
      - Key: Name
        Value: EC2Name
      - Key: Environment
        Value: DEV
CloudWatchEventRule:
  Type: AWS::Events::Rule
  Properties:
    Description: "The ARN from the eventbridge role resource"
    EventPattern: 
      source:
        - "aws.autoscaling"
      detail-type:
        - "EC2 Instance-terminate Lifecycle Action"
      detail:
        AutoScalingGroupName:
          - !Ref 'MyAutoScalingGroup'
    State: "ENABLED"
    Targets:
      - Id: "Some target ID."
        Arn: !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:document/${SSMRunCommandDocument}"
        RoleArn: "The ARN from the eventbridge role resource"
        RunCommandParameters:
          RunCommandTargets:
            - Key: "tag: Name"
              Values:
                - EC2Name
            - Key: "tag: Environment"
              Values:
                - DEV

And I have the following role, from which the ARN is used in the CloudFormation template above:

AutoScalingLifecycleHookEventRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: ''
          Effect: Allow
          Principal:
            Service:
              - events.amazonaws.com
          Action: 'sts:AssumeRole'
    Description: "The role that will be used by AWS EventBridge to start an SSM Run Command document."
AutoScalingLifecycleHookEventManagedPolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action:
            - 'ssm:StartAutomationExecution'
          Resource:
            - "arn:*:ssm:*:*:automation-definition/AWS-RunShellScript*"
          Effect: Allow
        - Action:
            - "iam:PassRole"
          Resource:
            - "arn:*:ssm:*:*:role/*"
          Effect: Allow
        - Action:
            - 'ssm:*'
          Resource:
            - "arn:*:ssm:*:*:*"
          Effect: Allow
        - Action:
            - "ssm:SendCommand"
          Resource:
            - !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
            - !Sub "arn:aws:ssm:${AWS::Region}:*:document/*"
          Effect: Allow
    Roles:
      - !Ref AutoScalingLifecycleHookEventRole

Manually, I can trigger a RunCommand using the same tags that are specified in the CloudFormation template just fine. But when the RunCommand is triggered by an Event Rule, the history on the RunCommand page tells us that no targets were found this time:

enter image description here

What permissions or configurations am I missing?


Solution

  • It turns out that a space in the tag: tag-key field should not be there:

    RunCommandParameters:
      RunCommandTargets:
        - Key: "tag:Name"
          Values:
            - EC2Name
        - Key: "tag:Environment"
          Values:
            - DEV