amazon-web-services terraform ssm

How to create an AWS SSM Document Package using Terraform


Using Terraform, I am trying to create an AWS SSM Document Package for Chrome so I can install it on various EC2 instances I have. I define these steps via terraform:

  1. Upload a zip containing the Chrome installer plus install and uninstall PowerShell scripts.
  2. Add that ZIP to an SSM package.

However, when I execute terraform apply I receive the following error...

Error updating SSM document: InvalidParameterValueException: AttachmentSource not provided in the input request. status code: 400, request id: 8d89da70-64de-4edb-95cd-b5f52207794c

The contents of my main.tf are as follows:

# 1. Add package zip to s3
resource "aws_s3_bucket_object" "windows_chrome_executable" {
  bucket = "mybucket"
  key    = "ssm_document_packages/GoogleChromeStandaloneEnterprise64.msi.zip"
  source = "./software-packages/GoogleChromeStandaloneEnterprise64.msi.zip"

  # filemd5 hashes the file contents; md5("<path>") would hash the path string itself
  etag = filemd5("./software-packages/GoogleChromeStandaloneEnterprise64.msi.zip")
}

# 2. Create AWS SSM Document Package using zip.
resource "aws_ssm_document" "ssm_document_package_windows_chrome" {
  name          = "windows_chrome"
  document_type = "Package"

  attachments_source {
    key = "SourceUrl"
    values = ["/path/to/mybucket"]
  }

  content = <<DOC
  {
    "schemaVersion": "2.0",
    "version": "1.0.0",
    "packages": {
        "windows": {
            "_any": {
                "x86_64": {
                    "file": "GoogleChromeStandaloneEnterprise64.msi.zip"
                }
            }
        }
    },
    "files": {
        "GoogleChromeStandaloneEnterprise64.msi.zip": {
            "checksums": {
                "sha256": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            }
        }
    }
  }
DOC
}

If I change the file from a zip to a vanilla msi, I do not receive the error message; however, when I navigate to the package in the AWS console, it tells me that the install.ps1 and uninstall.ps1 files are missing (since obviously they weren't included).

Has anyone experienced the above error and do you know how to resolve it? Or does anyone have reference to a detailed example of how to do this?

Thank you.


Solution

  • I realized that in the above example there was no way Terraform could identify a dependency between the two resources, i.e. the S3 object needs to be created before the aws_ssm_document. Thus, I added the following explicit dependency inside the aws_ssm_document:

      depends_on = [
        aws_s3_bucket_object.windows_chrome_executable
      ]
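
The same ordering can be expressed implicitly by having the document reference the S3 object's attributes, shown here as an added example that is not part of the original question or answer. It reuses the question's bucket and file names, assumes the package folder is addressed with an s3:// URL, and derives the manifest checksum with filesha256 so it always matches the zip that was uploaded.

```hcl
# Added example; bucket name and paths are the ones used in the question.
locals {
  zip_name = "GoogleChromeStandaloneEnterprise64.msi.zip"
  zip_path = "./software-packages/${local.zip_name}"
  s3_dir   = "ssm_document_packages"
}

# The zip is expected to contain the MSI plus install.ps1 and uninstall.ps1.
resource "aws_s3_bucket_object" "windows_chrome_executable" {
  bucket = "mybucket"
  key    = "${local.s3_dir}/${local.zip_name}"
  source = local.zip_path
  etag   = filemd5(local.zip_path) # content hash, so a rebuilt zip is re-uploaded
}

resource "aws_ssm_document" "ssm_document_package_windows_chrome" {
  name          = "windows_chrome"
  document_type = "Package"

  attachments_source {
    key = "SourceUrl"
    # Referencing the object's attributes gives Terraform the dependency edge
    # that depends_on otherwise has to state explicitly.
    values = ["s3://${aws_s3_bucket_object.windows_chrome_executable.bucket}/${dirname(aws_s3_bucket_object.windows_chrome_executable.key)}"]
  }

  # jsonencode keeps the manifest valid JSON; filesha256 pins the checksum to
  # the local zip, so the manifest cannot drift from the uploaded artifact.
  content = jsonencode({
    schemaVersion = "2.0"
    version       = "1.0.0"
    packages = {
      windows = { "_any" = { x86_64 = { file = local.zip_name } } }
    }
    files = {
      (local.zip_name) = { checksums = { sha256 = filesha256(local.zip_path) } }
    }
  })
}
```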