Tags: amazon-web-services, powershell, aws-ssm

AWS Systems Manager is not resolving Automation Variable


I have a simple AWS Systems Manager Automation that is designed to rotate the local Windows password for systems located at externalized sites. During Step 7 of the automation, AWS calls and executes a PowerShell command document that validates the rotated password and outputs a string value of either True or False in JSON format. This string value is then passed back into the automation and sent to CloudWatch.

I am having an issue where the True or False value passed into the automation in Step 7 via the validPassword variable is not getting resolved when passed into Step 8. Instead, only the Automation variable identifier is passed ({{CheckNewPassword.validPassword}}).

Does anyone know why this is happening? I assume it has something to do with the command document not producing output in a format that Systems Manager likes.

Any assistance would be appreciated.

Step 7 Output

{
  "validPassword": "True"
}
{"Status":"Success","ResponseCode":0,"Output":"{

    \"validPassword\":  \"True\"

}

","CommandId":"6419ba15-b0f3-4af4-86a2-c4693639fc9e"}

Step 8 Input Passed from Step 7

{"passwordValid":"{{CheckNewPassword.validPassword}}","siteCode":"LBZ1-20","num_failedValidation":1}

AWS Automation Document -- Step 7 and 8


  - name: CheckNewPassword
    action: 'aws:runCommand'
    inputs:
      DocumentName: SPIN_CheckPass
      InstanceIds:
        - '{{nodeID}}'
      Parameters:
        password:
          - '{{GenerateNewPassword.newPassword}}'
    outputs:
      - Name: validPassword
        Selector: validPassword
        Type: String
      - Name: dataType
        Selector: dataType
        Type: String
  - name: RecordPasswordStatus
    action: 'aws:invokeLambdaFunction'
    inputs:
      InvocationType: RequestResponse
      FunctionName: SPIN-CheckPassMetric
      InputPayload:
        passwordValid: '{{CheckNewPassword.validPassword}}'
        siteCode: '{{siteCode}}'
        num_failedValidation: 1

AWS Command Document (SPIN_CheckPass)

{
  "schemaVersion": "2.2",
  "description": "Check Rotated Password",
  "parameters": {
    "password": {
      "type": "String",
      "description": "The new password used in the password rotation."
    }
  },
  "mainSteps": [
    {
      "action": "aws:runPowerShellScript",
      "name": "rotatePassword",
      "inputs": {
        "runCommand": [
          "function checkPass {",
          "    param (",
          "    $password",
          "    )",
          "    $username = 'admin'",
          "    $password = $password",
          "    $computer = $env:COMPUTERNAME",
          "    Add-Type -AssemblyName System.DirectoryServices.AccountManagement",
          "    $obj = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine',$computer)",
          "    [String] $result = $obj.ValidateCredentials($username, $password)",
          "",
          "    $json = ",
          "        @{",
          "            validPassword = $result",
          "        } | ConvertTo-Json",
          "",
          "return $json",
          "}",
          "checkPass('{{password}}')"
        ],
        "runAsElevated": true
      }
    }
  ]
}

I've tried changing the data type of the validPassword variable to a bool, and I've tried changing the format of the command document from JSON to YAML, neither of which has worked.

I've also attempted to capture another output element from the command document into a variable, which also results in the variable name not resolving in inputs for subsequent steps.
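Two checks worth having around these two steps, shown here as an added Python example (not code from the question, from AWS, or from the SPIN-CheckPassMetric function): decoding the aws:runCommand result, whose Output field is itself a JSON string that must be parsed a second time, and having the downstream Lambda reject an unresolved {{...}} placeholder instead of silently recording it as a metric. The handler logic and the sample values are assumptions.

```python
import json
import re

# Constructed sample of the aws:runCommand step result from the question: the
# "Output" field is a string that itself holds the JSON the PowerShell script printed.
STEP7_RESULT = json.dumps({
    "Status": "Success",
    "ResponseCode": 0,
    "Output": '{\n\n    "validPassword":  "True"\n\n}\n\n',
    "CommandId": "00000000-0000-0000-0000-000000000000",  # placeholder id
})

# An unresolved Automation reference looks like {{StepName.OutputName}}.
UNRESOLVED = re.compile(r"^\{\{\s*[\w.]+\s*\}\}$")


def extract_command_output(step_result, key):
    """Decode the runCommand envelope, then the JSON inside its 'Output' string."""
    envelope = json.loads(step_result)
    if envelope.get("Status") != "Success":
        raise ValueError(f"command did not succeed: {envelope.get('Status')}")
    return json.loads(envelope["Output"])[key]


def coerce_bool(value):
    """Map the PowerShell [String] 'True'/'False' to a bool; reject placeholders and junk."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        text = value.strip()
        if UNRESOLVED.match(text):
            raise ValueError(f"unresolved Automation variable: {text}")
        if text.lower() in ("true", "false"):
            return text.lower() == "true"
    raise ValueError(f"not a boolean: {value!r}")


def validate_step8_payload(payload):
    """Check the InputPayload before a metric is recorded from it (assumed Lambda logic)."""
    return {
        "siteCode": payload["siteCode"],
        "passwordValid": coerce_bool(payload["passwordValid"]),
        "num_failedValidation": int(payload["num_failedValidation"]),
    }


def lambda_handler(event, context=None):
    """Hypothetical SPIN-CheckPassMetric entry point: refuse to record an unresolved value."""
    try:
        return {"recorded": True, "metric": validate_step8_payload(event)}
    except (KeyError, ValueError) as exc:
        return {"recorded": False, "error": str(exc)}
```

With the unresolved payload from Step 8 above, the handler returns `recorded: False` and an error naming the placeholder, which is what you want an alarm on rather than a metric point.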


Solution

  • AWS Support confirmed that this is a bug they are now tracking.