AWS Systems Manager includes several powerful features which can help you manage fleets of Amazon EC2 instances. In this chapter, we’ll take a look at AWS Systems Manager Run Command, Automation, and State Manager which are all built upon an common object known as Systems Manager (SSM) documents. Since SSM documents are a common thread between all these features, it makes sense to dive into them first. So we’ll look at what documents are and how to work with them, and then we’ll see how they are used with Run Command, Automation, and State Manager.
Finally, we’ll end the chapter with an exercise that shows you how to start an automation that builds an updated Windows AMI.
Note
The previous chapter covered AWS Systems Manager basics which also included an important prerequisite, the IAM instance profile. By default, AWS Systems Manager isn’t able to do anything with your EC2 Instances, so to enable connectivity between the AWS Systems Manager and the Amazon SSM Agent on your EC2 instances, you’ll need that IAM instance profile discussed in the previous chapter, with the correct IAM role attached.
AWS Systems Manager (SSM) Documents
Before we dive into Run Command, Automation, and State Manager, let’s go over AWS Systems Manager (SSM) documents. SSM documents are a JSON based object used by the various features within AWS Systems Manager and define how actions are performed by Systems Manager.
There are a good number of predefined documents provided by Amazon which can help you manage your fleet of Amazon EC2 instances and perform all sorts of activities. SSM documents also have the ability to use parameters which allow you to pass configuration settings at runtime. Let’s talk about the different document types and then look at how to work with these documents using either the AWS Systems Manager Console or PowerShell.
SSM Document Types
SSM documents come in a few different types which correspond to specific Systems Manager features. Document types can include command documents, policy documents, and automation documents which we’ll be learning about later in this chapter.
A printed list of document types might never be up to date since Systems Manager, like many AWS Services, grows and has new feature added. These features might introduce new document types or use existing ones. As new features are added, you can always take a look at the “AWS Systems Manager User Guide” https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs.html which gives you information on the various document types.
Command Documents
Command documents define the commands that the SSM Agent should run on a targeted instance. Both Run Command and State Manager use these types of documents. The command document AWS-RunPowerShellScript, for example, allows you to execute PowerShell commands on one or more instances in your fleet.
Policy Documents
Policy documents are used by State Manager to enforce policies on your targeted instances. A policy is basically a configuration that you define, and Systems Manager makes sure that your instances match that configuration. An example use of policy documents would be to configure newly launched instances to match a standard configuration, optimize instances in an Auto Scaling group with a certain configuration, or even join Windows instances to a domain.
Automation Documents
Automation documents are used by Systems Manager Automation, a feature that you can use to automate systems management workflows. One popular use of Systems Manager Automation is to create custom AMIs by defining steps that can launch the latest Windows AMI from Amazon, add your custom software to it, update it, and then create a new AMI from that updated instance.
Working with Documents in the AWS Systems Manager Console
We can see that the Content tab shows us a document version (not to be confused with the schema version), along with a blob of JSON.
The JSON content defines parameters and actions for the document and include a schema version. This schema version is important since the document schema might change with newer versions of Systems Manager to support new features. So if you’re looking at two documents and notice the formats are different, look at the document type and the schema version.
AWS Systems Manager Document Schema Versions
Document Type | Uses Schema Versions |
---|---|
Command | 1.2, 2.0, 2.2 |
Automation | 0.3 |
Policy | 2.0 |
Each schema version may have a different structure, support different features, and may use different section names in the content. You can read more about these document schemas and their features on the “AWS Systems Manager User Guide” https://docs.aws.amazon.com/systems-manager/latest/userguide/document-schemas-features.html .
Working with Documents Using PowerShell
While the AWS Systems Manager Console provides a rich GUI interface to browse and work with documents, often we’ll want a programmatic way to automate our work with PowerShell scripts.
Listing SSM Documents
Listing SSM Documents with Document Filters
Getting an SSM Document Object
Creating a New SSM Document
Run Command
Run Command is one of the oldest and original AWS Systems Manager features. It’s both powerful and secure, giving you the ability to run commands on your Amazon EC2 Instances and on-premises computers. A Run command document simply includes the details and instructions needed for the Amazon SSM Agent to perform actions on your behalf. As we’ll learn later, Automation, State Manager, and other Systems Manager features build upon Run Command as a foundation. You’ll find there are many documents predefined and published by Amazon. We also saw how you can create your own documents to meet your specific needs. You might want to use Run Command to enable server roles, install applications, perform routine maintenance, or even troubleshoot issues.
Note
The following sections require your EC2 Windows Instance have an IAM instance profile with the appropriate roles and trust in order for AWS Systems Manager to function. If you skipped the previous chapters on IAM and Systems Manager Basics, it might be a good idea to go back and review those. Without the IAM instance profile, the Amazon SSM Agent on your EC2 instances won’t be able to communicate with the backend services.
Run Command Using the AWS Systems Manager Console
This is where we define which instances (or targets) we want to run the command on. We can use two methods for selecting targets. We can use a tag, and any instances with that tag will be selected, or we can manually choose manually using instance ID, activation ID, Amazon SSM Agent version, IAM role name, platform, or even resource type.
In the other parameters section, we can optionally enter a comment or set the timeout for the command. We’ll also find a rate control section, which gives us options to limit the number of concurrent targets (this is useful if we are to throttle our command and have only a few run the command at a time). Error threshold also gives us the ability to stop running the command if we get a set number of errors (or percentage).
From here, we also get output options which can enable writing command output to an S3 bucket, CloudWatch Logs, and even trigger an SNS notification that we can use to kick off other workflows or connect to other AWS services.
Finally, there’s a Run button at the bottom of the page that runs the command. Once running, we can view the status of the command from the console, and eventually when it’s done running, we can look at the output.
Run Command Using PowerShell
Since this is a PowerShell book, let’s take a deeper look at how we can use Run Command from our PowerShell scripts. There’s one particular command document that we should look at, and that’s AWS-RunPowerShellScript. As the name implies, this document lets you run PowerShell scripts on your target instances. If you want to run shell commands on Linux, there’s a document for that too!
Now we can run this command document using the console just as we learned a little bit ago, but let’s look at how we can run it using PowerShell.
We can see that the only required parameter is the one named commands. This is a string list (or array) of PowerShell commands. There are also two optional parameters, workingDirectory and executionTimeout. Working directory is simply the path to a working directory on your instance. So if you want your script to start in a specific directory, you will set that here. Execution timeout has a default value of 1 hour, which means if your script is going to run longer than an hour, you’ll need to set this accordingly; otherwise, execution of the command might timeout. The maximum timeout you can set is 48 hours.
Sending an SSM Command
Now, let’s send an SSM command that tells the Amazon SSM Agent to run some PowerShell script using, you guessed it, the AWS-RunPowerShellScript document.
Handling Run Command Output
If output is longer than 2500 characters, it’ll be truncated. You’ll know it was truncated because Systems Manager adds ---Output truncated--- as the last entry in the output to let you know. You can get the full output in a couple of ways, either by using an S3 bucket or with CloudWatch Logs. Both of these methods require that your IAM instance profile have the appropriate access roles to allow writing to the S3 bucket or CloudWatch Logs depending on which you choose to use.
Sending Output to an S3 Bucket
Sending Output to CloudWatch Logs
AWS Systems Manager Automation
AWS Systems Manager Automation executes automation workflows that string together actions to perform a more complex task. Automation uses SSM Documents much like Run Command, and those documents can perform a wide variety of activities such as creating a new instance, stopping that instance, updating it with the latest drivers or patches, and then creating an AMI from that newly updated instance.
User Access to Automation
If you are using an IAM user account, group, or role with administrator permissions, then you should be able to use the Automation service without any access issues; otherwise, you’ll need to grant your account, group, or role access to the Automation service. You can grant access using an AWS managed policy named AmazonSSMFullAccess.
Automation Roles
Much like Run Command, Automation needs an instance profile for any instances that you are launching or targeting with an Automation. Creating that instance profile is covered in the previous chapter under prerequisites. Remember, if you’re using CloudWatch, SNS, or other AWS services with Automation, you’ll also need to grant your instance profile access to those services. The “AWS Systems Manager User Guide” also contains information on how to configure those needed roles and even provides a CloudFormation template to get you started. See “Configuring Access for Systems Manager Automation” at https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup-user.html .
Listing Automation Documents
To see the details for each document, look at “Systems Manager Automation Documents Reference” located within the “Systems Manager User Guide” https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents-reference-details.html .
Starting an Automation Execution
Creates a CloudFormation Stack
Changes the Instances State to stopped
Invokes a Lambda function that changes the Instance Size
Changes the Instance State to Running
Deletes the CloudFormation Stack
See the “Systems Manager User Guide” for details on each automation document; for example, the details on AWS-ResizeInstance can be found at https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-aws-resizeinstance.html .
Getting Automation Execution Status
AWS Systems Manager State Manager
Managing a fleet of instances, whether they are in the cloud or on-premises can be challenging. State Manager can help you define policies and enforce those policies to ensure your systems remain in the state you desire. Remember those documents we were talking about? Well State Manager allows you to associate those documents with your instances. You can add a schedule to do things like keep software up to date or perform some routine maintenance task.
Creating an Association
Cron Expression Values for Systems Manager
Field | Wildcards | Possible Values |
---|---|---|
Minutes | , - * / | 0–59 |
Hours | , - * / | 0–23 |
Day of the Month | , - * ? / L W | 1–31 |
Month | , - * / | 1–12 or JAN–DEC |
Day of the Week | , - * ? / L | 1–7 or SUN–SAT |
Year | , - * / | 1970–2199 |
Cron Field Positions for Systems Manager
Minutes | Hours | Day of the Month | Month | Day of the Week | Year |
---|---|---|---|---|---|
* | * | * | * | * | * |
Cron Examples for Systems Manager
Expression | Meaning |
---|---|
cron(0/15 * * * ? *) | Every 15 minutes |
cron(0/30 * * * ? *) | Every 30 minutes |
cron(0 0/1 * * ? *) | Every hour |
cron(30 5 ? * * *) | Every day at 5:30 a.m. |
Rate Examples for Systems Manager
Expression | Meaning |
---|---|
rate(30 minutes) | Every 30 minutes |
rate(1 hour) | Every hour |
rate(14 days) | Every 14 days |
To learn more about “Cron and Rate Expressions for Systems Manager,” check out the user guide at https://docs.aws.amazon.com/systems-manager/latest/userguide/reference-cron-and-rate-expressions.html .
Exercise 16.1: Build a Windows AMI Using Automation
Amazon provides a great number of Windows AMIs that are maintained monthly and kept up to date. There are cases where you may want to build your own customized AMI and keep it up to date with the latest patches and AWS software. In this exercise, we are going to use AWS Systems Manager Automation to take an AMI as input and build us a new AMI.
Create an IAM Instance Profile
We’ll create an IAM instance profile. If you already have one created, feel free to skip this and substitute your instance profile throughout the exercise.
Finding the Latest Windows Server 2019 AMI
Configure the Automation Document Parameters
Kick Off the Automation Document
When our automation is complete, we’ll find a new AMI that has been created which contains the latest AWS Drivers and Software, along with the latest Microsoft Updates.
Summary
In this chapter, we learned about SSM documents and how they are used with AWS Systems Manager Run Command, Automation, and State Manager. We went through the steps of taking an AMI and running it through an automation workflow that updated the operating system and AWS software. In the next chapter, we’ll wrap up our look at AWS Systems Managers with some of the remaining features we haven’t covered yet including Patch Manager.