---
schemaVersion: '0.3'
description: Composite document for Quick Setup Managing Instances association.
This document ensures IAM role for instance profile is created in account
with all required policies
assumeRole: "{{AutomationAssumeRole}}"
parameters:
AutomationAssumeRole:
type: String
InstanceId:
type: String
IsPolicyAttachAllowed:
type: String
ProvidedInstanceProfileName:
type: String
default: ''
mainSteps:
- name: getExistingRoleName
action: aws:executeScript
inputs:
Runtime: python3.6
Handler: getInstanceProfileName
InputPayload:
InstanceId: "{{InstanceId}}"
Script: |-
import boto3
def getInstanceProfileName(events, context):
ec2_client = boto3.client("ec2")
response = ec2_client.describe_instances(InstanceIds=[events["InstanceId"]])
if 'IamInstanceProfile' in response['Reservations'][0]['Instances'][0]:
return {'RoleName': response['Reservations'][0]['Instances'][0]['IamInstanceProfile']['Arn'].split('instance-profile/')[1]}
return {'RoleName': 'NoRoleFound'}
outputs:
- Name: existingInstanceProfileRoleName
Selector: "$.Payload.RoleName"
Type: String
nextStep: branchIfProfileExists
- name: branchIfProfileExists
action: aws:branch
inputs:
Choices:
- NextStep: checkIfProvidedInstanceProfileName
Variable: "{{getExistingRoleName.existingInstanceProfileRoleName}}"
StringEquals: NoRoleFound
Default: checkIfPolicyAttachAllowed
- name: checkIfPolicyAttachAllowed
action: aws:branch
inputs:
Choices:
- NextStep: getRoleFromInstanceProfile
Variable: "{{IsPolicyAttachAllowed}}"
StringEquals: 'true'
Default: createRoleIfNotExists
- name: getRoleFromInstanceProfile
action: aws:executeAwsApi
inputs:
Service: iam
Api: GetInstanceProfile
InstanceProfileName: "{{getExistingRoleName.existingInstanceProfileRoleName}}"
outputs:
- Name: existingRoleName
Selector: "$.InstanceProfile.Roles[0].RoleName"
Type: String
nextStep: attachAmazonSSMManagedInstanceCoreToExistingRole
- name: attachAmazonSSMManagedInstanceCoreToExistingRole
action: aws:executeAwsApi
inputs:
Service: iam
Api: AttachRolePolicy
RoleName: "{{getRoleFromInstanceProfile.existingRoleName}}"
PolicyArn: arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
nextStep: attachCloudWatchAgentServerPolicyToExistingRole
- inputs:
RoleName: "{{getRoleFromInstanceProfile.existingRoleName}}"
PolicyArn: arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
Service: iam
Api: AttachRolePolicy
name: attachCloudWatchAgentServerPolicyToExistingRole
action: aws:executeAwsApi
nextStep: attachCloudWatchConfigS3BucketPolicyToExistingRole
- inputs:
RoleName: "{{getRoleFromInstanceProfile.existingRoleName}}"
PolicyArn: <Include ARN for S3 IAM policy here>
Service: iam
Api: AttachRolePolicy
name: attachCloudWatchConfigS3BucketPolicyToExistingRole
action: aws:executeAwsApi
nextStep: attachAmazonSSMPatchAssociationToExistingRole
- name: attachAmazonSSMPatchAssociationToExistingRole
action: aws:executeAwsApi
inputs:
Service: iam
Api: AttachRolePolicy
RoleName: "{{getRoleFromInstanceProfile.existingRoleName}}"
PolicyArn: arn:aws:iam::aws:policy/AmazonSSMPatchAssociation
isEnd: true
- name: checkIfProvidedInstanceProfileName
action: aws:branch
inputs:
Choices:
- NextStep: createRoleIfNotExists
Variable: "{{ProvidedInstanceProfileName}}"
StringEquals: ''
Default: executeAttachProvidedInstanceProfileName
- name: executeAttachProvidedInstanceProfileName
action: aws:executeAutomation
maxAttempts: 20
timeoutSeconds: 2
inputs:
DocumentName: AWS-AttachIAMToInstance
RuntimeParameters:
RoleName: "{{ProvidedInstanceProfileName}}"
ForceReplace: false
AutomationAssumeRole: "{{ AutomationAssumeRole }}"
InstanceId: "{{ InstanceId }}"
isEnd: true
- name: createRoleIfNotExists
action: aws:executeAwsApi
inputs:
Service: iam
Api: CreateRole
Path: "/"
RoleName: AmazonSSMRoleForInstancesQuickSetup
AssumeRolePolicyDocument: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
Description: EC2 role for SSM for Quick-Setup
description: Create AmazonSSMRoleForInstancesQuickSetup Role For SSM Quick Setup
onFailure: Continue
nextStep: assertRoleForInstanceProfileExists
- name: assertRoleForInstanceProfileExists
action: aws:assertAwsResourceProperty
inputs:
Service: iam
Api: GetRole
PropertySelector: "$.Role.RoleName"
DesiredValues:
- AmazonSSMRoleForInstancesQuickSetup
RoleName: AmazonSSMRoleForInstancesQuickSetup
nextStep: attachAmazonSSMManagedInstanceCoreToRole
- name: attachAmazonSSMManagedInstanceCoreToRole
action: aws:executeAwsApi
inputs:
Service: iam
Api: AttachRolePolicy
RoleName: AmazonSSMRoleForInstancesQuickSetup
PolicyArn: arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
nextStep: attachCloudWatchAgentServerPolicyToRole
- inputs:
RoleName: AmazonSSMRoleForInstancesQuickSetup
PolicyArn: arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
Service: iam
Api: AttachRolePolicy
name: attachCloudWatchAgentServerPolicyToRole
action: aws:executeAwsApi
nextStep: attachCloudWatchConfigS3BucketPolicyToRole
- inputs:
RoleName: AmazonSSMRoleForInstancesQuickSetup
PolicyArn: !Ref CloudWatchConfigS3BucketPolicy
Service: iam
Api: AttachRolePolicy
name: attachCloudWatchConfigS3BucketPolicyToRole
action: aws:executeAwsApi
nextStep: attachAmazonSSMPatchAssociationToRole
- name: attachAmazonSSMPatchAssociationToRole
action: aws:executeAwsApi
inputs:
Service: iam
Api: AttachRolePolicy
RoleName: AmazonSSMRoleForInstancesQuickSetup
PolicyArn: arn:aws:iam::aws:policy/AmazonSSMPatchAssociation
nextStep: createInstanceProfileIfNotExists
- name: createInstanceProfileIfNotExists
action: aws:executeAwsApi
inputs:
InstanceProfileName: AmazonSSMRoleForInstancesQuickSetup
Service: iam
Api: CreateInstanceProfile
onFailure: Continue
nextStep: addRoleToInstanceProfile
- name: addRoleToInstanceProfile
action: aws:executeAwsApi
inputs:
InstanceProfileName: AmazonSSMRoleForInstancesQuickSetup
RoleName: AmazonSSMRoleForInstancesQuickSetup
Service: iam
Api: AddRoleToInstanceProfile
onFailure: Continue
nextStep: executeAttachIAMToInstance
- name: executeAttachIAMToInstance
action: aws:executeAutomation
maxAttempts: 20
timeoutSeconds: 2
inputs:
DocumentName: AWS-AttachIAMToInstance
RuntimeParameters:
RoleName: AmazonSSMRoleForInstancesQuickSetup
ForceReplace: false
AutomationAssumeRole: "{{ AutomationAssumeRole }}"
InstanceId: "{{ InstanceId }}"
isEnd: true