AWS CloudFormation Automated Patching


Hi i have drafted the below cloudformation template and i endup with an error "template format error: Unrecognized parameter type: List AWS::EC2::i-0d2d51ddccb0a3109" kindly help me to fix the issue { "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { "InstanceIds": { "Type": "List AWS::EC2::i-0d2d51ddccb0a3109", "Description": "List of EC2 instance IDs to patch." } }, "Resources": { "PatchBaseline": { "Type": "AWS::SSM::PatchBaseline", "Properties": { "Name": "MyPatchBaseline", "OperatingSystem": "WINDOWS", "ApprovalRules": { "PatchRules": [ { "PatchFilterGroup": [ { "Key": "PRODUCT", "Values": [ "WindowsServer2019" ] } ] }, { "ApproveAfterDays": 7 }, { "ComplianceLevel": "CRITICAL" } ] }, "GlobalFilters": { "PatchFilters": [ { "Key": "PRODUCT", "Values": [ "WindowsServer2019" ] } ] }, "ApprovedPatchesEnableNonSecurity": true } }, "MaintenanceWindow": { "Type": "AWS::SSM::MaintenanceWindow", "Properties": { "Name": "MyMaintenanceWindow", "Schedule": "cron(0 2 ? * SUN *)", "Duration": 3, "Cutoff": 1, "AllowUnassociatedTargets": false } }, "MaintenanceWindowTarget": { "Type": "AWS::SSM::MaintenanceWindowTarget", "Properties": { "Name": "MyMaintenanceWindowTarget", "WindowId": { "Ref": "MaintenanceWindow" }, "ResourceType": "INSTANCE", "Targets": [ { "Key": "InstanceIds", "Values": { "Ref": "InstanceIds" } } ], "OwnerInformation": "Patch Windows instances" } }, "MaintenanceWindowTask": { "Type": "AWS::SSM::MaintenanceWindowTask", "Properties": { "Name": "MyMaintenanceWindowTask", "TaskArn": "AWS-RunPatchBaseline", "ServiceRoleArn": { "Fn::GetAtt": [ "MaintenanceWindowRole", "Arn" ] }, "TaskInvocationParameters": { "MaintenanceWindowId": { "Ref": "MaintenanceWindow" }, "TaskParameters": { "Operation": [ "Scan", "Install" ] } }, "Priority": 1, "MaxConcurrency": "1", "MaxErrors": "1", "Targets": [ { "Key": "WindowTargetIds", "Values": [ { "Ref": "MaintenanceWindowTarget" } ] } ] } }, "MaintenanceWindowRole": { "Type": "AWS::IAM::Role", "Properties": { 
"AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "Policies": [ { "PolicyName": "MaintenanceWindowPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:UpdateInstanceInformation", "ssm:ListCommands", "ssm:ListCommandInvocations", "ssm:GetCommandInvocation", "ec2messages:AcknowledgeMessage", "s3:PutObject" ], "Resource": "*" } ] } } ] } }, "PatchingLogsBucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": "my-patching-logs-bucket", "AccessControl": "Private" } }, "PatchingLogsRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "Policies": [ { "PolicyName": "PatchingLogsPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": { "Fn::Sub": "arn:aws:s3:::${PatchingLogsBucket}/*" } } ] } } ] } }, "PatchingLogsLambda": { "Type": "AWS::Lambda::Function", "Properties": { "FunctionName": "PatchingLogsFunction", "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "PatchingLogsRole", "Arn" ] }, "Runtime": "python3.8", "Code": { "S3Bucket": "your-lambda-code-bucket", "S3Key": "your-lambda-code-key.zip" }, "Environment": { "Variables": { "S3_BUCKET": { "Ref": "PatchingLogsBucket" } } } } } }, "Outputs": { "MaintenanceWindowId": { "Description": "ID of the created Maintenance Window", "Value": { "Ref": "MaintenanceWindow" } } } }

Manoj
gefragt vor 6 Monaten · 186 Aufrufe
1 Antwort

Hello.

Judging from the error message, the problem is the type of the "InstanceIds" entry in "Parameters".
As the document below explains, "List AWS::EC2::i-0d2d51ddccb0a3109" is not a valid parameter type — an actual instance ID has been written where the type name belongs. Instance IDs are supplied as the parameter's value when the stack is created, not in the template's "Type" field.
The template below uses the AWS-specific type "List<AWS::EC2::Instance::Id>", which CloudFormation validates against the instance IDs in the account; use that type string exactly as written, without changing it.
Fixing the type only clears this format error. Two further points are worth checking before deploying: the inline policy on "MaintenanceWindowRole" grants "s3:PutObject" on "Resource": "*", which lets the role write to any bucket in the account — scope it to the logs bucket the same way "PatchingLogsRole" already does — and, as far as I can tell, it also lacks "ssm:SendCommand", which a Run Command task such as AWS-RunPatchBaseline needs (the managed policy AmazonSSMMaintenanceWindowRole is the usual choice). Also, the "PatchRules" list appears to split "PatchFilterGroup", "ApproveAfterDays" and "ComplianceLevel" across three separate objects, and "PatchFilterGroup" is given as an array rather than an object containing "PatchFilters"; these belong together in a single rule object, so please verify that section against the AWS::SSM::PatchBaseline reference.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html#parameters-section-structure-properties

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Parameters": {
		"InstanceIds": {
			"Type": "List<AWS::EC2::Instance::Id>",
			"Description": "List of EC2 instance IDs to patch."
		}
	},
	"Resources": {
		"PatchBaseline": {
			"Type": "AWS::SSM::PatchBaseline",
			"Properties": {
				"Name": "MyPatchBaseline",
				"OperatingSystem": "WINDOWS",
				"ApprovalRules": {
					"PatchRules": [
						{
							"PatchFilterGroup": [
								{
									"Key": "PRODUCT",
									"Values": [
										"WindowsServer2019"
									]
								}
							]
						},
						{
							"ApproveAfterDays": 7
						},
						{
							"ComplianceLevel": "CRITICAL"
						}
					]
				},
				"GlobalFilters": {
					"PatchFilters": [
						{
							"Key": "PRODUCT",
							"Values": [
								"WindowsServer2019"
							]
						}
					]
				},
				"ApprovedPatchesEnableNonSecurity": true
			}
		},
		"MaintenanceWindow": {
			"Type": "AWS::SSM::MaintenanceWindow",
			"Properties": {
				"Name": "MyMaintenanceWindow",
				"Schedule": "cron(0 2 ? * SUN *)",
				"Duration": 3,
				"Cutoff": 1,
				"AllowUnassociatedTargets": false
			}
		},
		"MaintenanceWindowTarget": {
			"Type": "AWS::SSM::MaintenanceWindowTarget",
			"Properties": {
				"Name": "MyMaintenanceWindowTarget",
				"WindowId": {
					"Ref": "MaintenanceWindow"
				},
				"ResourceType": "INSTANCE",
				"Targets": [
					{
						"Key": "InstanceIds",
						"Values": {
							"Ref": "InstanceIds"
						}
					}
				],
				"OwnerInformation": "Patch Windows instances"
			}
		},
		"MaintenanceWindowTask": {
			"Type": "AWS::SSM::MaintenanceWindowTask",
			"Properties": {
				"Name": "MyMaintenanceWindowTask",
				"TaskArn": "AWS-RunPatchBaseline",
				"ServiceRoleArn": {
					"Fn::GetAtt": [
						"MaintenanceWindowRole",
						"Arn"
					]
				},
				"TaskInvocationParameters": {
					"MaintenanceWindowId": {
						"Ref": "MaintenanceWindow"
					},
					"TaskParameters": {
						"Operation": [
							"Scan",
							"Install"
						]
					}
				},
				"Priority": 1,
				"MaxConcurrency": "1",
				"MaxErrors": "1",
				"Targets": [
					{
						"Key": "WindowTargetIds",
						"Values": [
							{
								"Ref": "MaintenanceWindowTarget"
							}
						]
					}
				]
			}
		},
		"MaintenanceWindowRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": "ssm.amazonaws.com"
							},
							"Action": "sts:AssumeRole"
						}
					]
				},
				"Policies": [
					{
						"PolicyName": "MaintenanceWindowPolicy",
						"PolicyDocument": {
							"Version": "2012-10-17",
							"Statement": [
								{
									"Effect": "Allow",
									"Action": [
										"ssm:UpdateInstanceInformation",
										"ssm:ListCommands",
										"ssm:ListCommandInvocations",
										"ssm:GetCommandInvocation",
										"ec2messages:AcknowledgeMessage",
										"s3:PutObject"
									],
									"Resource": "*"
								}
							]
						}
					}
				]
			}
		},
		"PatchingLogsBucket": {
			"Type": "AWS::S3::Bucket",
			"Properties": {
				"BucketName": "my-patching-logs-bucket",
				"AccessControl": "Private"
			}
		},
		"PatchingLogsRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": "lambda.amazonaws.com"
							},
							"Action": "sts:AssumeRole"
						}
					]
				},
				"Policies": [
					{
						"PolicyName": "PatchingLogsPolicy",
						"PolicyDocument": {
							"Version": "2012-10-17",
							"Statement": [
								{
									"Effect": "Allow",
									"Action": [
										"s3:PutObject"
									],
									"Resource": {
										"Fn::Sub": "arn:aws:s3:::${PatchingLogsBucket}/*"
									}
								}
							]
						}
					}
				]
			}
		},
		"PatchingLogsLambda": {
			"Type": "AWS::Lambda::Function",
			"Properties": {
				"FunctionName": "PatchingLogsFunction",
				"Handler": "index.handler",
				"Role": {
					"Fn::GetAtt": [
						"PatchingLogsRole",
						"Arn"
					]
				},
				"Runtime": "python3.8",
				"Code": {
					"S3Bucket": "your-lambda-code-bucket",
					"S3Key": "your-lambda-code-key.zip"
				},
				"Environment": {
					"Variables": {
						"S3_BUCKET": {
							"Ref": "PatchingLogsBucket"
						}
					}
				}
			}
		}
	},
	"Outputs": {
		"MaintenanceWindowId": {
			"Description": "ID of the created Maintenance Window",
			"Value": {
				"Ref": "MaintenanceWindow"
			}
		}
	}
}
beantwortet vor 6 Monaten
