Modify SSM Document using CDK

Question

I want to share the ssm document with another account via CDK lib.
I am able to do the same via console and aws-cli.
below is the command for aws-cli2
aws ssm --profile=dsc-dev modify-document-permission \
    --name  'myRunbookCDK' \
    --permission-type Share \
    --account-ids-to-add '111111111111'
But there seems to be nothing similar in CDK . could you pls confirm if we can achieve the same via CDK and how?

Answer

Hello! I understand that you'd like to modify the permissions of the AWS Systems Manager document created using CDK. CDK uses AWS CloudFormation to provision the resources defined in code. Currently, when a SSM document is defined using the CfnDocument construct the resource is provisioned using the AWS::SSM::Document resource type. Currently, this resource type doesn't support updating the permissions of a document. As a result, modifying permissions of a document is not supported via CDK.

That being said, I have created a feature request for supporting permission management via the AWS::SSM:Document resource type. This request can be tracked here.

In the meantime, it is possible to leverage CustomResources construct to perform the ModifyDocumentPermission API call and manage permissions for the SSM document via the same CDK application. An example for using custom-resources is available here.

Please let us know if you have any questions.

That being said, I have created a feature request for supporting permission management via the [AWS::SSM:Document](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html) resource type. This request can be tracked [here](https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1217).

In the meantime, it is possible to leverage [CustomResources](https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_custom-resources.AwsCustomResource.html) construct to perform the [ModifyDocumentPermission](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_ModifyDocumentPermission.html) API call and manage permissions for the SSM document via the same CDK application. An example for using custom-resources is available [here](https://github.com/aws-samples/aws-cdk-examples/tree/master/typescript/custom-resource-provider).

Please let us know if you have any questions.

Modify SSM Document using CDK

관련 콘텐츠