This is the second time I have encountered strange behavior with Cfn and State Manager Associations. Previously, I have been able to create an Association using Cfn that ran an Automation and Rate Targeted multiple tag values. Cfn was able to build this, but it's not a thing you can do, which led to a strange debugging journey. It would create, but couldn't update, and only ever threw a "General Service Error".
Today, I am creating an Association using this Cloudformation template code. Installer is an Automation created earlier in the stack, SsmAssociationSchedule refers to a parameter containing a cron expression:
StateManagerAssociation:
Type: AWS::SSM::Association
Properties:
ApplyOnlyAtCronInterval: true
AutomationTargetParameterName: InstanceId
ComplianceSeverity: HIGH
Name: !Ref Installer
MaxConcurrency: 12
MaxErrors: 33%
ScheduleExpression: !Ref SsmAssociationSchedule
SyncCompliance: AUTO
Targets:
- Key: ResourceGroup
Values:
- Ref: MyResourceGroup
The issue is specifically with the config ApplyOnlyAtCronInterval: true
. I can create the above Association and will work as intended. If I start from scratch, I can set ApplyOnlyAtCronInterval: false
and it will create and work as intended.
However, if I take one of the above cited examples, and attempt to update the stack, flipping this boolean, either directly in the template or through a parameter, the update on the Association fails, and once again all I have to go on is my old friend "General Service Error".
Resource handler returned message: "Error occurred during operation 'UpdateAssociation'." (RequestToken: 7e9f12f1-1181-39af-a778-85db72413723, HandlerErrorCode: GeneralServiceException)
I have tried creating an Association with false and switching to true, and vice versa. I have done with hardcoded booleans and with CF template parameters.
I can, of course, go into the console and check or uncheck the ApplyOnlyAtCronInterval
box without crashing the console. Curious if anyone can explain what's going on here, and/or suggest a work-around?
**EDIT: I'm finding this to be more broadly behavior with SSM Associations. I can create them with Cfn, but any attempt to update them via the Stack fails with General Service Error. As such I have tried using UpdateReplacePolicy to force it to delete, but that param is not available on Associations.
**EDIT2: This only happens with custom Automations. It is not an issue with AWS Managed Automations. I've put together a simple CF template that recreates the issue and opened a support case. I'll report here if they shed any light