Hello mbklein,
Thank you for reaching out with your query.
Below are the common possible reasons for this issue:
- No defined maintenance window targets
- No resource id is present.
- When required policies are not correct.
For tasks which require unique identifiers for input, if there are no targets, the task will report back that there are no invocations to execute, as there were no inputs.
To troubleshoot the issue, I performed this scenario in my internal lab and was able to successfully perform the tasks mentioned below:
- AUTOMATION task using the AWS-StartEC2Instance document
- RUN_COMMAND task using the AWS-RunShellScript document
- AUTOMATION task using the AWS-StopEC2Instance document
Please refer to the steps I performed below:
Scenario 1: When instances are already in stopped state
- Create a tag for your instance, i.e. (Name = Department, Value = Dev)
- Create a Resource Group [1], for group type select "Tag based"
- For resource types select "AWS::EC2::Instance"
- Next select the tag key (Department) and value (Dev)
After the Resource Group is created, you can create a Maintenance Window and register the target with the Maintenance Window
- On Maintenance Window go to “Actions” > “Register targets”
- Select "Choose a resource group"
- Select the Resource group you created earlier
- Then click on “Register Target”
- Then click on the "Actions" dropdown -> "Register Automation task"
- Next, under Automation document -> "AWS-StartEC2Instance"
- Under Targets choose "Selecting registered target groups" and then select the Windows target ID
- For Input parameters > "InstanceIDs" input parameter, add all instance IDs, separated by commas, which you have mentioned in the resource group. For example: i-abc********, i-def********
- For Input parameters > "AutomationAssumeRole" input parameter, input the role that you have configured for Automation
Below is the AutomationAssumeRole policy I used in my lab:
Trust Entity:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ssm.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Inline Permission Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    }
  ]
}
For the IAM service role:
- To create the IAM service role, please follow the steps below
- Go to the IAM Dashboard and click on create Roles
- Under "Select trusted entity" click on "Custom trust policy" and add the policy below
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "ssm.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
- Click on next
- In Permissions add below three policies
Note: a) and b) are AWS Managed policies. You can easily search for them but for c) you need to create inline policy
a) AmazonSSMMaintenanceWindowRole
b) AmazonSSMFullAccess
c) IAMPassRolePolicy: For IAMPassRolePolicy add below mentioned inline policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ssm.amazonaws.com"
        }
      }
    }
  ]
}
You can also follow the AWS video tutorial to learn more about Maintenance Windows or the IAM service role: https://www.youtube.com/watch?v=aR02m1Xsz1E&t=113s
- Please repeat the above steps for the AWS-StopEC2Instance document and the AWS-RunShellScript document.
Scenario 2: When Instances are already in running state
The above steps allowed me to successfully execute all three of the above-mentioned documents in a Maintenance Window in both scenarios.
Additionally, if the issue still exists after following the above steps, I would request you to open a case with our support team, as we need to check all the associated resources to troubleshoot it further.
References
[1] https://docs.aws.amazon.com/ARG/latest/userguide/resource-groups.html
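
An offline check for the policy documents in the answer above, added here as an example and not part of the original answer or of any AWS tooling. It flags a trust policy whose service principal is not exactly `ssm.amazonaws.com`, and `Allow` statements that grant `iam:PassRole`, `ec2:StartInstances` or `ec2:StopInstances` on `"Resource": "*"`. The function names, sample policies, account ID and role name are constructed for illustration, and wildcards inside `Action` are not expanded.

```python
import json

SSM = "ssm.amazonaws.com"
# Actions from the answer's policies that accept a specific resource ARN.
SCOPABLE = {"iam:passrole", "ec2:startinstances", "ec2:stopinstances"}

def _list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_trust(policy):
    """Findings for a trust policy that Systems Manager must be able to assume."""
    services = []
    for stmt in _list(policy.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict):
            services += _list(principal.get("Service"))
    findings = [f"stray whitespace in principal {s!r}" for s in services if s != s.strip()]
    if SSM not in services:
        findings.append(f"no exact {SSM} service principal")
    return findings

def lint_permissions(policy):
    """Findings for Allow statements granting scopable actions on Resource "*"."""
    findings = []
    for stmt in _list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _list(stmt.get("Resource")):
            continue
        passed = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        for action in _list(stmt.get("Action")):
            if action.lower() not in SCOPABLE:
                continue
            findings.append(f"{action} allowed on every resource")
            if action.lower() == "iam:passrole" and SSM not in _list(passed):
                findings.append(f"iam:PassRole not limited to {SSM}")
    return findings

# Constructed sample input; the account ID and role name are placeholders.
TRUST = json.loads('{"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",'
                   ' "Principal": {"Service": "ssm.amazonaws.com "}}]}')
PASS_ANY = json.loads('{"Statement": [{"Effect": "Allow", "Action": "iam:PassRole",'
                      ' "Resource": "*"}]}')
PASS_SCOPED = json.loads('{"Statement": [{"Effect": "Allow", "Action": "iam:PassRole",'
                         ' "Resource": "arn:aws:iam::111122223333:role/ExampleAutomationRole"}]}')

if __name__ == "__main__":
    for name, result in [("trust", lint_trust(TRUST)), ("pass-any", lint_permissions(PASS_ANY)),
                         ("pass-scoped", lint_permissions(PASS_SCOPED))]:
        print(name, result)
```

Export each role's trust and permission documents as JSON and pass the parsed dictionaries to `lint_trust` and `lint_permissions`; an empty list means none of these checks fired.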
Thank you for pointing this out. Add all instance IDs, separated by commas, which you have mentioned in the resource group. For example: i-abc********, i-def********
Thank you for these steps. I notice there's one incomplete sentence that looks kind of important:
What is the value that's supposed to go in the InstanceIDs input parameter when targeting a resource group?