AWS CloudFormation Automated Patching


Hi i have drafted the below cloudformation template and i endup with an error "template format error: Unrecognized parameter type: List AWS::EC2::i-0d2d51ddccb0a3109" kindly help me to fix the issue { "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { "InstanceIds": { "Type": "List AWS::EC2::i-0d2d51ddccb0a3109", "Description": "List of EC2 instance IDs to patch." } }, "Resources": { "PatchBaseline": { "Type": "AWS::SSM::PatchBaseline", "Properties": { "Name": "MyPatchBaseline", "OperatingSystem": "WINDOWS", "ApprovalRules": { "PatchRules": [ { "PatchFilterGroup": [ { "Key": "PRODUCT", "Values": [ "WindowsServer2019" ] } ] }, { "ApproveAfterDays": 7 }, { "ComplianceLevel": "CRITICAL" } ] }, "GlobalFilters": { "PatchFilters": [ { "Key": "PRODUCT", "Values": [ "WindowsServer2019" ] } ] }, "ApprovedPatchesEnableNonSecurity": true } }, "MaintenanceWindow": { "Type": "AWS::SSM::MaintenanceWindow", "Properties": { "Name": "MyMaintenanceWindow", "Schedule": "cron(0 2 ? * SUN *)", "Duration": 3, "Cutoff": 1, "AllowUnassociatedTargets": false } }, "MaintenanceWindowTarget": { "Type": "AWS::SSM::MaintenanceWindowTarget", "Properties": { "Name": "MyMaintenanceWindowTarget", "WindowId": { "Ref": "MaintenanceWindow" }, "ResourceType": "INSTANCE", "Targets": [ { "Key": "InstanceIds", "Values": { "Ref": "InstanceIds" } } ], "OwnerInformation": "Patch Windows instances" } }, "MaintenanceWindowTask": { "Type": "AWS::SSM::MaintenanceWindowTask", "Properties": { "Name": "MyMaintenanceWindowTask", "TaskArn": "AWS-RunPatchBaseline", "ServiceRoleArn": { "Fn::GetAtt": [ "MaintenanceWindowRole", "Arn" ] }, "TaskInvocationParameters": { "MaintenanceWindowId": { "Ref": "MaintenanceWindow" }, "TaskParameters": { "Operation": [ "Scan", "Install" ] } }, "Priority": 1, "MaxConcurrency": "1", "MaxErrors": "1", "Targets": [ { "Key": "WindowTargetIds", "Values": [ { "Ref": "MaintenanceWindowTarget" } ] } ] } }, "MaintenanceWindowRole": { "Type": "AWS::IAM::Role", "Properties": { 
"AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "Policies": [ { "PolicyName": "MaintenanceWindowPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:UpdateInstanceInformation", "ssm:ListCommands", "ssm:ListCommandInvocations", "ssm:GetCommandInvocation", "ec2messages:AcknowledgeMessage", "s3:PutObject" ], "Resource": "*" } ] } } ] } }, "PatchingLogsBucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": "my-patching-logs-bucket", "AccessControl": "Private" } }, "PatchingLogsRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "Policies": [ { "PolicyName": "PatchingLogsPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": { "Fn::Sub": "arn:aws:s3:::${PatchingLogsBucket}/*" } } ] } } ] } }, "PatchingLogsLambda": { "Type": "AWS::Lambda::Function", "Properties": { "FunctionName": "PatchingLogsFunction", "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "PatchingLogsRole", "Arn" ] }, "Runtime": "python3.8", "Code": { "S3Bucket": "your-lambda-code-bucket", "S3Key": "your-lambda-code-key.zip" }, "Environment": { "Variables": { "S3_BUCKET": { "Ref": "PatchingLogsBucket" } } } } } }, "Outputs": { "MaintenanceWindowId": { "Description": "ID of the created Maintenance Window", "Value": { "Ref": "MaintenanceWindow" } } } }

Manoj
Hello.

Judging from the error message, the problem is the "Type" of the "InstanceIds" entry in "Parameters".
As the documentation linked below states, "List AWS::EC2::i-0d2d51ddccb0a3109" is not a valid parameter type. The "Type" field names the kind of value the parameter accepts; the actual instance ID(s) are supplied as the parameter's value when the stack is created, not embedded in the type itself.
So the template you want looks like the one below, with the type changed to "List<AWS::EC2::Instance::Id>".
"AWS::EC2::Instance::Id" is an AWS-specific parameter type, so use it exactly as written; CloudFormation then validates that every value passed for "InstanceIds" is an existing EC2 instance ID in the account and region before the stack is created. Note that only the parameter type was changed — the rest of the template is reproduced as you posted it, so review it before deploying. In particular, the "MaintenanceWindowRole" inline policy grants "s3:PutObject" (and the SSM/ec2messages actions) on "Resource": "*"; scope the S3 permission to the patching-logs bucket the same way "PatchingLogsPolicy" does with "arn:aws:s3:::${PatchingLogsBucket}/*". The "PatchRules" array also splits what should be a single rule object ("PatchFilterGroup", "ApproveAfterDays", "ComplianceLevel" together) into three separate objects, and "PatchingLogsBucket" sets no "PublicAccessBlockConfiguration" or "BucketEncryption", which you will want for a log bucket. The "MaintenanceWindowTask" resource also appears to be missing the required "WindowId" property, and its "TaskInvocationParameters" for a Run Command task are normally expressed as "MaintenanceWindowRunCommandParameters" with a "Parameters" map — check both against the AWS::SSM::MaintenanceWindowTask reference before relying on this template.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html#parameters-section-structure-properties

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Parameters": {
		"InstanceIds": {
			"Type": "List<AWS::EC2::Instance::Id>",
			"Description": "List of EC2 instance IDs to patch."
		}
	},
	"Resources": {
		"PatchBaseline": {
			"Type": "AWS::SSM::PatchBaseline",
			"Properties": {
				"Name": "MyPatchBaseline",
				"OperatingSystem": "WINDOWS",
				"ApprovalRules": {
					"PatchRules": [
						{
							"PatchFilterGroup": [
								{
									"Key": "PRODUCT",
									"Values": [
										"WindowsServer2019"
									]
								}
							]
						},
						{
							"ApproveAfterDays": 7
						},
						{
							"ComplianceLevel": "CRITICAL"
						}
					]
				},
				"GlobalFilters": {
					"PatchFilters": [
						{
							"Key": "PRODUCT",
							"Values": [
								"WindowsServer2019"
							]
						}
					]
				},
				"ApprovedPatchesEnableNonSecurity": true
			}
		},
		"MaintenanceWindow": {
			"Type": "AWS::SSM::MaintenanceWindow",
			"Properties": {
				"Name": "MyMaintenanceWindow",
				"Schedule": "cron(0 2 ? * SUN *)",
				"Duration": 3,
				"Cutoff": 1,
				"AllowUnassociatedTargets": false
			}
		},
		"MaintenanceWindowTarget": {
			"Type": "AWS::SSM::MaintenanceWindowTarget",
			"Properties": {
				"Name": "MyMaintenanceWindowTarget",
				"WindowId": {
					"Ref": "MaintenanceWindow"
				},
				"ResourceType": "INSTANCE",
				"Targets": [
					{
						"Key": "InstanceIds",
						"Values": {
							"Ref": "InstanceIds"
						}
					}
				],
				"OwnerInformation": "Patch Windows instances"
			}
		},
		"MaintenanceWindowTask": {
			"Type": "AWS::SSM::MaintenanceWindowTask",
			"Properties": {
				"Name": "MyMaintenanceWindowTask",
				"TaskArn": "AWS-RunPatchBaseline",
				"ServiceRoleArn": {
					"Fn::GetAtt": [
						"MaintenanceWindowRole",
						"Arn"
					]
				},
				"TaskInvocationParameters": {
					"MaintenanceWindowId": {
						"Ref": "MaintenanceWindow"
					},
					"TaskParameters": {
						"Operation": [
							"Scan",
							"Install"
						]
					}
				},
				"Priority": 1,
				"MaxConcurrency": "1",
				"MaxErrors": "1",
				"Targets": [
					{
						"Key": "WindowTargetIds",
						"Values": [
							{
								"Ref": "MaintenanceWindowTarget"
							}
						]
					}
				]
			}
		},
		"MaintenanceWindowRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": "ssm.amazonaws.com"
							},
							"Action": "sts:AssumeRole"
						}
					]
				},
				"Policies": [
					{
						"PolicyName": "MaintenanceWindowPolicy",
						"PolicyDocument": {
							"Version": "2012-10-17",
							"Statement": [
								{
									"Effect": "Allow",
									"Action": [
										"ssm:UpdateInstanceInformation",
										"ssm:ListCommands",
										"ssm:ListCommandInvocations",
										"ssm:GetCommandInvocation",
										"ec2messages:AcknowledgeMessage",
										"s3:PutObject"
									],
									"Resource": "*"
								}
							]
						}
					}
				]
			}
		},
		"PatchingLogsBucket": {
			"Type": "AWS::S3::Bucket",
			"Properties": {
				"BucketName": "my-patching-logs-bucket",
				"AccessControl": "Private"
			}
		},
		"PatchingLogsRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": "lambda.amazonaws.com"
							},
							"Action": "sts:AssumeRole"
						}
					]
				},
				"Policies": [
					{
						"PolicyName": "PatchingLogsPolicy",
						"PolicyDocument": {
							"Version": "2012-10-17",
							"Statement": [
								{
									"Effect": "Allow",
									"Action": [
										"s3:PutObject"
									],
									"Resource": {
										"Fn::Sub": "arn:aws:s3:::${PatchingLogsBucket}/*"
									}
								}
							]
						}
					}
				]
			}
		},
		"PatchingLogsLambda": {
			"Type": "AWS::Lambda::Function",
			"Properties": {
				"FunctionName": "PatchingLogsFunction",
				"Handler": "index.handler",
				"Role": {
					"Fn::GetAtt": [
						"PatchingLogsRole",
						"Arn"
					]
				},
				"Runtime": "python3.8",
				"Code": {
					"S3Bucket": "your-lambda-code-bucket",
					"S3Key": "your-lambda-code-key.zip"
				},
				"Environment": {
					"Variables": {
						"S3_BUCKET": {
							"Ref": "PatchingLogsBucket"
						}
					}
				}
			}
		}
	},
	"Outputs": {
		"MaintenanceWindowId": {
			"Description": "ID of the created Maintenance Window",
			"Value": {
				"Ref": "MaintenanceWindow"
			}
		}
	}
}