aws_ssm_document addomainjoin error

Question

I am struggling to get EC2 instances deployed via an ASG joined to the domain.

I get the following error each time

*New-SSMAssociation : Document schema version, 2.2, is not supported by association that is created with instance id*

I have tried various schema versions detailed [Here](https://docs.aws.amazon.com/systems-manager/latest/userguide/document-schemas-features.html) however all fail with the same error

**SSMdoc.tf**

```
resource "aws_ssm_document" "ad-join-domain" {
  name          = "ad-join-domain"
  document_type = "Command"
  content = jsonencode(
    {
      "schemaVersion" = "2.2"
      "description"   = "aws:domainJoin"
      "parameters" : {
        "directoryId" : {
          "description" : "(Required) The ID of the directory.",
          "type" : "String"
        },
        "directoryName" : {
          "description" : "(Required) The name of the domain.",
          "type" : "String"
        },
        "dnsIpAddresses" : {
          "description" : "(Required) The IP addresses of the DNS servers for your directory.",
          "type" : "StringList"
        },
      },
      "mainSteps" = [
        {
          "action" = "aws:domainJoin",
          "name"   = "domainJoin",
          "inputs" = {
            "directoryId" : data.aws_directory_service_directory.adgems.id,
            "directoryName" : data.aws_directory_service_directory.adgems.name,
            "dnsIpAddresses" : [data.aws_directory_service_directory.adgems.dns_ip_addresses]
          }
        }
      ]
    }
  )
}
```

template.tf

```
data "template_file" "ad-join-template" {
  template = <
    Set-DefaultAWSRegion -Region eu-west-2
    Set-Variable -name instance_id -value (Invoke-Restmethod -uri http://169.254.169.254/latest/meta-data/instance-id)
    New-SSMAssociation -InstanceId $instance_id -Name "${aws_ssm_document.ad-join-domain.name}"
  
  EOF
}
```

The template is then referenced in the ASG Launch Template user_data section. Getting onto the instance I can see the script/logs and have confirmed the variables set (instance id for example).

Full error message from the PS running below

```
New-SSMAssociation : Document schema version, 2.2, is not supported by association that is created with instance id
At C:\Windows\system32\config\systemprofile\AppData\Local\Temp\EC2Launch228430162\UserScript.ps1:3 char:5
+     New-SSMAssociation -InstanceId $instance_id -Name "ad-join-domain ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...sociationCmdlet:NewSSMAssociationCmdlet) [New-SSMAs
   sociation], InvalidOperationException
    + FullyQualifiedErrorId : Amazon.SimpleSystemsManagement.Model.InvalidDocumentException,Amazon.PowerShell.Cmdlets.
   SSM.NewSSMAssociationCmdlet
```

Accepted Answer

Hello,

I noticed that you are using `New-SSMAssociation` with the parameter `-InstanceId`.
However, documents that use schema version 2.0 or later must use `-Target` instead of `-InstanceId`

Quoting the ![SSM API](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreateAssociation.html#systemsmanager-CreateAssociation-request-InstanceId):
> `InstanceId` has been deprecated. To specify a managed node ID for an association, use the `Targets` parameter. Requests that include the parameter `InstanceID` with Systems Manager documents (SSM documents) that use schema version 2.0 or later will fail. In addition, if you use the parameter `InstanceId`, you can't use the parameters `AssociationName`, `DocumentVersion`, `MaxErrors`, `MaxConcurrency`, `OutputLocation`, or `ScheduleExpression`. To use these parameters, you must use the `Targets` parameter.

You can replace `-InstanceId ` with:
> `-Target Key=InstanceIds,Values=$instance_id`

Please refer to the following links for more details:
https://docs.aws.amazon.com/powershell/latest/reference/items/New-SSMAssociation.html  
https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/SSM/TTarget.html

aws_ssm_document addomainjoin error

Relevant content