I cannot update a State Manager Association Created By Cfn?


This is the second time I have encountered strange behavior with Cfn and State Manager Associations. Previously, I have been able to create an Association using Cfn that ran an Automation and Rate Targeted multiple tag values. Cfn was able to build this, but it's not a thing you can do, which led to a strange debugging journey. It would create, but couldn't update, and only ever threw a "General Service Error".

Today, I am creating an Association using this CloudFormation template code. Installer is an Automation created earlier in the stack, SsmAssociationSchedule refers to a parameter containing a cron expression:

    Type: AWS::SSM::Association
    Properties:
      ApplyOnlyAtCronInterval: true
      AutomationTargetParameterName: InstanceId
      ComplianceSeverity: HIGH
      Name: !Ref Installer
      MaxConcurrency: 12
      MaxErrors: 33%
      ScheduleExpression: !Ref SsmAssociationSchedule
      SyncCompliance: AUTO
      Targets:
        - Key: ResourceGroup
          Values:
            - Ref: MyResourceGroup

The issue is specifically with the config ApplyOnlyAtCronInterval: true. I can create the above Association and it will work as intended. If I start from scratch, I can set ApplyOnlyAtCronInterval: false and it will create and work as intended.

However, if I take one of the above cited examples, and attempt to update the stack, flipping this boolean, either directly in the template or through a parameter, the update on the Association fails, and once again all I have to go on is my old friend "General Service Error".

Resource handler returned message: "Error occurred during operation 'UpdateAssociation'." (RequestToken: 7e9f12f1-1181-39af-a778-85db72413723, HandlerErrorCode: GeneralServiceException)

I have tried creating an Association with false and switching to true, and vice versa. I have done this with hardcoded booleans and with CF template parameters.

I can, of course, go into the console and check or uncheck the ApplyOnlyAtCronInterval box without crashing the console. Curious if anyone can explain what's going on here, and/or suggest a work-around?

**EDIT:** I'm finding this to be broader behavior with SSM Associations. I can create them with Cfn, but any attempt to update them via the Stack fails with General Service Error. As such I have tried using UpdateReplacePolicy to force it to delete, but that param is not available on Associations.

**EDIT2:** This only happens with custom Automations. It is not an issue with AWS Managed Automations. I've put together a simple CF template that recreates the issue and opened a support case. I'll report here if they shed any light.

asked 2 years ago, 1460 views
1 Answer


I was able to reproduce this issue and got the error "Resource handler returned message: "Error occurred during operation 'UpdateAssociation'."" However, taking a look at the UpdateAssociation call in CloudTrail reveals a more detailed error message - "ValidationException: Must respecify parameters when updating automation associations to enable rate control".

The solution is to specify the rate controls, namely MaxConcurrency and MaxErrors, during the update. An example is below:

    Type: 'AWS::SSM::Association'
    Properties:
      Name: AWS-UpdateSSMAgent
      Targets:
        - Key: InstanceIds
          Values:
            - '*'
      MaxConcurrency: 20%
      MaxErrors: 5%
      OutputLocation:
        S3Location:
          OutputS3BucketName: MyAssociationOutputBucket
          OutputS3KeyPrefix: my-agent-update-output
      WaitForSuccessTimeoutSeconds: 300

I recommend checking the UpdateAssociation call in CloudTrail for a more detailed error message. For troubleshooting which is specific to your case/stack, we require non-public information and request that a support case be created, which you have already actioned.

answered 2 years ago
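
The CloudTrail check recommended in the answer, as an added example that is not part of the original post or AWS's own code: it filters LookupEvents results for failed UpdateAssociation calls and surfaces the errorCode and errorMessage that CloudFormation collapses into GeneralServiceException. The sample events, their field values and the function names are constructed for illustration; the live lookup assumes boto3 and credentials allowed to call cloudtrail:LookupEvents.

```python
import json

# Constructed sample in the shape returned by CloudTrail LookupEvents:
# each event carries the full record as a JSON string in "CloudTrailEvent".
SAMPLE_EVENTS = [
    {"EventId": "constructed-1", "CloudTrailEvent": json.dumps({
        "eventName": "UpdateAssociation",
        "eventTime": "2023-01-01T12:00:00Z",
        "errorCode": "ValidationException",
        "errorMessage": "Must respecify parameters when updating automation "
                        "associations to enable rate control",
        "requestParameters": {"associationId": "constructed-association-id",
                              "applyOnlyAtCronInterval": False},
    })},
    {"EventId": "constructed-2", "CloudTrailEvent": json.dumps({
        "eventName": "UpdateAssociation",
        "eventTime": "2023-01-01T12:05:00Z",
        "requestParameters": {"associationId": "constructed-association-id",
                              "maxConcurrency": "12", "maxErrors": "33%"},
    })},
]

def failed_update_calls(events):
    """Return the failed UpdateAssociation calls with their real error text."""
    failures = []
    for event in events:
        record = json.loads(event["CloudTrailEvent"])
        # Skip other API calls and calls that succeeded (no errorCode field).
        if record.get("eventName") != "UpdateAssociation" or "errorCode" not in record:
            continue
        failures.append({
            "time": record.get("eventTime"),
            "error_code": record["errorCode"],
            "error_message": record.get("errorMessage", ""),
            "request": record.get("requestParameters") or {},
        })
    return failures

def lookup_update_association_events(region_name):
    """Fetch recent UpdateAssociation events; needs boto3 and AWS credentials."""
    import boto3  # imported here so the parsing above runs offline
    client = boto3.client("cloudtrail", region_name=region_name)
    pages = client.get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "EventName",
                           "AttributeValue": "UpdateAssociation"}])
    return [e for page in pages for e in page["Events"]]

if __name__ == "__main__":
    for f in failed_update_calls(SAMPLE_EVENTS):
        print(f["time"], f["error_code"], f["error_message"])
```

Against a real account, pass the result of `lookup_update_association_events("<region>")` to `failed_update_calls` in place of the sample list.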
