Systems Manager documents are an integral part of the Systems Manager service. They are at the heart of all the automation possible through SSM: JSON or YAML runbooks that define the steps to perform on a managed instance. In this lab, we'll create a document that carries out some tasks on a managed instance and also uses an SSM parameter. Parameter Store offers scalable, hierarchical storage for configuration values and secrets, with optional encryption.
Successfully complete this lab by achieving the following learning objectives:
- Log in to the AWS Management Console and Navigate to Systems Manager
  - Log in to the AWS Management Console using the credentials provided.
  - Navigate to the Systems Manager console.
  - On the left-hand menu, under Application Management, select Parameter Store.
- Create SSM Parameter to Use in SSM Document
  - Click Create parameter.
  - Give the parameter the name "mysql-pass". Optionally, provide a description.
  - Under Tier, select the Standard radio button.
  - Under Type, select String.
  - In the value input box below, enter a string value for your parameter.
  - Leave the Tags field at its default.
  - Click Create parameter. This SSM parameter will be referenced in the SSM document provided later.

  Note: SSM documents do not allow using SecureString passwords. You'll need an SSM API call to fetch any encrypted parameter, decrypt it, and then pass it as a parameter to an SSM document.
- Create SSM Command Document
  - In the left-hand menu, under Shared Resources, click Documents.
  - Click Create command or session.
  - Give your document a name.
  - Leave the Target type dropdown field blank, which sets its value to "/" (meaning to target all applicable resources).
  - You can also choose to select the particular resource you're going to run this document against. In our case, we'll run it against an EC2 instance; however, we'll leave the target at its default value.
  - Set the Document type to Command document.
- Enter the Provided SSM Command Document Schema
  - Under the Content section, choose the radio button for JSON and paste in the SSM Command document schema provided on the lab page.
  - Leave the Document tags section at its default.
  - Click Create document.
- Execute the SSM Document
  - Select the Owned by me tab, and click the document you created.
  - Click Run command to execute your document.
  - Leave Document version as Default.
  - For Targets, select Choose instances manually.
  - Select the listed AmazonLinux-Instance EC2 SSM managed instance.
  - Uncheck the Enable writing to an S3 bucket option.
  - Leave everything else at its default, and click Run.
  - After clicking Run, you'll be taken to the Run Command page to track the progress/status of Run Command executing the document.
- Use SSM Session to Connect to the Managed Instance and Verify
  - Navigate to the Session Manager page, click Start Session, select the AmazonLinux-Instance, and start a shell session with it to verify the document was successfully applied against the instance.
The SSM document in question installs the MariaDB database server, starts its service, sets a password, queries the database, and writes a file containing the database names to /root/db_output.txt. To check it, run:

sudo cat /root/db_output.txt

If verifying via SSM Session Manager: you'll be logged in to the shell session via Session Manager as a sudo-enabled user.
If the file db_output.txt doesn't exist or is empty, it means that something did not go right.
In which case check
You can become root with sudo su - root, or just prepend sudo to commands for verification.
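As an added example (not the lab's provided schema, which the page does not reproduce), here is a Command document of the kind described above: it reads the "mysql-pass" parameter created earlier through the {{ ssm:mysql-pass }} reference syntax, sets the MariaDB root password, and writes the database list to /root/db_output.txt. The parameter names DBPassword and OutputFile, the step names, and an Amazon Linux 2 target with yum and systemctl are my assumptions.

```json
{
  "schemaVersion": "2.2",
  "description": "Install MariaDB, set its root password from the mysql-pass SSM parameter, and list databases to a file.",
  "parameters": {
    "DBPassword": {
      "type": "String",
      "description": "MariaDB root password. Defaults to the String parameter created in this lab via the {{ ssm:name }} syntax.",
      "default": "{{ ssm:mysql-pass }}"
    },
    "OutputFile": {
      "type": "String",
      "description": "File that receives the list of database names.",
      "default": "/root/db_output.txt"
    }
  },
  "mainSteps": [
    {
      "action": "aws:runShellScript",
      "name": "installAndStartMariaDB",
      "inputs": {
        "runCommand": [
          "#!/bin/bash",
          "set -euo pipefail",
          "# Run Command executes as root on Linux, so no sudo is needed here.",
          "yum install -y mariadb-server",
          "systemctl enable --now mariadb"
        ]
      }
    },
    {
      "action": "aws:runShellScript",
      "name": "setPasswordAndListDatabases",
      "inputs": {
        "runCommand": [
          "#!/bin/bash",
          "set -euo pipefail",
          "DB_PASS='{{ DBPassword }}'",
          "# A fresh install has a passwordless root; feed the statement on stdin so the password never appears in the process list.",
          "mysql -u root <<SQL",
          "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('${DB_PASS}');",
          "SQL",
          "# MYSQL_PWD keeps the password out of argv for the verification query.",
          "MYSQL_PWD=\"${DB_PASS}\" mysql -u root -e 'SHOW DATABASES;' > '{{ OutputFile }}'",
          "chmod 600 '{{ OutputFile }}'"
        ]
      }
    }
  ]
}
```

Because the document receives the value as a plain String, it is visible in the Run Command invocation record and the console, which is the exposure the note on SecureString parameters above is about. A password containing a single quote would break the quoting in this script, so choose the lab value accordingly.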