Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: aws_ssm_association with Simple Execution fails to update #41251

Open
coding-ia opened this issue Feb 5, 2025 · 1 comment
Open

[Bug]: aws_ssm_association with Simple Execution fails to update #41251

coding-ia opened this issue Feb 5, 2025 · 1 comment
Labels
bug Addresses a defect in current functionality. service/ssm Issues and PRs that pertain to the ssm service.

Comments

@coding-ia
Copy link

Terraform Core Version

1.10.5

AWS Provider Version

5.85.0

Affected Resource(s)

aws_ssm_association

Expected Behavior

Should be able to update the resource without error.

Actual Behavior

Get error output when updating the resource. Creating and deleting the resource work fine.

Relevant Error/Panic Output Snippet

aws_ssm_association.example: Modifying... [id=dca48025-91f4-4c0f-b339-3a78d5f16f54]
╷
│ Error: updating SSM Association (dca48025-91f4-4c0f-b339-3a78d5f16f54): operation error SSM: UpdateAssociation, https response error StatusCode: 400, RequestID: bb59877d-73bd-4469-806b-ae08289f5a07, api error ValidationException: Must specify both Automation Target Parameter Name and Targets
│
│   with aws_ssm_association.example,
│   on main.tf line 14, in resource "aws_ssm_association" "example":
│   14: resource "aws_ssm_association" "example" {

Terraform Configuration Files

The below creates the SSM association with simple execution properly:

resource "aws_ssm_association" "example" {
  apply_only_at_cron_interval = false
  association_name            = "Test"
  compliance_severity         = "UNSPECIFIED"
  document_version            = "$DEFAULT"
  name                        = "TagRunbook"
  parameters = {
    "AutomationAssumeRole" = "arn:aws:iam::211125334931:role/Example-Role"
    "InstanceId"           = "i-0002c56c7aeefba8f"
    "TagKey"               = "TestTag"
    "TagValue"             = "123abc456"
  }
}

Afterwards, examining the resource with terraform show, the targets are populated on the resource by AWS automatically and the automation_target_parameter_name remains empty.

# aws_ssm_association.example:
resource "aws_ssm_association" "example" {
    apply_only_at_cron_interval      = false
    arn                              = "arn:aws:ssm:us-east-2:211125334931:association/dca48025-91f4-4c0f-b339-3a78d5f16f54"
    association_id                   = "dca48025-91f4-4c0f-b339-3a78d5f16f54"
    association_name                 = "Test"
    automation_target_parameter_name = null
    compliance_severity              = "UNSPECIFIED"
    document_version                 = "1"
    id                               = "dca48025-91f4-4c0f-b339-3a78d5f16f54"
    instance_id                      = null
    max_concurrency                  = null
    max_errors                       = null
    name                             = "TagRunbook"
    parameters                       = {
        "AutomationAssumeRole" = "arn:aws:iam::211125334931:role/Example-Role"
        "InstanceId"           = "i-0002c56c7aeefba8f"
        "TagKey"               = "TestTag"
        "TagValue"             = "123abc456"
    }
    schedule_expression              = null
    sync_compliance                  = null
    tags                             = {}
    tags_all                         = {}

    targets {
        key    = "aws:NoOpAutomationTag"
        values = [
            "AWS-NoOpAutomationTarget-Value",
        ]
    }
}

Steps to Reproduce

Create aws_ssm_association as shown in the config above so that an SSM association with simple execution is created. Try updating an attribute; for example change 'document_version = "1"'. Run terraform apply and you will get an update error.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

I believe the combination of automation_target_parameter_name being null and the automatic addition of the targets by AWS on the resource causes the issue with the update.

Here is the line that sets the targets on the update. I did an experiment by adding a null check for AutomationTargetParameterName to skip setting the targets. After applying the change on a local test environment the error is resolved and the resource is updated.

Would you like to implement a fix?

None
@coding-ia coding-ia added the bug Addresses a defect in current functionality. label Feb 5, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 5, 2025

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/ssm Issues and PRs that pertain to the ssm service. needs-triage Waiting for first response or review from a maintainer. labels Feb 5, 2025
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Feb 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. service/ssm Issues and PRs that pertain to the ssm service.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@justinretzolk @coding-ia