LinuxInstallerParams parameter issue with more than one tag

[davidecelano]

Hi, using the official package when I try to apply the association to a subset of instances with the rate control and having LinuxInstallerParams = --tags="Country,123456" the execution fails with error InvalidAutomationParameters

Looking in CloudTrail I have this error

_"eventSource": "ssm.amazonaws.com",
"eventName": "StartAutomationExecution",
"awsRegion": "eu-west-1",
"sourceIPAddress": "ssm.amazonaws.com",
"userAgent": "ssm.amazonaws.com",
"errorCode": "InvalidAutomationExecutionParametersException",
"errorMessage": "Parameter type error. The value supplied for LinuxInstallerParams is not a valid String.",_

If I modify the parameter removing a tag LinuxInstallerParams = --tags="Country"

then the execution works. I've also tried replacing "" with '' and also without quotes but doesn't solve the issue.

[ffalor]

Something like this --tags="Washington/DC_USA,Production" should work. Is this through the CLI or the UI? I've only tested via the UI.

[davidecelano]

Something like this --tags="Washington/DC_USA,Production" should work. Is this through the CLI or the UI? I've only tested via the UI.

This is via UI. As stated in my post, using that kind of string with more than one tag separated by a comma returns the error described.

[ffalor]

I see what you're referring to and I have the same issue. It seems like an issue with AWS.

If you create/update the association via the cli it seems to work... here is the command I used without issue. Is this a possible workaround for you? If not, perhaps AWS support can assist.

aws ssm create-association \
    --name "CrowdStrike-FalconSensorDeploy" \
    --targets "Key=InstanceIds,Values=*" \
    --parameters 'AutomationAssumeRole=arn:aws:iam::111111111:role/crowdstrike-ssm-assume-role, LinuxInstallerParams="--tags=Washington/DC_USA,Production --apd=true"' \
    --association-name "crowdstrike-falcon-sensor-deploy" \
    --automation-target-parameter-name "InstanceIds" \
    --region "us-east-2"

[davidecelano]

Yes creating the association via command line works and runs, but if you want to edit later any unrelated field from UI then will fail again, so seems that something become corrupt when working from the UI. When I explained the issue to the AWS support they told me to ask to the author of the SSM document, but at this point I have no clue.

[ffalor]

I noticed editing the UI and hit save the , is removed for some reason. I don't think this is our ssm document since I can see the UI doing odd things on save. Plus it works fine when created via CLI.

I'll try to see if I can bubble this issue up to the team that owns ssm. Until then it looks like the workaround is to use something like terraform or the cli which can do updates and creations.

I recently added terraform code that can be used to manage every resource needed for deployment across any number of regions.

It does the following:

• Stores your Falcon API credentials in SSM Parameter Store or Secrets Manager depending on the value of secret_storage_method.
• Creates an IAM Role that allows the automation document to read the Falcon API credentials from SSM Parameter Store or Secrets Manager depending on the value of secret_storage_method.
• Creates an AWS State Manager association that, by default, runs every 30 minutes and targets every instance in a region. The scheduled occurance can be changed by setting cron_schedule_expression.

Sorry I am not unable to resolve your issue right now, but I'll try to get an answer and will report back when I do.

[ffalor]

AWS Support is aware of this bug, I am waiting on the fix.