aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::SSM::AutomationExecution #805

Open raphsack opened 3 years ago

raphsack commented 3 years ago

AWS::SSM::AutomationExecution

Details

Scope: new resource type, providing the ability to invoke an SSM Automation from CloudFormation.

Expected behavior: just as with the Console or API, allow invoking a Document (that could be created within the same template or pre-existing).

benbridts commented 3 years ago

@raphsack to clarify: you're looking for a way to start an execution of an automation, not to define it (for that there's AWS::SSM::Document, although that is still missing some things).

In that case, I think a better name for the resource would be AWS::SSM::AutomationExecution, to differentiate it from the AutomationDocument.

raphsack commented 3 years ago

Good point @benbridts, appreciate it and tweaked accordingly :)

jk2l commented 3 years ago

Do you mean to execute this as a custom resource? I don't see the reason for executing automation via CloudFormation. CFN doesn't trigger an update if there is no state change for the property. On top of that, it should also support the CREATE/UPDATE/DELETE actions, which doesn't seem to align with "run execution".

benbridts commented 3 years ago

You might want to run something once the first time your template is deployed (similar to user data in EC2). Or you could pass data to it in the parameters that might change (e.g. if you want to run something every time an EC2 is started, you could !Ref the instance in the Parameters).

Create and update could both start a new run; delete is tricky, because there is no DeleteExecution action. I don't think that should necessarily be a blocker for it to be a resource.

I've built something similar for CodeBuild. You can see the resource provider here.

jk2l commented 3 years ago

I guess it doesn't hurt to have an additional custom resource provider beside Lambda. But it does feel like it overlaps with what a Lambda custom resource is already doing.

benbridts commented 3 years ago

I think the use case can be slightly different from custom resources (and I recommend moving to Resource Types for most of the Custom Resources use cases).

You can definitely solve the same thing in multiple ways; for context, here are some differences (off the top of my head, so don't hold me to any of them):

Lambda:

raphsack commented 3 years ago

Being able to trigger a scripted workflow in SSM as part of a deployment is the ask here.

While everything is possible (CW Events and Custom Resources, to name two), each has its limitations, hence the request :)

jk2l commented 3 years ago

Natively it isn't supported, but by integrating with Lambda you definitely can perform SSM automation as a custom resource.
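A sketch of the Lambda-backed custom resource route the thread describes, added here as an example (not code from the roadmap or from anyone in the thread): Create and Update start a new automation execution, and Delete is a no-op because there is no DeleteExecution action, so a stack delete never blocks on it. `handle_event`, `FakeSsm` and the sample event in the test are constructed; the only real API used is boto3's `start_automation_execution`, and the Lambda role is assumed to hold `ssm:StartAutomationExecution` on the document.

```python
import json
import urllib.request


class FakeSsm:
    """Constructed stand-in for boto3's SSM client so the example runs offline."""

    def __init__(self, execution_id="exec-0000-constructed"):
        self.execution_id, self.calls = execution_id, []

    def start_automation_execution(self, **kwargs):
        self.calls.append(kwargs)
        return {"AutomationExecutionId": self.execution_id}


def handle_event(event, ssm):
    """Build the custom-resource response: Create/Update start a new execution,
    Delete is a no-op because SSM has no DeleteExecution action."""
    props = event.get("ResourceProperties", {})
    body = {
        "Status": "SUCCESS",
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        # CloudFormation requires a PhysicalResourceId even in a FAILED reply.
        "PhysicalResourceId": event.get("PhysicalResourceId", "no-execution"),
        "Data": {},
    }
    if event["RequestType"] == "Delete":
        return body
    # SSM takes every automation parameter as a list of strings.
    params = {k: [str(v)] for k, v in props.get("Parameters", {}).items()}
    try:
        resp = ssm.start_automation_execution(
            DocumentName=props["DocumentName"], Parameters=params)
    except Exception as exc:  # report FAILED rather than let the stack hang
        body.update(Status="FAILED", Reason=f"StartAutomationExecution: {exc}")
        return body
    # The execution id becomes the PhysicalResourceId, so each Update is a fresh
    # run; CloudFormation then sends a Delete for the old id, which is a no-op.
    body["PhysicalResourceId"] = resp["AutomationExecutionId"]
    body["Data"] = {"AutomationExecutionId": resp["AutomationExecutionId"]}
    return body


def handler(event, context):
    """Lambda entry point; the role needs ssm:StartAutomationExecution on the document."""
    import boto3  # present in the Lambda runtime, not needed for the offline run
    body = handle_event(event, boto3.client("ssm"))
    req = urllib.request.Request(event["ResponseURL"], data=json.dumps(body).encode(),
                                 method="PUT", headers={"Content-Type": ""})
    urllib.request.urlopen(req).close()
```

Whatever the outcome, the handler always replies to the ResponseURL; a custom resource that raises without replying leaves the stack waiting until the timeout.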