aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

[Feature Request] Support updating additionalArguments with aws:configurePackage #366

Open jkasarherou opened 3 years ago

jkasarherou commented 3 years ago

Hello, I am using Distributor and aws:configurePackage and I want to update my association additionalArguments. The problem is that if the association only changes the additionalArguments the installation will be skipped with a message like:

$PACKAGE_ARN $VERSION is already installed

First I was forcing the package to Uninstall then Install to apply the changes, but it is a bit cumbersome to do from my Terraform code. I figured out that you can use the undocumented validate step, so I added a custom validate.sh to the package zip file to check if arguments have drifted. This approach worked because the installationCheck will fail and force a reinstall but this feels hacky. Am I missing something? It would be nice to have a way to handle this case properly.

linziye-amazon commented 3 years ago

Do you mind sharing what you added to the validate.sh file?

jkasarherou commented 3 years ago

The validate.sh file is dependent on the package I install (falcon-sensor):

#!/bin/bash

# Print the current value of a falconctl setting, e.g. "tags=prod,web."
get_output () {
    /opt/CrowdStrike/falconctl -g --"${1}"
}

# Succeed when the setting reported by falconctl matches the desired value;
# otherwise report the mismatch and fail, so the installation check forces a reinstall
validate_param () {
    local param_name=$1
    local value=$2
    if [[ $(get_output "${param_name}") =~ =${value}\. ]]; then
        return 0
    fi
    echo "$param_name mismatch"
    return 1
}

# SSM_tag is supplied by the association's additionalArguments
validate_param tags "${SSM_tag}"

connor-tyndall commented 2 years ago

@jkasarherou Did you ever figure this out by chance? We are trying to use Distributor and AWS-ConfigureAWSPackage to install multiple packages. However, how can we get it to check that the service is in fact running before checking the local installation state file on the instances? When we see "is already installed", that could be a false positive if the package was uninstalled outside of SSM.

jkasarherou commented 2 years ago

@connor-tyndall I would suggest you try adding a validate.sh script to your package. This lets you run custom steps to verify the actual state on the system, so in your case verify that the service is running/installed.
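A validate.sh that covers both cases raised in this thread (arguments that drifted and a service that is no longer running), written here as an added example; it is not code from the thread or from the agent. It assumes additionalArguments arrive as SSM_-prefixed environment variables (SSM_tag), that the tool prints a setting as "key=value." like falconctl does, and that the service is a systemd unit; the tool path and unit name are placeholders for the package being built.

```shell
#!/bin/sh
# Added example validate.sh for a Distributor package. aws:configurePackage runs
# validate.sh as part of its installation check; a non-zero exit marks the package
# as not installed, so the install step runs again instead of "is already installed".
# Assumptions: SSM_tag comes from additionalArguments, the tool prints "key=value.",
# and the service is a systemd unit. TOOL and SERVICE_UNIT are placeholders.
TOOL=/opt/CrowdStrike/falconctl        # tool used in the thread
SERVICE_UNIT=falcon-sensor.service      # hypothetical unit name

# Extract the value from a "key=value." line; prints nothing if there is no '='.
setting_value() {
    case $1 in
        *=*) sv_rest=${1#*=}; printf '%s' "${sv_rest%.}" ;;
        *)   printf '' ;;
    esac
}

# 0 when the desired value equals the installed one, 1 on drift (reported on stderr).
check_setting() {
    cs_name=$1; cs_desired=$2; cs_actual=$(setting_value "$3")
    [ "$cs_actual" = "$cs_desired" ] && return 0
    echo "validate: $cs_name drift: installed='$cs_actual' desired='$cs_desired'" >&2
    return 1
}

# 0 when the unit is active; 1 when it is inactive or systemd is unavailable.
service_running() {
    command -v systemctl >/dev/null 2>&1 || return 1
    systemctl is-active --quiet "$1"
}

# Run every check and return the number that failed (0 means the package is healthy).
validate() {
    failures=0
    [ -x "$TOOL" ] || { echo "validate: $TOOL missing" >&2; failures=$((failures + 1)); }
    current=$("$TOOL" -g --tags 2>/dev/null || true)
    check_setting tags "${SSM_tag:-}" "$current" || failures=$((failures + 1))
    service_running "$SERVICE_UNIT" || {
        echo "validate: $SERVICE_UNIT not active" >&2; failures=$((failures + 1)); }
    return "$failures"
}

# Distributor runs the file top to bottom; the last command's status is the exit status.
validate
```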

connor-tyndall commented 2 years ago

@jkasarherou I'm curious how you came across this trick of using a validate.sh script, since this is basically undocumented?

jkasarherou commented 2 years ago

@connor-tyndall I was looking into the source code and stumbled across this: https://github.com/aws/amazon-ssm-agent/blob/dfafad1eba3ab41eb0de566fba4810d422af5001/agent/plugins/configurepackage/ssminstaller/ssminstaller.go#L93. Then I tried crafting a package with a validate.sh.