VishnuKarthikRavindran
commented
3 years ago Hi @corybolar, We tried reproducing this on our end with both tags and resource groups added to the AWS-RunShellScript association while creating. The association started executing for all the tagged instances as per our expectation. We would like to know more about the repro steps and also instance ids to deep dive into this issue. Please feel free to open a support ticket in AWS Console if you want to share these details through a ticket. https://docs.aws.amazon.com/awssupport/latest/user/case-management.html#creating-a-support-case.
Thanks, Vishnu Karthik.R
When an SSM State Manager Association is setup via tags or resource groups, the agent on the instance does not find the association and therefore does not run it unless manually triggered or the rate/cron expression is reached.
This may be caused by the ListAssociations and ListInstanceAssociations querying only for InstanceIds rather than doing a deep lookup of the relevant tags/resource groups to determine if the instance is part of the association.
https://github.com/aws/amazon-ssm-agent/blob/dfafad1eba3ab41eb0de566fba4810d422af5001/agent/ssm/service.go#L132
Strangely, the AWS-GatherSoftwareInventory association that can be setup manually through the wizard in the console appears to function correctly if setup to match based on tags or resource groups.