hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[New Resource]: Enable Default Host Management Configuration DHMC #30474

Open tazmaniq2 opened 1 year ago

tazmaniq2 commented 1 year ago

Description

AWS announced the ability to enable AWS Systems Manager by default across all EC2 instances in an account with a single action, using Default Host Management Configuration (DHMC), but it is currently unsupported by the Terraform provider. It would be helpful to add it as a new resource in order to enable it, and also as a data source to get the current status.

https://docs.aws.amazon.com/systems-manager/latest/userguide/managed-instances-default-host-management.html


Requested Resource(s) and/or Data Source(s)

resource "aws_ssm_dhmc" "example" {}

data "aws_ssm_dhmc" "example" {}

Potential Terraform Configuration

resource "aws_ssm_dhmc" "example" {
  enable   = true
  # Pass the role name, not the whole resource object
  iam_role = aws_iam_role.AWSSystemsManagerDefaultEC2InstanceManagementRole.name
}

resource "aws_iam_role" "AWSSystemsManagerDefaultEC2InstanceManagementRole" {
  name               = "AWSSystemsManagerDefaultEC2InstanceManagementRole"
  assume_role_policy = templatefile("${path.module}/policies/trust-policy.json", {})
}

resource "aws_iam_role_policy_attachment" "AmazonSSMManagedEC2InstanceDefaultPolicy" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedEC2InstanceDefaultPolicy"
  role       = aws_iam_role.AWSSystemsManagerDefaultEC2InstanceManagementRole.name
}

data "aws_ssm_dhmc" "example" {}

output "dhmc_status" {
  value = data.aws_ssm_dhmc.example.status
}

# policies/trust-policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

References

AWS announcement: https://aws.amazon.com/about-aws/whats-new/2023/02/enable-aws-systems-manager-default-all-ec2-instances-account/
DHMC User Guide: https://docs.aws.amazon.com/systems-manager/latest/userguide/managed-instances-default-host-management.html

Would you like to implement a fix?

None

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

dkravetz commented 1 year ago

I don't think this is necessary, you can achieve the same effect by creating and referencing the following resources:

module "ssm_default_host_management_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "5.20.0"

  create_role = true

  trusted_role_services = [
    "ssm.amazonaws.com"
  ]

  role_name         = "AWSSystemsManagerDefaultEC2InstanceManagementRole"
  role_requires_mfa = false

  custom_role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonSSMManagedEC2InstanceDefaultPolicy",
  ]
}

# Data sources referenced in the setting_id below
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_ssm_service_setting" "default_host_management" {
  setting_id    = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:servicesetting/ssm/managed-instance/default-ec2-instance-management-role"
  setting_value = "service-role/AWSSystemsManagerDefaultEC2InstanceManagementRole"
}

dustyketchum commented 1 year ago

I needed to use

resource "aws_ssm_service_setting" "default_host_management" {
  setting_id    = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:servicesetting/ssm/managed-instance/default-ec2-instance-management-role"
  setting_value = "AWSSystemsManagerDefaultEC2InstanceManagementRole"
}

without service-role/; it did not work for me until I changed this. (I also created the policy inline instead of using the module, which may be related.)

rahulsen commented 1 year ago

I don't think this is necessary, you can achieve the same effect by creating and referencing the following resources:

module "ssm_default_host_management_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "5.20.0"

  create_role = true

  trusted_role_services = [
    "ssm.amazonaws.com"
  ]

  role_name         = "AWSSystemsManagerDefaultEC2InstanceManagementRole"
  role_requires_mfa = false

  custom_role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonSSMManagedEC2InstanceDefaultPolicy",
  ]
}

resource "aws_ssm_service_setting" "default_host_management" {
  setting_id    = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:servicesetting/ssm/managed-instance/default-ec2-instance-management-role"
  setting_value = "service-role/AWSSystemsManagerDefaultEC2InstanceManagementRole"
}

How does this "achieve the same effect"? It is not enabling DHMC as far as I can see. All it is doing is setting the value of "servicesetting/ssm/managed-instance/default-ec2-instance-management-role" to the name of the role that the SSM service will be trusted to assume for the instance to be able to register with SSM. If DHMC is not enabled in the first place, this is useless. Correct me if I am wrong.

lorengordon commented 1 year ago

All it is doing is setting the value of "servicesetting/ssm/managed-instance/default-ec2-instance-management-role" to the role's name that SSM service will be trusted to assume for the instance to be able to register to SSM. If DHMC is not enabled in the first place, this is useless. Correct me if i am wrong.

Yep, that is all that toggle does when "enabling" DHMC. It just sets the ssm service setting to the role to use. Apply that config, and the toggle is enabled.

rahulsen commented 1 year ago

All it is doing is setting the value of "servicesetting/ssm/managed-instance/default-ec2-instance-management-role" to the role's name that SSM service will be trusted to assume for the instance to be able to register to SSM. If DHMC is not enabled in the first place, this is useless. Correct me if i am wrong.

Yep, that is all that toggle does when "enabling" DHMC. It just sets the ssm service setting to the role to use. Apply that config, and the toggle is enabled.

Ok thanks. That was the gap in my understanding. I tested it and indeed just setting/resetting that value IS the DHMC toggle. I wish AWS documentation was explicit about this.

lorengordon commented 1 year ago

I wish AWS documentation was explicit about this.

Absolutely! I only figured it out by digging through the CloudFormation stack and SSM Documents that are created as part of the "quick setup" when configuring Default Host Management for an Organization... Definitely an obscure setup! At the end, I was like, "That's it? Ok, well I can do that easily enough without the quick setup or the CloudFormation it relies on..."

lorengordon commented 10 months ago

FYI, although the API doc claims the setting_id should be an ARN, it appears it also accepts the simplified "setting name", e.g. /ssm/managed-instance/default-ec2-instance-management-role

Edit: Nevermind. Terraform internally is looking at the arn as the setting_id, so using just the setting name causes a persistent diff. :*(
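The thread establishes two things a practitioner auditing an account needs: the DHMC "toggle" is nothing more than the value of the service setting above, and the setting_id Terraform tracks is the full ARN rather than the bare setting name. The following is an added example, not code from this issue or from the provider; it interprets a GetServiceSetting response (the shape boto3's ssm.get_service_setting returns) using a constructed sample, and checks that a role trust policy actually lets ssm.amazonaws.com assume the role. The "$None" sentinel for a never-enabled account is an assumption drawn from the AWS docs, not from this thread.

```python
"""Audit helpers for SSM Default Host Management Configuration (DHMC)."""
import json

SETTING_NAME = "/ssm/managed-instance/default-ec2-instance-management-role"
DISABLED_VALUE = "$None"  # assumed default value when DHMC was never enabled


def setting_id_arn(region: str, account_id: str) -> str:
    """Full ARN form of the setting id; Terraform's aws_ssm_service_setting
    stores this as setting_id, so the bare name causes a persistent diff."""
    return f"arn:aws:ssm:{region}:{account_id}:servicesetting{SETTING_NAME}"


def dhmc_state(response: dict) -> dict:
    """Interpret a GetServiceSetting response: DHMC is enabled exactly when
    the setting value names an IAM role rather than the disabled sentinel."""
    setting = response["ServiceSetting"]
    value = setting.get("SettingValue", DISABLED_VALUE)
    enabled = value != DISABLED_VALUE
    # Both "service-role/<name>" and "<name>" forms appear in the thread.
    role_name = value.rsplit("/", 1)[-1] if enabled else None
    return {"enabled": enabled, "role_name": role_name,
            "status": setting.get("Status")}


def trust_policy_allows_ssm(policy_json: str) -> bool:
    """True when some Allow statement lets ssm.amazonaws.com call sts:AssumeRole."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        svc = stmt.get("Principal", {}).get("Service", [])
        services = [svc] if isinstance(svc, str) else svc
        act = stmt.get("Action", [])
        actions = [act] if isinstance(act, str) else act
        if "ssm.amazonaws.com" in services and "sts:AssumeRole" in actions:
            return True
    return False


# Constructed sample responses (not captured from a real account).
ENABLED_RESPONSE = {"ServiceSetting": {
    "SettingId": setting_id_arn("us-east-1", "123456789012"),
    "SettingValue": "service-role/AWSSystemsManagerDefaultEC2InstanceManagementRole",
    "Status": "Customized"}}
DISABLED_RESPONSE = {"ServiceSetting": {
    "SettingId": setting_id_arn("us-east-1", "123456789012"),
    "SettingValue": "$None", "Status": "Default"}}
```

Feed the output of `aws ssm get-service-setting --setting-id "$(setting ARN)"` to dhmc_state to confirm the toggle state without relying on the console.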

lorengordon commented 10 months ago

Went ahead and published a module to make it easier to set up default host management... https://registry.terraform.io/modules/plus3it/tardigrade-ssm-default-host-management/aws/latest