hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Error: creating SSM association: InvalidParameters: Parameter "InstanceId" requires a value #35908

Closed kunleoladimeji closed 5 months ago

kunleoladimeji commented 6 months ago

Terraform Core Version

1.7.3

AWS Provider Version

5.37.0

Affected Resource(s)

aws_ssm_association

Expected Behavior

Applying the resource should create an AWS SSM Association

Actual Behavior

Resource could not be created due to error.

Relevant Error/Panic Output Snippet

╷
│ Error: creating SSM association: InvalidParameters: Parameter "InstanceId" requires a value.
│ 
│   with aws_ssm_association.shutdown_ec2_instances,
│   on systems-manager.tf line 72, in resource "aws_ssm_association" "shutdown_ec2_instances":
│   72: resource "aws_ssm_association" "shutdown_ec2_instances" {
│ 
╵

Terraform Configuration Files

data "aws_iam_policy_document" "ssm_start_stop_resources" {
  statement {
    actions   = ["rds:Describe*", "rds:Start*", "rds:Stop*", "rds:Reboot*"]
    resources = ["*"]
    effect    = "Allow"
  }
  statement {
    effect = "Allow"
    actions = ["ssm:StartAutomationExecution",
    "ec2:DescribeInstanceStatus"]
    resources = ["*"]
  }
  statement {
    effect    = "Allow"
    actions   = ["ec2:StartInstances", "ec2:StopInstances"]
    resources = ["*"]
  }
}

data "aws_iam_policy_document" "ssm_assume_role" {
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["ssm.amazonaws.com"]
    }
    actions = ["sts:AssumeRole"]
  }
}
data "aws_instances" "jumpbox" {
  instance_tags = {
    "usage" = "jumpbox"
  }
  instance_state_names = [ "running", "stopped" ]
}

resource "aws_iam_role" "ssm_restart" {
  name = "SSMShutdownStartupRole"
  inline_policy {
    policy = data.aws_iam_policy_document.ssm_start_stop_resources.json
  }
  assume_role_policy = data.aws_iam_policy_document.ssm_assume_role.json
}

resource "aws_ssm_association" "shutdown_ec2_instances" {
  name                = "AWS-StopEC2Instance"
  schedule_expression = "cron(0 21 ? * MON-FRI *)"
  targets {
    key    = "InstanceIds"
    values = data.aws_instances.jumpbox.ids
  }
  parameters = {
    "AutomationAssumeRole" = aws_iam_role.ssm_restart.arn
  }
}

Steps to Reproduce

terraform apply

Debug Output

2024-02-21T14:39:52.475+0400 [TRACE] maybeTainted: aws_ssm_association.shutdown_ec2_instances was already tainted, so nothing to do
2024-02-21T14:39:52.475+0400 [TRACE] terraform.contextPlugins: Schema for provider "registry.terraform.io/hashicorp/aws" is in the global cache
2024-02-21T14:39:52.475+0400 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for aws_ssm_association.shutdown_ec2_instances
2024-02-21T14:39:52.475+0400 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for aws_ssm_association.shutdown_ec2_instances
2024-02-21T14:39:52.475+0400 [DEBUG] State storage *remote.State declined to persist a state snapshot
2024-02-21T14:39:52.475+0400 [ERROR] vertex "aws_ssm_association.shutdown_ec2_instances" error: creating SSM association: InvalidParameters: Parameter "InstanceId" requires a value.
2024-02-21T14:39:52.475+0400 [TRACE] vertex "aws_ssm_association.shutdown_ec2_instances": visit complete, with errors
2024-02-21T14:39:52.475+0400 [DEBUG] provider.terraform-provider-aws_v5.37.0_x5: HTTP Response Received: http.status_code=400 rpc.system=aws-api tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ApplyResourceChange http.response.header.connection=keep-alive http.response.header.date="Wed, 21 Feb 2024 10:39:52 GMT" http.response.header.x_amzn_requestid=959630f8-15a2-46b0-a91a-4c09cba072b7 @module=aws aws.region=af-south-1 tf_req_id=4b527a8b-31b0-4bed-6280-fd63c7be361f http.response.header.server=Server rpc.method=CreateAssociation rpc.service=SSM tf_aws.sdk=aws-sdk-go @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.48/logger.go:157
  http.response.body=
  | {"__type":"InvalidParameters","Message":"Parameter \"InstanceId\" requires a value."}
   tf_mux_provider="*schema.GRPCProviderServer" tf_resource_type=aws_ssm_association http.duration=469 http.response.header.content_type=application/x-amz-json-1.1 timestamp="2024-02-21T14:39:52.474+0400"

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

acwwat commented 6 months ago

This is not a provider issue but a usage issue with SSM. The automation runbook/document AWS-StopEC2Instance requires two parameters - InstanceId and AutomationAssumeRole, the former of which is the subject of the error message you are seeing.

Since the association is many-to-one, you'll need to specify a parameter from the runbook/document to branch off of (what to iterate against), which in this case is InstanceId. Thus you'll need to add the following to your aws_ssm_association resource definition like so:

resource "aws_ssm_association" "shutdown_ec2_instances" {
  name                = "AWS-StopEC2Instance"
  schedule_expression = "cron(0 21 ? * MON *)"
  targets {
    key    = "tag:StopNightly"
    values = ["true"]
  }
  automation_target_parameter_name = "InstanceId"
  parameters = {
    AutomationAssumeRole = "arn:aws:iam::<redacted>:role/MySSMAutomationRole"
  }
}

Note: I am not able to use InstanceIds as a target - it doesn't seem to be supported and is not available in State Manager. I can only use tag - even so the UI complains, but Terraform doesn't. Your cron schedule also doesn't work - for some reason it's not accepting MON-FRI even though the documentation seems to say otherwise. I am not sure if that means having to create 5 associations - one per day of week. So you'll have to experiment and figure this part out yourself or open an AWS Support Ticket.

Perhaps this AWS blog post can give you some ideas on different configurations you can apply in AWS Management Console, which you can then translate to Terraform.

Since this is probably not an issue with the Terraform AWS Provider, please feel free to close the ticket and report back any findings you have for the benefit of other users. Thank you.
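
An added example, not part of the thread or the provider's code: an offline pre-flight check that compares an association's arguments with a runbook's parameter list and reports any required parameter left without a value, which is what happened to InstanceId in this report. The parameter schema, role ARN and instance ID are constructed sample values, and `Association` and `check_association` are hypothetical names.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample shaped like the "Parameters" list from SSM DescribeDocument.
# Only the two names come from the thread; types and missing defaults are assumed.
STOP_EC2_PARAMS = [
    {"Name": "InstanceId", "Type": "StringList"},
    {"Name": "AutomationAssumeRole", "Type": "String"},
]
ROLE = "arn:aws:iam::111122223333:role/ExampleRole"  # constructed placeholder

@dataclass
class Association:  # hypothetical mirror of the aws_ssm_association arguments
    parameters: dict = field(default_factory=dict)
    targets: list = field(default_factory=list)
    automation_target_parameter_name: Optional[str] = None

def check_association(assoc, doc_params):
    """Return a list of problems; an empty list means every input is covered."""
    known = {p["Name"] for p in doc_params}
    required = {p["Name"] for p in doc_params if "DefaultValue" not in p}
    supplied = {k for k, v in assoc.parameters.items() if v}
    problems = [f"unknown parameter {n!r}" for n in sorted(supplied - known)]
    target = assoc.automation_target_parameter_name
    if target and target not in known:
        problems.append(f"target parameter {target!r} is not in the runbook")
    elif target and not any(t.get("values") for t in assoc.targets):
        problems.append(f"target parameter {target!r} set but targets are empty")
    elif target:
        supplied.add(target)  # filled per resource from the targets block
    problems += [f'Parameter "{n}" requires a value' for n in sorted(required - supplied)]
    return problems

# The configuration from the report: targets given, but nothing maps to InstanceId.
REPORTED = Association({"AutomationAssumeRole": ROLE},
                       [{"key": "InstanceIds", "values": ["i-0123456789abcdef0"]}])
# The shape suggested in the reply: tag targets mapped onto InstanceId.
SUGGESTED = Association({"AutomationAssumeRole": ROLE},
                        [{"key": "tag:StopNightly", "values": ["true"]}], "InstanceId")
# Edge case: target parameter named, but the lookup returned no values.
EMPTY = Association({"AutomationAssumeRole": ROLE},
                    [{"key": "InstanceIds", "values": []}], "InstanceId")

if __name__ == "__main__":
    for label, a in (("reported", REPORTED), ("suggested", SUGGESTED), ("empty", EMPTY)):
        print(label, check_association(a, STOP_EC2_PARAMS))
```

The empty-targets case matters when the target values come from a data source lookup that can return no matches.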

justinretzolk commented 5 months ago

With the above in mind, closing.

github-actions[bot] commented 5 months ago

Warning: This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

github-actions[bot] commented 4 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.