
How to create an 'AWS::SSM::Document' with DocumentType of Package using CloudFormation

This AWS CloudFormation document suggests that it is possible to administer an 'AWS::SSM::Document' resource with a DocumentType of 'Package'. However the 'Content' required to achieve this remains a mystery.

Is it possible to create a Document of type 'Package' via CloudFormation, and if so, what is the equivalent of this valid CLI command written as a CloudFormation template (preferably with YAML formatting)?

ssm create-document --name my-package --content "file://manifest.json" --attachments Key="SourceUrl",Values="s3://my-s3-bucket" --document-type Package

Failed Attempt. The content used is an inline version of the manifest.json which was provided when using the CLI option. There doesn't seem to be an option to specify an AttachmentSource when using CloudFormation:

AWSTemplateFormatVersion: 2010-09-09

Resources:
  Document:
    Type: AWS::SSM::Document
    Properties:
      Name: 'my-package'
      Content: !Sub |
        {
          "schemaVersion": "2.0",
          "version": "Auto-Generated-1579701261956",
          "packages": {
            "windows": {
              "_any": {
                "x86_64": {
                  "file": "my-file.zip"
                }
              }
            }
          },
          "files": {
            "my-file.zip": {
              "checksums": {
                "sha256": "sha...."
              }
            }
          }
        }
      DocumentType: Package

CloudFormation Error

AttachmentSource not provided in the input request. (Service: AmazonSSM; Status Code: 400; Error Code: InvalidParameterValueException;

Yes, this is possible! I've successfully created a resource with DocumentType: Package and the package shows up in the SSM console under Distributor Packages after the stack succeeds.

Your YAML is almost there, but you need to also include the Attachments property that is now available.

Here is a working example:

AWSTemplateFormatVersion: "2010-09-09"
Description: Sample to create a Package type Document

Parameters:
  S3BucketName:
    Type: "String"
    Default: "my-sample-bucket-for-package-files"
    Description: "The name of the S3 bucket."

Resources:
  CrowdStrikePackage:
    Type: AWS::SSM::Document
    Properties:
      Attachments:
        - Key: "SourceUrl"
          Values:
            - !Sub "s3://${S3BucketName}"
      Content:
        !Sub |
          {
              "schemaVersion": "2.0",
              "version": "1.0",
              "packages": {
                  "windows": {
                      "_any": {
                          "_any": {
                              "file": "YourZipFileName.zip"
                          }
                      }
                  }
              },
              "files": {
                  "YourZipFileName.zip": {
                      "checksums": {
                          "sha256": "7981B430E8E7C45FA1404FE6FDAB8C3A21BBCF60E8860E5668395FC427CE7070"
                      }
                  }
              }
          }
      DocumentFormat: "JSON"
      DocumentType: "Package"
      Name: "YourPackageNameGoesHere"
      TargetType: "/AWS::EC2::Instance"

Note: for the Attachments property you must use the SourceUrl key when using DocumentType: Package. The creation process will append a "/" to this S3 bucket URL and concatenate it with each file name you have listed in the manifest that is the Content property when it creates the package.
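The manifest in the Content property and the zip files under SourceUrl have to agree on two things: every file name referenced under "packages" must appear under "files", and the sha256 there must match the bytes SSM fetches from SourceUrl + "/" + file name, since that checksum is what protects the package from being swapped in the bucket. The script below is an added example (not code from the original post or from AWS) that generates the manifest from the actual file bytes, lists the S3 URLs SSM will resolve, and flags the mismatches that break creation or installation. The bucket and file names are placeholders taken from the question; the zip payload is a constructed stand-in.

```python
"""
Build and check the manifest that goes in the Content property of a
DocumentType: Package SSM document.  Added example, not from the original post.
"""
import hashlib
import json
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """Checksum Distributor compares against the zip it fetches from SourceUrl."""
    return hashlib.sha256(data).hexdigest().upper()


def build_manifest(version: str,
                   packages: Dict[str, Dict[str, Dict[str, Dict[str, str]]]],
                   blobs: Dict[str, bytes]) -> dict:
    """
    packages maps platform -> platform version -> architecture -> {"file": zip name},
    exactly like the 'packages' block in the question ('_any' is the wildcard).
    blobs maps each zip name to its bytes; the checksum is computed from them so
    the manifest cannot drift from the file that is actually uploaded.
    """
    referenced = {entry["file"] for plat in packages.values()
                  for ver in plat.values() for entry in ver.values()}
    missing = referenced - set(blobs)
    if missing:
        raise ValueError(f"packages reference files with no bytes: {sorted(missing)}")
    return {
        "schemaVersion": "2.0",
        "version": version,
        "packages": packages,
        "files": {name: {"checksums": {"sha256": sha256_hex(blobs[name])}}
                  for name in sorted(referenced)},
    }


def attachment_urls(source_url: str, manifest: dict) -> list:
    """Where SSM will look for each file: SourceUrl + '/' + file name."""
    return [f"{source_url.rstrip('/')}/{name}" for name in sorted(manifest["files"])]


def verify_manifest(manifest: dict, blobs: Dict[str, bytes]) -> list:
    """Return the problems that would break package creation or install; empty means OK."""
    problems = []
    files = manifest.get("files", {})
    for plat, versions in manifest.get("packages", {}).items():
        for ver, archs in versions.items():
            for arch, entry in archs.items():
                if entry.get("file") not in files:
                    problems.append(f"{plat}/{ver}/{arch} points at "
                                    f"{entry.get('file')!r} which is not in 'files'")
    for name, entry in files.items():
        expected = entry["checksums"]["sha256"].lower()
        if name not in blobs:
            problems.append(f"{name}: no local file to check")
        elif hashlib.sha256(blobs[name]).hexdigest() != expected:
            problems.append(f"{name}: sha256 mismatch")
    return problems


def content_property(manifest: dict) -> str:
    """The string to paste into the template's Content property (DocumentFormat JSON)."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    # Constructed payload standing in for the real my-file.zip.
    blobs = {"my-file.zip": b"constructed stand-in for my-file.zip"}
    packages = {"windows": {"_any": {"x86_64": {"file": "my-file.zip"}}}}
    manifest = build_manifest("1.0", packages, blobs)
    print(content_property(manifest))
    print(attachment_urls("s3://my-s3-bucket", manifest))
    print(verify_manifest(manifest, blobs))
```

Run it against the real zips before deploying the stack: a stale hash or a file name typo surfaces here rather than as an opaque failure from the SSM API, and the printed Content can be dropped straight into the template.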

It seems there is no direct way to create an SSM Document with an Attachment via CloudFormation (CFN). As a workaround you can use a Lambda-backed CFN Custom Resource: the Lambda calls the SDK API to create the SSM Document, and the Custom Resource in CFN invokes that Lambda.

Some notes on how to implement this solution are below:

There are some drawbacks to this solution:

  • It adds complexity to the original solution, as you have to create resources for the Lambda execution (an S3 bucket to deploy the Lambda, a Role for Lambda execution that can assume the SSM execution, the SSM content file, or else a 'long' inline content). It won't be a one-call CFN create-stack anymore. However, you can put everything into a SAM template because at the end of the day it's just a CFN template.
  • When deleting the CFN stack, you have to implement handling in the Lambda for RequestType == Delete to clean up your resource.

PS: If you don't have to work strictly with CFN, you can try Terraform: https://www.terraform.io/docs/providers/aws/r/ssm_document.html
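The custom-resource workaround above stands or falls on two details the answer mentions only briefly: the Lambda must always send a response to CloudFormation (otherwise the stack waits until the custom resource times out) and the Delete path must tolerate a document that was never created. The handler below is an added example (not code from the answer or from AWS) of that Lambda in Python. It calls the real boto3 methods `create_document`, `update_document`, `update_document_default_version` and `delete_document`; the custom resource's property names (Name, Content, SourceUrl) are assumptions of this example, and the core logic takes the SSM client as a parameter so it can be exercised without AWS credentials.

```python
"""
Lambda-backed CloudFormation custom resource that creates an SSM Distributor
package document (DocumentType 'Package') with a SourceUrl attachment.
Added example; the ResourceProperties names are this example's own convention.
"""
import json
import urllib.request


def build_attachments(source_url: str) -> list:
    """The only AttachmentSource key a Package document accepts is SourceUrl."""
    return [{"Key": "SourceUrl", "Values": [source_url]}]


def build_response(event: dict, status: str, physical_id: str,
                   reason: str = "", data: dict = None) -> dict:
    """Body CloudFormation expects to be PUT to the pre-signed ResponseURL."""
    return {
        "Status": status,
        "Reason": reason or "See the CloudWatch log stream for details",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def handle(event: dict, ssm) -> dict:
    """Core logic; the SSM client is injected so this runs without AWS."""
    props = event["ResourceProperties"]
    name = props["Name"]
    request_type = event["RequestType"]
    # The physical ID is the document name, so Delete knows what to remove and
    # a rename on Update makes CloudFormation delete the old document afterwards.
    old_id = event.get("PhysicalResourceId")

    if request_type == "Create" or (request_type == "Update" and old_id != name):
        ssm.create_document(
            Name=name,
            Content=props["Content"],          # the manifest JSON string
            DocumentType="Package",
            DocumentFormat="JSON",
            Attachments=build_attachments(props["SourceUrl"]),
        )
        return build_response(event, "SUCCESS", name, data={"Name": name})

    if request_type == "Update":
        # Same name: publish a new document version and make it the default.
        # update_document rejects unchanged content (DuplicateDocumentContent).
        resp = ssm.update_document(
            Name=name,
            Content=props["Content"],
            DocumentVersion="$LATEST",
            DocumentFormat="JSON",
            Attachments=build_attachments(props["SourceUrl"]),
        )
        version = resp["DocumentDescription"]["DocumentVersion"]
        ssm.update_document_default_version(Name=name, DocumentVersion=version)
        return build_response(event, "SUCCESS", name,
                              data={"Name": name, "Version": version})

    if request_type == "Delete":
        try:
            ssm.delete_document(Name=old_id)
        except Exception as exc:
            # A failed Create still gets a Delete; nothing to remove then.
            if "InvalidDocument" not in str(exc):
                raise
        return build_response(event, "SUCCESS", old_id)

    raise ValueError(f"unsupported RequestType {request_type!r}")


def send_response(event: dict, body: dict) -> None:
    """PUT the result to CloudFormation; without it the stack hangs until timeout."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(
        event["ResponseURL"], data=payload, method="PUT",
        headers={"Content-Type": "", "Content-Length": str(len(payload))})
    urllib.request.urlopen(req)


def lambda_handler(event, context):
    """Entry point on AWS; boto3 is imported here so the module loads offline."""
    import boto3
    try:
        body = handle(event, boto3.client("ssm"))
    except Exception as exc:
        physical = event.get("PhysicalResourceId") or \
            event["ResourceProperties"].get("Name", "failed")
        body = build_response(event, "FAILED", physical, reason=str(exc)[:1000])
    send_response(event, body)
```

The execution role needs only ssm:CreateDocument, ssm:UpdateDocument, ssm:UpdateDocumentDefaultVersion and ssm:DeleteDocument on the document ARN, plus s3:GetObject on the bucket holding the zips so SSM can fetch the attachments; keep it that narrow rather than granting ssm:* to the Lambda.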
