1. AI Environment Standardization via AWS SSM Association

    AWS Systems Manager (SSM) is a service that allows you to automate the management and maintenance of your EC2 instances and your on-premises servers and VMs in your hybrid environment. One of the capabilities of SSM is State Manager, which helps to define and maintain consistent configuration of your environments.

    An SSM Document defines the actions that Systems Manager performs on your managed instances. An SSM Association is a configuration that applies an SSM Document to a set of instances. This association can specify parameters and a schedule that determines how the document should be applied. This is useful to enforce a standard setup for your environments.

    In the Pulumi program below, we will:

    1. Create an SSM Document that, for example, installs and starts an Apache web server on your instances.
    2. Define an SSM Association to apply this document to a target set of instances based on tags.
    3. Create the infrastructure and show how the configuration of your instances can be managed automatically.

    Here is a comprehensive Pulumi program that will create an SSM Document and Association:

        import json

        import pulumi
        import pulumi_aws as aws

        # Create the IAM role that the managed instance will use.
        # The role is attached to an EC2 instance, so the trusted principal is
        # ec2.amazonaws.com.
        role = aws.iam.Role("role",
            assume_role_policy="""{
                "Version": "2012-10-17",
                "Statement": [{
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": { "Service": "ec2.amazonaws.com" }
                }]
            }""")

        # Attach the AmazonSSMManagedInstanceCore policy to the role
        role_policy_attachment = aws.iam.RolePolicyAttachment("role_policy_attachment",
            role=role.name,
            policy_arn="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore")

        # EC2 attaches a role to an instance through an instance profile
        instance_profile = aws.iam.InstanceProfile("instance_profile", role=role.name)

        # Define the content of the SSM document.
        # This content should describe the configuration you want on your instances.
        # For example, the content below will ensure an Apache web server is
        # installed and running.
        ssm_document_content = {
            "schemaVersion": "2.2",
            "description": "Install and run apache.",
            "mainSteps": [{
                "action": "aws:runShellScript",
                "name": "installApache",
                "inputs": {
                    "runCommand": [
                        "yum install -y httpd",
                        "systemctl start httpd",
                        "systemctl enable httpd"
                    ]
                }
            }]
        }

        # Create an SSM Document that defines actions to be performed on instances
        ssm_document = aws.ssm.Document("ssmDocument",
            content=json.dumps(ssm_document_content),
            document_type="Command")

        # Assumption: Amazon Linux 2 (the document uses yum and systemctl) on a
        # t3.micro. Replace both with the AMI and instance type you standardize on.
        ami = aws.ec2.get_ami(most_recent=True,
            owners=["amazon"],
            filters=[aws.ec2.GetAmiFilterArgs(
                name="name",
                values=["amzn2-ami-hvm-*-x86_64-gp2"])])

        # Define an instance to associate with the SSM Document
        instance = aws.ec2.Instance("instance",
            ami=ami.id,
            instance_type="t3.micro",
            # Make sure the instance is using the role created above
            iam_instance_profile=instance_profile.name,
            tags={"Environment": "production"})

        # Create the association of the SSM Document with the target instances
        association = aws.ssm.Association("association",
            name=ssm_document.name,
            targets=[{
                "key": "tag:Environment",
                "values": ["production"],
            }],
            # Optionally, schedule the association to apply the document at a
            # certain interval
            schedule_expression="rate(30 minutes)")

        # Export the URL of the instance to be able to access it later
        pulumi.export('instance_url', pulumi.Output.concat('http://', instance.public_dns))

    Explanation

    • We define an IAM role and attach the AmazonSSMManagedInstanceCore policy, which grants the permissions an instance needs to be managed by Systems Manager.

    • Next, we create an SSM Document (aws.ssm.Document) that describes the configuration that we want to apply. In this case, it's a shell script to install and start an Apache web server.

    • We create an EC2 instance and attach the role to it through an instance profile, which is how EC2 exposes an IAM role to an instance, so it can be managed by SSM.

    • Lastly, we set up an SSM Association (aws.ssm.Association) that ties the document to targets. In this case, we target the instances with the tag key "Environment" and the value "production".

    • An optional schedule_expression is provided to specify that this association should be applied every 30 minutes. This is helpful if you want to ensure that your configuration is enforced regularly.

    • We export the public DNS of the instance to access the Apache web server once it's running.

    When this program runs, Pulumi will provision the instances and set up SSM to make sure that our configuration is applied correctly. You can adjust the ssm_document_content to apply different configurations as per your standardization requirements.
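
    Because the commands in ssm_document_content run on every instance the association's targets match, it is worth checking both before deploying a change. The sketch below is an added example, not part of the original program: the audit helper and its rules are assumptions chosen for illustration, and DOC and TARGETS are constructed inputs that mirror the document and targets above.

```python
import re

# Constructed sample inputs, shaped like the document and targets on this page.
DOC = {
    "schemaVersion": "2.2",
    "description": "Install and run apache.",
    "mainSteps": [{
        "action": "aws:runShellScript",
        "name": "installApache",
        "inputs": {"runCommand": [
            "yum install -y httpd",
            "systemctl start httpd",
            "systemctl enable httpd",
        ]},
    }],
}
TARGETS = [{"key": "tag:Environment", "values": ["production"]}]

# A download piped straight into a shell cannot be reviewed from the document text.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba)?sh\b")


def audit(document, targets):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if document.get("schemaVersion") != "2.2":
        findings.append("document: expected schemaVersion 2.2 (the version this page uses)")
    steps = document.get("mainSteps") or []
    if not steps:
        findings.append("document: no mainSteps, the association would do nothing")
    for step in steps:
        if step.get("action") != "aws:runShellScript":
            continue  # only shell steps are linted in this example
        name = step.get("name", "<unnamed>")
        for cmd in step.get("inputs", {}).get("runCommand", []):
            if PIPE_TO_SHELL.search(cmd):
                findings.append(f"{name}: pipes a download into a shell: {cmd}")
    if not targets:
        findings.append("targets: empty target list")
    for target in targets:
        values = target.get("values") or []
        if not values:
            findings.append(f"targets: {target.get('key')} has no values")
        if target.get("key") == "InstanceIds" and "*" in values:
            findings.append("targets: InstanceIds=* matches every managed instance")
    return findings

if __name__ == "__main__":
    print(audit(DOC, TARGETS))
```

    Running the same function over ssm_document_content and the association's targets in a pre-deployment step lets a non-empty result block the update.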