6

I have a CloudFormation template that creates an AWS::Events::Rule and an AWS::SSM::Document. I need to provide a list of Targets for the SSM::Rule, but each target expects an ARN:

mySSMDocument:
  Type: AWS::SSM::Document
  Properties:
    DocumentType: 'Command'
    Content:
      schemaVersion: '2.2'
      description: "Code that will be run on EC2"
      mainSteps:
        - action: "aws:runShellScript"
          name: runShellScript
          inputs:
            runCommand:
              - 'Some command to execute'
myEventRule:
  Type: AWS::Events::Rule
  Properties:
    Description: "A description for the Rule."
    EventPattern: 
      source:
        - "aws.autoscaling"
      detail-type:
        - "EC2 Instance-terminate Lifecycle Action"
      detail:
        AutoScalingGroupName:
          - !Ref 'someAutoScalingGroupInThisTemplate'
    RoleArn: 'some role ARN'
    State: "ENABLED"
    Targets:
      - Id: "some-unique-id"
        Arn: <-- This is the value that I need to fill in.
        RunCommandParameters:
          RunCommandTargets:
            - Key: "tag:Name"
              Values:
                - 'The name of the EC2 machine'

I think that I need to replace the <-- This is the value that I need to fill in. with the ARN of mySSMDocument, but I don't see any way to retrieve this value from within the template itself. The documentation does not specify any GetAtt functionality on SSM::Document that allows getting the ARN. Does anyone know how to solve this issue?

Titulum

2 Answers

7

This is the ARN pattern of a Document:

arn:${Partition}:ssm:${Region}:${Account}:document/${DocumentName}

example:

arn:aws:ssm:us-east-2:12345678912:document/demoooo

You can use the Ref function to get the name of the document, then Sub to create the final ARN.

refer: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html#awssystemsmanager-resources-for-iam-policies

Tuan Vo
  • Any reason to use `Join` instead of `Sub`? I see it being used everywhere while `Sub` is much more readable. – Titulum Dec 16 '19 at 08:59
  • @TuanVA Can I give ARN pattern for package (which is created using distributor in system manager)? I tried but it is not accepting – codebuff Jun 04 '20 at 17:19
7
!Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:document/${mySSMDocument}

You can produce the ARN format for AWS::SSM::Document using the return value for AWS::SSM::Document, the Pseudo Parameters for Partition, Region, and AccountId, and the Sub intrinsic function.

Pat Myron
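
Going one step beyond the answers, the following CloudFormation fragment is an added example (not code from the question or either answer) that places the `!Sub` ARN in the rule's target and reuses the same ARN to limit the role EventBridge assumes to `ssm:SendCommand` on that one document and on instances with the targeted tag. It assumes `mySSMDocument` and `someAutoScalingGroupInThisTemplate` are defined in the same template as in the question; `myEventRuleRole` and the policy name are hypothetical.

```yaml
Resources:
  # mySSMDocument and someAutoScalingGroupInThisTemplate: as in the question.
  myEventRuleRole:                       # hypothetical resource name
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: send-command-one-document   # hypothetical name
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # The role may run only this document ...
              - Effect: Allow
                Action: ssm:SendCommand
                Resource: !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:document/${mySSMDocument}'
              # ... and only on instances carrying the tag the rule targets.
              - Effect: Allow
                Action: ssm:SendCommand
                Resource: !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
                Condition:
                  StringEquals:
                    'ssm:resourceTag/Name': 'The name of the EC2 machine'
  myEventRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source: ['aws.autoscaling']
        detail-type: ['EC2 Instance-terminate Lifecycle Action']
        detail:
          AutoScalingGroupName:
            - !Ref someAutoScalingGroupInThisTemplate
      State: ENABLED
      Targets:
        - Id: some-unique-id
          # Ref on AWS::SSM::Document returns the document name, so Sub yields its ARN.
          Arn: !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:document/${mySSMDocument}'
          RoleArn: !GetAtt myEventRuleRole.Arn    # role assumed for this target
          RunCommandParameters:
            RunCommandTargets:
              - Key: 'tag:Name'
                Values:
                  - 'The name of the EC2 machine'
```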