
Terraform で AWS Systems Manager Inventory を有効化する

AWS Systems Manager Inventory の有効化(AWS Systems Manager State Manager の関連付け)を Terraform で構築する場合 aws_ssm_association リソースを使って設定できる💡

aws_ssm_association の parameters に関しては Terraform のドキュメントには詳しく載っていないため,マネジメントコンソールの「セットアップインベントリ」画面と AWS Systems Manager Documents の AWS-GatherSoftwareInventory を参考にしながら設定すると良いと思う❗️


Terraform コード

設定としては以下のように仮置きしている👌

  • 収集対象にする Amazon EC2 インスタンスにはタグ Inventory: true を追加しておく
  • 1時間に1回実行する(早めに動作確認ができるように)
  • Windows は対象外にする
# State Manager association that enables Systems Manager Inventory by running the
# AWS-managed AWS-GatherSoftwareInventory document against tagged EC2 instances.
resource "aws_ssm_association" "inventory" {
  # AWS-managed document; the parameter names and the "Enabled"/"Disabled"
  # values below follow its schema (the document content is quoted later on
  # this page, including each parameter's default).
  name             = "AWS-GatherSoftwareInventory"
  association_name = "Inventory"

  # Hourly so the result can be checked shortly after apply.
  schedule_expression = "rate(1 hour)"

  # Tag-based targeting: every instance carrying Inventory=true is enrolled,
  # so whoever can set that tag effectively decides which instances get collected.
  targets {
    key    = "tag:Inventory"
    values = ["true"]
  }

  parameters = {
    # Collectors left on (each defaults to "Enabled" in the document).
    applications                = "Enabled"
    awsComponents               = "Enabled"
    billingInfo                 = "Enabled"
    customInventory             = "Enabled"
    instanceDetailedInformation = "Enabled"
    networkConfig               = "Enabled"

    # Windows-only collectors are switched off because Windows hosts are out of scope.
    services       = "Disabled"
    windowsRoles   = "Disabled"
    windowsUpdates = "Disabled"

    # Free-form JSON path lists; the empty string is the document default, i.e. no
    # extra file or registry scanning is configured.
    files           = ""
    windowsRegistry = ""
  }
}

結果

期待通りに構築できて,AWS Systems Manager Inventory でメタデータも収集できた❗️

参考: AWS Systems Manager Documents

AWS Systems Manager Documents の AWS-GatherSoftwareInventory のコンテンツ(バージョン1)を載せておく.Terraform で指定する Enabled / Disabled という値の期待値やデフォルト値などを確認できる💡

{
  "schemaVersion": "2.0",
  "description": "Software Inventory Policy Document.",
  "parameters": {
    "applications": {
      "type": "String",
      "default": "Enabled",
      "description": "(Optional) Collect data for installed applications.",
      "allowedValues": [
        "Enabled",
        "Disabled"
      ]
    },
    "awsComponents": {
      "type": "String",
      "default": "Enabled",
      "description": "(Optional) Collect data for AWS Components like amazon-ssm-agent.",
      "allowedValues": [
        "Enabled",
        "Disabled"
      ]
    },
    "files": {
      "type": "String",
      "default": "",
      "description": "<p>(Optional, requires SSMAgent version 2.2.64.0 and above)<br/><br/>Linux example:<br/><em>[{\"Path\":\"/usr/bin\", \"Pattern\":[\"aws*\", \"*ssm*\"],\"Recursive\":false},{\"Path\":\"/var/log\", \"Pattern\":[\"amazon*.*\"], \"Recursive\":true, \"DirScanLimit\":1000}]<br/></em><br/>Windows example:<br/><em>[{\"Path\":\"%PROGRAMFILES%\", \"Pattern\":[\"*.exe\"],\"Recursive\":true}]</em><br/><br/>Learn More: http://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-about.html#sysman-inventory-file-and-registry  </p>",
      "displayType": "textarea"
    },
    "networkConfig": {
      "type": "String",
      "default": "Enabled",
      "description": "(Optional) Collect data for Network configurations.",
      "allowedValues": [
        "Enabled",
        "Disabled"
      ]
    },
    "windowsUpdates": {
      "type": "String",
      "default": "Enabled",
      "description": "(Optional, Windows OS only) Collect data for all Windows Updates.",
      "allowedValues": [
        "Enabled",
        "Disabled"
      ]
    },
    "instanceDetailedInformation": {
      "type": "String",
      "default": "Enabled",
      "description": "(Optional) Collect additional information about the instance, including the CPU model, speed, and the number of cores, to name a few.",
      "allowedValues": [
        "Enabled",
        "Disabled"
      ]
    },
    "services": {
      "type": "String",
      "default": "Enabled",
      "description": "(Optional, Windows OS only, requires SSMAgent version 2.2.64.0 and above) Collect data for service configurations.",
      "allowedValues": [
        "Enabled",
        "Disabled"
      ]
    },
    "windowsRegistry": {
      "type": "String",
      "default": "",
      "description": "<p>(Optional, Windows OS only, requires SSMAgent version 2.2.64.0 and above)<br/><br/>Example:<br />[{\"Path\":\"HKEY_CURRENT_CONFIG\\System\",\"Recursive\":true},{\"Path\":\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Amazon\\MachineImage\", \"ValueNames\":[\"AMIName\"]}]<br/><br/>Learn More: http://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-about.html#sysman-inventory-file-and-registry </p>",
      "displayType": "textarea"
    },
    "windowsRoles": {
      "type": "String",
      "default": "Enabled",
      "description": "(Optional, Windows OS only, requires SSMAgent version 2.2.64.0 and above) Collect data for Microsoft Windows role configurations.",
      "allowedValues": [
        "Enabled",
        "Disabled"
      ]
    },
    "customInventory": {
      "type": "String",
      "default": "Enabled",
      "description": "(Optional) Collect data for custom inventory.",
      "allowedValues": [
        "Enabled",
        "Disabled"
      ]
    },
    "billingInfo": {
      "type": "String",
      "default": "Enabled",
      "description": "(Optional) Collect billing info for license included applications.",
      "allowedValues": [
        "Enabled",
        "Disabled"
      ]
    }
  },
  "mainSteps": [
    {
      "action": "aws:softwareInventory",
      "name": "collectSoftwareInventoryItems",
      "inputs": {
        "applications": "{{ applications }}",
        "awsComponents": "{{ awsComponents }}",
        "networkConfig": "{{ networkConfig }}",
        "files": "{{ files }}",
        "services": "{{ services }}",
        "windowsRoles": "{{ windowsRoles }}",
        "windowsRegistry": "{{ windowsRegistry}}",
        "windowsUpdates": "{{ windowsUpdates }}",
        "instanceDetailedInformation": "{{ instanceDetailedInformation }}",
        "billingInfo": "{{ billingInfo }}",
        "customInventory": "{{ customInventory }}"
      }
    }
  ]
}