aws_ssm_maintenance_window_task Resource
Use the aws_ssm_maintenance_window_task
InSpec audit resource to test properties of a single AWS Systems Manager (SSM) maintenance window task.
The AWS::SSM::MaintenanceWindowTask
resource defines information about a task for an AWS Systems Manager maintenance window.
For additional information, including details on parameters and properties, see the AWS documentation on AWS SSM MaintenanceWindowTask.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
Ensure that the maintenance window task exists.
aws_ssm_maintenance_window_task(window_id: 'WINDOW_ID', window_task_id: 'WINDOW_TASK_ID')
it { should exist }
end
Parameters
window_id
(required)The ID of the maintenance window where the task is registered.
window_task_id
(required)The task ID.
Properties
window_id
- The ID of the maintenance window where the task is registered.
window_task_id
- The task ID.
task_arn
- The resource that the task uses during execution.
type
- The type of task.
targets
- The targets (either instances or tags).
target_keys
- User-defined criteria for sending commands that target instances that meet the criteria.
target_values
- User-defined criteria that maps to Key.
task_parameters
- The parameters that should be passed to the task when it is run.
priority
- The priority of the task in the maintenance window.
logging_info.s3_bucket_name
- The name of an S3 bucket where execution logs are stored.
logging_info.s3_key_prefix
- The S3 bucket subfolder.
logging_info.s3_region
- The Amazon Web Services Region where the S3 bucket is located.
service_role_arn
- The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) service role to use to publish Amazon Simple Notification Service (Amazon SNS) notifications for maintenance window Run Command tasks.
max_concurrency
- The maximum number of targets this task can be run for, in parallel.
max_errors
- The maximum number of errors allowed before this task stops being scheduled.
name
- The task name.
description
- A description of the task.
cutoff_behavior
- The specification for whether tasks should continue to run after the cutoff time specified in the maintenance windows is reached.
Examples
Ensure a window task ID is available.
aws_ssm_maintenance_window_task(window_id: 'WINDOW_ID', window_task_id: 'WINDOW_TASK_ID')
its('window_task_id') { should eq 'WINDOW_TASK_ID' }
end
Verify the priority of the maintenance window.
aws_ssm_maintenance_window_task(window_id: 'WINDOW_ID', window_task_id: 'WINDOW_TASK_ID')
its('priority') { should eq 1 }
end
Verify the type of the maintenance window.
aws_ssm_maintenance_window_task(window_id: 'WINDOW_ID', window_task_id: 'WINDOW_TASK_ID')
its('type') { should eq 'AUTOMATION' }
end
Verify the name of the maintenance window.
aws_ssm_maintenance_window_task(window_id: 'WINDOW_ID', window_task_id: 'WINDOW_TASK_ID')
its('name') { should eq 'WINDOW_TASK_NAME' }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
The controls will pass if the describe
method returns at least one result.
exist
Use should
to test that the entity exists.
aws_ssm_maintenance_window_task(window_id: 'WINDOW_ID', window_task_id: 'WINDOW_TASK_ID')
it { should exist }
end
Use should_not
to test the entity does not exist.
aws_ssm_maintenance_window_task(window_id: 'WINDOW_ID', window_task_id: 'WINDOW_TASK_ID')
it { should_not exist }
end
AWS Permissions
Your Principal will need the SSM:Client:DescribeMaintenanceWindowTasksResult
action with Effect
set to Allow
.