initial commit

modules/ManagementGovernance/ssm-schedule-run-command/README.md

@@ -0,0 +1,44 @@
+<!-- This readme file is generated with terraform-docs -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| aws | >= 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | >= 5.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_ssm_maintenance_window.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_maintenance_window) | resource |
+| [aws_ssm_maintenance_window_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_maintenance_window_target) | resource |
+| [aws_ssm_maintenance_window_task.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_maintenance_window_task) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| cron-expression | Cron expression for SSM maintenance window schedule | `string` | n/a | yes |
+| description | Description of command to run | `string` | n/a | yes |
+| instance-id | Id of Ec2 instance to execute the script | `string` | n/a | yes |
+| schedule-name | Name of maintenance window. e.g. Daily0900UTC8 | `string` | n/a | yes |
+| shell-script-path | Full path to script | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+ 
+---
+## Authorship
+This module was developed by xpk.

modules/ManagementGovernance/ssm-schedule-run-command/main.tf

@@ -0,0 +1,80 @@
+# SSM run command
+#resource "aws_ssm_document" "this" {
+#  name          = replace(title(var.description), " ", "")
+#  document_type = "Command"
+#  target_type   = "/AWS::EC2::Instance"
+#  content = jsonencode(
+#    {
+#      "schemaVersion" : "2.2",
+#      "description" : "Run script for ${var.description}",
+#      "parameters" : {
+#      },
+#      "mainSteps" : [
+#        {
+#          "action" : "aws:runShellScript",
+#          "name" : "RunShellScript",
+#          "inputs" : {
+#            "runCommand" : var.shell-script-path
+#          }
+#        }
+#      ]
+#    }
+#  )
+#}
+
+resource "aws_ssm_maintenance_window" "this" {
+  name        = replace(title(var.description), " ", "")
+  description = var.description
+  schedule    = var.cron-expression
+  duration    = var.maintenance-window-duration
+  cutoff      = 1
+}
+
+resource "aws_ssm_maintenance_window_target" "this" {
+  window_id     = aws_ssm_maintenance_window.this.id
+  name          = replace(title(var.description), " ", "")
+  description   = var.description
+  resource_type = "INSTANCE"
+
+  targets {
+    key    = "InstanceIds"
+    values = [var.instance-id]
+  }
+}
+
+resource "aws_ssm_maintenance_window_task" "this" {
+  name            = replace(title(var.description), " ", "")
+  max_concurrency = 1
+  max_errors      = 1
+  priority        = 1
+  task_arn        = "AWS-RunShellScript"
+  task_type       = "RUN_COMMAND"
+  window_id       = aws_ssm_maintenance_window.this.id
+
+  targets {
+    key    = "InstanceIds"
+    values = [var.instance-id]
+  }
+
+  task_invocation_parameters {
+    run_command_parameters {
+      timeout_seconds = 60 # If this time is reached and the command has not already started executing, it doesn't run.
+
+      cloudwatch_config {
+        cloudwatch_log_group_name = aws_cloudwatch_log_group.this.name
+        cloudwatch_output_enabled = true
+      }
+
+      parameter {
+        name   = "commands"
+        values = [var.shell-script-path]
+      }
+    }
+  }
+}
+
+resource "aws_cloudwatch_log_group" "this" {
+  name              = "/aws/ssm-maintenance/${replace(title(var.description), " ", "")}"
+  retention_in_days = var.cloudwatch-log-retention-days
+  log_group_class   = "STANDARD" # infrequent access logs can only be viewed via insight
+}

modules/ManagementGovernance/ssm-schedule-run-command/variables.tf

@@ -0,0 +1,36 @@
+variable shell-script-path {
+  type = string
+  description = "Full path to script"
+}
+
+variable cron-expression {
+  type = string
+  description = "Cron expression for SSM maintenance window schedule"
+}
+
+variable instance-id {
+  type = string
+  description = "Id of Ec2 instance to execute the script"
+}
+
+variable description {
+  type = string
+  description = "Description of command to run"
+}
+
+variable schedule-name {
+  type = string
+  description = "Name of maintenance window. e.g. Daily0900UTC8"
+}
+
+variable maintenance-window-duration {
+  type        = number
+  description = "Duration of maintenance window, must be >= 2"
+  default     = 2
+}
+
+variable cloudwatch-log-retention-days {
+  type = number
+  description = "Days to retain logs on cloudwatch logs"
+  default = 30
+}

modules/ManagementGovernance/ssm-schedule-run-command/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}