aws_ssm_maintenance_window_tasks Resource
Use the aws_ssm_maintenance_window_tasks InSpec audit resource to test properties of multiple AWS Systems Manager (SSM) maintenance window tasks.
The AWS::SSM::MaintenanceWindowTask resource defines information about a task for an AWS Systems Manager maintenance window.
For additional information, including details on parameters and properties, see the AWS documentation on AWS SSM MaintenanceWindowTask.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
Ensure that the maintenance window task exists.
aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID')
it { should exist }
end
Parameters
window_id(required)The ID of the maintenance window where the task is registered.
Properties
window_ids- The ID of the maintenance window where the task is registered.
Field:
window_idwindow_task_ids- The task ID.
Field:
window_task_idtask_arns- The resource that the task uses during execution.
Field:
task_arntypes- The type of task.
Field:
typetargets- The targets (either instances or tags).
Field:
targetstask_parameters- The parameters that should be passed to the task when it is run.
Field:
task_parameterspriorities- The priority of the task in the maintenance window.
Field:
prioritylogging_infos- The logging information.
Field:
logging_infoservice_role_arns- The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) service role to use to publish Amazon Simple Notification Service (Amazon SNS) notifications for maintenance window Run Command tasks.
Field:
service_role_arnmax_concurrencies- The maximum number of targets this task can be run for, in parallel.
Field:
max_concurrencymax_errors- The maximum number of errors allowed before this task stops being scheduled.
Field:
max_errorsnames- The task name.
Field:
namedescriptions- A description of the task.
Field:
descriptioncutoff_behaviors- The specification for whether tasks should continue to run after the cutoff time specified in the maintenance windows is reached.
Field:
cutoff_behavior
Examples
Ensure a window task ID is available.
aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID')
its('window_task_ids') { should include 'WINDOW_TASK_ID' }
end
Verify the priority of the maintenance window.
aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID')
its('priorities') { should include 1 }
end
Verify the type of the maintenance window.
aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID')
its('types') { should include 'AUTOMATION' }
end
Verify the name of the maintenance window.
aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID')
its('names') { should include 'WINDOW_TASK_NAME' }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
The controls will pass if the describe method returns at least one result.
exist
Use should to test that the entity exists.
aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID')
it { should exist }
end
Use should_not to test the entity does not exist.
aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID')
it { should_not exist }
end
AWS Permissions
Your Principal will need the SSM:Client:DescribeMaintenanceWindowTasksResult action with Effect set to Allow.
Was this page helpful?