
tessl/npm-pulumi--aws

A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources with infrastructure-as-code.


Systems Manager - Operations Management

AWS Systems Manager provides operational insights and automates management tasks.

Common Tasks

import { ssm } from "@pulumi/aws";

// Store the database password as an encrypted SecureString parameter.
// dbPasswordSecret is defined outside this snippet; it should come from a secret
// source rather than a literal in the program. No keyId is passed, so encryption
// uses the service's default key (presumably the AWS managed key - confirm).
const dbPassword = new ssm.Parameter("db-password", {
    description: "Database password",
    type: "SecureString",
    value: dbPasswordSecret,
});

// Maintenance window: opens per the cron expression, lasts 3 hours, cutoff of 1 hour.
// No scheduleTimezone is set here, so the schedule uses the service default zone.
const patchWindow = new ssm.MaintenanceWindow("patch-window", {
    cutoff: 1,
    duration: 3,
    schedule: "cron(0 2 ? * SUN *)",
});

// Automation runbook body, kept as a plain object and serialized below.
// Review notes:
//  - No assumeRole is declared, so the runbook runs with the permissions of
//    whoever starts it.
//  - InstanceId is an unconstrained String; which instances can be rebooted is
//    limited only by the caller's IAM permissions.
const restartRunbook = {
    schemaVersion: "0.3",
    description: "Restart EC2 instance",
    parameters: {
        InstanceId: { type: "String" }
    },
    mainSteps: [{
        name: "restartInstance",
        action: "aws:executeAwsApi",
        inputs: {
            Service: "ec2",
            Api: "RebootInstances",
            InstanceIds: ["{{ InstanceId }}"]
        }
    }]
};

// Register the runbook as an Automation document.
const restartDocument = new ssm.Document("restart-instance", {
    documentType: "Automation",
    content: JSON.stringify(restartRunbook),
});

Core Resources

Parameter

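Parameter Store provides secure, hierarchical storage for configuration data and secrets. Only SecureString parameters are encrypted with KMS; String and StringList values are stored in plain text.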

/**
 * An SSM Parameter Store entry managed as a Pulumi resource.
 *
 * This listing is abridged: the Lambda example on this page reads
 * `apiEndpoint.value`, an output that is not declared here.
 */
class Parameter extends pulumi.CustomResource {
    /**
     * @param name Pulumi resource name (the examples pass e.g. "api-key").
     * @param args Parameter settings; `type` and `value` are required.
     * @param opts Optional Pulumi resource options.
     */
    constructor(name: string, args: ParameterArgs, opts?: pulumi.CustomResourceOptions);

    // ARN of the parameter; presumably the identifier to scope IAM policies to - confirm.
    readonly arn: pulumi.Output<string>;
    // Parameter name; the Lambda example passes this (not the value) to the function.
    readonly name: pulumi.Output<string>;
    // Version number of the parameter.
    readonly version: pulumi.Output<number>;
}

/** Constructor arguments for a Parameter resource. */
interface ParameterArgs {
    // Parameter name or path; the examples use a hierarchy such as "/myapp/prod/api-key".
    name?: pulumi.Input<string>;
    // Storage type. The examples store an endpoint URL as "String" and credentials
    // as "SecureString"; secrets belong in "SecureString".
    type: pulumi.Input<"String" | "StringList" | "SecureString">;
    // The value to store. For secrets, pass a value that is not a literal in source.
    value: pulumi.Input<string>;
    // Free-text description of the parameter.
    description?: pulumi.Input<string>;
    // KMS key for SecureString values; the api-key example passes kmsKey.id.
    // Presumably ignored for the other types - confirm.
    keyId?: pulumi.Input<string>;
    // NOTE(review): presumably permits replacing an existing parameter with the
    // same name - confirm before relying on it.
    overwrite?: pulumi.Input<boolean>;
    // Parameter tier; the api-key example uses "Advanced".
    tier?: pulumi.Input<"Standard" | "Advanced" | "Intelligent-Tiering">;
    // Resource tags as string key/value pairs.
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}

Example - Store application configuration

// Plain text configuration: type "String" is stored unencrypted, so use it
// only for values that are not secret.
const apiEndpoint = new ssm.Parameter("api-endpoint", {
    name: "/myapp/prod/api-endpoint",
    type: "String",
    value: "https://api.example.com",
    description: "Production API endpoint",
    tags: {
        Environment: "production",
    },
});

// Encrypted secret: SecureString encrypted with the KMS key passed as keyId.
// secretApiKey and kmsKey are defined outside this snippet; secretApiKey should
// come from a secret source rather than a literal in the program.
const apiKey = new ssm.Parameter("api-key", {
    name: "/myapp/prod/api-key",
    type: "SecureString",
    value: secretApiKey,
    keyId: kmsKey.id,
    tier: "Advanced",
    description: "API key for external service",
});

// Reference in Lambda environment.
// API_ENDPOINT carries the plain (non-secret) value itself. API_KEY_PARAM carries
// only the parameter NAME, so the secret is not copied into the function
// configuration; the function has to read it at run time, which means its
// execution role needs ssm:GetParameter on this parameter and kms:Decrypt on the key.
// The `aws` namespace is not imported in this snippet.
const lambda = new aws.lambda.Function("api-consumer", {
    environment: {
        variables: {
            API_ENDPOINT: apiEndpoint.value,
            API_KEY_PARAM: apiKey.name,
        },
    },
    // ... other config
});

Document

SSM Documents define actions that Systems Manager performs.

/**
 * An SSM document managed as a Pulumi resource. Per this page, documents define
 * the actions that Systems Manager performs.
 */
class Document extends pulumi.CustomResource {
    /**
     * @param name Pulumi resource name (the examples pass e.g. "backup-automation").
     * @param args Document settings; `content` and `documentType` are required.
     * @param opts Optional Pulumi resource options.
     */
    constructor(name: string, args: DocumentArgs, opts?: pulumi.CustomResourceOptions);

    // ARN of the document.
    readonly arn: pulumi.Output<string>;
}

/** Constructor arguments for a Document resource. */
interface DocumentArgs {
    // Document body as a string; the examples pass JSON (via JSON.stringify) or YAML.
    // The body decides which API calls or commands run, so review it like code.
    content: pulumi.Input<string>;
    // Kind of document; both examples on this page use "Automation".
    documentType: pulumi.Input<"Command" | "Automation" | "Policy" | "ChangeCalendar" | "Package">;
    // Document name; the backup example uses "BackupEC2Volumes".
    name?: pulumi.Input<string>;
    // Format of `content`; the backup example sets "YAML" for its YAML body.
    documentFormat?: pulumi.Input<"JSON" | "YAML">;
    // NOTE(review): presumably restricts the resource type the document can run
    // against - not shown in the examples, confirm.
    targetType?: pulumi.Input<string>;
    // Optional name for this document version.
    versionName?: pulumi.Input<string>;
    // Resource tags as string key/value pairs.
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}

Example - Create automation document

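// Automation runbook that snapshots the EBS volumes attached to one instance.
//
// A single ec2 CreateSnapshots call is used, keyed on the instance ID:
// CreateSnapshot accepts exactly one VolumeId, so passing it the StringList of
// volume IDs collected by a DescribeInstances step fails at run time.
//
// Review notes:
//  - RetentionDays is kept so existing callers that pass it keep working, but no
//    step reads it; nothing in this runbook expires old snapshots.
//  - No assumeRole is declared, so the runbook runs with the permissions of
//    whoever starts it. Declare a narrowly scoped role if operators should not
//    hold EC2 snapshot permissions themselves.
const backupDocument = new ssm.Document("backup-automation", {
    name: "BackupEC2Volumes",
    documentType: "Automation",
    documentFormat: "YAML",
    content: `
schemaVersion: '0.3'
description: Create snapshots of EC2 instance volumes
parameters:
  InstanceId:
    type: String
    description: EC2 instance ID
  RetentionDays:
    type: Integer
    default: 7
mainSteps:
  - name: createSnapshots
    action: 'aws:executeAwsApi'
    inputs:
      Service: ec2
      Api: CreateSnapshots
      InstanceSpecification:
        InstanceId: '{{ InstanceId }}'
      Description: 'Automated backup'
`,
});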

MaintenanceWindow

Maintenance windows define schedules for performing instance management tasks.

/**
 * An SSM maintenance window managed as a Pulumi resource. Per this page, a
 * maintenance window defines a schedule for instance management tasks.
 *
 * This listing is abridged: the patching example reads `patchWindow.id`, which
 * is not declared here.
 */
class MaintenanceWindow extends pulumi.CustomResource {
    /**
     * @param name Pulumi resource name (the examples pass e.g. "weekly-patching").
     * @param args Window settings; `schedule`, `duration` and `cutoff` are required.
     * @param opts Optional Pulumi resource options.
     */
    constructor(name: string, args: MaintenanceWindowArgs, opts?: pulumi.CustomResourceOptions);
}

/** Constructor arguments for a MaintenanceWindow resource. */
interface MaintenanceWindowArgs {
    // Window name; the patching example uses "weekly-patch-window".
    name?: pulumi.Input<string>;
    // Schedule expression; the examples use "cron(0 2 ? * SUN *)".
    schedule: pulumi.Input<string>;
    // Window length; the patching example annotates its value as hours.
    duration: pulumi.Input<number>;
    // Hours before the end of the window at which work stops, per the example's
    // "Stop 1 hour before end" comment.
    cutoff: pulumi.Input<number>;
    // NOTE(review): presumably lets tasks run on instances that were not
    // registered as window targets - confirm, and leave off unless needed.
    allowUnassociatedTargets?: pulumi.Input<boolean>;
    // Whether the window is enabled.
    enabled?: pulumi.Input<boolean>;
    // Time zone for `schedule`; the patching example uses "America/New_York".
    scheduleTimezone?: pulumi.Input<string>;
    // Resource tags as string key/value pairs.
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}

Example - Create maintenance window for patching

// Weekly patch window, scheduled in the America/New_York time zone.
const patchWindow = new ssm.MaintenanceWindow("weekly-patching", {
    name: "weekly-patch-window",
    schedule: "cron(0 2 ? * SUN *)", // 02:00 every Sunday, in scheduleTimezone
    duration: 4, // window stays open for 4 hours
    cutoff: 1, // stop 1 hour before the window ends
    scheduleTimezone: "America/New_York",
    tags: {
        Purpose: "patch-management",
    },
});

// Register every instance tagged Environment=production as a target of the window.
// Membership is decided by the tag alone, so whoever can set or remove that tag
// on an instance controls whether it gets patched; restrict tag write permissions
// accordingly.
const patchTarget = new ssm.MaintenanceWindowTarget("prod-servers", {
    windowId: patchWindow.id,
    resourceType: "INSTANCE",
    targets: [{
        key: "tag:Environment",
        values: ["production"],
    }],
});

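// Run the AWS-RunPatchBaseline command document against the registered targets.
//
// AWS-RunPatchBaseline requires an Operation parameter ("Scan" or "Install");
// without it the command cannot run, so it is passed explicitly. "Install"
// applies patches and may reboot instances; use "Scan" for a report-only run.
//
// maxConcurrency "50%" lets half of the targets be patched at the same time,
// and maxErrors "10%" stops the task once a tenth of them have failed; size both
// against the capacity the production fleet needs to stay available.
// patchWindow, patchTarget and maintenanceRole are defined outside this statement;
// maintenanceRole should grant only what the maintenance window task needs.
const patchTask = new ssm.MaintenanceWindowTask("run-patch", {
    windowId: patchWindow.id,
    taskType: "RUN_COMMAND",
    taskArn: "AWS-RunPatchBaseline",
    targets: [{
        key: "WindowTargetIds",
        values: [patchTarget.id],
    }],
    maxConcurrency: "50%",
    maxErrors: "10%",
    priority: 1,
    serviceRoleArn: maintenanceRole.arn,
    taskInvocationParameters: {
        runCommandParameters: {
            parameters: [{
                name: "Operation",
                values: ["Install"],
            }],
        },
    },
});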

PatchBaseline

Patch baselines define which patches to install during patching operations.

/**
 * An SSM patch baseline managed as a Pulumi resource. Per this page, a patch
 * baseline defines which patches are installed during patching operations.
 */
class PatchBaseline extends pulumi.CustomResource {
    /**
     * @param name Pulumi resource name.
     * @param args Optional baseline settings; every field of PatchBaselineArgs is optional.
     * @param opts Optional Pulumi resource options.
     */
    constructor(name: string, args?: PatchBaselineArgs, opts?: pulumi.CustomResourceOptions);

    // Identifier of the baseline.
    readonly id: pulumi.Output<string>;
}

/**
 * Constructor arguments for a PatchBaseline resource.
 *
 * PatchBaselineApprovalRule and PatchBaselineGlobalFilters are referenced here
 * but not defined on this page.
 */
interface PatchBaselineArgs {
    // Baseline name.
    name?: pulumi.Input<string>;
    // Operating system the baseline applies to; a free-form string in this listing.
    operatingSystem?: pulumi.Input<string>;
    // Patches that are explicitly approved.
    approvedPatches?: pulumi.Input<pulumi.Input<string>[]>;
    // Patches that are explicitly rejected.
    rejectedPatches?: pulumi.Input<pulumi.Input<string>[]>;
    // Rules for approving patches; presumably where security-update
    // classification and approval delay are set - confirm against the rule type.
    approvalRules?: pulumi.Input<pulumi.Input<PatchBaselineApprovalRule>[]>;
    // Filters applied across the baseline as a whole.
    globalFilters?: pulumi.Input<PatchBaselineGlobalFilters>;
    // Resource tags as string key/value pairs.
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}

Additional Resources

SSM provides 14 resources including:

  • Association - Associate SSM document with targets
  • Activation - Register on-premises servers
  • MaintenanceWindowTarget - Define targets for maintenance windows
  • MaintenanceWindowTask - Define tasks for maintenance windows
  • PatchGroup - Group instances for patch management
  • ResourceDataSync - Aggregate SSM data across regions/accounts
  • ContactsRotation - Incident Manager on-call rotations

For the complete SSM API, including 8 data sources, see All Services.

Related Services

Install with Tessl CLI

npx tessl i tessl/npm-pulumi--aws@7.16.0
