aws_ssm_maintenance_window_tasks resource
Use the aws_ssm_maintenance_window_tasks InSpec audit resource to test properties of multiple AWS Systems Manager (SSM) maintenance window tasks.
The AWS::SSM::MaintenanceWindowTask resource defines information about a task for an AWS Systems Manager maintenance window.
For additional information, including details on parameters and properties, see the AWS documentation on AWS SSM MaintenanceWindowTask.
Syntax
Ensure that the maintenance window task exists.
describe aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID') do
  it { should exist }
end
Parameters
window_id (required) - The ID of the maintenance window where the task is registered.
Properties
window_ids - The ID of the maintenance window where the task is registered.
Field: window_id
window_task_ids - The task ID.
Field: window_task_id
task_arns - The resource that the task uses during execution.
Field: task_arn
types - The type of task.
Field: type
targets - The targets (either instances or tags).
Field: targets
task_parameters - The parameters that should be passed to the task when it is run.
Field: task_parameters
priorities - The priority of the task in the maintenance window.
Field: priority
logging_infos - The logging information.
Field: logging_info
service_role_arns - The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) service role to use to publish Amazon Simple Notification Service (Amazon SNS) notifications for maintenance window Run Command tasks.
Field: service_role_arn
max_concurrencies - The maximum number of targets this task can be run for, in parallel.
Field: max_concurrency
max_errors - The maximum number of errors allowed before this task stops being scheduled.
Field: max_errors
names - The task name.
Field: name
descriptions - A description of the task.
Field: description
cutoff_behaviors - The specification for whether tasks should continue to run after the cutoff time specified in the maintenance windows is reached.
Field: cutoff_behavior
Examples
Ensure a window task ID is available:
describe aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID') do
  its('window_task_ids') { should include 'WINDOW_TASK_ID' }
end
Verify the priority of the maintenance window:
describe aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID') do
  its('priorities') { should include 1 }
end
Verify the type of the maintenance window:
describe aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID') do
  its('types') { should include 'AUTOMATION' }
end
Verify the name of the maintenance window:
describe aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID') do
  its('names') { should include 'WINDOW_TASK_NAME' }
end
Matchers
For a full list of available matchers, see our Universal Matchers page.
The controls will pass if the describe method returns at least one result.
exist
Use should to test that the entity exists.
describe aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID') do
  it { should exist }
end
Use should_not to test the entity does not exist.
describe aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID') do
  it { should_not exist }
end
AWS Permissions
Your AWS principal will need the SSM:Client:DescribeMaintenanceWindowTasksResult action with Effect set to Allow.