terraform.aws-baseline-infra/modules/ManagementGovernance/ssm-schedule-run-command/main.tf


# SSM run command
#resource "aws_ssm_document" "this" {
# name = replace(title(var.description), " ", "")
# document_type = "Command"
# target_type = "/AWS::EC2::Instance"
# content = jsonencode(
# {
# "schemaVersion" : "2.2",
# "description" : "Run script for ${var.description}",
# "parameters" : {
# },
# "mainSteps" : [
# {
# "action" : "aws:runShellScript",
# "name" : "RunShellScript",
# "inputs" : {
# "runCommand" : var.shell-script-path
# }
# }
# ]
# }
# )
#}
# Maintenance window that owns the schedule for this module's run-command task.
# The window name is the title-cased description with spaces stripped, which is
# the same derivation the target, task and log group use.
resource "aws_ssm_maintenance_window" "this" {
  description = var.description
  name        = replace(title(var.description), " ", "")
  schedule    = var.cron-expression

  # Window length, in hours, taken from the module input.
  duration = var.maintenance-window-duration

  # Hours before the window closes after which no new task invocations start.
  # NOTE(review): the API expects cutoff to be smaller than duration, so
  # var.maintenance-window-duration should be greater than 1 — confirm the
  # variable's validation covers this.
  cutoff = 1
}
# Registers the single managed instance given by var.instance-id as a target of
# the maintenance window. This block is where instance selection is declared.
resource "aws_ssm_maintenance_window_target" "this" {
  window_id     = aws_ssm_maintenance_window.this.id
  resource_type = "INSTANCE"
  description   = var.description
  name          = replace(title(var.description), " ", "")

  # Target by explicit instance id rather than by tag, so the module only ever
  # touches the one instance it was given.
  targets {
    key    = "InstanceIds"
    values = [var.instance-id]
  }
}
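# Run-command task executed inside the maintenance window. It invokes the
# AWS-managed AWS-RunShellScript document against the window target registered
# in aws_ssm_maintenance_window_target.this, so instance selection is declared
# once there instead of being duplicated in this block.
resource "aws_ssm_maintenance_window_task" "this" {
  window_id   = aws_ssm_maintenance_window.this.id
  name        = replace(title(var.description), " ", "")
  description = var.description
  priority    = 1

  # AWS-owned document; this module creates no custom SSM document.
  task_type = "RUN_COMMAND"
  task_arn  = "AWS-RunShellScript"

  # One invocation at a time, and no further invocations are scheduled once
  # one has failed. With a single registered instance this is effectively
  # "run once, report the result".
  max_concurrency = 1
  max_errors      = 1

  # Reference the registered window target instead of repeating
  # var.instance-id here; changing the target resource is then enough to
  # retarget the task.
  targets {
    key    = "WindowTargetIds"
    values = [aws_ssm_maintenance_window_target.this.id]
  }

  task_invocation_parameters {
    run_command_parameters {
      # If the command has not started executing within this many seconds of
      # the invocation being created, it does not run at all.
      timeout_seconds = 60

      # Command stdout/stderr are shipped to the module's log group. Everything
      # the script prints ends up there, so the log group's retention and
      # access controls are part of this module's security boundary.
      cloudwatch_config {
        cloudwatch_log_group_name = aws_cloudwatch_log_group.this.name
        cloudwatch_output_enabled = true
      }

      # `commands` is the shell content AWS-RunShellScript executes on the
      # instance; its value is trusted module configuration, not runtime
      # input. NOTE(review): despite the variable name, this must be an
      # invocable command line (e.g. a path to an executable), not merely a
      # file name — confirm how callers populate var.shell-script-path.
      parameter {
        name   = "commands"
        values = [var.shell-script-path]
      }
    }
  }
}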
# Log group that receives the run-command output. The name is derived from the
# description the same way as the window, target and task names so the four
# resources are easy to correlate in the console.
resource "aws_cloudwatch_log_group" "this" {
  name              = "/aws/ssm-maintenance/${replace(title(var.description), " ", "")}"
  retention_in_days = var.cloudwatch-log-retention-days

  # Keep the STANDARD class: infrequent-access log groups can only be read
  # through Logs Insights, which would make reviewing command output harder.
  log_group_class = "STANDARD"

  # NOTE(review): no kms_key_id is set, so the group relies on CloudWatch's
  # default encryption. Because command output lands here, a customer-managed
  # key (passed in as a module variable) may be required — confirm against the
  # baseline's logging requirements.
}