The patching offered in this module works, including cross-account patching. However, because I have occasionally seen cross-account patching fail with incorrect permissions, I have included the CloudFormation templates below for reference.
"Parameters": {
"AdminAccountId": {
"Type": "String",
"Description": "AWS Account ID of the primary account (the account from which AWS Systems Manager Automation will be initiated).",
"MaxLength": 12,
"MinLength": 12
}
},
"Resources": {
"AWSSystemsManagerAutomationExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "AWS-SystemsManager-AutomationExecutionRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Sub": [
"arn:aws:iam::${AdminAccountId}:role/AWS-SystemsManager-AutomationAdministrationRole",
{
"AdminAccountId": {
"Ref": "AdminAccountId"
}
}
]
}
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
],
"Path": "/",
"Policies": [
{
"PolicyName": "ExecutionPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"resource-groups:ListGroupResources",
"tag:GetResources",
"ec2:DescribeInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": {
"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/AWS-SystemsManager-AutomationExecutionRole"
}
}
]
}
}
]
}
}
}
}
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Configure the AWS-SystemsManager-AutomationAdministrationRole to enable use of AWS Systems Manager Cross Account/Region Automation execution.",
"Resources": {
"MasterAccountRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "AWS-SystemsManager-AutomationAdministrationRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "AssumeRole-AWSSystemsManagerAutomationExecutionRole",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": {
"Fn::Sub": "arn:${AWS::Partition}:iam::*:role/AWS-SystemsManager-AutomationExecutionRole"
}
}
]
}
}
]
}
}
}
}