Describe the bug
The sra_linux_maintenance maintenance window is failing after initial success. This appears to be due to a documented hash mismatch issue where the document hash is stored at creation time but not updated when AWS updates the underlying SSM documents.
Checking CloudWatch logs shows this error:
"errorCode": "InvalidDocument",
"errorMessage": "document hash ee02200c65f0b5f76be341511a1520e7880c15312ca8b5455aebf1847d08705f does not match Sha256."
To Reproduce
Steps to reproduce the behavior:
- Deploy the AWS SRA solution using either the easy setup or the individual patch management solution
- Wait for AWS to update their SSM documents (specifically AWS-RunPatchBaseline)
- The next time the maintenance window runs, it will fail with a document hash mismatch error
Expected behavior
The maintenance windows should either:
- Not hardcode the document hash at creation time, or
- Have a mechanism to update the document hash automatically when AWS updates the underlying SSM documents
Deployment Environment (please complete the following information)
- Deployment Framework [e.g. Customizations for Control Tower and CloudFormation StackSets]: sra-easy-setup.yaml
- Deployment Framework Version [e.g. 1.0, 2.0]: Not sure, it's a few months old, latest sra-easy-setup.yaml
Additional context
Add any other context about the problem here.
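One way to catch this drift before the next maintenance window run, as an added example that is not part of the original issue or the SRA project's code: compare the hash pinned on each Run Command task with the hash of the live document. The input shapes are assumed to mirror boto3's `ssm.get_maintenance_window_task()` and `ssm.describe_document()["Document"]` responses; all IDs and hashes below are constructed sample values.

```python
def doc_name(task_arn):
    """TaskArn holds a document name or a full ARN ending in document/<name>."""
    return task_arn.split("document/", 1)[-1]


def stale_hash_tasks(tasks, documents):
    """Return findings for RUN_COMMAND tasks whose pinned hash no longer matches.

    tasks:     dicts shaped like get_maintenance_window_task() responses (assumed)
    documents: {document name: dict shaped like describe_document()["Document"]}
    """
    findings = []
    for task in tasks:
        run_cmd = task.get("TaskInvocationParameters", {}).get("RunCommand", {})
        pinned = run_cmd.get("DocumentHash")
        if task.get("TaskType") != "RUN_COMMAND" or not pinned:
            continue  # nothing pinned, so nothing can go stale
        name = doc_name(task["TaskArn"])
        doc = documents.get(name)
        if doc is None:
            status = "document-not-found"
        elif doc.get("HashType") != run_cmd.get("DocumentHashType"):
            status = "hash-type-differs"  # cannot compare digests of different types
        elif doc["Hash"].lower() != pinned.lower():
            status = "stale"  # this is the state that yields InvalidDocument
        else:
            continue  # pinned hash still matches the live document
        findings.append({"window": task["WindowId"], "task": task["WindowTaskId"],
                         "document": name, "status": status})
    return findings


# Constructed sample data (not real window IDs or document hashes).
SAMPLE_TASKS = [
    {"WindowId": "mw-constructed-1", "WindowTaskId": "task-1", "TaskType": "RUN_COMMAND",
     "TaskArn": "AWS-RunPatchBaseline",
     "TaskInvocationParameters": {"RunCommand": {
         "DocumentHash": "a" * 64, "DocumentHashType": "Sha256"}}},
    {"WindowId": "mw-constructed-1", "WindowTaskId": "task-2", "TaskType": "RUN_COMMAND",
     "TaskArn": "arn:aws:ssm:us-east-1::document/AWS-UpdateSSMAgent",
     "TaskInvocationParameters": {"RunCommand": {
         "DocumentHash": "c" * 64, "DocumentHashType": "Sha256"}}},
    {"WindowId": "mw-constructed-2", "WindowTaskId": "task-3", "TaskType": "RUN_COMMAND",
     "TaskArn": "AWS-RunPatchBaseline",
     "TaskInvocationParameters": {"RunCommand": {}}},  # no pinned hash
]
SAMPLE_DOCS = {
    "AWS-RunPatchBaseline": {"Hash": "b" * 64, "HashType": "Sha256"},  # updated upstream
    "AWS-UpdateSSMAgent": {"Hash": "c" * 64, "HashType": "Sha256"},
}
```

Run on a schedule against live API responses, a non-empty result flags windows that will fail on their next execution.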