bitflight-public/terraform-aws-ssm-ami-bakery

An AWS native 'serverless' module for building AMIs and publishing them

terraform-aws-ssm-ami-bakery

This Terraform module creates AWS AMIs that can easily be kept up to date, automatically applying operating system (OS) patches to a Windows or Linux AMI that is already considered the most up-to-date (latest) AMI. In the example, the default value of the parameter SourceAmiId is defined by a Systems Manager Parameter Store parameter called latestAmi. The value of latestAmi is updated by an AWS Lambda function invoked at the end of the Automation workflow. As a result of this Automation process, the time and effort spent patching AMIs is minimized.

TODO:

  • Create Lambda functions
  • Create Automation documents
  • Test pipeline
  • Create a basic example
  • Create a full README.md file
  • Enable logging of the update processes to CloudWatch
  • Provide inputs for specifying a subnet to launch in
  • Split the single role into two roles, one for Lambda and one for SSM
  • Provide inputs for security groups to attach
  • Create an output SNS queue and write the queue ARN to Parameter Store, so that events can be chained together
  • Import the file linux-user-data.sh, append the variable var.additional_userdata to it, base64-encode it, and update the SSM document
  • Create submodule: allow setting expiry of old images
  • Allow updating a specified ASG ARN to use the new AMI
  • Add the ability to wait for approval before updating the ASG

Simple Example

This will:

  • Create an SSM Automation document for Linux
  • Create the appropriate roles and policies to run the process
  • Create the Lambda functions needed to trigger the process
  • Create the Parameter Store parameter /cp/dev/amazon-linux/LatestAmi and store the value of ami in it
  • Provide parameters to the Lambda function, such as the name template "{namespace}-{stage}-{name}-{date}"
  • Subscribe the Lambda function to an SNS topic so that it is triggered, as per this AWS example

When the Lambda function is triggered it will:

  • Launch the specified AMI as a new instance
  • Generate a new AMI from the name template "{namespace}-{stage}-{name}-{date}"; in the example below the resulting template is cp-dev-amazon-linux-{{global:DATE_TIME}}
  • Install the latest SSM agent on the instance if it is not installed already
  • Update all of the OS patches (yum update -y)
  • Shut down the instance
  • Terminate the instance
  • Trigger the second Lambda function, which updates the Parameter Store parameter /cp/dev/amazon-linux/LatestAmi with the new AMI id

provider "aws" {
  region = "eu-west-2"
}

module "keep_ami_patched" {
  source    = "git::git@github.com:bitflight-public/terraform-aws-ssm-ami-bakery.git"
  namespace = "cp"
  stage     = "dev"
  name      = "amazon-linux"
  ami       = "ami-dc2ecebb" // eu-west-2 Amazon Linux AMI; you would normally start with your own customised AMI
}

# Amazon Linux update notifications are only published to an SNS topic in us-east-1.
# Pin a provider to us-east-1 to create a subscription to that topic.
# Below we subscribe the Lambda function to this release notification, so that on
# each release from Amazon we update our custom image to match.
# Note: SNS can only invoke the function if its resource policy allows
# sns.amazonaws.com for this topic (aws_lambda_permission); this example assumes
# the module creates that permission for the endpoint it exports.
provider "aws" {
  region = "us-east-1"
  alias  = "us-east-1"
}

resource "aws_sns_topic_subscription" "trigger_automation" {
  provider  = "aws.us-east-1"
  topic_arn = "arn:aws:sns:us-east-1:137112412989:amazon-linux-ami-updates"
  protocol  = "lambda"
  endpoint  = "${module.keep_ami_patched.lambda_endpoint_arn}"
}
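The last step in the list above, the second Lambda function that publishes the new AMI id to the Parameter Store parameter, is what closes the loop so that the next bake starts from the patched image. The following is an added example of such a handler written for this README; it is not code from the bitflight-public module. The event shape ({"newAmiId": ...}, optionally wrapped in an SNS notification), the AMI_NAMESPACE/AMI_STAGE/AMI_NAME environment variables and the RecordingClient stand-in are assumptions made for the example. It validates the AMI id format and checks that the image is owned by the account before overwriting the parameter, because whatever lands in /cp/dev/amazon-linux/LatestAmi becomes the SourceAmiId of every later bake.

```python
"""Hypothetical 'publish latest AMI' Lambda for the ssm-ami-bakery flow (added example)."""
import json
import os
import re
from datetime import datetime, timezone

# AMI ids are "ami-" followed by 8 (legacy) or 17 hex characters.
AMI_ID_RE = re.compile(r"^ami-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def render_name(template, namespace, stage, name, date=None):
    """Render the README's "{namespace}-{stage}-{name}-{date}" AMI name template."""
    if date is None:
        date = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H-%M-%S")
    return template.format(namespace=namespace, stage=stage, name=name, date=date)


def parameter_name(namespace, stage, name):
    """Parameter Store name used by the README example: /cp/dev/amazon-linux/LatestAmi."""
    return f"/{namespace}/{stage}/{name}/LatestAmi"


def extract_ami_id(event):
    """Pull the new AMI id out of a direct {"newAmiId": ...} event or the same JSON
    wrapped in an SNS notification (assumed shapes). Anything that is not a
    well-formed AMI id is rejected so it can never become the next SourceAmiId."""
    records = event.get("Records")
    payload = json.loads(records[0]["Sns"]["Message"]) if records else event
    ami_id = payload.get("newAmiId", "")
    if not AMI_ID_RE.match(ami_id):
        raise ValueError(f"refusing to publish malformed AMI id: {ami_id!r}")
    return ami_id


def assert_owned_by_account(ec2_client, ami_id):
    """Only publish images this account owns (describe_images with Owners=['self'])."""
    images = ec2_client.describe_images(ImageIds=[ami_id], Owners=["self"]).get("Images", [])
    if not images:
        raise ValueError(f"{ami_id} is not an image owned by this account")
    return images[0]


def publish_latest_ami(ssm_client, param_name, ami_id):
    """Overwrite the String parameter that later automations read as SourceAmiId."""
    ssm_client.put_parameter(Name=param_name, Value=ami_id, Type="String", Overwrite=True)
    return param_name


def handler(event, context, ssm_client=None, ec2_client=None):
    """Lambda entry point. namespace/stage/name come from environment variables
    (assumed names; the defaults match the README example)."""
    if ssm_client is None or ec2_client is None:
        import boto3  # imported lazily so the pure helpers run without the SDK
        ssm_client = ssm_client or boto3.client("ssm")
        ec2_client = ec2_client or boto3.client("ec2")
    namespace = os.environ.get("AMI_NAMESPACE", "cp")
    stage = os.environ.get("AMI_STAGE", "dev")
    name = os.environ.get("AMI_NAME", "amazon-linux")

    ami_id = extract_ami_id(event)
    assert_owned_by_account(ec2_client, ami_id)  # refuse before anything is written
    param = publish_latest_ami(ssm_client, parameter_name(namespace, stage, name), ami_id)
    return {"parameter": param, "ami_id": ami_id}


class RecordingClient:
    """Offline stand-in for the boto3 ssm/ec2 clients: records put_parameter calls
    and answers describe_images from a constructed set of owned image ids."""

    def __init__(self, owned_images=()):
        self.calls = []
        self.owned_images = set(owned_images)

    def put_parameter(self, **kwargs):
        self.calls.append(kwargs)
        return {"Version": len(self.calls)}

    def describe_images(self, ImageIds, Owners):
        found = [{"ImageId": i} for i in ImageIds if i in self.owned_images]
        return {"Images": found}


if __name__ == "__main__":
    # Constructed event: what the bake automation is assumed to emit when it finishes.
    event = {"newAmiId": "ami-0123456789abcdef0"}
    client = RecordingClient(owned_images={"ami-0123456789abcdef0"})
    print(handler(event, None, ssm_client=client, ec2_client=client))
    print(render_name("{namespace}-{stage}-{name}-{date}", "cp", "dev", "amazon-linux"))
```

Because the ownership check runs before put_parameter, a notification carrying an unknown or foreign image id leaves the parameter untouched; the Lambda role then only needs ssm:PutParameter on the one parameter path and ec2:DescribeImages.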
