├── .github
    └── ISSUE_TEMPLATE
    │   ├── bug_report.md
    │   └── feature_request.md
├── .gitignore
├── README.md
├── automationdocument.tf
├── examples
    └── amazon-ami-default-example
    │   ├── README.md
    │   ├── example.auto.tfvars
    │   └── main.tf
├── iam.tf
├── labels.tf
├── lambda.tf
├── lambda
    ├── lambda-trigger-automation.py
    ├── lambda-update-autoscaling-groups.py
    └── lambda-update-parameter-store.py
├── linux-user-data.sh
├── main.tf
├── outputs.tf
└── variables.tf


/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Bug report
 3 | about: Create a report to help us improve
 4 | 
 5 | ---
 6 | 
 7 | **Describe the bug**
 8 | A clear and concise description of what the bug is.
 9 | 
10 | **To Reproduce**
11 | Steps to reproduce the behavior:
12 | 1. Go to '...'
13 | 2. Click on '....'
14 | 3. Scroll down to '....'
15 | 4. See error
16 | 
17 | **Expected behavior**
18 | A clear and concise description of what you expected to happen.
19 | 
20 | **Screenshots**
21 | If applicable, add screenshots to help explain your problem.
22 | 
23 | **Desktop (please complete the following information):**
24 |  - OS: [e.g. iOS]
25 |  - Browser [e.g. chrome, safari]
26 |  - Version [e.g. 22]
27 | 
28 | **Smartphone (please complete the following information):**
29 |  - Device: [e.g. iPhone6]
30 |  - OS: [e.g. iOS8.1]
31 |  - Browser [e.g. stock browser, safari]
32 |  - Version [e.g. 22]
33 | 
34 | **Additional context**
35 | Add any other context about the problem here.
36 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Feature request
 3 | about: Suggest an idea for this project
 4 | 
 5 | ---
 6 | 
 7 | **Is your feature request related to a problem? Please describe.**
 8 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 9 | 
10 | **Describe the solution you'd like**
11 | A clear and concise description of what you want to happen.
12 | 
13 | **Describe alternatives you've considered**
14 | A clear and concise description of any alternative solutions or features you've considered.
15 | 
16 | **Additional context**
17 | Add any other context or screenshots about the feature request here.
18 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | *.tfstate
 2 | *.tfstate.*
 3 | **/*.pem
 4 | **/.terraform
 5 | **/terraform.tfstate
 6 | **/terraform.tfstate.backup
 7 | 
 8 | dev.auto.tfvars
 9 | *.zip
10 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # terraform-aws-ssm-ami-bakery
 2 | 
 3 | This Terraform Module creates AWS AMI's that can be easily kept up to date, automatically applying operating system (OS) patches to a Windows or Linux AMI that is already considered to be the most up-to-date or latest AMI. In the example, the default value of the parameter `SourceAmiId` is defined by a Systems Manager Parameter Store parameter called `latestAmi`. The value of `latestAmi` is updated by an AWS Lambda function invoked at the end of the Automation workflow. As a result of this Automation process, the time and effort spent patching AMIs is minimized.
 4 | 
 5 | ## TODO:
 6 | - [x] Create Lambda functions
 7 | - [x] Create Automation documents
 8 | - [x] Test pipeline
 9 | - [x] Create a basic example
10 | - [ ] Create a full README.md file
11 | - [ ] [Enable logging](https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-ssm-agent.html) of the update processes to cloudwatch
12 | - [ ] Provide inputs for specifying a subnet to launch in
13 | - [ ] Split the single role into 2 roles, one for lambda and one for SSM.
14 | - [ ] Provide inputs for security groups to attach
15 | - [ ] Create output SNS queue, and write the queue arn to Parameter store, so that events can be chained together
16 | - [ ] Import the file `linux-user-data.sh` append the variable `var.additional_userdata` to it, base64 encode it and update the SSM document
17 | - [ ] Create Submodule: Allow setting expiry of old images
18 | - [x] Allow updating of a specified ASG arn to use the new AMI
19 | - [x] Add the ability to wait for approval before updating the ASG
20 | 
21 | ## Simple Example
22 | 
23 | **This will:**
24 | - Create a SSM automation document for linux
25 | - Create appropriate roles and policies to run the process
26 | - Create the lambda functions needed to trigger the process
27 | - Create the Parameter Store Name `/cp/dev/amazon-linux/LatestAmi` and store the value of `ami` in it
28 | - Provide parameters to the lambda function such as a name template name template "{namespace}-{stage}-{name}-{date}"
29 | - Subscribe the lambda function to an SNS topic for it to be triggered as per [this aws example](http://docs.amazonaws.cn/en_us/AWSEC2/latest/UserGuide/amazon-linux-ami-basics.html#linux-ami-notifications)
30 |  
31 | 
32 | **When the lambda is triggered it will:**
33 | - Launch the specified AMI as a new instance
34 | - Generate a new ami with the name template "{namespace}-{stage}-{name}-{date}" and in the example below the output template is `cp-dev-amazon-linux-{{global:DATE_TIME}}`
35 | - Install the latest SSM agent on it if it is not installed already.
36 | - Update all of the OS patches (`yum update -y`)
37 | - Shut down the instance
38 | - Terminate the instance
39 | - Trigger the second lambda function to update the Parameter Store Name `/cp/dev/amazon-linux/LatestAmi` with the new AMI id.
40 | 
41 | ```hcl
42 | provider "aws" {
43 | 	region = "eu-west-2"
44 | }
45 | 
46 | module "keep_ami_patched" {
47 |   source    = "git::git@github.com:bitflight-public/terraform-aws-ssm-ami-bakery.git"
48 |   namespace = "cp"
49 |   stage     = "dev"
50 |   name      = "amazon-linux"
51 |   ami       = "ami-dc2ecebb" // eu-west-2 amazon ami, but you would normally start with your own customised ami
52 | }
53 | 
54 | # For Amazon Linux updates, they are only released in an SNS feed from us-east-1
55 | # Pin a provider to us-east-1 to create a topic subscription to that SNS feed.
56 | # Below we are subscribing the lambda function to this release notification, 
57 | # This means that on each release from amazon, we will update our custom image to match.
58 | provider "aws" {
59 |   region = "us-east-1"
60 |   alias  = "us-east-1"
61 | }
62 | 
63 | resource "aws_sns_topic_subscription" "trigger_automation" {
64 |   provider  = "aws.us-east-1"
65 |   topic_arn = "arn:aws:sns:us-east-1:137112412989:amazon-linux-ami-updates"
66 |   protocol  = "lambda"
67 |   endpoint  = "${module.keep_ami_patched.lambda_endpoint_arn}"
68 | }
69 | ```
70 | 


--------------------------------------------------------------------------------
/automationdocument.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_ssm_document" "document_linux" {
  2 |   count         = "${var.os_type == "linux" ? 1 : 0 }"
  3 |   name          = "${module.label.id}-linux-document"
  4 |   document_type = "Automation"
  5 | 
  6 |   content = <<DOC
  7 | {
  8 |   "schemaVersion": "0.3",
  9 |   "description": "Updates AMI with Linux distribution packages and Amazon software. For details,see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sysman-ami-walkthrough.html",
 10 |   "assumeRole": "{{AutomationAssumeRole}}",
 11 |   "parameters": {
 12 |     "SourceAmiId": {
 13 |       "type": "String",
 14 |       "description": "(Required) The source Amazon Machine Image ID."
 15 |     },
 16 |     "SourceAmiParameterName": {
 17 |       "type": "String",
 18 |       "description": "(Required) The Parameter Store key where the AMI id is stored."
 19 |     },
 20 |     "SSMAmiLambdaFunctionName": {
 21 |       "type": "String",
 22 |       "description": "(Required) The Lambda function name that should be triggered at the end of the build."
 23 |     },
 24 |     "InstanceIamRole": {
 25 |       "type": "String",
 26 |       "description": "(Required) The name of the role that enables Systems Manager (SSM) to manage the instance.",
 27 |       "default": "ManagedInstanceProfile"
 28 |     },
 29 |     "AutomationAssumeRole": {
 30 |       "type": "String",
 31 |       "description": "(Required) The ARN of the role that allows Automation to perform the actions on your behalf.",
 32 |       "default": "arn:aws:iam::{{global:ACCOUNT_ID}}:role/AutomationServiceRole"
 33 |     },
 34 |     "TargetAmiName": {
 35 |       "type": "String",
 36 |       "description": "(Optional) The name of the new AMI that will be created. Default is a system-generated string including the source AMI id, and the creation time and date.",
 37 |       "default": "UpdateLinuxAmi_from_{{SourceAmiId}}_on_{{global:DATE_TIME}}"
 38 |     },
 39 |     "InstanceType": {
 40 |       "type": "String",
 41 |       "description": "(Optional) Type of instance to launch as the workspace host. Instance types vary by region. Default is t2.micro.",
 42 |       "default": "t2.micro"
 43 |     },
 44 |     "PreUpdateScript": {
 45 |       "type": "String",
 46 |       "description": "(Optional) URL of a script to run before updates are applied. Default (\"none\") is to not run a script.",
 47 |       "default": "none"
 48 |     },
 49 |     "PostUpdateScript": {
 50 |       "type": "String",
 51 |       "description": "(Optional) URL of a script to run after package updates are applied. Default (\"none\") is to not run a script.",
 52 |       "default": "none"
 53 |     },
 54 |     "IncludePackages": {
 55 |       "type": "String",
 56 |       "description": "(Optional) Only update these named packages. By default (\"all\"), all available updates are applied.",
 57 |       "default": "all"
 58 |     },
 59 |     "ExcludePackages": {
 60 |       "type": "String",
 61 |       "description": "(Optional) Names of packages to hold back from updates, under all conditions. By default (\"none\"), no package is excluded.",
 62 |       "default": "none"
 63 |     },
 64 |     "SSMAutomationUpdateAsg": {
 65 |       "type": "String",
 66 |       "description": "Lambda function name that updates the ASGs",
 67 |       "default": ""
 68 |     },
 69 |     "targetASG": {
 70 |       "type": "String",
 71 |       "description": "(Optional) Autoscaling group ARN to update to use the new AMI created",
 72 |       "default": ""
 73 |     },
 74 |     "ApprovalNotificationArn": {
 75 |       "type": "String",
 76 |       "description": "(Optional) ARN of an SNS topic which to watch for approval requests",
 77 |       "default": ""
 78 |     }
 79 |   },
 80 |   "mainSteps": [
 81 |     {
 82 |       "name": "launchInstance",
 83 |       "action": "aws:runInstances",
 84 |       "maxAttempts": 3,
 85 |       "timeoutSeconds": 1200,
 86 |       "onFailure": "Abort",
 87 |       "inputs": {
 88 |         "ImageId": "{{SourceAmiId}}",
 89 |         "InstanceType": "{{InstanceType}}",
 90 |         "UserData": "IyEvYmluL2Jhc2gNCg0KZnVuY3Rpb24gZ2V0X2NvbnRlbnRzKCkgew0KICAgIGlmIFsgLXggIiQod2hpY2ggY3VybCkiIF07IHRoZW4NCiAgICAgICAgY3VybCAtcyAtZiAiJDEiDQogICAgZWxpZiBbIC14ICIkKHdoaWNoIHdnZXQpIiBdOyB0aGVuDQogICAgICAgIHdnZXQgIiQxIiAtTyAtDQogICAgZWxzZQ0KICAgICAgICBkaWUgIk5vIGRvd25sb2FkIHV0aWxpdHkgKGN1cmwsIHdnZXQpIg0KICAgIGZpDQp9DQoNCnJlYWRvbmx5IElERU5USVRZX1VSTD0iaHR0cDovLzE2OS4yNTQuMTY5LjI1NC8yMDE2LTA2LTMwL2R5bmFtaWMvaW5zdGFuY2UtaWRlbnRpdHkvZG9jdW1lbnQvIg0KcmVhZG9ubHkgVFJVRV9SRUdJT049JChnZXRfY29udGVudHMgIiRJREVOVElUWV9VUkwiIHwgYXdrIC1GXCIgJy9yZWdpb24vIHsgcHJpbnQgJDQgfScpDQpyZWFkb25seSBERUZBVUxUX1JFR0lPTj0idXMtZWFzdC0xIg0KcmVhZG9ubHkgUkVHSU9OPSIke1RSVUVfUkVHSU9OOi0kREVGQVVMVF9SRUdJT059Ig0KDQpyZWFkb25seSBTQ1JJUFRfTkFNRT0iYXdzLWluc3RhbGwtc3NtLWFnZW50Ig0KIFNDUklQVF9VUkw9Imh0dHBzOi8vYXdzLXNzbS1kb3dubG9hZHMtJFJFR0lPTi5zMy5hbWF6b25hd3MuY29tL3NjcmlwdHMvJFNDUklQVF9OQU1FIg0KDQppZiBbICIkUkVHSU9OIiA9ICJjbi1ub3J0aC0xIiBdOyB0aGVuDQogIFNDUklQVF9VUkw9Imh0dHBzOi8vYXdzLXNzbS1kb3dubG9hZHMtJFJFR0lPTi5zMy5jbi1ub3J0aC0xLmFtYXpvbmF3cy5jb20uY24vc2NyaXB0cy8kU0NSSVBUX05BTUUiDQpmaQ0KDQppZiBbICIkUkVHSU9OIiA9ICJ1cy1nb3Ytd2VzdC0xIiBdOyB0aGVuDQogIFNDUklQVF9VUkw9Imh0dHBzOi8vYXdzLXNzbS1kb3dubG9hZHMtJFJFR0lPTi5zMy11cy1nb3Ytd2VzdC0xLmFtYXpvbmF3cy5jb20vc2NyaXB0cy8kU0NSSVBUX05BTUUiDQpmaQ0KDQpjZCAvdG1wDQpGSUxFX1NJWkU9MA0KTUFYX1JFVFJZX0NPVU5UPTMNClJFVFJZX0NPVU5UPTANCg0Kd2hpbGUgWyAkUkVUUllfQ09VTlQgLWx0ICRNQVhfUkVUUllfQ09VTlQgXSA7IGRvDQogIGVjaG8gQVdTLVVwZGF0ZUxpbnV4QW1pOiBEb3dubG9hZGluZyBzY3JpcHQgZnJvbSAkU0NSSVBUX1VSTA0KICBnZXRfY29udGVudHMgIiRTQ1JJUFRfVVJMIiA+ICIkU0NSSVBUX05BTUUiDQogIEZJTEVfU0laRT0kKGR1IC1rIC90bXAvJFNDUklQVF9OQU1FIHwgY3V0IC1mMSkNCiAgZWNobyBBV1MtVXBkYXRlTGludXhBbWk6IEZpbmlzaGVkIGRvd25sb2FkaW5nIHNjcmlwdCwgc2l6ZTogJEZJTEVfU0laRQ0KICBpZiBbICRGSUxFX1NJWkUgLWd0IDAgXTsgdGhlbg0KICAgIGJyZWFrDQogIGVsc2UNCiAgICBpZiBbWyAkUkVUUllfQ09VTlQgLWx0IE1BWF9SRVRSWV9DT1VOVCBdXTsgdGhlbg0KICAgICAgUkVUUllfQ09VTlQ9JCgoUkVUUllfQ09VTlQrMSkpOw0KICAgICAgZWNobyBBV1MtVXBkYXRlTGludXhBbWk6IEZpbGVTaXplIGlzIDAsIHJldHJ5Q291bnQ6ICRSRVRSWV9DT1VOVA0KICAgIGZpDQogIGZpIA0KZG9uZQ0KDQppZiBbICRGSUxFX1NJWkUgLWd0IDAgXTsgdGhlbg0KICBjaG1vZCAreCAiJFNDUklQVF9OQU1FIg0KICBlY2hvIEFXUy1VcGRhdGVMaW51eEFtaTogUnVubmluZyBVcGRhdGVTU01BZ2VudCBzY3JpcHQgbm93IC4uLi4NCiAgLi8iJFNDUklQVF9OQU1FIiAtLXJlZ2lvbiAiJFJFR0lPTiINCmVsc2UNCiAgZWNobyBBV1MtVXBkYXRlTGludXhBbWk6IFVuYWJsZSB0byBkb3dubG9hZCBzY3JpcHQsIHF1aXR0aW5nIC4uLi4NCmZp",
 91 |         "MinInstanceCount": 1,
 92 |         "MaxInstanceCount": 1,
 93 |         "IamInstanceProfileName": "{{InstanceIamRole}}"
 94 |       }
 95 |     },
 96 |     {
 97 |       "name": "updateOSSoftware",
 98 |       "action": "aws:runCommand",
 99 |       "maxAttempts": 3,
100 |       "timeoutSeconds": 3600,
101 |       "onFailure": "Abort",
102 |       "inputs": {
103 |         "DocumentName": "AWS-RunShellScript",
104 |         "InstanceIds": [
105 |           "{{launchInstance.InstanceIds}}"
106 |         ],
107 |         "Parameters": {
108 |           "commands": [
109 |             "set -e",
110 |             "[ -x \"$(which wget)\" ] && get_contents='wget $1 -O -'",
111 |             "[ -x \"$(which curl)\" ] && get_contents='curl -s -f $1'",
112 |             "eval $get_contents https://aws-ssm-downloads-{{global:REGION}}.s3.amazonaws.com/scripts/aws-update-linux-instance > /tmp/aws-update-linux-instance",
113 |             "chmod +x /tmp/aws-update-linux-instance",
114 |             "/tmp/aws-update-linux-instance --pre-update-script '{{PreUpdateScript}}' --post-update-script '{{PostUpdateScript}}' --include-packages '{{IncludePackages}}' --exclude-packages '{{ExcludePackages}}' 2>&1 | tee /tmp/aws-update-linux-instance.log"
115 |           ]
116 |         }
117 |       }
118 |     },
119 |     {
120 |       "name": "stopInstance",
121 |       "action": "aws:changeInstanceState",
122 |       "maxAttempts": 3,
123 |       "timeoutSeconds": 1200,
124 |       "onFailure": "Abort",
125 |       "inputs": {
126 |         "InstanceIds": [
127 |           "{{launchInstance.InstanceIds}}"
128 |         ],
129 |         "DesiredState": "stopped"
130 |       }
131 |     },
132 |     {
133 |       "name": "createImage",
134 |       "action": "aws:createImage",
135 |       "maxAttempts": 3,
136 |       "onFailure": "Abort",
137 |       "inputs": {
138 |         "InstanceId": "{{launchInstance.InstanceIds}}",
139 |         "ImageName": "{{TargetAmiName}}",
140 |         "NoReboot": true,
141 |         "ImageDescription": "AMI Generated by EC2 Automation on {{global:DATE_TIME}} from {{SourceAmiId}}"
142 |       }
143 |     },
144 |     {
145 |       "name": "terminateInstance",
146 |       "action": "aws:changeInstanceState",
147 |       "maxAttempts": 3,
148 |       "onFailure": "Continue",
149 |       "inputs": {
150 |         "InstanceIds": [
151 |           "{{launchInstance.InstanceIds}}"
152 |         ],
153 |         "DesiredState": "terminated"
154 |       }
155 |     },
156 |     {
157 |          "name":"updateSsmParam",
158 |          "action":"aws:invokeLambdaFunction",
159 |          "timeoutSeconds":1200,
160 |          "maxAttempts":1,
161 |          "onFailure":"Abort",
162 |          "inputs":{
163 |             "FunctionName":"{{SSMAmiLambdaFunctionName}}",
164 |             "Payload":"{\"parameterName\":\"{{SourceAmiParameterName}}\", \"parameterValue\":\"{{createImage.ImageId}}\"}"
165 |          }
166 |       }
167 |       ${local.approval_request},
168 |       {
169 |          "name":"updateASG",
170 |          "action":"aws:invokeLambdaFunction",
171 |          "timeoutSeconds":1200,
172 |          "maxAttempts":1,
173 |          "onFailure":"Abort",
174 |          "inputs": {
175 |             "FunctionName": "{{SSMAutomationUpdateAsg}}",
176 |             "Payload": "{\"targetASG\":\"{{targetASG}}\", \"newAmiID\":\"{{createImage.ImageId}}\"}"
177 |          }
178 |       }
179 |   ],
180 |   "outputs": [
181 |     "createImage.ImageId"
182 |   ]
183 | }
184 | DOC
185 | }
186 | 
187 | locals {
188 |   approval_request_format = {
189 |     "NotificationArn"      = "{{ApprovalNotificationArn}}"
190 |     "Message"              = "Please the approve the update of the ASGs."
191 |     "timeoutSeconds"       = 86000
192 |     "onFailure"            = "Abort"
193 |     "MinRequiredApprovals" = "${min(var.min_num_approvers, length(var.approvers_list))}"
194 |     "Approvers"            = ["${var.approvers_list}"]
195 |   }
196 | 
197 |   approval_request = "${var.require_approval_to_update_asg == "true" ? ",${jsonencode(local.approval_request_format)}" : ""}"
198 | }
199 | 
200 | resource "aws_sns_topic" "approve_asg_updates" {
201 |   count       = "${var.require_approval_to_update_asg == "true" ? 1 : 0}"
202 |   name_prefix = "Automation-${module.label.id}"
203 | }
204 | 
205 | resource "aws_ssm_document" "document_windows" {
206 |   count         = "${var.os_type == "windows" ? 1 : 0 }"
207 |   name          = "${module.label.id}-windows-document"
208 |   document_type = "Automation"
209 | 
210 |   content = <<DOC
211 | {
212 |    "description":"Systems Manager Automation – Patch AMI and Update SSM Param",
213 |    "schemaVersion":"0.3",
214 |    "assumeRole":"the role ARN you created",
215 |    "parameters":{
216 |       "sourceAMIid":{
217 |          "type":"String",
218 |          "description":"AMI to patch",
219 |          "default":"{{ssm:latestAmi}}"
220 |       },
221 |       "targetAMIname":{
222 |          "type":"String",
223 |          "description":"Name of new AMI",
224 |          "default":"patchedAMI-{{global:DATE_TIME}}"
225 |       }
226 |    },
227 |    "mainSteps":[
228 |       {
229 |          "name":"startInstances",
230 |          "action":"aws:runInstances",
231 |          "timeoutSeconds":1200,
232 |          "maxAttempts":1,
233 |          "onFailure":"Abort",
234 |          "inputs":{
235 |             "ImageId":"{{ sourceAMIid }}",
236 |             "InstanceType":"m3.large",
237 |             "MinInstanceCount":1,
238 |             "MaxInstanceCount":1,
239 |             "IamInstanceProfileName":"${aws_iam_role.role.name}"
240 |          }
241 |       },
242 |       {
243 |          "name":"installMissingWindowsUpdates",
244 |          "action":"aws:runCommand",
245 |          "maxAttempts":1,
246 |          "onFailure":"Continue",
247 |          "inputs":{
248 |             "DocumentName":"AWS-InstallMissingWindowsUpdates",
249 |             "InstanceIds":[
250 |                "{{ startInstances.InstanceIds }}"
251 |             ],
252 |             "Parameters":{
253 |                "UpdateLevel":"Important"
254 |             }
255 |          }
256 |       },
257 |       {
258 |          "name":"stopInstance",
259 |          "action":"aws:changeInstanceState",
260 |          "maxAttempts":1,
261 |          "onFailure":"Continue",
262 |          "inputs":{
263 |             "InstanceIds":[
264 |                "{{ startInstances.InstanceIds }}"
265 |             ],
266 |             "DesiredState":"stopped"
267 |          }
268 |       },
269 |       {
270 |          "name":"createImage",
271 |          "action":"aws:createImage",
272 |          "maxAttempts":1,
273 |          "onFailure":"Continue",
274 |          "inputs":{
275 |             "InstanceId":"{{ startInstances.InstanceIds }}",
276 |             "ImageName":"{{ targetAMIname }}",
277 |             "NoReboot":true,
278 |             "ImageDescription":"AMI created by EC2 Automation"
279 |          }
280 |       },
281 |       {
282 |          "name":"terminateInstance",
283 |          "action":"aws:changeInstanceState",
284 |          "maxAttempts":1,
285 |          "onFailure":"Continue",
286 |          "inputs":{
287 |             "InstanceIds":[
288 |                "{{ startInstances.InstanceIds }}"
289 |             ],
290 |             "DesiredState":"terminated"
291 |          }
292 |       },
293 |       {
294 |          "name":"updateSsmParam",
295 |          "action":"aws:invokeLambdaFunction",
296 |          "timeoutSeconds":1200,
297 |          "maxAttempts":1,
298 |          "onFailure":"Abort",
299 |          "inputs":{
300 |             "FunctionName":"Automation-UpdateSsmParam",
301 |             "Payload":"{\"parameterName\":\"latestAmi\", \"parameterValue\":\"{{createImage.ImageId}}\"}"
302 |          }
303 |       }
304 |    ],
305 |    "outputs":[
306 |       "createImage.ImageId"
307 |    ]
308 | }
309 | DOC
310 | }
311 | 


--------------------------------------------------------------------------------
/examples/amazon-ami-default-example/README.md:
--------------------------------------------------------------------------------
 1 | ## Simple Example
 2 | 
 3 | This will:
 4 | - Create a SSM automation document for linux
 5 | - Create appropriate roles and policies to run the process
 6 | - Create the lambda functions needed to trigger the process
 7 | - Create the Parameter Store Name `/cp/dev/amazon-linux/LatestAmi` and store the value of `ami` in it
 8 | - Provide parameters to the lambda function such as a name template name template "{namespace}-{stage}-{name}-{date}"
 9 | - Subscribe the lambda function to an SNS topic for it to be triggered as per [this aws example](http://docs.amazonaws.cn/en_us/AWSEC2/latest/UserGuide/amazon-linux-ami-basics.html#linux-ami-notifications)
10 |  
11 | 
12 | When the lambda is triggered it will:
13 | - Launch the specified AMI as a new instance
14 | - Generate a new ami with the name template "{namespace}-{stage}-{name}-{date}" and in the example below the output template is `cp-dev-amazon-linux-{{global:DATE_TIME}}`
15 | - Install the latest SSM agent on it if it is not installed already.
16 | - Update all of the OS patches (`yum update -y`)
17 | - Shut down the instance
18 | - Terminate the instance
19 | - Trigger the second lambda function to update the Parameter Store Name `/cp/dev/amazon-linux/LatestAmi` with the new AMI id.


--------------------------------------------------------------------------------
/examples/amazon-ami-default-example/example.auto.tfvars:
--------------------------------------------------------------------------------
1 | namespace="cp"
2 | stage="staging"
3 | name="amazon-ami-patching"


--------------------------------------------------------------------------------
/examples/amazon-ami-default-example/main.tf:
--------------------------------------------------------------------------------
 1 | variable "namespace" {
 2 |   default = "default"
 3 | }
 4 | 
 5 | variable "stage" {
 6 |   default = "default"
 7 | }
 8 | 
 9 | variable "name" {
10 |   default = "default"
11 | }
12 | 
13 | variable "region" {
14 |   default = "eu-west-2"
15 | }
16 | 
17 | variable "new_ami_sns_topic_arns" {
18 |   type        = "list"
19 |   description = "A list of strings of the ARN's of the SNS topics used to trigger a build. Defaults to the Amazon Linux topic."
20 |   default     = ["arn:aws:sns:us-east-1:137112412989:amazon-linux-ami-updates"]
21 | }
22 | 
23 | provider "aws" {
24 |   region = "${var.region}"
25 | 
26 |   # Make it faster by skipping something
27 |   skip_get_ec2_platforms      = true
28 |   skip_metadata_api_check     = true
29 |   skip_region_validation      = true
30 |   skip_credentials_validation = true
31 |   skip_requesting_account_id  = true
32 | }
33 | 
34 | data "aws_ami" "amazonlinux_ami" {
35 |   most_recent = true
36 |   owners      = ["137112412989"]
37 | 
38 |   filter {
39 |     name   = "name"
40 |     values = ["amzn-ami-hvm-*-x86_64-gp2"]
41 |   }
42 | }
43 | 
44 | module "amazon_ami_bakery" {
45 |   source    = "../../"
46 |   namespace = "${var.namespace}"
47 |   stage     = "${var.stage}"
48 |   name      = "${var.name}"
49 |   ami       = "${data.aws_ami.amazonlinux_ami.id}"
50 | }
51 | 
52 | # For Amazon Linux updates, they are only released in an SNS feed from us-east-1
53 | # Pin a provider to us-east-1 to create a topic subscription to that SNS feed.
54 | # Below we are subscribing the lambda function to this release notification, 
55 | # This means that on each release from amazon, we will update our custom image to match.
56 | 
57 | provider "aws" {
58 |   region = "us-east-1"
59 |   alias  = "us-east-1"
60 | }
61 | 
62 | resource "aws_sns_topic_subscription" "subscribe_automation" {
63 |   provider  = "aws.us-east-1"
64 |   count     = "${length(var.new_ami_sns_topic_arns)}"
65 |   topic_arn = "${element(var.new_ami_sns_topic_arns, count.index)}"
66 |   protocol  = "lambda"
67 |   endpoint  = "${module.amazon_ami_bakery.lambda_endpoint_arn}"
68 | }
69 | 
70 | # Generate a random hash, but the hash could be the sha256 of a lambda function easily enough.
71 | resource "random_string" "unique" {
72 |   length  = 8
73 |   special = false
74 |   lower   = true
75 |   upper   = false
76 |   number  = false
77 | }
78 | 
79 | # Trigger it to run now
80 | resource "aws_sns_topic" "default" {
81 |   name_prefix = "Automation-Trigger"
82 | }
83 | 
84 | resource "aws_sns_topic_subscription" "run_automation_sns" {
85 |   topic_arn = "${aws_sns_topic.default.arn}"
86 |   protocol  = "lambda"
87 |   endpoint  = "${module.amazon_ami_bakery.lambda_endpoint_arn}"
88 | }
89 | 
90 | module "run_automation_sns" {
91 |   source        = "git::https://github.com/bitflight-public/terraform-aws-sns-topic-notify.git?ref=master"
92 |   namespace     = "${var.namespace}"
93 |   stage         = "${var.stage}"
94 |   name          = "${var.name}-notify"
95 |   sns_topic_arn = "${aws_sns_topic.default.arn}"
96 |   trigger_hash  = "${random_string.unique.result}"
97 | }
98 | 


--------------------------------------------------------------------------------
/iam.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_iam_instance_profile" "ec2_profile" {
 2 |   name = "${module.label.id}-profile"
 3 |   role = "${aws_iam_role.role.name}"
 4 | }
 5 | 
 6 | data "aws_iam_policy_document" "ssm_role_policy" {
 7 |   statement {
 8 |     actions = ["sts:AssumeRole"]
 9 | 
10 |     principals {
11 |       type        = "Service"
12 |       identifiers = ["ec2.amazonaws.com", "ssm.amazonaws.com", "lambda.amazonaws.com", "sns.amazonaws.com"]
13 |     }
14 |   }
15 | }
16 | 
17 | data "aws_iam_policy_document" "ssm_role_passrole" {
18 |   statement {
19 |     actions   = ["iam:GetRole", "iam:PassRole"]
20 |     resources = ["${aws_iam_role.role.arn}"]
21 |   }
22 | }
23 | 
24 | resource "aws_iam_policy" "policy_passrole" {
25 |   name        = "${module.label.id}-passrole-policy"
26 |   description = "${module.label.id}"
27 |   policy      = "${data.aws_iam_policy_document.ssm_role_passrole.json}"
28 | }
29 | 
30 | resource "aws_iam_role_policy_attachment" "attach_passrole" {
31 |   role       = "${aws_iam_role.role.name}"
32 |   policy_arn = "${aws_iam_policy.policy_passrole.arn}"
33 | }
34 | 
35 | resource "aws_iam_role" "role" {
36 |   name = "${module.label.id}-role"
37 |   path = "/"
38 | 
39 |   assume_role_policy = "${data.aws_iam_policy_document.ssm_role_policy.json}"
40 | }
41 | 
42 | resource "aws_iam_role_policy_attachment" "attach_ssm_automation" {
43 |   role       = "${aws_iam_role.role.name}"
44 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
45 | }
46 | 
47 | resource "aws_iam_role_policy_attachment" "attach_ec2_role" {
48 |   role       = "${aws_iam_role.role.name}"
49 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
50 | }
51 | 
52 | resource "aws_iam_role_policy_attachment" "attach_lambda_role" {
53 |   role       = "${aws_iam_role.role.name}"
54 |   policy_arn = "arn:aws:iam::aws:policy/AWSLambdaExecute"
55 | }
56 | 
57 | resource "aws_iam_role_policy_attachment" "attach_autoscaling_role" {
58 |   role       = "${aws_iam_role.role.name}"
59 |   policy_arn = "arn:aws:iam::aws:policy/AutoScalingFullAccess"
60 | }
61 | 
62 | resource "aws_iam_role_policy_attachment" "attach_additional" {
63 |   count      = "${length(var.additional_role_arns)}"
64 |   role       = "${aws_iam_role.role.name}"
65 |   policy_arn = "${element(var.additional_role_arns, count.index)}"
66 | }
67 | 


--------------------------------------------------------------------------------
/labels.tf:
--------------------------------------------------------------------------------
 1 | variable "namespace" {
 2 |   description = "Namespace (e.g. `cp` or `cloudposse`) - required for `label` module"
 3 | }
 4 | 
 5 | variable "stage" {
 6 |   description = "Stage (e.g. `prod`, `dev`, `staging` - required for `label` module"
 7 | }
 8 | 
 9 | variable "name" {
10 |   description = "Name  (e.g. `bastion` or `db`) - required for `label` module"
11 | }
12 | 
13 | variable "delimiter" {
14 |   default = "-"
15 | }
16 | 
17 | variable "attributes" {
18 |   description = "Additional attributes (e.g. `policy` or `role`)"
19 |   type        = "list"
20 |   default     = []
21 | }
22 | 
23 | variable "tags" {
24 |   description = "Additional tags"
25 |   type        = "map"
26 |   default     = {}
27 | }
28 | 
29 | variable "enabled" {
30 |   description = "Enable the label"
31 |   default     = "true"
32 | }
33 | 
34 | module "label" {
35 |   source     = "git::https://github.com/cloudposse/terraform-terraform-label.git?ref=tags/0.1.2"
36 |   namespace  = "${var.namespace}"
37 |   stage      = "${var.stage}"
38 |   name       = "${var.name}"
39 |   attributes = "${var.attributes}"
40 |   delimiter  = "${var.delimiter}"
41 |   tags       = "${var.tags}"
42 |   enabled    = "${var.enabled == true || var.enabled == "true" ? "true" : "false"}"
43 | }
44 | 


--------------------------------------------------------------------------------
/lambda.tf:
--------------------------------------------------------------------------------
 1 | data "archive_file" "lambda_update_parameter_store" {
 2 |   type        = "zip"
 3 |   source_file = "${path.module}/lambda/lambda-update-parameter-store.py"
 4 |   output_path = "${path.module}/lambda/lambda-update-parameter-store.zip"
 5 | }
 6 | 
 7 | resource "aws_lambda_function" "lambda_update_parameter_store" {
 8 |   filename         = "${data.archive_file.lambda_update_parameter_store.output_path}"
 9 |   function_name    = "${module.label.id}-update-parameter-store"
10 |   role             = "${aws_iam_role.role.arn}"
11 |   handler          = "lambda-update-parameter-store.lambda_handler"
12 |   source_code_hash = "${data.archive_file.lambda_update_parameter_store.output_base64sha256}"
13 |   runtime          = "python2.7"
14 |   tags             = "${module.label.tags}"
15 |   timeout          = "15"
16 | 
17 |   # vpc_config {}
18 |   kms_key_arn = "${var.kms_key_arn}"
19 | }
20 | 
21 | data "archive_file" "lambda_update_asg" {
22 |   type        = "zip"
23 |   source_file = "${path.module}/lambda/lambda-update-autoscaling-groups.py"
24 |   output_path = "${path.module}/lambda/lambda-update-autoscaling-groups.zip"
25 | }
26 | 
27 | resource "aws_lambda_function" "lambda_update_asg" {
28 |   filename         = "${data.archive_file.lambda_update_asg.output_path}"
29 |   function_name    = "${module.label.id}-update-asg"
30 |   role             = "${aws_iam_role.role.arn}"
31 |   handler          = "lambda-update-parameter-store.lambda_handler"
32 |   source_code_hash = "${data.archive_file.lambda_update_asg.output_base64sha256}"
33 |   runtime          = "python2.7"
34 |   tags             = "${module.label.tags}"
35 |   timeout          = "15"
36 | 
37 |   kms_key_arn = "${var.kms_key_arn}"
38 | }
39 | 
40 | locals {
41 |   target_ami_name = "${var.target_ami_name_override != "" ? var.target_ami_name_override : "${module.label.id}-{{global:DATE_TIME}}"}"
42 | }
43 | 
44 | data "archive_file" "lambda_trigger_automation" {
45 |   type        = "zip"
46 |   source_file = "${path.module}/lambda/lambda-trigger-automation.py"
47 |   output_path = "${path.module}/lambda/lambda-trigger-automation.zip"
48 | }
49 | 
50 | resource "aws_lambda_function" "lambda_trigger_automation" {
51 |   filename         = "${data.archive_file.lambda_trigger_automation.output_path}"
52 |   function_name    = "${module.label.id}-trigger-automation"
53 |   role             = "${aws_iam_role.role.arn}"
54 |   handler          = "lambda-trigger-automation.lambda_handler"
55 |   source_code_hash = "${data.archive_file.lambda_trigger_automation.output_base64sha256}"
56 |   runtime          = "python2.7"
57 |   tags             = "${module.label.tags}"
58 |   timeout          = "15"
59 | 
60 |   # vpc_config {}
61 |   kms_key_arn = "${var.kms_key_arn}"
62 | 
63 |   environment {
64 |     variables = {
65 |       DocumentName             = "${var.os_type == "linux" ? join("",aws_ssm_document.document_linux.*.name) : "${var.os_type == "windows" ?  join("", aws_ssm_document.document_linux.*.name) : "none"}" }"
66 |       SourceAmiId              = "${local.ami}"
67 |       InstanceIamRole          = "${aws_iam_instance_profile.ec2_profile.name}"
68 |       AutomationAssumeRole     = "${aws_iam_role.role.arn}"
69 |       TargetAmiName            = "${local.target_ami_name}"
70 |       InstanceType             = "${var.instance_type}"
71 |       PreUpdateScript          = "${var.pre_update_script_url}"
72 |       PostUpdateScript         = "${var.post_update_script_url}"
73 |       IncludePackages          = "${var.include_packages}"
74 |       ExcludePackages          = "${var.exclude_packages}"
75 |       SSMAmiLambdaFunctionName = "${aws_lambda_function.lambda_update_parameter_store.function_name}"
76 |       SourceAmiParameterName   = "${join("",module.parameter.names)}"
77 |       SSMAutomationUpdateAsg   = "${aws_lambda_function.lambda_update_asg.function_name}"
78 |       targetASG                = "${var.target_asg}"
79 |       ApprovalNotificationArn  = "${join("",aws_sns_topic.approve_asg_updates.*.arn)}"
80 |     }
81 |   }
82 | }
83 | 


--------------------------------------------------------------------------------
/lambda/lambda-trigger-automation.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import boto3
 3 | import logging
 4 | import operator
 5 | from datetime import datetime
 6 | def lambda_handler(event, context):
 7 |   logger = logging.getLogger(__name__)
 8 |   logger.addHandler(logging.StreamHandler())
 9 |   logger.setLevel(logging.INFO)
10 |   ec2_client = boto3.client('ec2')
11 |   ssm_client = boto3.client('ssm')
12 |   # response = ec2_client.describe_images(Owners=['amazon'], Filters=[{'Name': 'name', 'Values': ['amzn-ami-hvm-????.??.??.*-x86_64-gp2']}])
13 |   # images = [{'ImageId':image['ImageId'], 'CreationDate': datetime.strptime(image['CreationDate'], '%Y-%m-%dT%H:%M:%S.%fZ')} for image in response['Images']]
14 |   # images = sorted(images, reverse=True, key=operator.itemgetter('CreationDate'))
15 |   # ami_id = images[0]['ImageId']
16 |   #confirm  parameter exists before updating it
17 |   response = ssm_client.describe_parameters(Filters=[{'Key': 'Name','Values': [os.environ['SourceAmiParameterName'],],},])
18 |   if not response['Parameters']:
19 |     print('No such parameter')
20 |     return 'SSM parameter not found.'
21 |   #if parameter has a Descrition field, update it PLUS the Value
22 |   if 'Name' in response['Parameters'][0]:
23 |     ami_id_response = ssm_client.get_parameters(Names=[response['Parameters'][0]['Name'],])
24 |     #ami_id_response = ssm_client.get_parameters(Names=[response['Parameters'][0]['Name'],],WithDecryption=True)
25 |     ami_id = ami_id_response['Parameters'][0]['Value']
26 |     logger.info("ami-id: {}".format(ami_id))
27 |     ssm_response = ssm_client.start_automation_execution(DocumentName=os.environ['DocumentName'],
28 |       Parameters={
29 |       'SourceAmiId': [ami_id,], \
30 |       'InstanceIamRole': [os.environ['InstanceIamRole'],], \
31 |       'AutomationAssumeRole': [os.environ['AutomationAssumeRole'],], \
32 |       'TargetAmiName': [os.environ['TargetAmiName'],], \
33 |       'InstanceType': [os.environ['InstanceType'],], \
34 |       'PreUpdateScript': [os.environ['PreUpdateScript'],], \
35 |       'PostUpdateScript': [os.environ['PostUpdateScript'],], \
36 |       'IncludePackages': [os.environ['IncludePackages'],], \
37 |       'ExcludePackages': [os.environ['ExcludePackages'],], \
38 |       'SSMAmiLambdaFunctionName': [os.environ['SSMAmiLambdaFunctionName'],], \
39 |       'ApprovalNotificationArn': [os.environ['ApprovalNotificationArn'],], \
40 |       'SourceAmiParameterName': [os.environ['SourceAmiParameterName'],] \
41 |       }
42 |     )
43 |     logger.info(ami_id_response)
44 |     logger.info(ssm_response)
45 |   logger.info(response)
46 | 


--------------------------------------------------------------------------------
/lambda/lambda-update-autoscaling-groups.py:
--------------------------------------------------------------------------------
 1 | from __future__ import print_function
 2 | 
 3 | import json
 4 | import datetime
 5 | import time
 6 | import boto3
 7 | 
 8 | print('Loading function')
 9 | 
10 | 
11 | def lambda_handler(event, context):
12 |     print("Received event: " + json.dumps(event, indent=2))
13 | 
14 |     if not event['targetASG']:
15 |         return 'No ASG to update'
16 | 
17 |     # get autoscaling client
18 |     client = boto3.client('autoscaling')
19 | 
20 |     # get object for the ASG we're going to update, filter by name of target ASG
21 |     response = client.describe_auto_scaling_groups(AutoScalingGroupNames=[event['targetASG']])
22 | 
23 |     if not response['AutoScalingGroups']:
24 |         return 'No such ASG'
25 | 
26 |     # get name of InstanceID in current ASG that we'll use to model new Launch Configuration after
27 |     sourceInstanceId = response.get('AutoScalingGroups')[0]['Instances'][0]['InstanceId']
28 | 
29 |     # create LC using instance from target ASG as a template, only diff is the name of the new LC and new AMI
30 |     timeStamp = time.time()
31 |     timeStampString = datetime.datetime.fromtimestamp(timeStamp).strftime('%Y-%m-%d  %H-%M-%S')
32 |     newLaunchConfigName = 'LC '+ event['newAmiID'] + ' ' + timeStampString
33 |     client.create_launch_configuration(
34 |         InstanceId = sourceInstanceId,
35 |         LaunchConfigurationName=newLaunchConfigName,
36 |         ImageId= event['newAmiID'] )
37 | 
38 |     # update ASG to use new LC
39 |     response = client.update_auto_scaling_group(AutoScalingGroupName = event['targetASG'],LaunchConfigurationName = newLaunchConfigName)
40 | 
41 |     return 'Updated ASG `%s` with new launch configuration `%s` which includes AMI `%s`.' % (event['targetASG'], newLaunchConfigName, event['newAmiID'])


--------------------------------------------------------------------------------
/lambda/lambda-update-parameter-store.py:
--------------------------------------------------------------------------------
 1 | from __future__ import print_function
 2 | 
 3 | import json
 4 | import boto3
 5 | 
 6 | print('Loading function')
 7 | 
 8 | 
 9 | #Updates an SSM parameter
10 | #Expects parameterName, parameterValue
11 | def lambda_handler(event, context):
12 |     print("Received event: " + json.dumps(event, indent=2))
13 | 
14 |     # get SSM client
15 |     client = boto3.client('ssm')
16 | 
17 |     #confirm  parameter exists before updating it
18 |     response = client.describe_parameters(
19 |        Filters=[
20 |           {
21 |            'Key': 'Name',
22 |            'Values': [ event['parameterName'] ]
23 |           },
24 |         ]
25 |     )
26 | 
27 |     if not response['Parameters']:
28 |         print('No such parameter')
29 |         return 'SSM parameter not found.'
30 | 
31 |     #if parameter has a Descrition field, update it PLUS the Value
32 |     if 'Description' in response['Parameters'][0]:
33 |         description = response['Parameters'][0]['Description']
34 |         
35 |         response = client.put_parameter(
36 |           Name=event['parameterName'],
37 |           Value=event['parameterValue'],
38 |           Description=description,
39 |           Type='String',
40 |           Overwrite=True
41 |         )
42 |     
43 |     #otherwise just update Value
44 |     else:
45 |         response = client.put_parameter(
46 |           Name=event['parameterName'],
47 |           Value=event['parameterValue'],
48 |           Type='String',
49 |           Overwrite=True
50 |         )
51 |         
52 |     reponseString = 'Updated parameter %s with value %s.' % (event['parameterName'], event['parameterValue'])
53 |         
54 |     return reponseString


--------------------------------------------------------------------------------
/linux-user-data.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | function get_contents() {
 4 |     if [ -x "$(which curl)" ]; then
 5 |         curl -s -f "$1"
 6 |     elif [ -x "$(which wget)" ]; then
 7 |         wget "$1" -O -
 8 |     else
 9 |         die "No download utility (curl, wget)"
10 |     fi
11 | }
12 | 
13 | readonly IDENTITY_URL="http://169.254.169.254/2016-06-30/dynamic/instance-identity/document/"
14 | readonly TRUE_REGION=$(get_contents "$IDENTITY_URL" | awk -F\" '/region/ { print $4 }')
15 | readonly DEFAULT_REGION="us-east-1"
16 | readonly REGION="${TRUE_REGION:-$DEFAULT_REGION}"
17 | 
18 | readonly SCRIPT_NAME="aws-install-ssm-agent"
19 |  SCRIPT_URL="https://aws-ssm-downloads-$REGION.s3.amazonaws.com/scripts/$SCRIPT_NAME"
20 | 
21 | if [ "$REGION" = "cn-north-1" ]; then
22 |   SCRIPT_URL="https://aws-ssm-downloads-$REGION.s3.cn-north-1.amazonaws.com.cn/scripts/$SCRIPT_NAME"
23 | fi
24 | 
25 | if [ "$REGION" = "us-gov-west-1" ]; then
26 |   SCRIPT_URL="https://aws-ssm-downloads-$REGION.s3-us-gov-west-1.amazonaws.com/scripts/$SCRIPT_NAME"
27 | fi
28 | 
29 | cd /tmp
30 | FILE_SIZE=0
31 | MAX_RETRY_COUNT=3
32 | RETRY_COUNT=0
33 | 
34 | while [ $RETRY_COUNT -lt $MAX_RETRY_COUNT ] ; do
35 |   echo AWS-UpdateLinuxAmi: Downloading script from $SCRIPT_URL
36 |   get_contents "$SCRIPT_URL" > "$SCRIPT_NAME"
37 |   FILE_SIZE=$(du -k /tmp/$SCRIPT_NAME | cut -f1)
38 |   echo AWS-UpdateLinuxAmi: Finished downloading script, size: $FILE_SIZE
39 |   if [ $FILE_SIZE -gt 0 ]; then
40 |     break
41 |   else
42 |     if [[ $RETRY_COUNT -lt MAX_RETRY_COUNT ]]; then
43 |       RETRY_COUNT=$((RETRY_COUNT+1));
44 |       echo AWS-UpdateLinuxAmi: FileSize is 0, retryCount: $RETRY_COUNT
45 |     fi
46 |   fi 
47 | done
48 | 
49 | if [ $FILE_SIZE -gt 0 ]; then
50 |   chmod +x "$SCRIPT_NAME"
51 |   echo AWS-UpdateLinuxAmi: Running UpdateSSMAgent script now ....
52 |   ./"$SCRIPT_NAME" --region "$REGION"
53 | else
54 |   echo AWS-UpdateLinuxAmi: Unable to download script, quitting ....
55 | fi


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
 1 | # SSM AMI Updater
 2 | 
 3 | # Use this data source to validtate that the AMI exists.
 4 | data "aws_ami" "info" {
 5 |   filter {
 6 |     name   = "image-id"
 7 |     values = ["${var.ami}"]
 8 |   }
 9 | }
10 | 
11 | locals {
12 |   ami = "${data.aws_ami.info.id}"
13 | }
14 | 
15 | module "parameter" {
16 |   source = "git::git@github.com:Jamie-BitFlight/terraform-aws-parameter-store.git?ref=bitflight/master"
17 | 
18 |   parameter_write = [{
19 |     name      = "/${var.namespace}/${var.stage}/${var.name}/LatestAmi"
20 |     value     = "${local.ami}"
21 |     type      = "String"
22 |     overwrite = "true"
23 |   }]
24 | }
25 | 


--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
 1 | output "lambda_endpoint_arn" {
 2 |   value = "${aws_lambda_function.lambda_trigger_automation.arn}"
 3 | }
 4 | 
 5 | output "document_name" {
 6 |   value = "${var.os_type == "linux" ? join("",aws_ssm_document.document_linux.*.name) : "${var.os_type == "windows" ?  join("",aws_ssm_document.document_linux.*.name) : "none"}" }"
 7 | }
 8 | 
 9 | output "source_ami_id" {
10 |   value = "${local.ami}"
11 | }
12 | 
13 | output "target_ami_name" {
14 |   value = "${local.target_ami_name}"
15 | }
16 | 
17 | output "instance_iam_role" {
18 |   value = "${aws_iam_instance_profile.ec2_profile.name}"
19 | }
20 | 
21 | output "instance_type" {
22 |   value = "${var.instance_type}"
23 | }
24 | 
25 | output "pre_update_script_url" {
26 |   value = "${var.pre_update_script_url}"
27 | }
28 | 
29 | output "post_update_script_url" {
30 |   value = "${var.post_update_script_url}"
31 | }
32 | 
33 | output "include_packages" {
34 |   value = "${var.include_packages}"
35 | }
36 | 
37 | output "exclude_packages" {
38 |   value = "${var.exclude_packages}"
39 | }
40 | 
41 | output "source_ami_parameter_name" {
42 |   value = "${join("",module.parameter.names)}"
43 | }
44 | 
45 | output "source_ami_parameter_value" {
46 |   value = "${join("",module.parameter.values)}"
47 | }
48 | 


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
  1 | # Label variables are stored in the labels.tf file for portibility.
  2 | 
  3 | variable "subnet" {
  4 |   type        = "string"
  5 |   description = "Which subnet should the AMI be in when building"
  6 |   default     = ""
  7 | }
  8 | 
  9 | variable "ami" {
 10 |   type        = "string"
 11 |   description = "Which base AMI should this module use"
 12 |   default     = ""
 13 | }
 14 | 
 15 | variable "os_type" {
 16 |   type        = "string"
 17 |   default     = "linux"
 18 |   description = "Is the AMI of 'linux' or 'windows'"
 19 | }
 20 | 
 21 | variable "additional_role_arns" {
 22 |   type        = "list"
 23 |   description = "A list of additional role ARNs to attach to the SSM role, that is also attached to the AMI while it builds."
 24 |   default     = []
 25 | }
 26 | 
 27 | variable "target_ami_name_override" {
 28 |   type        = "string"
 29 |   description = "By default the generated AMI name is based on the format of the terraform-null-label id. This can be used to override that."
 30 |   default     = ""
 31 | }
 32 | 
 33 | variable "instance_type" {
 34 |   type        = "string"
 35 |   description = "Which instance type should be used to build the AMI"
 36 |   default     = "t2.small"
 37 | }
 38 | 
 39 | variable "include_packages" {
 40 |   type        = "string"
 41 |   description = "Only update these named packages. Defaults to 'all' packages."
 42 |   default     = "all"
 43 | }
 44 | 
 45 | variable "exclude_packages" {
 46 |   type        = "string"
 47 |   description = "Exclude these named packages. Defaults to 'none'"
 48 |   default     = "none"
 49 | }
 50 | 
 51 | variable "pre_update_script_url" {
 52 |   type        = "string"
 53 |   description = "URL of a script to run before updates are applied. Default ('none') is to not run a script"
 54 |   default     = "none"
 55 | }
 56 | 
 57 | variable "post_update_script_url" {
 58 |   type        = "string"
 59 |   description = "URL of a script to run after package updates are applied. Default ('none') is to not run a script."
 60 |   default     = "none"
 61 | }
 62 | 
 63 | variable "activate" {
 64 |   type        = "string"
 65 |   description = "If set to true, a build will be run now"
 66 |   default     = "false"
 67 | }
 68 | 
 69 | variable "additional_userdata" {
 70 |   type        = "string"
 71 |   description = "User data for the build"
 72 |   default     = ""
 73 | }
 74 | 
 75 | variable "kms_key_arn" {
 76 |   type        = "string"
 77 |   description = "KMS Key for decrypting/encrypting SSM Parameter store values"
 78 |   default     = ""
 79 | }
 80 | 
 81 | variable "target_asg" {
 82 |   type        = "string"
 83 |   description = "Automatically update this autoscaling group arn to use the new AMI if they were using the old AMI"
 84 |   default     = ""
 85 | }
 86 | 
 87 | variable "approvers_list" {
 88 |   type = "list"
 89 | 
 90 |   description = <<EOF
 91 | A list of AWS authenticated principals who are able to either approve or reject the action. 
 92 | The maximum number of approvers is 10. 
 93 | You can specify principals by using any of the following formats:
 94 | - An AWS Identity and Access Management (IAM) user name
 95 | - An IAM user ARN
 96 | - An IAM role ARN
 97 | - An IAM assume role user ARN
 98 | EOF
 99 | 
100 |   default = []
101 | }
102 | 
103 | variable "min_num_approvers" {
104 |   type = "string"
105 | 
106 |   description = <<EOF
107 | The minimum number of approvals required to resume the Automation execution. 
108 | If you don't specify a value, the system defaults to one. The value for this parameter must be a positive number. 
109 | The value for this parameter can't exceed the number of approvers defined by the Approvers parameter.
110 | Defaults to 1"
111 | EOF
112 | 
113 |   default = "1"
114 | }
115 | 
116 | variable "require_approval_to_update_asg" {
117 |   type        = "string"
118 |   description = "If true, an additional section is added to the automation that requires user approval in the AWS SSM console before updating the ASG"
119 |   default     = "false"
120 | }
121 | 


--------------------------------------------------------------------------------