Update aws bastion to use ubuntu 22.04 and launch templates (#81)

* update aws ami to 24.04 * moving to launch template * add config blocks * adding networking interface security group * remove security group parameter * revert ami filter value * updating default version * adding latest version to asg * removing default from template * adding depends_on to asg * depends on list * updating ami filter value to 22.04 * remove python install * ami filter to 24.04 * changing awscli install for 24.04 * revert to jammy * final fixes
FairwindsOps · Jul 9, 2024 · 69e2c3b · 69e2c3b
1 parent b444ac9
commit 69e2c3b
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 21 deletions.
diff --git a/aws/auto-scaling.tf b/aws/auto-scaling.tf
@@ -2,11 +2,11 @@
 # replacing an unhealthy EC2 instance or recovering from an
 # availability zone failure.
 resource "aws_autoscaling_group" "bastion" {
-  # The Launch Configuration ID is part of the Auto Scaling Group name,
-  # to force the ASG and its EC2 to be recreated.
-  name = "asg-${aws_launch_configuration.bastion.id}"
-
-  launch_configuration = aws_launch_configuration.bastion.name
+  name = "asg-${aws_launch_template.bastion.id}"
+  launch_template {
+    name = aws_launch_template.bastion.name
+    version = aws_launch_template.bastion.latest_version
+  }
 
   min_size            = 1
   max_size            = 1
@@ -29,7 +29,7 @@ resource "aws_autoscaling_group" "bastion" {
   }
 
 
-  # THis needs to match the Launch Configuration.
+  # This needs to match the LaunchTemplate.
   lifecycle {
     create_before_destroy = true
 

diff --git a/aws/bastion-userdata.tmpl b/aws/bastion-userdata.tmpl
@@ -28,7 +28,7 @@ info Triggering a job using at, to sleep then run apt-get upgrade...
 echo "sleep 120 ; apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade" |at now
 
 info Installing packages needed on the bastion...
-apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install awscli python unattended-upgrades
+apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install awscli unattended-upgrades
 
 info The infra bucket is: ${infrastructure_bucket} and the S3 key is ${infrastructure_bucket_bastion_key}
 

diff --git a/aws/inputs.tf b/aws/inputs.tf
@@ -99,7 +99,7 @@ variable "ami_owner_id_govcloud" {
 
 variable "ami_filter_value" {
   description = "The filter path for the AMI."
-  default     = "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"
+  default     = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"
 }
 
 variable "arn_prefix" {

diff --git a/aws/launchconfig.tf → aws/launchtemplate.tf b/aws/launchconfig.tf → aws/launchtemplate.tf
@@ -21,32 +21,37 @@ data "template_file" "bastion_user_data" {
   }
 }
 
-resource "aws_launch_configuration" "bastion" {
-  # Generate a unique name for the Launch Configuration,
-  # so the Auto Scaling Group can be updated without conflict before destroying the previous Launch Configuration.
-  # Also see the related lifecycle block below.
+resource "aws_launch_template" "bastion" {
   name_prefix = "${var.bastion_name}-"
 
   image_id      = data.aws_ami.ubuntu.id
   instance_type = var.instance_type
 
-  iam_instance_profile        = aws_iam_instance_profile.bastion.name
-  security_groups             = [aws_security_group.bastion_ssh.id]
-  associate_public_ip_address = "true"
+  iam_instance_profile {
+    name = aws_iam_instance_profile.bastion.name
+  }
+
+  network_interfaces {
+      associate_public_ip_address      = true
+      security_groups = [aws_security_group.bastion_ssh.id]
+  }
 
-  user_data_base64 = base64gzip(data.template_file.bastion_user_data.rendered)
+  user_data = base64gzip(data.template_file.bastion_user_data.rendered)
   key_name         = length(aws_key_pair.bastion) > 0 ? aws_key_pair.bastion[0].id : null
 
-  root_block_device {
-    encrypted   = var.encrypt_root_volume
-    volume_type = var.root_volume_type
+  block_device_mappings {
+    device_name = "/dev/sda1"
+    ebs {
+      encrypted   = var.encrypt_root_volume
+      volume_type = var.root_volume_type
+    }
   }
 
   lifecycle {
     create_before_destroy = true
 
-    # DO not recreate the Launch Configuration if a newer AMI becomes available.
-    # `terrform taint` the Launch Configuration resource to force it to be recreated.
+    # DO not recreate the Launch Template if a newer AMI becomes available.
+    # `terrform taint` the Launch Template resource to force it to be recreated.
     # In the future we may want to also include user-data in this list.
     ignore_changes = [image_id]
   }