How to auto update bastions with latest AMI version

[davidkelliott]

User Story

The bastions use an autoscaling group which recreates them daily. But the autoscaling group pulls the AMI as defined in the launch template, this only gets updated from Terraform when the Terraform is run.

This ticket is to look into a solution that automatically updates the launch template with the latest AMI version.

Value

Bastions are automatically updated daily to the latest AMI version.

Questions / Assumptions

Definition of done

• [ ] solution to automatically update the bastions to the latest AMI version in place
• [ ] readme has been updated
• [ ] user docs have been updated
• [ ] another team member has reviewed
• [ ] tests are green

Reference

How to write good user stories

[dms1981]

Seems like a data call would be ideal here? https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami - could be used to return the most recent ami based on a few filters.

[dms1981]

I understand this a bit better now; in short, this is to find a way to flag the autoscaling / launch group to use the latest version of the AMI it's set to use, without needing to resort to Terraform updating that AMI when run via data call.

[dms1981]

The terraform guidance is here - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#with-latest-version-of-launch-template However, what that looks like in practice (eg, does it update to a more recent version without a terraform run), I don't know.

[dms1981]

Having done a little more thinking on this, I think that the bastion_linux_template needs to be decoupled from the code in main.tf and then run via github actions on a daily schedule. The inline reference to the template would need to be replaced by a data call referring to the decomposed template, but this all seems quite achievable.

[davidkelliott]

Could we update the bastion Autoscaling groups across the platform with a Lambda?