aws-s3-virusscan
Replace static RegionMap with Query the latest Amazon Linux AMI from AWS Systems Manager Parameter Store
Thanks a lot for your contribution, @duckworth.
I like the simplicity of your approach to fetch the latest AMIs from the Parameter Store.
However, I prefer having a list of AMIs in the template to ensure testability and stability.
What are your thoughts, @michaelwittig?
I can try adding a param to override the AMI Id if you want it static for testing but have it fallback to the latest if it is blank.
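One way to implement the override-with-fallback described in the comment above, as an added CloudFormation fragment that is not part of this pull request (the parameter and resource names and the Amazon Linux 2 Parameter Store path are assumptions):

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Constructed example: pin an AMI for reproducible tests, otherwise resolve the latest one from SSM'
Parameters:
  AMIId:
    # Assumed override parameter: leave blank to fall back to the Parameter Store lookup.
    Description: 'Optional AMI ID override (for example a pinned ID from the RegionMap). Blank = latest.'
    Type: String
    Default: ''
  LatestAmazonLinuxAMI:
    # CloudFormation resolves this SSM public parameter when the stack is created or updated.
    # The path is an assumption (Amazon Linux 2, x86_64, gp2).
    Description: 'Latest Amazon Linux AMI published by AWS in Systems Manager Parameter Store'
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
Conditions:
  # True only when the operator supplied an explicit AMI ID.
  HasAMIIdOverride: !Not [!Equals [!Ref AMIId, '']]
Resources:
  LaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateData:
        # Static ID wins when given; otherwise the value resolved from Parameter Store is used.
        ImageId: !If [HasAMIIdOverride, !Ref AMIId, !Ref LatestAmazonLinuxAMI]
        InstanceType: t3.micro
```

CloudFormation re-resolves the SSM-typed parameter on every stack update, which is the non-determinism discussed in this thread; the AMI actually used is recorded as the parameter's ResolvedValue in the stack description, so a test or audit can check which image a given stack received.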
I understand the idea why it looks tempting to fetch the AMI from some remote place. But: We want the template to be deterministic. Introducing a variable that comes from the outside (aka side effect) is against this idea. A released and automatically tested template should stay the same no matter what. Otherwise we end up with releases that could break at some point when AWS decides to push an AMI that is incompatible in some way.
What we could (and should) do is update the map with the latest AMI IDs and release a new version.
Yeah, I understand and it makes sense for a public template. There are just so many outdated templates with vulnerable AMIs out there. I have started having them get the latest AMI in case of stack creation but keep the AMI in case of stack updates, as I would rather have it break when creating a new stack and deal with it then.
If you are going to keep the static AMI the one thing I would suggest is adding yum_cron with security upgrades enabled. I can open a pull request for that if you are interested.
What we usually do these days is to use SSM Patch Manager. That requires SystemsManagerAccess to be set to true. The benefit is that you get monitoring out of the box. If the cron fails you have to add some logic to monitor that.