feat(lambda): add ami-updater function for automated ami updates

- implement core ami updater logic with ec2 and ssm integration
- add comprehensive unit tests for all components
- configure eslint and typescript for code quality
- include vitest for testing framework
- add aws powertools for logging and metrics
- implement dry run mode for safe testing
- add error handling and logging throughout

Author: dgokcin

lambdas/functions/ami-updater/.eslintrc.js

@@ -0,0 +1,20 @@
+module.exports = {
+  parser: '@typescript-eslint/parser',
+  extends: [
+    'eslint:recommended',
+    'plugin:@typescript-eslint/recommended',
+  ],
+  parserOptions: {
+    ecmaVersion: 2020,
+    sourceType: 'module',
+  },
+  env: {
+    node: true,
+    es6: true,
+  },
+  rules: {
+    '@typescript-eslint/explicit-function-return-type': 'off',
+    '@typescript-eslint/no-explicit-any': 'off',
+    '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
+  },
+};

lambdas/functions/ami-updater/index.ts

@@ -0,0 +1,130 @@
+import { EC2Client, DescribeImagesCommand, Image } from '@aws-sdk/client-ec2';
+import { SSMClient, GetParameterCommand, PutParameterCommand } from '@aws-sdk/client-ssm';
+import { Logger } from '@aws-lambda-powertools/logger';
+
+const logger = new Logger({ serviceName: process.env.POWERTOOLS_SERVICE_NAME });
+const DRY_RUN = process.env.DRY_RUN?.toLowerCase() === 'true';
+const SSM_PARAMETER_NAME = process.env.SSM_PARAMETER_NAME || '/github-action-runners/latest_ami_id';
+const AMI_FILTER = JSON.parse(process.env.AMI_FILTER || '{}');
+
+const ec2Client = new EC2Client({});
+const ssmClient = new SSMClient({});
+
+async function getLatestAmi(): Promise<Image> {
+  try {
+    const command = new DescribeImagesCommand({
+      Owners: AMI_FILTER.owners,
+      Filters: AMI_FILTER.filters,
+    });
+
+    const response = await ec2Client.send(command);
+    const images = response.Images || [];
+
+    if (images.length === 0) {
+      throw new Error('No matching AMIs found');
+    }
+
+    // Sort by creation date to get the latest
+    const sortedImages = images.sort((a, b) => {
+      return (b.CreationDate || '').localeCompare(a.CreationDate || '');
+    });
+
+    return sortedImages[0];
+  } catch (error) {
+    logger.error('Error getting latest AMI', { error });
+    throw error;
+  }
+}
+
+async function getCurrentAmiId(): Promise<string | null> {
+  try {
+    const command = new GetParameterCommand({
+      Name: SSM_PARAMETER_NAME,
+    });
+
+    const response = await ssmClient.send(command);
+    return response.Parameter?.Value || null;
+  } catch (error: any) {
+    if (error.name === 'ParameterNotFound') {
+      logger.info(`Parameter ${SSM_PARAMETER_NAME} not found`);
+      return null;
+    }
+    logger.error('Error getting current AMI ID from SSM', { error });
+    throw error;
+  }
+}
+
+async function updateAmiParameter(amiId: string): Promise<{ success: boolean; message: string }> {
+  try {
+    const currentAmiId = await getCurrentAmiId();
+
+    if (currentAmiId === amiId) {
+      logger.info('SSM parameter already contains latest AMI ID', { amiId });
+      return { success: true, message: 'Already using latest AMI' };
+    }
+
+    if (DRY_RUN) {
+      logger.info('Would update SSM parameter', {
+        from: currentAmiId,
+        to: amiId,
+        dryRun: true,
+      });
+      return { success: true, message: 'Would update AMI (Dry Run)' };
+    }
+
+    const command = new PutParameterCommand({
+      Name: SSM_PARAMETER_NAME,
+      Value: amiId,
+      Type: 'String',
+      Overwrite: true,
+    });
+
+    await ssmClient.send(command);
+
+    logger.info('Successfully updated SSM parameter', {
+      from: currentAmiId,
+      to: amiId,
+    });
+    return { success: true, message: 'Updated successfully' };
+  } catch (error) {
+    logger.error('Error updating SSM parameter', { error });
+    return { success: false, message: `Error: ${error}` };
+  }
+}
+
+export const handler = async (event: any, context: any) => {
+  logger.info('Starting AMI updater', { dryRun: DRY_RUN });
+
+  try {
+    // Get the latest AMI
+    const latestAmi = await getLatestAmi();
+    logger.info('Found latest AMI', { amiId: latestAmi.ImageId });
+
+    if (!latestAmi.ImageId) {
+      throw new Error('Latest AMI ID is undefined');
+    }
+
+    // Update SSM parameter
+    const { success, message } = await updateAmiParameter(latestAmi.ImageId);
+
+    return {
+      statusCode: success ? 200 : 500,
+      body: {
+        dryRun: DRY_RUN,
+        overallSuccess: success,
+        latestAmi: latestAmi.ImageId,
+        message: DRY_RUN ? `[DRY RUN] ${message}` : message,
+      },
+    };
+  } catch (error) {
+    logger.error('Error in lambda execution', { error });
+    return {
+      statusCode: 500,
+      body: {
+        dryRun: DRY_RUN,
+        error: String(error),
+        overallSuccess: false,
+      },
+    };
+  }
+};

lambdas/functions/ami-updater/package.json

@@ -0,0 +1,28 @@
+{
+    "name": "@lambda/ami-updater",
+    "version": "1.0.0",
+    "description": "Lambda function to update AMIs in launch templates",
+    "main": "dist/index.js",
+    "scripts": {
+        "build": "tsc",
+        "test": "vitest run",
+        "test:watch": "vitest",
+        "lint": "eslint . --ext .ts",
+        "lint:fix": "eslint . --ext .ts --fix"
+    },
+    "dependencies": {
+        "@aws-lambda-powertools/logger": "^1.17.0",
+        "@aws-lambda-powertools/metrics": "^1.17.0",
+        "@aws-lambda-powertools/tracer": "^1.17.0",
+        "@aws-sdk/client-ec2": "^3.470.0",
+        "@types/aws-lambda": "^8.10.130"
+    },
+    "devDependencies": {
+        "@types/node": "^20.10.4",
+        "@typescript-eslint/eslint-plugin": "^6.13.2",
+        "@typescript-eslint/parser": "^6.13.2",
+        "eslint": "^8.55.0",
+        "typescript": "^5.3.3",
+        "vitest": "^1.0.2"
+    }
+}

lambdas/functions/ami-updater/src/__tests__/ami.test.ts

@@ -0,0 +1,110 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { EC2Client, DescribeImagesCommand, DescribeLaunchTemplatesCommand, DescribeLaunchTemplateVersionsCommand, CreateLaunchTemplateVersionCommand, ModifyLaunchTemplateCommand } from '@aws-sdk/client-ec2';
+import { AMIManager } from '../ami';
+
+vi.mock('@aws-sdk/client-ec2');
+vi.mock('../../shared/aws-powertools-util', () => ({
+  logger: {
+    info: vi.fn(),
+    warn: vi.fn(),
+    error: vi.fn(),
+  },
+}));
+
+describe('AMIManager', () => {
+  let ec2Client: EC2Client;
+  let amiManager: AMIManager;
+
+  beforeEach(() => {
+    ec2Client = new EC2Client({});
+    amiManager = new AMIManager(ec2Client);
+    vi.clearAllMocks();
+  });
+
+  describe('getLatestAmi', () => {
+    it('should return the latest AMI ID', async () => {
+      const mockResponse = {
+        Images: [
+          { ImageId: 'ami-2', CreationDate: '2023-12-02' },
+          { ImageId: 'ami-1', CreationDate: '2023-12-01' },
+        ],
+      };
+
+      vi.mocked(ec2Client.send).mockResolvedValueOnce(mockResponse);
+
+      const config = {
+        owners: ['self'],
+        filters: [{ name: 'tag:Environment', values: ['prod'] }],
+      };
+
+      const result = await amiManager.getLatestAmi(config);
+      expect(result).toBe('ami-2');
+      expect(ec2Client.send).toHaveBeenCalledWith(expect.any(DescribeImagesCommand));
+    });
+
+    it('should throw error when no AMIs found', async () => {
+      vi.mocked(ec2Client.send).mockResolvedValueOnce({ Images: [] });
+
+      const config = {
+        owners: ['self'],
+        filters: [{ name: 'tag:Environment', values: ['prod'] }],
+      };
+
+      await expect(amiManager.getLatestAmi(config)).rejects.toThrow('No matching AMIs found');
+    });
+  });
+
+  describe('updateLaunchTemplate', () => {
+    it('should update launch template with new AMI ID', async () => {
+      vi.mocked(ec2Client.send)
+        .mockResolvedValueOnce({ // getCurrentAmiId - DescribeLaunchTemplatesCommand
+          LaunchTemplates: [{ LatestVersionNumber: 1 }],
+        })
+        .mockResolvedValueOnce({ // getCurrentAmiId - DescribeLaunchTemplateVersionsCommand
+          LaunchTemplateVersions: [{ LaunchTemplateData: { ImageId: 'ami-old' } }],
+        })
+        .mockResolvedValueOnce({ // updateLaunchTemplate - DescribeLaunchTemplatesCommand
+          LaunchTemplates: [{ LatestVersionNumber: 1 }],
+        });
+
+      const result = await amiManager.updateLaunchTemplate('test-template', 'ami-new', false);
+
+      expect(result.success).toBe(true);
+      expect(result.message).toBe('Updated successfully');
+      expect(ec2Client.send).toHaveBeenCalledWith(expect.any(CreateLaunchTemplateVersionCommand));
+      expect(ec2Client.send).toHaveBeenCalledWith(expect.any(ModifyLaunchTemplateCommand));
+    });
+
+    it('should not update if AMI ID is the same', async () => {
+      vi.mocked(ec2Client.send)
+        .mockResolvedValueOnce({ // getCurrentAmiId - DescribeLaunchTemplatesCommand
+          LaunchTemplates: [{ LatestVersionNumber: 1 }],
+        })
+        .mockResolvedValueOnce({ // getCurrentAmiId - DescribeLaunchTemplateVersionsCommand
+          LaunchTemplateVersions: [{ LaunchTemplateData: { ImageId: 'ami-1' } }],
+        });
+
+      const result = await amiManager.updateLaunchTemplate('test-template', 'ami-1', false);
+
+      expect(result.success).toBe(true);
+      expect(result.message).toBe('Already using latest AMI');
+      expect(ec2Client.send).not.toHaveBeenCalledWith(expect.any(CreateLaunchTemplateVersionCommand));
+    });
+
+    it('should handle dry run mode', async () => {
+      vi.mocked(ec2Client.send)
+        .mockResolvedValueOnce({ // getCurrentAmiId - DescribeLaunchTemplatesCommand
+          LaunchTemplates: [{ LatestVersionNumber: 1 }],
+        })
+        .mockResolvedValueOnce({ // getCurrentAmiId - DescribeLaunchTemplateVersionsCommand
+          LaunchTemplateVersions: [{ LaunchTemplateData: { ImageId: 'ami-old' } }],
+        });
+
+      const result = await amiManager.updateLaunchTemplate('test-template', 'ami-new', true);
+
+      expect(result.success).toBe(true);
+      expect(result.message).toBe('Would update AMI (Dry Run)');
+      expect(ec2Client.send).not.toHaveBeenCalledWith(expect.any(CreateLaunchTemplateVersionCommand));
+    });
+  });
+});

lambdas/functions/ami-updater/src/__tests__/config.test.ts

@@ -0,0 +1,79 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { getConfig } from '../config';
+
+vi.mock('../../shared/aws-powertools-util', () => ({
+  logger: {
+    error: vi.fn(),
+  },
+}));
+
+describe('getConfig', () => {
+  beforeEach(() => {
+    vi.resetModules();
+    process.env = {};
+  });
+
+  it('should return valid configuration when all environment variables are set correctly', () => {
+    process.env.LAUNCH_TEMPLATE_NAME = 'test-template';
+    process.env.DRY_RUN = 'true';
+    process.env.AMI_FILTER = JSON.stringify({
+      owners: ['self'],
+      filters: [{ name: 'tag:Environment', values: ['prod'] }],
+    });
+
+    const config = getConfig();
+
+    expect(config).toEqual({
+      launchTemplateName: 'test-template',
+      dryRun: true,
+      amiFilter: {
+        owners: ['self'],
+        filters: [{ name: 'tag:Environment', values: ['prod'] }],
+      },
+    });
+  });
+
+  it('should handle DRY_RUN=false correctly', () => {
+    process.env.LAUNCH_TEMPLATE_NAME = 'test-template';
+    process.env.DRY_RUN = 'false';
+    process.env.AMI_FILTER = JSON.stringify({
+      owners: ['self'],
+      filters: [{ name: 'tag:Environment', values: ['prod'] }],
+    });
+
+    const config = getConfig();
+    expect(config.dryRun).toBe(false);
+  });
+
+  it('should throw error when LAUNCH_TEMPLATE_NAME is not set', () => {
+    process.env.AMI_FILTER = JSON.stringify({
+      owners: ['self'],
+      filters: [{ name: 'tag:Environment', values: ['prod'] }],
+    });
+
+    expect(() => getConfig()).toThrow('LAUNCH_TEMPLATE_NAME environment variable is not set');
+  });
+
+  it('should throw error when AMI_FILTER is not set', () => {
+    process.env.LAUNCH_TEMPLATE_NAME = 'test-template';
+
+    expect(() => getConfig()).toThrow('AMI_FILTER environment variable is not set');
+  });
+
+  it('should throw error when AMI_FILTER is invalid JSON', () => {
+    process.env.LAUNCH_TEMPLATE_NAME = 'test-template';
+    process.env.AMI_FILTER = 'invalid-json';
+
+    expect(() => getConfig()).toThrow('Invalid AMI_FILTER format');
+  });
+
+  it('should throw error when AMI_FILTER has invalid structure', () => {
+    process.env.LAUNCH_TEMPLATE_NAME = 'test-template';
+    process.env.AMI_FILTER = JSON.stringify({
+      owners: 'not-an-array',
+      filters: 'not-an-array',
+    });
+
+    expect(() => getConfig()).toThrow('AMI_FILTER must contain owners (array) and filters (array)');
+  });
+});