feat(terraform): add ami-updater module for automated ami updates

- create new terraform module for ami updater lambda function
- add comprehensive documentation in readme
- implement all required resources including lambda, iam, eventbridge, and ssm
- add variables for flexible configuration
- include outputs for module integration

Author: dgokcin

modules/ami-updater/README.md

@@ -0,0 +1,101 @@
+# AMI Updater Module
+
+This module creates a Lambda function that automatically updates an SSM parameter with the latest AMI ID based on specified filters. The function runs on a schedule and can be configured to run in dry-run mode.
+
+## Features
+
+- Automatically finds the latest AMI based on configurable filters
+- Updates SSM parameter with the latest AMI ID
+- Supports dry-run mode for testing
+- Configurable schedule via EventBridge
+- Comprehensive logging and metrics using AWS Lambda Powertools
+- Optional VPC configuration
+- Optional X-Ray tracing
+
+## Usage
+
+```hcl
+module "ami_updater" {
+  source = "./modules/ami-updater"
+
+  environment       = "prod"
+  ssm_parameter_name = "/github-action-runners/latest_ami_id"
+
+  config = {
+    dry_run = false
+    ami_filter = {
+      owners = ["self"]
+      filters = [
+        {
+          name   = "tag:Environment"
+          values = ["prod"]
+        },
+        {
+          name   = "state"
+          values = ["available"]
+        }
+      ]
+    }
+  }
+
+  # Optional configurations
+  schedule_expression = "rate(1 day)"
+  state              = "ENABLED"
+  lambda_memory_size = 512
+  lambda_timeout     = 30
+  log_level         = "info"
+
+  tags = {
+    Environment = "prod"
+    Project     = "my-project"
+  }
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.0 |
+| aws | >= 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | >= 4.0 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| environment | The environment name for the resources. | `string` | n/a | yes |
+| ssm_parameter_name | The name of the SSM parameter to store the latest AMI ID. | `string` | `/github-action-runners/latest_ami_id` | no |
+| config | Configuration for the AMI updater. | `object` | n/a | yes |
+| aws_partition | The AWS partition to use (e.g., aws, aws-cn) | `string` | `"aws"` | no |
+| tags | Map of tags that will be added to created resources | `map(string)` | `{}` | no |
+| lambda_runtime | AWS Lambda runtime | `string` | `"nodejs20.x"` | no |
+| lambda_architecture | AWS Lambda architecture | `string` | `"x86_64"` | no |
+| lambda_timeout | Time out of the lambda in seconds | `number` | `30` | no |
+| lambda_memory_size | Lambda memory size limit | `number` | `512` | no |
+| role_path | The path that will be added to the role | `string` | `null` | no |
+| role_permissions_boundary | Permissions boundary for the role | `string` | `null` | no |
+| lambda_subnet_ids | List of subnet IDs for the Lambda VPC config | `list(string)` | `null` | no |
+| lambda_security_group_ids | List of security group IDs for the Lambda VPC config | `list(string)` | `null` | no |
+| logging_retention_in_days | CloudWatch log retention in days | `number` | `180` | no |
+| logging_kms_key_id | KMS key ID for CloudWatch log encryption | `string` | `null` | no |
+| schedule_expression | EventBridge schedule expression | `string` | `"rate(1 day)"` | no |
+| state | EventBridge rule state | `string` | `"ENABLED"` | no |
+| log_level | Lambda function log level | `string` | `"info"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| lambda | The Lambda function details |
+| role | The IAM role details |
+| eventbridge | The EventBridge rule details |
+
+## License
+
+This module is licensed under the MIT License. See the LICENSE file for details.

modules/ami-updater/data.tf

@@ -0,0 +1,25 @@
+data "aws_iam_policy_document" "lambda_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "lambda_xray" {
+  count = var.tracing_config.mode != null ? 1 : 0
+
+  statement {
+    actions = [
+      "xray:PutTraceSegments",
+      "xray:PutTelemetryRecords",
+      "xray:GetSamplingRules",
+      "xray:GetSamplingTargets",
+      "xray:GetSamplingStatisticSummaries"
+    ]
+    resources = ["*"]
+  }
+}

modules/ami-updater/main.tf

@@ -0,0 +1,140 @@
+locals {
+  lambda_zip = "${path.module}/../../lambdas/functions/ami-updater/dist/ami-updater.zip"
+  role_path  = var.role_path == null ? "/${var.environment}/" : var.role_path
+  tags = merge(
+    {
+      Environment = var.environment
+      Name        = "${var.environment}-ami-updater"
+    },
+    var.tags
+  )
+}
+
+resource "aws_lambda_function" "ami_updater" {
+  filename         = local.lambda_zip
+  source_code_hash = filebase64sha256(local.lambda_zip)
+  function_name    = "${var.environment}-ami-updater"
+  role             = aws_iam_role.ami_updater.arn
+  handler          = "index.handler"
+  runtime          = var.lambda_runtime
+  timeout          = var.lambda_timeout
+  memory_size      = var.lambda_memory_size
+  architectures    = [var.lambda_architecture]
+  tags             = local.tags
+
+  environment {
+    variables = {
+      LOG_LEVEL               = var.log_level
+      DRY_RUN                 = tostring(var.config.dry_run)
+      POWERTOOLS_SERVICE_NAME = "ami-updater"
+      SSM_PARAMETER_NAME      = var.ssm_parameter_name
+      AMI_FILTER              = jsonencode(var.config.ami_filter)
+    }
+  }
+
+  dynamic "vpc_config" {
+    for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
+    content {
+      security_group_ids = var.lambda_security_group_ids
+      subnet_ids         = var.lambda_subnet_ids
+    }
+  }
+
+  dynamic "tracing_config" {
+    for_each = var.tracing_config.mode != null ? [true] : []
+    content {
+      mode = var.tracing_config.mode
+    }
+  }
+}
+
+resource "aws_cloudwatch_log_group" "ami_updater" {
+  name              = "/aws/lambda/${aws_lambda_function.ami_updater.function_name}"
+  retention_in_days = var.logging_retention_in_days
+  kms_key_id        = var.logging_kms_key_id
+  tags              = var.tags
+}
+
+resource "aws_cloudwatch_event_rule" "ami_updater" {
+  name                = "${var.environment}-ami-updater"
+  description         = "Trigger AMI updater Lambda function"
+  schedule_expression = var.schedule_expression
+  state               = var.state
+  tags                = var.tags
+}
+
+resource "aws_cloudwatch_event_target" "ami_updater" {
+  rule      = aws_cloudwatch_event_rule.ami_updater.name
+  target_id = "TriggerAMIUpdaterLambda"
+  arn       = aws_lambda_function.ami_updater.arn
+}
+
+resource "aws_lambda_permission" "ami_updater" {
+  statement_id  = "AllowExecutionFromCloudWatch"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.ami_updater.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.ami_updater.arn
+}
+
+resource "aws_iam_role" "ami_updater" {
+  name                 = "${var.environment}-ami-updater"
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
+  path                 = local.role_path
+  permissions_boundary = var.role_permissions_boundary
+  tags                 = local.tags
+}
+
+resource "aws_iam_role_policy" "ami_updater" {
+  name = "ami-updater-policy"
+  role = aws_iam_role.ami_updater.name
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ec2:DescribeImages"
+        ]
+        Resource = "*"
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "ssm:PutParameter",
+          "ssm:GetParameter"
+        ]
+        Resource = "arn:${var.aws_partition}:ssm:*:*:parameter${var.ssm_parameter_name}"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "ami_updater_logging" {
+  name = "logging-policy"
+  role = aws_iam_role.ami_updater.name
+  policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {
+    log_group_arn = aws_cloudwatch_log_group.ami_updater.arn
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ami_updater_vpc_execution_role" {
+  count      = length(var.lambda_subnet_ids) > 0 ? 1 : 0
+  role       = aws_iam_role.ami_updater.name
+  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+resource "aws_iam_role_policy" "ami_updater_xray" {
+  count  = var.tracing_config.mode != null ? 1 : 0
+  name   = "xray-policy"
+  policy = data.aws_iam_policy_document.lambda_xray[0].json
+  role   = aws_iam_role.ami_updater.name
+}
+
+resource "aws_ssm_parameter" "latest_ami_id" {
+  name        = var.ssm_parameter_name
+  description = "Latest AMI ID for GitHub runners"
+  type        = "String"
+  value       = "placeholder" # Will be updated by Lambda function
+  tags        = var.tags
+}

modules/ami-updater/outputs.tf

@@ -0,0 +1,23 @@
+output "lambda" {
+  description = "The Lambda function"
+  value = {
+    function_name = aws_lambda_function.ami_updater.function_name
+    arn           = aws_lambda_function.ami_updater.arn
+  }
+}
+
+output "role" {
+  description = "The IAM role of the Lambda function"
+  value = {
+    name = aws_iam_role.ami_updater.name
+    arn  = aws_iam_role.ami_updater.arn
+  }
+}
+
+output "eventbridge" {
+  description = "The EventBridge rule"
+  value = {
+    name = aws_cloudwatch_event_rule.ami_updater.name
+    arn  = aws_cloudwatch_event_rule.ami_updater.arn
+  }
+}

modules/ami-updater/policies/lambda-cloudwatch.json

@@ -0,0 +1,13 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+            ],
+            "Resource": "${log_group_arn}:*"
+        }
+    ]
+}