Never Update an AMI ID Manually Again: Streamlined Workflow with Event-Driven Automation

By Sakshi Zalavadia, Piyush Jalan / Jun 24, 2024

Introduction

Managing Amazon Machine Images (AMIs) efficiently is crucial for maintaining consistent and up-to-date environments in your AWS infrastructure. AWS EC2 Image Builder simplifies the creation, maintenance, validation, and testing of AMIs. However, managing the lifecycle of these images and ensuring the latest AMI ID is available for deployments can be challenging. In this blog post, we will walk through how to automate this process using AWS EC2 Image Builder, EventBridge, and Lambda to update an AWS Systems Manager (SSM) Parameter Store with the latest AMI ID.

Solution Overview

Here's a high-level overview of our solution:

  1. EC2 Image Builder Pipeline: Creates a new AMI image.
  2. Amazon EventBridge: Monitors the status of the AMI creation and triggers events based on its status.
  3. AWS Lambda Function: Updates the SSM Parameter Store with the latest AMI ID once the image creation is complete.

Benefits

1. Streamlined AMI Management

Automating the creation and management of AMIs ensures that your environments are always up to date with the latest configurations and security patches. This reduces manual intervention and minimizes the risk of errors.

2. Easy Integration with Infrastructure as Code (IaC)

By updating the AMI ID in the SSM Parameter Store automatically, it becomes easy to maintain the latest AMI ID when deploying infrastructure using Infrastructure as Code (IaC) tools like AWS CloudFormation, Terraform, or AWS CDK. This ensures that your IaC templates always reference the most current AMI without manual updates, leading to more consistent and reliable deployments.

3. Improved Operational Efficiency

With automated triggers and updates, your operations team can focus on more strategic tasks rather than manual AMI updates. This leads to improved operational efficiency and faster rollout of updates across your infrastructure.

Step-by-Step Implementation

Step 1: Setting Up EC2 Image Builder Pipeline

First, create an EC2 Image Builder pipeline that defines the source image, customizations, and the output AMI.

  1. Create a Recipe: Define the components and base image to use.
  2. Create an Image Pipeline: Use the recipe created to define the schedule and distribution settings.

Here is an example configuration for the image pipeline with output image:


Step 2: Creating EventBridge Rule

Set up an EventBridge rule to match the event pattern when the AMI status is AVAILABLE.

  1. Define Event Pattern: The event pattern should match the EC2 Image Builder image creation status.

    {
        "source": ["aws.imagebuilder"],
        "resources": ["arn:aws:imagebuilder:us-east-1:<account-id>:image/test-eventbridge-recipe"],
        "detail": {
            "state": {
                "status": ["AVAILABLE"]
            }
        }
    }

  2. Create EventBridge Rule: Configure the rule to trigger a Lambda function when the event pattern is matched.

Step 3: Lambda Function to Update SSM Parameter Store

Create a Lambda function that updates the SSM Parameter Store with the latest AMI ID when triggered by the EventBridge rule.

  1. Lambda Function code:

    import os

    import boto3


    def lambda_handler(event, context):
        # Initialize the Image Builder and SSM clients
        imagebuilder_client = boto3.client("imagebuilder")
        ssm_client = boto3.client("ssm")

        # Fetch the image details using the image ARN delivered by the EventBridge rule
        response = imagebuilder_client.get_image(
            imageBuildVersionArn=event["resources"][0]
        )

        # Extract the AMI ID from the response (first entry of the output AMI list)
        ami = response["image"]["outputResources"]["amis"][0]["image"]

        # Update the AMI ID in the SSM parameter named by the AMI_PARAMETER
        # environment variable. No Type is passed, so the parameter must
        # already exist; put_parameter requires Type when creating one.
        ssm_client.put_parameter(
            Name=os.environ["AMI_PARAMETER"],
            Overwrite=True,
            Value=ami,
        )
        print("SSM parameter updated successfully!")

  2. Configure Environment Variables: Set the SSM parameter name in the Lambda function's environment variables.
  3. IAM Role and Permissions: Ensure the Lambda function has the necessary permissions to read from EC2 Image Builder and write to SSM Parameter Store.
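
The handler above trusts the event as delivered and takes the first entry of `outputResources.amis`, but each entry in that list carries a `region` field, so the first one is not necessarily the AMI for the region the parameter serves. The following is an added example, not code from the original post: two helpers that check the event and pick the AMI by region before anything is written to Parameter Store. The function names, the account ID, the ARN and the AMI IDs are constructed for illustration.

```python
import re

AMI_ID_RE = re.compile(r"ami-(?:[0-9a-f]{8}|[0-9a-f]{17})")

def image_arn_from_event(event):
    """Return the image ARN only for an AVAILABLE Image Builder event."""
    if event.get("source") != "aws.imagebuilder":
        raise ValueError("unexpected event source")
    if event.get("detail", {}).get("state", {}).get("status") != "AVAILABLE":
        raise ValueError("image is not AVAILABLE")
    resources = event.get("resources") or []
    if len(resources) != 1 or ":imagebuilder:" not in resources[0]:
        raise ValueError("expected exactly one Image Builder ARN")
    return resources[0]

def select_ami(get_image_response, region):
    """Pick the AMI built for `region` and check it looks like an AMI ID."""
    amis = get_image_response["image"]["outputResources"]["amis"]
    matches = [a["image"] for a in amis if a.get("region") == region]
    if len(matches) != 1:
        raise ValueError(f"expected one AMI for {region}, found {len(matches)}")
    if not AMI_ID_RE.fullmatch(matches[0]):
        raise ValueError("not an AMI ID")
    return matches[0]

# Constructed sample data (account ID, ARN and AMI IDs are made up).
SAMPLE_ARN = ("arn:aws:imagebuilder:us-east-1:111122223333:"
              "image/test-eventbridge-recipe/1.0.0/1")
SAMPLE_EVENT = {
    "source": "aws.imagebuilder",
    "resources": [SAMPLE_ARN],
    "detail": {"state": {"status": "AVAILABLE"}},
}
# Shape of get_image output when the pipeline distributes to two regions.
SAMPLE_RESPONSE = {"image": {"outputResources": {"amis": [
    {"region": "us-west-2", "image": "ami-0fedcba9876543210"},
    {"region": "us-east-1", "image": "ami-0123456789abcdef0"},
]}}}

if __name__ == "__main__":
    arn = image_arn_from_event(SAMPLE_EVENT)
    # In Lambda, pass os.environ["AWS_REGION"] and the real get_image response.
    print(arn, select_ami(SAMPLE_RESPONSE, "us-east-1"))
```

Raising on a mismatch makes the invocation fail visibly and leaves the parameter at its previous value, rather than publishing an AMI ID that deployments would then pick up.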

Step 4: Testing the Setup

  1. Trigger the Image Builder Pipeline: Manually trigger the pipeline or wait for the scheduled build.
  2. Verify image status: Check that the status of the image built by the EC2 Image Builder pipeline is AVAILABLE.
  3. Check Lambda Execution: Verify that the Lambda function executes and updates the SSM parameter with the new AMI ID.
  4. Validate SSM Parameter Store: Confirm that the SSM Parameter Store has been updated with the latest AMI ID.

Conclusion

By automating the AMI creation and management process using EC2 Image Builder, EventBridge, and Lambda, you ensure that your systems always have access to the latest AMI IDs. This reduces manual effort, minimizes errors, and maintains a consistent and reliable environment for your applications. Additionally, integrating this setup with Infrastructure as Code (IaC) tools ensures that your deployment templates always reference the latest AMI IDs, further streamlining and securing your deployment processes.

Implementing this solution will streamline your AMI management workflow and enhance the efficiency of your AWS infrastructure operations. Happy building!
