Merge branch 'main' into fix/update-ami-filter

Author: gberenice

README.md

@@ -1,6 +1,6 @@
 [![Masterpoint Logo](https://i.imgur.com/RDLnuQO.png)](https://masterpoint.io)
 
-[![Release](https://img.shields.io/github/release/masterpointio/ecsrun.svg)](https://github.com/masterpointio/ecsrun/releases/latest)
+[![Release](https://img.shields.io/github/v/release/masterpointio/terraform-aws-ssm-agent.svg)](https://github.com/masterpointio/terraform-aws-ssm-agent/releases/latest)
 
 # terraform-aws-ssm-agent
 
@@ -120,7 +120,7 @@ Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm).
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_security_group_ids"></a> [additional\_security\_group\_ids](#input\_additional\_security\_group\_ids) | Security groups that will be attached to the app instances | `list(string)` | `[]` | no |
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
-| <a name="input_ami"></a> [ami](#input\_ami) | The AMI to use for the SSM Agent EC2 Instance. If not provided, the latest Amazon Linux 2 AMI will be used. Note: This will update periodically as AWS releases updates to their AL2 AMI. Pin to a specific AMI if you would like to avoid these updates. | `string` | `""` | no |
+| <a name="input_ami"></a> [ami](#input\_ami) | The AMI to use for the SSM Agent EC2 Instance. If not provided, the latest Amazon Linux 2023 AMI will be used. Note: This will update periodically as AWS releases updates to their AL2023 AMI. Pin to a specific AMI if you would like to avoid these updates. | `string` | `""` | no |
 | <a name="input_associate_public_ip_address"></a> [associate\_public\_ip\_address](#input\_associate\_public\_ip\_address) | Associate public IP address | `bool` | `null` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
 | <a name="input_cloudwatch_retention_in_days"></a> [cloudwatch\_retention\_in\_days](#input\_cloudwatch\_retention\_in\_days) | The number of days to retain session logs in CloudWatch. This is only relevant if the session\_logging\_enabled variable is `true`. | `number` | `365` | no |

data.tf

@@ -1,8 +1,8 @@
 data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 
-# Most recent Amazon Linux 2 AMI
-data "aws_ami" "amazon_linux_2" {
+# Most recent Amazon Linux 2023 AMI
+data "aws_ami" "amazon_linux_2023" {
   most_recent = true
   owners      = ["amazon"]
 
@@ -13,6 +13,11 @@ data "aws_ami" "amazon_linux_2" {
 
   filter {
     name   = "architecture"
-    values = ["x86_64"]
+    values = [var.architecture]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
   }
 }

main.tf

@@ -1,3 +1,26 @@
+locals {
+  instance_type_chars = split("", var.instance_type)
+  # Validate that only 'arm64' architecture is used with 'g' processor instances to ensure compatibility.
+  # https://docs.aws.amazon.com/ec2/latest/instancetypes/instance-type-names.html
+  is_instance_compatible = (
+    # True if does not contain 'g' in the third position when architecture is x86_64
+    (var.architecture == "x86_64" && element(local.instance_type_chars, 2) != "g") ||
+    # True if contains 'g' in the third position when architecture is arm64
+    (var.architecture == "arm64" && element(local.instance_type_chars, 2) == "g")
+  )
+}
+
+resource "null_resource" "validate_instance_type" {
+  count = local.is_instance_compatible ? 0 : 1
+
+  lifecycle {
+    precondition {
+      condition     = local.is_instance_compatible
+      error_message = "The instance_type must be compatible with the specified architecture. For x86_64, you cannot use instance types with ARM processors (e.g., t3, m5, c5). For arm64, use instance types with 'g' indicating ARM processor (e.g., t4g, c6g, m6g)."
+    }
+  }
+}
+
 module "role_label" {
   source  = "cloudposse/label/null"
   version = "0.25.0"
@@ -132,6 +155,7 @@ resource "aws_security_group_rule" "allow_all_egress" {
   to_port           = 0
   protocol          = "-1"
   cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
   security_group_id = aws_security_group.default.id
 }
 
@@ -270,7 +294,7 @@ DOC
 
 resource "aws_launch_template" "default" {
   name_prefix   = module.this.id
-  image_id      = length(var.ami) > 0 ? var.ami : data.aws_ami.amazon_linux_2.id
+  image_id      = coalesce(var.ami, data.aws_ami.amazon_linux_2023.id)
   instance_type = var.instance_type
   key_name      = var.key_pair_name
   user_data     = base64encode(var.user_data)
@@ -305,6 +329,13 @@ resource "aws_launch_template" "default" {
     create_before_destroy = true
   }
 
+  block_device_mappings {
+    device_name = "/dev/xvda"
+    ebs {
+      encrypted = true
+    }
+  }
+
   metadata_options {
     http_endpoint      = var.metadata_http_endpoint_enabled ? "enabled" : "disabled"
     http_tokens        = var.metadata_imdsv2_enabled ? "required" : "optional"

tests/main.tftest.hcl

@@ -0,0 +1,104 @@
+variables {
+  vpc_id = "vpc-12345678"
+  subnet_ids = ["subnet-12345678", "subnet-87654321"]
+  stage = "test"
+  namespace = "mp"
+  name = "ssm-agent"
+  region = "us-east-1"
+  availability_zones = ["us-east-1a"]
+  nat_gateway_enabled = true
+  ipv6_enabled = true
+}
+
+### TESTING INSTANCE and ARCHITECTURE COMPATIBILITY ###
+# https://docs.aws.amazon.com/ec2/latest/instancetypes/instance-type-names.html
+# https://aws.amazon.com/ec2/instance-types/
+
+# Test valid x86_64 instance type
+run "valid_x86_64_instance" {
+  command = plan
+
+  variables {
+    instance_type = "t3.micro"
+    architecture = "x86_64"
+  }
+
+  assert {
+    condition     = local.is_instance_compatible
+    error_message = "Expected instance type t3.micro to be compatible with x86_64 architecture"
+  }
+}
+
+# Test valid arm64 instance type
+run "valid_arm64_instance" {
+  command = plan
+
+  variables {
+    instance_type = "t4g.micro"
+    architecture = "arm64"
+  }
+
+  assert {
+    condition     = local.is_instance_compatible
+    error_message = "Expected instance type t4g.micro to be compatible with arm64 architecture"
+  }
+}
+
+# Test invalid x86_64 instance type (using arm64 instance type)
+run "invalid_x86_64_instance" {
+  command = plan
+
+  variables {
+    instance_type = "t4g.micro"
+    architecture = "x86_64"
+  }
+
+  expect_failures = [
+    null_resource.validate_instance_type
+  ]
+}
+
+# Test invalid arm64 instance type (using x86_64 instance type)
+run "invalid_arm64_instance" {
+  command = plan
+
+  variables {
+    instance_type = "t3.micro"
+    architecture = "arm64"
+  }
+
+  expect_failures = [
+    null_resource.validate_instance_type
+  ]
+}
+
+# Test edge case, where the 'g' is defined as the instance family rather than the processor family
+# It has 'g' in the name, but it's still an x86_64 instance type because the 'g' is the instance family
+run "graphics_instance_arm_incompatiblity_edge_case" {
+  command = plan
+
+  variables {
+    instance_type = "g3s.xlarge"
+    architecture = "arm64"
+  }
+
+  expect_failures = [
+    null_resource.validate_instance_type
+  ]
+}
+
+# Test edge case, where the 'g' is defined as the instance family rather than the processor family
+# It has 'g' in the name, but it still is compatible with x86_64 since the 'g' is the instance family
+run "graphics_instance_x86_compatibility_edge_case" {
+  command = plan
+
+  variables {
+    instance_type = "g4dn.xlarge"
+    architecture = "x86_64"
+  }
+
+  assert {
+    condition     = local.is_instance_compatible
+    error_message = "Expected instance type g3s.xlarge to be compatible with x86_64 architecture"
+  }
+}

variables.tf

@@ -27,7 +27,13 @@ variable "instance_type" {
 variable "ami" {
   default     = ""
   type        = string
-  description = "The AMI to use for the SSM Agent EC2 Instance. If not provided, the latest Amazon Linux 2 AMI will be used. Note: This will update periodically as AWS releases updates to their AL2 AMI. Pin to a specific AMI if you would like to avoid these updates."
+  description = "The AMI to use for the SSM Agent EC2 Instance. If not provided, the latest Amazon Linux 2023 AMI will be used. Note: This will update periodically as AWS releases updates to their AL2023 AMI. Pin to a specific AMI if you would like to avoid these updates."
+}
+
+variable "architecture" {
+  description = "The architecture of the AMI (e.g., x86_64, arm64)"
+  type        = string
+  default     = "arm64"
 }
 
 variable "user_data" {

versions.tf

@@ -11,5 +11,9 @@ terraform {
       source  = "hashicorp/time"
       version = ">= 0.7"
     }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.2"
+    }
   }
 }