Module - AMI Housekeeper
This module deploys a Lambda function responsible for deleting outdated AMIs. You can specify various criteria for the deletion process. Please note that the creation of AMIs is not within the scope of this project; the Lambda's role is solely to remove old ones. To avoid potential conflicts, it is recommended to deploy this module only once.
By default, the Lambda will scan all launch templates and assume that only the default version is in use. Any other AMIs referenced in the launch templates will be considered outdated and subject to deletion. Additionally, the module can search for AMIs referenced in AWS Systems Manager (SSM). When you set ssmParameterNames to *ami-id, the module will regard all AMIs referenced in SSM as in use, sparing them from deletion.
You can further refine the deletion process by applying AMI filters, such as those based on tags. The module also offers a 'dry run' option, allowing you to test the Lambda's behavior before executing actual deletions.
Usages
The module can be activated via the main module by setting enable_ami_housekeeper
to true
. Or invoking the module directly.
module "ami_housekeeper" {
source = "path to module"
prefix = "my-prefix"
ami_cleanup_config = {
ssmParameterNames = ["*/ami-id"]
minimumDaysOld = 30
filters = [
{
Name = "tag:Packer"
Values = ["true"]
}
]
dryRun = true
}
log_level = "debug"
}
Development
Lambda Function
The Lambda function is written in TypeScript and requires Node and yarn. Sources are located in [https://github.com/philips-labs/terraform-aws-github-runner/tree/main/lambdas].
Install
cd lambdas
yarn install
Test
Test are implemented with Jest, calls to AWS and GitHub are mocked.
yarn run test
Package
To compile all TypeScript/JavaScript sources in a single file ncc is used.
yarn run dist
Requirements
Name | Version |
---|---|
terraform | >= 1.3.0 |
aws | ~> 5.27 |
Providers
Name | Version |
---|---|
aws | ~> 5.27 |
Modules
No modules.
Resources
Name | Type |
---|---|
aws_cloudwatch_event_rule.ami_housekeeper | resource |
aws_cloudwatch_event_target.ami_housekeeper | resource |
aws_cloudwatch_log_group.ami_housekeeper | resource |
aws_iam_role.ami_housekeeper | resource |
aws_iam_role_policy.ami_housekeeper | resource |
aws_iam_role_policy.ami_housekeeper_xray | resource |
aws_iam_role_policy.lambda_logging | resource |
aws_iam_role_policy_attachment.ami_housekeeper_vpc_execution_role | resource |
aws_lambda_function.ami_housekeeper | resource |
aws_lambda_permission.ami_housekeeper | resource |
aws_iam_policy_document.lambda_assume_role_policy | data source |
aws_iam_policy_document.lambda_xray | data source |
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
aws_partition | (optional) partition for the base arn if not 'aws' | string |
"aws" |
no |
cleanup_config | Configuration for AMI cleanup.amiFilters - Filters to use when searching for AMIs to cleanup. Default filter for images owned by the account and that are available.dryRun - If true, no AMIs will be deregistered. Default false.launchTemplateNames - Launch template names to use when searching for AMIs to cleanup. Default no launch templates.maxItems - The maximum numer of AMI's tha will be queried for cleanup. Default no maximum.minimumDaysOld - Minimum number of days old an AMI must be to be considered for cleanup. Default 30.ssmParameterNames - SSM parameter names to use when searching for AMIs to cleanup. This parameter should be set when using SSM to configure the AMI to use. Default no SSM parameters. |
object({ |
{} |
no |
lambda_architecture | AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86_64' functions. | string |
"arm64" |
no |
lambda_memory_size | Memory size linit in MB of the lambda. | number |
256 |
no |
lambda_principals | (Optional) add extra principals to the role created for execution of the lambda, e.g. for local testing. | list(object({ |
[] |
no |
lambda_runtime | AWS Lambda runtime. | string |
"nodejs22.x" |
no |
lambda_s3_bucket | S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly. | string |
null |
no |
lambda_s3_key | S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas. | string |
null |
no |
lambda_s3_object_version | S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket. | string |
null |
no |
lambda_schedule_expression | Scheduler expression for action runner binary syncer. | string |
"rate(1 day)" |
no |
lambda_security_group_ids | List of security group IDs associated with the Lambda function. | list(string) |
[] |
no |
lambda_subnet_ids | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the vpc_id . |
list(string) |
[] |
no |
lambda_tags | Map of tags that will be added to all the lambda function resources. Note these are additional tags to the default tags. | map(string) |
{} |
no |
lambda_timeout | Time out of the lambda in seconds. | number |
60 |
no |
lambda_zip | File location of the lambda zip file. | string |
null |
no |
log_level | Logging level for lambda logging. Valid values are 'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'. | string |
"info" |
no |
logging_kms_key_id | Specifies the kms key id to encrypt the logs with | string |
null |
no |
logging_retention_in_days | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | number |
180 |
no |
prefix | The prefix used for naming resources | string |
"github-actions" |
no |
role_path | The path that will be added to the role, if not set the environment name will be used. | string |
null |
no |
role_permissions_boundary | Permissions boundary that will be added to the created role for the lambda. | string |
null |
no |
state_event_rule_ami_housekeeper | State of the rule. | string |
"ENABLED" |
no |
tags | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | map(string) |
{} |
no |
tracing_config | Configuration for lambda tracing. | object({ |
{} |
no |
Outputs
Name | Description |
---|---|
lambda | n/a |
lambda_log_group | n/a |
lambda_role | n/a |