aws-quickstart / quickstart-vmware-tanzu-application-platform

AWS Quick Start for VMware Tanzu Application Platform
https://aws-quickstart.github.io/quickstart-vmware-tanzu-application-platform/
Apache License 2.0

Bump Ubuntu Server 22.04 LTS AMI IDs to the latest #119

Closed satya-dillikar closed 1 year ago

satya-dillikar commented 1 year ago

Update the VMwareLinuxBastionInstance EC2 AMI affected by the recent OpenSSL security vulnerabilities CVE-2022-3786 & CVE-2022-3602.

More info:
https://www.openssl.org/news/secadv/20221101.txt
https://ubuntu.com/security/CVE-2022-3786
https://ubuntu.com/security/CVE-2022-3602

This work is an enhancement of PR-115.

satya-dillikar commented 1 year ago

I have tested the AWS SSM CLI command and CloudFormation template below.

@tlindsay42, is it okay to replace the hard-coded AMI values for US2204HVM with /aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id?

SSM CLI:

aws ssm get-parameters --names /aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id --region us-east-2
{
    "Parameters": [
        {
            "Name": "/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id",
            "Type": "String",
            "Value": "ami-03ba6c40a876f6ed6",
            "Version": 15,
            "LastModifiedDate": "2022-11-01T11:25:46.059000-07:00",
            "ARN": "arn:aws:ssm:us-east-2::parameter/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id",
            "DataType": "aws:ec2:image"
        }
    ],
    "InvalidParameters": []
}

CFT template for the same

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  AWS CloudFormation template
Parameters:
  LatestAmiId:
    Description: >-
      LatestAmiId
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id
Resources:
  NullResource:
    Type: AWS::CloudFormation::WaitConditionHandle
Mappings:
  AwsAmiRegionMap:
    us-east-2:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
Outputs:
  LatestAmiId:
    Description: >-
      LatestAmiId
    Value: !Ref LatestAmiId
  WindowsImageId:
    Description: >-
      WindowsImageId
    Value: !FindInMap [AwsAmiRegionMap, !Ref AWS::Region, WS2022FullBase]
  UbuntuImageId:
    Description: >-
      UbuntuImageId
    Value: !FindInMap [AwsAmiRegionMap, !Ref AWS::Region, US2204HVM]

satya-dillikar commented 1 year ago
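The change this PR proposes, applied mechanically: find every hard-coded US2204HVM AMI ID in an AwsAmiRegionMap block and swap it for the same SSM dynamic reference the template above uses, recording which regions carried a stale pinned ID. This is an added example, not code from the Quick Start; it assumes the template layout shown above (region keys indented four spaces, AMI keys six) and operates on a constructed sample template embedded in the block.

```python
import re

# Canonical's public SSM parameter for the current Ubuntu 22.04 amd64 HVM EBS-gp2 AMI,
# the same path the comment above queries with `aws ssm get-parameters`.
UBUNTU_2204_SSM_PARAM = (
    "/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id"
)

# A region key line inside AwsAmiRegionMap, e.g. "    us-east-2:" (assumed four-space indent).
_REGION_LINE = re.compile(r"^\s{4}(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):\s*$")
# A pinned AMI line, e.g. "      US2204HVM: ami-0123456789abcdef0".
_AMI_LINE = re.compile(r"^(?P<indent>\s*)(?P<key>US2204HVM):\s*(?P<ami>ami-[0-9a-f]{8,17})\s*$")

# Constructed sample: two regions with hard-coded Ubuntu AMIs plus a Windows entry
# that already uses a dynamic reference and must be left untouched.
SAMPLE_TEMPLATE = """\
Mappings:
  AwsAmiRegionMap:
    us-east-2:
      US2204HVM: ami-0123456789abcdef0
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    eu-west-1:
      US2204HVM: ami-0fedcba9876543210
"""


def replace_hardcoded_amis(template_text, ssm_param=UBUNTU_2204_SSM_PARAM):
    """Rewrite pinned US2204HVM AMI IDs as '{{resolve:ssm:<param>}}'.

    Returns (new_text, replaced) where replaced maps region -> the old AMI ID,
    so a reviewer can see exactly which pinned images were dropped.
    """
    out_lines = []
    replaced = {}
    current_region = None
    for line in template_text.splitlines():
        m_region = _REGION_LINE.match(line)
        if m_region:
            current_region = m_region.group("region")
        m_ami = _AMI_LINE.match(line)
        if m_ami:
            replaced[current_region] = m_ami.group("ami")
            # Quoted so YAML does not read the braces as a flow mapping.
            line = f"{m_ami.group('indent')}{m_ami.group('key')}: '{{{{resolve:ssm:{ssm_param}}}}}'"
        out_lines.append(line)
    return "\n".join(out_lines) + "\n", replaced


if __name__ == "__main__":
    new_text, replaced = replace_hardcoded_amis(SAMPLE_TEMPLATE)
    for region, old_ami in replaced.items():
        print(f"{region}: replaced pinned {old_ami}")
    print(new_text)
```

Running it a second time over its own output reports no replacements, which is a cheap way to confirm the mapping no longer carries any pinned Ubuntu AMI ID.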

In the past, you shared a Bash script to pull the latest AMI:

#!/bin/bash
# Print an AwsAmiRegionMap-style block listing the newest Ubuntu 22.04 AMI in every region.
set -euo pipefail

for r in $(aws ec2 describe-regions --query 'Regions | sort_by([], &RegionName) | [].RegionName' --output text)
do
  printf '    %s:\n' "${r}"
  for a in 'US2204HVM'
  do
    case "${a}" in
      'US2204HVM')
        # Canonical's image name pattern; the ???????? placeholder matches the build date stamp.
        IMAGE_FILTER="ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-????????*"
        # Restricting owner-id to Canonical's publishing accounts (commercial regions,
        # GovCloud and China respectively) keeps look-alike images from other accounts out.
        OWNER='099720109477,513442679011,837727238323'
        ;;
    esac
    # Sort by CreationDate and take the last entry so the newest image is chosen;
    # Images[*].[ImageId][0][0] would return whichever image the API listed first.
    ami=$(aws ec2 describe-images \
      --query 'sort_by(Images, &CreationDate)[-1].ImageId' \
      --filters "Name=name,Values='${IMAGE_FILTER}'" "Name=owner-id,Values=${OWNER}" \
      --region "${r}" --output text)
    printf '      %s: %s\n' "${a}" "${ami}"
  done
done

@tlindsay42, I am not sure how to get the above OWNER IDs.
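To show why the two filters in that script matter, here is the selection logic applied to a constructed describe-images result set. It is an added example, not part of the PR or the Quick Start: the image entries, their IDs and the unrelated account 111111111111 are all made up, and the name pattern and owner list are copied from the script. It contrasts the original query (first match in API order) with a CreationDate sort, and shows that the owner-id filter is what rejects a newer look-alike image published from an account that is not Canonical's.

```python
import fnmatch
from datetime import datetime

# Name pattern and owner list from the script above. The owner IDs are Canonical's
# AMI publishing accounts (commercial regions, GovCloud and China, respectively).
IMAGE_FILTER = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-????????*"
CANONICAL_OWNERS = {"099720109477", "513442679011", "837727238323"}

# Constructed sample of describe-images "Images" entries, deliberately listed out of
# date order and including a look-alike from an unrelated (made-up) account.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaaaaaaaaaaaaaaa", "OwnerId": "099720109477",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20221018",
     "CreationDate": "2022-10-18T12:00:00.000Z"},
    {"ImageId": "ami-0cccccccccccccccc", "OwnerId": "111111111111",  # not Canonical
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20221102",
     "CreationDate": "2022-11-02T09:00:00.000Z"},
    {"ImageId": "ami-0bbbbbbbbbbbbbbbb", "OwnerId": "099720109477",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20221101",
     "CreationDate": "2022-11-01T18:00:00.000Z"},
    {"ImageId": "ami-0dddddddddddddddd", "OwnerId": "099720109477",  # other release
     "Name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20221101",
     "CreationDate": "2022-11-01T18:00:00.000Z"},
]


def _creation_time(img):
    # describe-images reports CreationDate as ISO-8601 with milliseconds and a Z suffix.
    return datetime.strptime(img["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")


def trusted_candidates(images, name_pattern=IMAGE_FILTER, owners=CANONICAL_OWNERS):
    """Apply the same two filters the script passes to describe-images:
    a glob on the image name and an allow-list of publishing accounts."""
    return [img for img in images
            if img["OwnerId"] in owners and fnmatch.fnmatchcase(img["Name"], name_pattern)]


def first_listed_ami(images, **filters):
    """What --query 'Images[*].[ImageId][0][0]' yields: the first match in the
    order the API happened to return, which need not be the newest."""
    candidates = trusted_candidates(images, **filters)
    return candidates[0]["ImageId"] if candidates else None


def newest_trusted_ami(images, **filters):
    """Equivalent of --query 'sort_by(Images, &CreationDate)[-1].ImageId'."""
    candidates = trusted_candidates(images, **filters)
    if not candidates:
        return None
    return max(candidates, key=_creation_time)["ImageId"]


if __name__ == "__main__":
    print("first listed (unsorted): ", first_listed_ami(SAMPLE_IMAGES))
    print("newest from Canonical:   ", newest_trusted_ami(SAMPLE_IMAGES))
```

With the sample data the unsorted query returns the October image, the sorted query returns the 1 November image, and the 2 November look-alike is never considered because its owner is not in the allow-list; dropping the owner filter is the only way it gets picked.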