aws / ec2-macos-init

EC2 macOS Init is the launch daemon used to initialize Mac instances within EC2.
https://aws.amazon.com/ec2/instance-types/mac/
Apache License 2.0

RunOnce for command modules #11

Closed Edwin-Pau closed 2 years ago

Edwin-Pau commented 2 years ago

Hello! I've been going through this tool to run a custom command upon first boot for our custom AMI, making use of the command module and the RunOnce flag. I understand that it stores instance history via the instance-id directory, but I don't believe the RunOnce flag uses that directory since the instance still sees the module has been run even when sudo ec2-macos-init clean -all is used.

The question I have is regarding where the history for this flag is stored, since when I package it up as a new AMI, I want this module to trigger again to allow the AMI to be re-used as a "custom base" AMI.

mattcataws commented 2 years ago

Hi @Edwin-Pau, the history for this flag is stored in the same instance-id directory that you mentioned. The path is: /usr/local/aws/ec2-macos-init/instances/<instance-id>/. This directory contains the history.json file which is used for these run type configurations.

If you're looking to have the module run for each new instance, I'd recommend using RunPerInstance instead of RunOnce. This will allow your module to execute the first time a new instance is launched from your custom AMI.

Please let me know if this works for you. If you still have the issue, could you please provide some steps to reproduce the problem.

Edwin-Pau commented 2 years ago

Hi @mattcataws thanks for getting back to me so quickly! So just to clarify, to "sysprep" the image, running sudo ec2-macos-init clean -all is good enough since it removes the entire instances directory containing any kind of history, right?

So the difference between RunPerInstance and RunOnce is that RunOnce will not trigger the module again if it detects that it has already run in any prior instance.

What we are actually trying to do is to make the UX better for our image by allowing a fresh image to set the initial password to the instance-id found in the IMDS on first use. We just want the command module to run only once but not per instance-id.

mattcataws commented 2 years ago

Sorry, it seems that I misunderstood your original comment.

That's correct, sudo ec2-macos-init clean --all will remove everything inside of the instances directory. If that history doesn't exist, ec2-macos-init will run every module the next time it's executed.

Just to clarify, you're creating the AMI directly after running clean --all and seeing that your module doesn't run when launching an instance from said AMI, right?

Would you be able to include some logs to help debug this? I'm wondering if the history is being regenerated between the time when you run clean and when the AMI is created.
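
A small pre-imaging check that follows from the above, written for this thread as an added example (it is not part of the ec2-macos-init project and not something either commenter posted). The only facts it relies on are the ones stated in the thread: the per-instance history lives under /usr/local/aws/ec2-macos-init/instances/<instance-id>/history.json, and `ec2-macos-init clean --all` is expected to empty that directory. The function names, the EC2_INIT_INSTANCES_DIR override and the "run" argument are my own choices for illustration.

```shell
#!/bin/sh
# Added example, not project code. Verifies that no ec2-macos-init instance
# history survives after `clean --all`, so a RunOnce module fires again on the
# first instance launched from the AMI. Paths are taken from the thread;
# EC2_INIT_INSTANCES_DIR is an assumed override used only for testing.

EC2_INIT_INSTANCES_DIR="${EC2_INIT_INSTANCES_DIR:-/usr/local/aws/ec2-macos-init/instances}"

# Print the instance-ids that still have a history.json under the given
# instances directory, one per line. Prints nothing when the history is clean
# or the directory does not exist.
stale_history_ids() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for h in "$dir"/*/history.json; do
        [ -f "$h" ] || continue           # unmatched glob or not a file
        basename "$(dirname "$h")"       # the <instance-id> path component
    done
}

# Return 0 when no instance history remains (safe to create the AMI),
# 1 otherwise, naming the leftover instance-ids on stderr.
verify_clean_history() {
    dir="${1:-$EC2_INIT_INSTANCES_DIR}"
    stale="$(stale_history_ids "$dir")"
    if [ -n "$stale" ]; then
        echo "stale ec2-macos-init history for: $stale" >&2
        return 1
    fi
    return 0
}

# Wipe the history, then confirm nothing is left. Run this as the very last
# step before creating the AMI: anything that runs ec2-macos-init afterwards
# (a reboot, for example) regenerates the history for the current instance.
sysprep_ec2_macos_init() {
    sudo ec2-macos-init clean --all || return 1
    verify_clean_history "$EC2_INIT_INSTANCES_DIR"
}

# Only perform the real sysprep when invoked as: sh sysprep.sh run
if [ "${1:-}" = "run" ]; then
    sysprep_ec2_macos_init
fi
```

If verify_clean_history reports a leftover instance-id after clean --all, the history was regenerated between the clean and the snapshot, which is exactly the sequence question raised above; /var/log/amazon/ec2/ec2-macos-init.log will show what ran in between.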

Edwin-Pau commented 2 years ago

Thanks for confirming that it would remove everything. I have a suspicion that it wasn't running RunOnce even after cleaning the entire instances history, which led me to believe it was saving its history somewhere for that. If that's not the case I will re-test and report back. It may actually be related to the secure token being set after changing the password. Inside the instance history directory, I see history.json, so if it says that the module succeeded then it would've executed the command, right?

On a side note, is there any way to speed up the data scrubbing process in between instances? It takes around 30 minutes for a subsequent restart to test something and generally takes a while just to test a couple of things.

mattcataws commented 2 years ago

Yes, it would've executed the command if it says that it succeeded. The log file will have more details from when the module was executed. The logs can be found at this path: /var/log/amazon/ec2/ec2-macos-init.log.

And sadly I don't have a way to speed up the scrubbing process currently.

Edwin-Pau commented 2 years ago

Those logs will be super helpful! Thank you for your help, I will close this for now! :)