Closed exequielrafaela closed 3 years ago
@exequielrafaela This will work both as a filter for locating AMIs and also for tagging the resources created by this module; are you sure that will work? I mean, instances, volumes and other resources are usually tagged with Terraform=True, Environment=Shared, and other custom tags; will the AMIs need to be tagged identically as well?
@diego-ojeda-binbash OJ, as discussed, I've updated the aws-config reference architecture layer with the following security convention:

```hcl
check_approved_amis_by_tag = true
ami_required_tag_key_value = "ApprovedAMI:true"
```

Hence, I've reflected the necessary updates to support it:

```hcl
  most_recent = true

  filter {
    name   = "name"
    values = [var.aws_ami_os_id]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  //https://askubuntu.com/questions/53582/how-do-i-know-what-ubuntu-ami-to-launch-on-ec2
  // Any user can register an AMI under any name. Nothing prevents a malicious user from registering an AMI that would
  // match the search above. So, in order to be safe, you need to verify that the owner of the ami is '099720109477'.
  owners = [var.aws_ami_os_owner] # Canonical

  tags = merge(
    var.tags,
    {
      ApprovedAMI = var.tagApprovedAMIvalue
    },
  )
}
```
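The convention above pairs an owner check with an "approved AMI" tag. As an added example (not code from this PR or from the module itself), the following Terraform shows one way to turn the `ami_required_tag_key_value` string into an `aws_ami` tag filter that is only applied when `check_approved_amis_by_tag` is set, while keeping the owner filter from the snippet above. The data source name `selected`, the `locals` that split the key:value string, and the variable defaults (the Ubuntu name pattern is a constructed example value) are assumptions; the Canonical owner ID is the one quoted in the PR.

```hcl
# Added example: enforce the ApprovedAMI tag convention on AMI lookup.
# Not part of the original PR; names and defaults below are assumptions.

variable "check_approved_amis_by_tag" {
  type    = bool
  default = true
}

variable "ami_required_tag_key_value" {
  # Convention from the PR: "<tag key>:<tag value>"
  type    = string
  default = "ApprovedAMI:true"
}

variable "aws_ami_os_id" {
  # Constructed example name pattern; replace with the real image name.
  type    = string
  default = "ubuntu/images/hvm-ssd/ubuntu-*-amd64-server-*"
}

variable "aws_ami_os_owner" {
  # Canonical's account ID as quoted in the PR. Filtering on the owner is what
  # stops an arbitrary account's AMI with a look-alike name from being picked.
  type    = string
  default = "099720109477"
}

locals {
  # Split "ApprovedAMI:true" into key and value; a missing ":" is a config error
  # and surfaces as an index failure at plan time rather than a silent no-filter.
  approved_tag_parts = split(":", var.ami_required_tag_key_value)
  approved_tag_key   = local.approved_tag_parts[0]
  approved_tag_value = local.approved_tag_parts[1]
}

data "aws_ami" "selected" {
  most_recent = true
  owners      = [var.aws_ami_os_owner]

  filter {
    name   = "name"
    values = [var.aws_ami_os_id]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  # Only emitted when the tag check is enabled; "tag:<key>" is the EC2
  # DescribeImages filter syntax for matching a specific tag value.
  dynamic "filter" {
    for_each = var.check_approved_amis_by_tag ? [1] : []
    content {
      name   = "tag:${local.approved_tag_key}"
      values = [local.approved_tag_value]
    }
  }
}

output "selected_ami_id" {
  value = data.aws_ami.selected.id
}
```

Two things to keep in mind when using a tag filter this way: `terraform plan` fails if no image matches every filter, which is the intended fail-closed behaviour, and `tag:` filters only see tags that exist on the AMI from the calling account's point of view, so the approved tag has to be present on the images the lookup is expected to return (for example, on images the organization registers or copies into its own account and then vets), otherwise the lookup will legitimately find nothing.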
Commits on Oct 21, 2020