binbashar / terraform-aws-ec2-basic-layout

Terraform module to deploy a typical EC2 layout that includes an instance with a security group and a dns record.
Apache License 2.0
5 stars, 3 forks

BBL-192 | tagging AMI to approve and pass aws-config approved-amis-by-tag rule #25

Closed exequielrafaela closed 3 years ago

exequielrafaela commented 3 years ago

What?

Commits on Oct 21, 2020

Why?

exequielrafaela commented 3 years ago

@exequielrafaela This will work both as a filter for locating AMIs but also for tagging the resources created by this module, sure that will work? I mean, instances, volumes and other resources are usually tagged with Terraform=True, Environment=Shared, and other custom tags; will the AMIs need to be tagged identically as well?

@diego-ojeda-binbash OJ as discussed I've updated the aws-config reference architecture layer with the following security convention

  check_approved_amis_by_tag = true
  ami_required_tag_key_value = "ApprovedAMI:true"

Hence, I've reflected the necessary updates to support it


  # Opening line restored so the fragment is complete; the data source name "os_ami" is a placeholder, not taken from the PR.
  data "aws_ami" "os_ami" {
    most_recent = true

    filter {
      name   = "name"
      values = [var.aws_ami_os_id]
    }

    filter {
      name   = "virtualization-type"
      values = ["hvm"]
    }

    //https://askubuntu.com/questions/53582/how-do-i-know-what-ubuntu-ami-to-launch-on-ec2
    //  Any user can register an AMI under any name. Nothing prevents a malicious user from registering an AMI that would
    //  match the search above. So, in order to be safe, you need to verify that the owner of the ami is '099720109477'.
    owners = [var.aws_ami_os_owner] # Canonical

    // The aws_ami data source exposes "tags" as a read-only (computed) attribute, so it cannot be
    // assigned here. The approved-AMI convention is applied as a lookup filter instead: only an AMI
    // that already carries ApprovedAMI=<var.tagApprovedAMIvalue> is selected, which is the same
    // condition the APPROVED_AMIS_BY_TAG rule evaluates. With no matching image the plan fails
    // instead of launching an unapproved AMI.
    filter {
      name   = "tag:ApprovedAMI"
      values = [var.tagApprovedAMIvalue]
    }
  }
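For reference, the end-to-end wiring the convention above implies, as an added example that is not part of this PR or of the module's code: the APPROVED_AMIS_BY_TAG managed rule driven by the same key:value string used by the aws-config layer, an AMI lookup that pins the owner and requires the tag, and the instance that consumes it. The resource names, the Ubuntu name pattern and the instance type are assumptions, and an AWS Config configuration recorder is assumed to already be enabled in the account and region.

```hcl
variable "ami_required_tag_key_value" {
  description = "Tag the AMI must carry, as key:value (same convention as the aws-config layer)"
  type        = string
  default     = "ApprovedAMI:true"
}

locals {
  # "ApprovedAMI:true" -> key "ApprovedAMI", value "true"
  approved_tag_key   = split(":", var.ami_required_tag_key_value)[0]
  approved_tag_value = split(":", var.ami_required_tag_key_value)[1]
}

# AWS Config managed rule: every running EC2 instance must have been launched from an AMI
# carrying the approved tag. The rule inspects the AMI's tags, not the instance's, so tagging
# the instance itself with ApprovedAMI=true does nothing for compliance.
# Assumes a configuration recorder already exists (not declared here).
resource "aws_config_config_rule" "approved_amis_by_tag" {
  name = "approved-amis-by-tag"

  source {
    owner             = "AWS"
    source_identifier = "APPROVED_AMIS_BY_TAG"
  }

  input_parameters = jsonencode({
    amisByTagKeyAndValue = var.ami_required_tag_key_value
  })

  scope {
    compliance_resource_types = ["AWS::EC2::Instance"]
  }
}

# AMI lookup: owner pinned to Canonical (a name pattern alone is spoofable) AND the approved
# tag required. Tags you add to a public or shared AMI are visible only inside the tagging
# account, so the tag has to be applied in this account before this lookup matches; with no
# match the plan errors out rather than silently launching an unapproved image.
data "aws_ami" "approved" {
  most_recent = true
  owners      = ["099720109477"] # Canonical

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] # assumed OS id
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  filter {
    name   = "tag:${local.approved_tag_key}"
    values = [local.approved_tag_value]
  }
}

resource "aws_instance" "this" {
  ami           = data.aws_ami.approved.id
  instance_type = "t3.micro" # assumed

  tags = {
    Name      = "ec2-basic-layout-example" # assumed
    Terraform = "true"
  }
}
```

Keeping the rule's `amisByTagKeyAndValue` and the data source filter derived from one variable means the lookup can never select an image the rule would later flag; if the layer changes the convention (for example to a different key), both sides move together.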