hotosm / tasking-manager

Tasking Manager - The tool to team up for mapping in OpenStreetMap
https://wiki.openstreetmap.org/wiki/Tasking_Manager
BSD 2-Clause "Simplified" License

Use AWS SSM instead of static AMI for Ubuntu base image in cloudformation #6512

Closed tsmock closed 3 months ago

tsmock commented 3 months ago

What type of PR is this? (check all applicable)

Related Issue

Fixes #6506

Describe this PR

Use SSM ("Systems Manager") to find the newest AMI for Ubuntu 20.04.

The current method hardcodes a single AMI (in this case ami-0aa2b7722dc1b5612). The problem with this method is that:

  1. It is region specific (example: ami-081a3b9eded47f0f3 is the equivalent AMI for us-west-1).
  2. It doesn't automatically update/start with the (almost) latest updates (current latest version for us-west-1 is ami-023e8dfe2208927a7, which was created on 2024-07-23). This can be problematic when there is a significant vulnerability that must be patched ASAP (think of the recent SSH vulnerability; it doesn't affect Ubuntu 20.04, but having a period of time where a remote attacker can get into a system isn't a good idea).

Review Guide

Apply the cloudformation stack. Observe that the base AMI is significantly newer and that the deployment finishes.

Additional notes:

Updating the base AMI from Ubuntu 20.04 to 24.04 should be done soonish (EOL is 2025-04). The packages in LaunchTemplateData.UserData will need to be updated. The scope for that is outside of this PR.
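The mechanism the PR describes (let CloudFormation resolve the AMI through an SSM parameter instead of baking in one region's ID) looks like this in a template. This is an added illustration, not the PR's own diff; the logical names `UbuntuAmiId`, `AppLaunchTemplate` and the instance type are assumptions, while the SSM path is the public parameter Canonical publishes for the current Ubuntu 20.04 amd64 EBS image.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not the tasking-manager stack): resolve the Ubuntu 20.04
  base AMI through SSM instead of a hardcoded, region-specific AMI ID.

Parameters:
  # Assumed parameter name. The default is Canonical's public SSM parameter
  # for the newest Ubuntu 20.04 amd64 HVM image. CloudFormation resolves it
  # in the stack's own region when the stack is created or updated, so the
  # same template deploys unchanged in us-east-1, us-west-1, etc.
  UbuntuAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id

Resources:
  AppLaunchTemplate:  # assumed logical name
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        # Before (the pattern the PR replaces): one fixed ID that is only
        # valid in one region and never picks up newer images.
        #   ImageId: ami-0aa2b7722dc1b5612
        # After: whatever AMI ID the SSM parameter resolved to at deploy time.
        ImageId: !Ref UbuntuAmiId
        InstanceType: t3.small  # assumed; the page does not show the real value
```

Two caveats a reviewer would check. First, the lookup happens only when the stack is deployed: an image published after the last `update-stack` is not picked up until the stack is updated again, and an Auto Scaling group only uses the new launch template version once its instances are replaced (for example via an instance refresh), so this does not by itself patch running hosts. Second, to confirm what a given region will resolve to before applying the stack, `aws ssm get-parameter --name /aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id --query Parameter.Value --output text --region us-west-1` prints the AMI ID, which can be compared against the old hardcoded value as the review guide suggests.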

sonarcloud[bot] commented 3 months ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code


tsmock commented 3 months ago

> We probably won't move to 24.04 as hopefully we will be doing production deployments with ECS within the next few months.

Good to hear. :)

Before I spend a lot of time setting up CodeBuild for the frontend, what are you planning on doing for that? Keep using CircleCI? Or are you also going to use ECS for the frontend?

dakotabenjamin commented 3 months ago

We are moving to github actions. You can see some of the prep work happening here:

About the frontend, I know we are pushing docker images for that but we may still use s3 static site. cc @mahesh-naxa .