Closed kenoir closed 9 months ago
In order to use updated base AMIs with standard security requirements baked in, we use the AMIs built and distributed by the platform account.
This change follows:
    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
      ~ update in-place

    Terraform will perform the following actions:

      # module.ec2_cluster_capacity_provider.aws_autoscaling_group.asg will be updated in-place
      ~ resource "aws_autoscaling_group" "asg" {
            id = "workflow-stage_ec2_cluster_asg"
            name = "workflow-stage_ec2_cluster_asg"
            # (25 unchanged attributes hidden)

          ~ launch_template {
                id = "lt-0fc1fcede19fc7081"
                name = "workflow-stage_ec2_cluster_launch_template"
              ~ version = "37" -> (known after apply)
            }

            # (2 unchanged blocks hidden)
        }

      # module.ec2_cluster_capacity_provider.aws_launch_template.launch_template will be updated in-place
      ~ resource "aws_launch_template" "launch_template" {
          ~ default_version = 37 -> (known after apply)
            id = "lt-0fc1fcede19fc7081"
          ~ image_id = "ami-0914bb48d354dd0c7" -> "ami-0badf788590737070"
          ~ latest_version = 37 -> (known after apply)
            name = "workflow-stage_ec2_cluster_launch_template"
            tags = {}
            # (10 unchanged attributes hidden)

            # (2 unchanged blocks hidden)
        }

      # module.worker_node_1.module.autoscaling.aws_appautoscaling_target.service_scale_target will be updated in-place
      ~ resource "aws_appautoscaling_target" "service_scale_target" {
            id = "service/workflow-stage/workflow-stage-workernode_1"
            tags = {}
          ~ tags_all = {
              + "Department" = "Digital Production"
              + "Division" = "Culture and Society"
              + "Environment" = "Staging"
              + "TerraformConfigurationURL" = "https://github.com/wellcomecollection/goobi-infrastructure/tree/master/infrastructure/staging"
              + "Use" = "Goobi"
            }
            # (6 unchanged attributes hidden)
        }

      # module.worker_node_bagit.module.autoscaling.aws_appautoscaling_target.service_scale_target will be updated in-place
      ~ resource "aws_appautoscaling_target" "service_scale_target" {
            id = "service/workflow-stage_ec2/workflow-stage-workernode_bagit"
            tags = {}
          ~ tags_all = {
              + "Department" = "Digital Production"
              + "Division" = "Culture and Society"
              + "Environment" = "Staging"
              + "TerraformConfigurationURL" = "https://github.com/wellcomecollection/goobi-infrastructure/tree/master/infrastructure/staging"
              + "Use" = "Goobi"
            }
            # (6 unchanged attributes hidden)
        }

    Plan: 0 to add, 4 to change, 0 to destroy.
The EC2 instances are properly monitored and we have a mechanism for keeping their base AMIs up to date.
Applied to staging. AMI changes are ignored for the bastion host... I'll create an issue for that, since some user-data is missing to make things more comfortable.
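The plan above mixes the intended AMI swap with unrelated tag drift, which makes the security-relevant change easy to miss in review. The following is an added example, not code from this pull request or repository: it reads the JSON form of a plan (`terraform show -json`) and separates AMI changes from everything else. The names `review_plan` and `AMI_ATTR` are hypothetical, and the approved AMI set is an assumption standing in for the list of images published by the platform account.

```python
import json

# Attribute holding the AMI id for each resource type that launches instances.
AMI_ATTR = {"aws_launch_template": "image_id",
            "aws_launch_configuration": "image_id",
            "aws_instance": "ami"}

# Constructed sample shaped like `terraform show -json <planfile>`, trimmed to
# the fields read below; addresses and AMI ids are taken from the plan above.
LT = "module.ec2_cluster_capacity_provider.aws_launch_template.launch_template"
TARGET = ("module.worker_node_1.module.autoscaling."
          "aws_appautoscaling_target.service_scale_target")
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": LT, "type": "aws_launch_template",
     "change": {"actions": ["update"],
                "before": {"image_id": "ami-0914bb48d354dd0c7"},
                "after": {"image_id": "ami-0badf788590737070"},
                "after_unknown": {"latest_version": True}}},
    {"address": TARGET, "type": "aws_appautoscaling_target",
     "change": {"actions": ["update"],
                "before": {"tags_all": {}},
                "after": {"tags_all": {"Use": "Goobi"}},
                "after_unknown": {}}},
]})


def review_plan(plan_json, approved_amis):
    """Split a plan into AMI changes, AMI violations and unrelated changes."""
    ami_changes, violations, other = [], [], []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if change["actions"] in (["no-op"], ["read"]):
            continue
        attr = AMI_ATTR.get(rc["type"])
        old = (change.get("before") or {}).get(attr)
        new = (change.get("after") or {}).get(attr)
        if attr and (change.get("after_unknown") or {}).get(attr):
            # AMI is computed at apply time, so it cannot be reviewed here.
            violations.append((rc["address"], "unknown until apply"))
        elif attr and old != new:
            ami_changes.append((rc["address"], old, new))
            if new is not None and new not in approved_amis:
                violations.append((rc["address"], new))
        else:
            other.append(rc["address"])
    return ami_changes, violations, other


if __name__ == "__main__":
    print(review_plan(SAMPLE_PLAN, approved_amis={"ami-0badf788590737070"}))
```

A non-empty `violations` list is the signal to stop the apply; the `other` list shows which resources change for reasons unrelated to the AMI update.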