This project demonstrates how to detect when an Elastic Beanstalk platform's base AMI has been updated and starts an EC2 Image Builder Pipeline to automate the creation of a golden image and is the companion to the EC2 Image Builder and Hands-free Hardening of Windows Images for AWS Elastic Beanstalk blog post.
This library is licensed under the MIT-0 License. See the LICENSE file.
Additionally, this project installs the following software for the purposes of deploying and running the application:
- Microsoft .NET is an open source developer platform, created by Microsoft is provided under the MIT License.
- Serilog is an open source software diagnostic logging library for .NET applications provided under the Apache 2 License.
- Moq is an open source software mocking library for .NET provided under the BSD 3-Clause License.
- Elastic Beanstalk EC2 Image Builder Pipeline for Windows Automation
This project provides a sample solution to automate the execution of an EC2 Image Builder Pipeline that uses an Amazon Elastic Beanstalk managed AMI as the source AMI. There are currently two parts to the solution, each a Lambda function:
- AmiMonitor - Determines when the Amazon Elastic Beanstalk managed AMI has been updated for a platform. This function is invoked on a schedule.
- ImageBuilderTrigger - Starts the execution of an Amazon EC2 Image Builder pipeline when the Parameter Store parameter referencing the Elastic Beanstalk managed AMI is updated
Both of these Lambda functions are contained in the same .NET assembly.
This project follows the src project structure. In other words, this:
├─ src
│ └─ Project
│ └─ ...
├─ tests
│ ├─ Project.UnitTests
│ └─ ...
The code was developed using .NET 5. Because .NET 5 is not a LTSC release, AWS Lambda's support for container images was used. Once you have cloned the repository, you can execute the following command from the project's root folder to run the unit tests included with the project to ensure all dependencies have been downloaded.
dotnet testThe output should be similar to the following, showing the results of the unit tests that were executed.
Visual Studio is recommended for local development as it can ease the deployment of the of the SAM template.
- PLATFORM_ARN - The ARN of the Elastic Beanstalk platform version to monitor for changes.
- SSM_PARAMETER_NAME - Name of the Systems Manager Parameter Store parameter used to store the latest AMI ID for the Beanstalk Platform version being monitored.
- IMAGE_PIPELINE_ARN - The ARN of the EC2 Image Builder Pipeline that needs to be executed when a new version of the Elastic Beanstalk platform AMI is detected.
The solution has been split into two components. The first is one monitors the selected Elastic Beanstalk platform for changes to the AMI associated with it and ensures that a Systems Manager Parameter Store parameter is kept up to date.
The next component picks up where that Systems Manager Parameter Store parameter left off and will update the associated EC2 Image Builder Pipeline's recipe with the updated AMI ID, and will trigger the execution of the pipeline so that a new AMI is created.
The build stage of the EC2 Image Builder pipeline included in this project follows the steps depicted above. A custom Image Builder Component is also included that updates the SSM Agent prior to installing Windows Updates, and executing the EC2 Image Builder STIG Medium Component to harden the AMI.
Let's take a closer look at the classes that make up the Lambda functions.
All of the Lambda functions are contained within a single Visual Studio project (BeanstalkImageBuilderPipeline). See the Best practices for organizing larger serverless applications blog post for other options on organizing your functions.
This results in a single Docker image being used for both functions with the Lambda's entry point (specified by the Command property of ImageConfig) selecting the appropriate function to call at runtime. For instance, the below excerpt from the serverless.template is used to invoke the AmiMonitor function.
ImageConfig:
Command:
- BeanstalkImageBuilderPipeline::BeanstalkImageBuilderPipeline.AmiMonitor::Handler
There are three major namespaces that make up the solution
- BeanstalkImageBuilderPipeline - Contains the Lambda functions
- BeanstalkImageBuilderPipeline.Repositories - Contains the repository classes used to abstract access to AWS services.
- BeanstalkImageBuilderPipeline.Events - Contains classes representing event payloads not already provided by the AWS SDK.
The base class for all Lambda functions is named LambdaFunction and provides functionality such as lazy initialization of an IServiceProvider that can be used for Dependency Injection, as well as the ConfigureServices template method used to allow subclasses to register their own dependencies.
The two methods depicted in the class diagram are key to how the Lambda functions are initialized. The following section covers how these types interact with each other.
At the start of the Lambda execution environment, the LambdaFunction class takes care of initializing the IServiceProvider instance that used to provide Dependency Injection to the Lambda function.
The LambdaFunction class does this by calling the GetServiceProvider method which in turn creates an instance of .NET's Generic Host. The Generic Host is used because it configures:
- Logging (using Serilog)
- Dependency Injection (using .NET's Service Provider)
- Configuration (using .NET's Configurationg Provider)
Serilog is used to provide Structured Logging, and .NET's support for log scopes is used to add metadata to each log entry (e.g., AWS Request Id). This additional metadata can be seen in log entries created by the application or its dependencies. For example, the below are from CloudWatch:
This is a log entry created by the application.
This is a log entry created by AWS SDK for .NET. Notice that the Scope property has the same AwsRequestId value for both log entries.
Once the Generic Host has initialized the Service Collection, the ConfigureServices template method is called so that LambdaFunction's subclasses may register their dependencies.
The AmiMonitor Lambda function is executed on a schedule by using an EventBridge scheduled rule. AmiMonitor retrieves the latest AMI version for the Beanstalk platform specified in the PLATFORM_ARN environment variable using the DescribePlatformVersion API call.
If the AMI ID returned is different than the value of the Systems Manager Parameter Store parameter specified in the SSM_PARAMETER_NAME environment variable, the parameter is updated.
This parameter update kicks off the second half of the process (i.e. starting the execution of the EC2 Image Builder Pipeline).
The ImageBuilderTrigger Lambda function is invoked using an EventBridge rule triggered when a "Parameter Store Change" event is raised for either the "Update" or "Create" operations.
Once triggered, the Lambda function retrieves the parameter's value (i.e. the new AMI ID) from Parameter Store, and creates a new version the Image Builder Recipe associated with the Image Builder Pipeline referenced in the IMAGE_PIPELINE_ARN environment variable.
With the new recipe referencing the latest AMI ID, a new execution of the pipeline is started, creating a new golden image.
See CONTRIBUTING for more information.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent