feat: build and promote nat-zero AMIs#19
Merged
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
This PR replaces the third-party fck-nat AMI dependency with a Packer-built, in-repo nat-zero AMI, and adds a complete promotion workflow to build, copy, test, and publish that AMI globally. It also simplifies the Lambda by removing the runtime AMI-resolution API calls, moving AMI selection entirely to Terraform.
Changes:
- New Packer build (
ami/) with systemd-based snat service, Packer template, and scripts for the arm64/AL2023 nat-zero AMI - Terraform refactor: replaces
use_fck_nat_ami/custom_ami_*variables withami_owner_account/ami_name_pattern; AMI lookup moved from Lambda runtime to Terraform data source; Lambda EC2 API surface shrunk by removingDescribeImages,DescribeNetworkInterfaces, andDescribeLaunchTemplateVersions - New
nat-images.ymlGitHub Actions workflow covering build → global copy → integration gates → publish → promotion PR; integration test extended with a new Phase 4 (AMI upgrade path)
Reviewed changes
Copilot reviewed 33 out of 34 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
ami/nat-zero.pkr.hcl |
Packer template for arm64/AL2023 minimal NAT AMI |
ami/files/snat.sh |
iptables SNAT setup script baked into the AMI |
ami/files/snat.service |
systemd unit enabling snat.sh at boot |
ami/scripts/install-deps.sh |
OS patching and iptables install at AMI build time |
ami/scripts/configure.sh |
Hardens AMI: removes SSH, installs snat service |
ami/README.md |
Documents AMI design constraints, build steps, and workflow |
ami.tf |
Terraform data source and locals for AMI lookup/resolution |
variables.tf |
Replaces use_fck_nat_ami/custom_ami_* with ami_owner_account/ami_name_pattern |
launch_template.tf |
Uses local.effective_ami_id; adds precondition guard |
lambda.tf |
Removes AMI/ENI env vars; CONFIG_VERSION now uses effective_ami_id |
iam.tf |
Removes ec2:DescribeImages, ec2:DescribeLaunchTemplateVersions, ec2:DescribeNetworkInterfaces |
cmd/lambda/handler.go |
Removes AMIOwner/AMIPattern fields |
cmd/lambda/main.go |
Removes AMI env var reads |
cmd/lambda/ec2iface.go |
Removes DescribeNetworkInterfaces, DescribeImages, DescribeLaunchTemplateVersions from interface |
cmd/lambda/ec2ops.go |
Removes resolveAMI(); simplifies resolveLT() to use LatestVersionNumber directly |
cmd/lambda/mock_test.go |
Removes obsolete mock methods and fields |
cmd/lambda/handler_test.go / ec2ops_test.go |
Updates tests to simplified Lambda API surface |
tests/integration/nat_zero_test.go |
Adds Phase 4 (AMI upgrade), helper functions, and fixture variable |
tests/integration/fixture/main.tf |
Adds nat_ami_id variable to exercise AMI override |
scripts/update_ami_defaults.sh |
AWK-based script to update variables.tf defaults during promotion |
.github/workflows/nat-images.yml |
New AMI build/copy/gate/publish/promote workflow |
.github/workflows/integration-tests.yml |
Adds workflow_call trigger and AMI input parameters |
.github/workflows/precommit.yml |
Adds Packer, shellcheck, and actionlint pre-commit tooling |
.pre-commit-config.yaml |
Adds actionlint, shellcheck, packer-fmt, packer-validate, terraform_validate hooks |
docs/*, README.md, examples/* |
Updated to reference nat-zero AMI instead of fck-nat |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
leonardosul
force-pushed
the
feat/custom-ami
branch
from
0d03d80 to
bccc048
Compare
leonardosul
added
integration-test
leonardosul
had a problem deploying
to
integration
GitHub Actions
Failure
leonardosul
added
integration-test
leonardosul
added
integration-test
leonardosul
added
integration-test
leonardosul
added
integration-test
leonardosul
had a problem deploying
to
integration
GitHub Actions
Failure
leonardosul
added
integration-test
leonardosul
had a problem deploying
to
integration
GitHub Actions
Failure
leonardosul
had a problem deploying
to
integration
GitHub Actions
Failure
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Validation