fix(ami-housekeeper): don't delete referenced AMIs in default config #4623

iainlane · 2025-06-17T17:10:08Z

In 472cc5f the default config was migrated to use SSM for AMI lookup. A parameter is created which stores a reference to the AMI. By default, this parameter is called ${var.ssm_paths.root}/${var.ssm_paths.config}/ami_id.

The housekeeper is a process that looks for AMIs which can be deleted because they're no longer used. It does this in a couple of ways:

Check the launch template for the AMI ID.
Check the SSM parameter.
Apply a threshold to not delete AMIs that are too new, according to the config.

The problem is that we were looking for SSM parameters like this:

const ssmParams = await ssmClient.send(
  new DescribeParametersCommand({
    ParameterFilters: [
      {
        Key: "Name",
        Values: ["ami-id"],
        Option: "Contains",
      },
    ],
  }),
);

i.e. we were looking for parameters which contain the hardcoded string ami-id. This is different to the new default of ami_id. So we weren't considering the right AMIs to be in use.

What would be a better approach would be to reference the values dynamically. This means resolving from the template, and handling the passed-in options, if there are any. We're documenting that we support wildcards, so also support that here too.

The default value in the launch template became resolve:ssm:<id or AMI>, so we need to make sure to ask EC2 to resolve for us when looking up the template. In that way we get the actual AMI ID rather than the alias.

This can be a bit challenging to understand, so the comments are improved.

Comprehensive tests are added to try to ensure this all works as expected.

Closes: #4571

In 472cc5f the default config was migrated to use SSM for AMI lookup. A parameter is created which stores a reference to the AMI. By default, this parameter is called `${var.ssm_paths.root}/${var.ssm_paths.config}/ami_id`. The housekeeper is a process that looks for AMIs which can be deleted because they're no longer used. It does this in a couple of ways: 1. Check the launch template for the AMI ID. 2. Check the SSM parameter. 3. Apply a threshold to not delete AMIs that are too new, according to the config. The problem is that we were looking for SSM parameters like this: ```typescript const ssmParams = await ssmClient.send( new DescribeParametersCommand({ ParameterFilters: [ { Key: 'Name', Values: ['ami-id'], Option: 'Contains', }, ], }), ); ``` i.e. we were looking for parameters which contain the hardcoded string `ami-id`. This is different to the new default of `ami_id`. So we weren't considering the right AMIs to be in use. What would be a better approach would be to reference the values dynamically. This means resolving from the template, and handling the passed-in options, if there are any. We're documenting that we support wildcards, so also support that here too. The default value in the launch template became `resolve:ssm:<id or AMI>`, so we need to make sure to ask EC2 to resolve for us when looking up the template. In that way we get the actual AMI ID rather than the alias. This can be a bit challenging to understand, so the comments are improved. Comprehensive tests are added to try to ensure this all works as expected. Closes: github-aws-runners#4571

iainlane requested a review from a team as a code owner June 17, 2025 17:10

npalm self-requested a review June 17, 2025 17:15

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(ami-housekeeper): don't delete referenced AMIs in default config #4623

fix(ami-housekeeper): don't delete referenced AMIs in default config #4623

Uh oh!

iainlane commented Jun 17, 2025

Uh oh!

Uh oh!

fix(ami-housekeeper): don't delete referenced AMIs in default config #4623

Are you sure you want to change the base?

fix(ami-housekeeper): don't delete referenced AMIs in default config #4623

Uh oh!

Conversation

iainlane commented Jun 17, 2025

Uh oh!

Uh oh!