Golden AMI using Cloud formation

I have attached the sample yml file to work with cloud formation. you guys have to just take the script and run the file.

Note: Please do the necessary changes to the scripts. update the user data as needed.

---
AWSTemplateFormatVersion: '2010-09-09'
Description: " This cloudformation template creates resources required to set up a
golden ami pipeline.(fdp-1o82smtoh)"
Parameters:
productName:
Type: String
Default: ProductName-ProductVersion
Description: 'ProductName-ProductVersion combination of the product for which
you intend to use the pipeline. You get to override this later when you trigger
automation workflow. '
productOSAndVersion:
Type: String
Default: OperatingSystemName-OperatingSystemVersion
Description: Operating system name and OS version. You get to override this later
when you trigger automation workflow.
buildVersion:
Type: String
Default: '1'
Description: Build-Version corresponding to your product. Note - This is just
a default value, you get to override this later when you trigger automation
workflow.
cidrVPC:
Description: An available CIDR block for creating a new VPC. The size of the VPC
should be big enough to hold instances of all your golden AMIs at a time
Type: String
MinLength: '9'
MaxLength: '18'
Default: 10.0.0.0/16
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
cidrPrivateSubnet:
Description: An available CIDR block for creating a new VPC. The size of the VPC
should be big enough to hold instances of all your golden AMIs at a time
Type: String
MinLength: '9'
MaxLength: '18'
Default: 10.0.1.0/24
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
cidrPublicSubnet:
Description: An available CIDR block for creating a new VPC. The size of the VPC
should be big enough to hold instances of all your golden AMIs at a time
Type: String
MinLength: '9'
MaxLength: '18'
Default: 10.0.2.0/24
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
ApproverUserIAMARN:
Type: String
Default: ''
Description: IAM ARN of the Golden AMI approver. The approver must have AmazonSSMAutomationApproverAccess
policy associated with it's IAM Profile .
EmailID:
Type: String
Default: myemail@mycompany.com
AllowedPattern: "([a-zA-Z0-9_\\-\\.]+)@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.)|(([a-zA-Z0-9\\-]+\\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\\]?)"
Description: Your email ID for receiving Inspector assessment results and golden
AMI creation notification.
instanceType:
Type: String
Default: t2.large
Description: Specify the the InstanceType compatible with all your golden AMIs.
This InstanceType will be used for launching continuous vulnerability assessment
of golden AMIs.
continuousInspectionFrequency:
Type: String
Default: rate(1 day)
Description: Frequency for setting up continuous inspection of your AMIs. For
syntax, check - https://docs.aws.amazon.com/lambda/latest/dg/tutorial-scheduled-events-schedule-expressions.html
MetadataJSON:
Type: String
Default: '{"Account_ID_1":"region_1,region_2"}'
Description: Metadata of accounts and regions for distributing the golden AMI.
roleName:
Type: String
Default: goldenAMICrossAccountRole
Description: Cross account role suffix for managing Golden AMI metadata Parameters
in child account(s). This role needs to exist in each account specified in MetadataJSON
parameter.
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
EnableDnsSupport: 'true'
EnableDnsHostnames: 'true'
CidrBlock:
Ref: cidrVPC
subnetPrivate:
Type: AWS::EC2::Subnet
Properties:
CidrBlock:
Ref: cidrPrivateSubnet
VpcId:
Ref: VPC
subnetPublic:
Type: AWS::EC2::Subnet
Properties:
MapPublicIpOnLaunch: true
CidrBlock:
Ref: cidrPublicSubnet
VpcId:
Ref: VPC
InternetGateway:
Type: AWS::EC2::InternetGateway
PublicVPCGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: VPC
InternetGatewayId:
Ref: InternetGateway
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: VPC
PublicRoute:
Type: AWS::EC2::Route
DependsOn: PublicVPCGatewayAttachment
Properties:
RouteTableId:
Ref: PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId:
Ref: InternetGateway
PublicSubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId:
Ref: subnetPublic
RouteTableId:
Ref: PublicRouteTable
NAT:
DependsOn: PublicVPCGatewayAttachment
Type: AWS::EC2::NatGateway
Properties:
AllocationId:
Fn::GetAtt:
- EIP
- AllocationId
SubnetId:
Ref: subnetPublic
PrivateRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: VPC
EIP:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
PrivateRoute:
Type: AWS::EC2::Route
GoldenAMIAutomationDoc:
Type: AWS::SSM::Document
DependsOn:
- InspectorCompleteTopic
Properties:
DocumentType: Automation
Content:
description: This automation document triggers Golden AMI creation workflow.
schemaVersion: '0.3'
assumeRole:
Fn::GetAtt:
- AutomationServiceRole
- Arn
parameters:
sourceAMIid:
type: String
description: Source/Base AMI to be used for generating your golden AMI
default: ''
productName:
type: String
description: The syntax of this parameter is ProductName-ProductVersion.
default:
Ref: productName
productOSAndVersion:
type: String
description: The syntax of this parameter is OSName-OSVersion
default:
Ref: productOSAndVersion
AMIVersion:
type: String
description: Golden AMI Build version number to be created.
default:
Ref: buildVersion
subnetId:
type: String
default:
Ref: subnetPrivate
description: Subnet in which instances will be launched.
securityGroupId:
type: String
default:
Ref: secGroup
description: Security Group that will be attached to the instance. By
Default a security group without any inbound access is attached
instanceType:
type: String
description: A compatible instance-type for launching an instance
default:
Ref: instanceType
targetAMIname:
type: String
description: Name for the golden AMI to be created
default: "{{productName}}-{{productOSAndVersion}}-{{AMIVersion}}"
ApproverUserIAMARN:
type: String
description: IAM ARN of the user who has SSM approval permissions.
default:
Ref: ApproverUserIAMARN
ApproverNotificationArn:
type: String
description: SNS Topic ARN on which a notification would be published
once the golden AMI candidate is ready for validation.
default:
Ref: ApproverNotification
ManagedInstanceProfile:
type: String
description: Instance Profile. Do not change the default value.
default:
Ref: ManagedInstanceProfile
SSMInstallationUserData:
type: String
description: Base64 encoded SSM installation user-data.
default: IyEvYmluL2Jhc2gNCg0KZnVuY3Rpb24gZ2V0X2NvbnRlbnRzKCkgew0KICAgIGlmIFsgLXggIiQod2hpY2ggY3VybCkiIF07IHRoZW4NCiAgICAgICAgY3VybCAtcyAtZiAiJDEiDQogICAgZWxpZiBbIC14ICIkKHdoaWNoIHdnZXQpIiBdOyB0aGVuDQogICAgICAgIHdnZXQgIiQxIiAtTyAtDQogICAgZWxzZQ0KICAgICAgICBkaWUgIk5vIGRvd25sb2FkIHV0aWxpdHkgKGN1cmwsIHdnZXQpIg0KICAgIGZpDQp9DQoNCnJlYWRvbmx5IElERU5USVRZX1VSTD0iaHR0cDovLzE2OS4yNTQuMTY5LjI1NC8yMDE2LTA2LTMwL2R5bmFtaWMvaW5zdGFuY2UtaWRlbnRpdHkvZG9jdW1lbnQvIg0KcmVhZG9ubHkgVFJVRV9SRUdJT049JChnZXRfY29udGVudHMgIiRJREVOVElUWV9VUkwiIHwgYXdrIC1GXCIgJy9yZWdpb24vIHsg
PreUpdateScript:
type: String
description: (Optional) URL of a script to run before updates are applied.
Default ("none") is to not run a script.
default: none
PostUpdateScript:
type: String
description: (Optional) URL of a script to run after package updates are
applied. Default ("none") is to not run a script.
default: none
IncludePackages:
type: String
description: (Optional) Only update these named packages. By default ("all"),
all available updates are applied.
default: all
ExcludePackages:
type: String
description: (Optional) Names of packages to hold back from updates, under
all conditions. By default ("none"), no package is excluded.
default: none
mainSteps:
- name: startInstances
action: aws:runInstances
timeoutSeconds: 3600
maxAttempts: 1
onFailure: Abort
inputs:
ImageId: "{{ sourceAMIid }}"
InstanceType: "{{instanceType}}"
MinInstanceCount: 1
MaxInstanceCount: 1
SubnetId: "{{ subnetId }}"
SecurityGroupIds:
- "{{ securityGroupId }}"
UserData: "{{SSMInstallationUserData}}"
IamInstanceProfileName: "{{ ManagedInstanceProfile }}"
- name: updateOSSoftware
action: aws:runCommand
maxAttempts: 3
timeoutSeconds: 3600
onFailure: Abort
inputs:
DocumentName: AWS-RunShellScript
InstanceIds:
- "{{startInstances.InstanceIds}}"
Parameters:
commands:
- set -e
- '[ -x "$(which wget)" ] && get_contents=''wget $1 -O -'''
- '[ -x "$(which curl)" ] && get_contents=''curl -s -f $1'''
- eval $get_contents https://aws-ssm-downloads-{{global:REGION}}.s3.amazonaws.com/scripts/aws-update-linux-instance > /tmp/aws-update-linux-instance
- chmod +x /tmp/aws-update-linux-instance
- "/tmp/aws-update-linux-instance --pre-update-script '{{PreUpdateScript}}'
--post-update-script '{{PostUpdateScript}}' --include-packages '{{IncludePackages}}'
--exclude-packages '{{ExcludePackages}}' 2>&1 | tee /tmp/aws-update-linux-instance.log"
- name: stopInstance
action: aws:changeInstanceState
timeoutSeconds: 1200
maxAttempts: 1
onFailure: Abort
inputs:
InstanceIds:
- "{{ startInstances.InstanceIds }}"
DesiredState: stopped
- name: createImage
action: aws:createImage
timeoutSeconds: 1200
maxAttempts: 1
onFailure: Continue
inputs:
InstanceId: "{{ startInstances.InstanceIds }}"
ImageName: "{{ targetAMIname }}"
NoReboot: true
ImageDescription: AMI created by EC2 Automation
- name: TagTheAMI
action: aws:createTags
timeoutSeconds: 1200
maxAttempts: 1
onFailure: Continue
inputs:
ResourceType: EC2
ResourceIds:
- "{{ createImage.ImageId }}"
Tags:
- Key: ProductOSAndVersion
Value: "{{productOSAndVersion}}"
- Key: ProductName
Value: "{{productName}}"
- Key: version
Value: "{{AMIVersion}}"
- Key: AMI-Type
Value: Golden
- name: terminateFirstInstance
action: aws:changeInstanceState
timeoutSeconds: 1200
maxAttempts: 1
onFailure: Continue
inputs:
InstanceIds:
- "{{ startInstances.InstanceIds }}"
DesiredState: terminated
- name: createInstanceFromNewImage
action: aws:runInstances
timeoutSeconds: 1200
maxAttempts: 1
onFailure: Abort
inputs:
ImageId: "{{ createImage.ImageId }}"
InstanceType: "{{instanceType}}"
MinInstanceCount: 1
MaxInstanceCount: 1
SubnetId: "{{ subnetId }}"
SecurityGroupIds:
- "{{ securityGroupId }}"
IamInstanceProfileName: "{{ ManagedInstanceProfile }}"
- name: TagNewinstance
action: aws:createTags
timeoutSeconds: 1200
maxAttempts: 1
onFailure: Continue
inputs:
ResourceType: EC2
ResourceIds:
- "{{ createInstanceFromNewImage.InstanceIds }}"
Tags:
- Key: Type
Value: "{{createImage.ImageId}}-{{productOSAndVersion}}/{{productName}}/{{AMIVersion}}"
- Key: Automation-Instance-Type
Value: Golden
- name: sleep
action: aws:sleep
inputs:
- name: updateLatestVersionValue
action: aws:invokeLambdaFunction
timeoutSeconds: 1200
maxAttempts: 1
onFailure: Abort
inputs:
FunctionName:
Ref: AppendParamLambda
Payload: '{"parameterName":"/GoldenAMI/latest", "valueToBeCreatedOrAppended":"{{createImage.ImageId}}"}'
outputs:
- createImage.ImageId

Above CF script will create and ssm document in AWS Systems manager. With the help of SSM document, you guys can run a execution in AWS.