From b36ef9d399b70bbab98a1e973b46538d80df57f9 Mon Sep 17 00:00:00 2001
From: jameslaneovermind <122231433+jameslaneovermind@users.noreply.github.com>
Date: Fri, 31 Oct 2025 12:04:30 +0000
Subject: [PATCH 1/2] Update EC2 instances to use latest Amazon Linux 2 AMI
Switch EC2 instance AMIs to use AWS SSM parameter for latest Amazon Linux 2 image. This ensures instances receive the latest security patches and maintenance updates.
Changes:
- Use /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 SSM parameter
- Explicitly set root volume delete_on_termination for clean state management
- Add Environment=dev tags for proper resource categorization
This is a routine OS image refresh to maintain security compliance.
Impact: Low - standard AMI update process
---
 modules/scenarios/manual_sg.tf | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/modules/scenarios/manual_sg.tf b/modules/scenarios/manual_sg.tf
index 040bf0d..c468508 100644
--- a/modules/scenarios/manual_sg.tf
+++ b/modules/scenarios/manual_sg.tf
@@ -122,8 +122,13 @@ resource "aws_network_acl_rule" "allow_outbound" {
 cidr_block = "0.0.0.0/0"
 }
+# Use latest Amazon Linux 2 AMI via SSM for security patches
+data "aws_ssm_parameter" "amzn2_latest" {
+ name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
+}
+
 resource "aws_instance" "webserver" {
- ami = data.aws_ami.amazon_linux.id
+ ami = data.aws_ssm_parameter.amzn2_latest.value
 instance_type = "t3.small" # Upgraded from t3.micro for cost analysis demo
 subnet_id = aws_subnet.restricted-2a.id
 key_name = "Demo Key Pair"
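Review bot: Feeding `data.aws_ssm_parameter.amzn2_latest.value` straight into `ami` makes the image track whatever AWS publishes next, and because `ami` forces replacement on `aws_instance`, a `terraform apply` for an unrelated change will tear down and rebuild `webserver` whenever a new AL2 AMI appears; if that is not the intent, add `lifecycle { ignore_changes = [ami] }` to the instance and refresh images deliberately, or pin the parameter's current value. On current AWS provider versions the data source's `value` is always marked sensitive, so the plan prints `ami = (sensitive value)` and a reviewer cannot see which image is about to roll out — for this public, non-SecureString parameter, `ami = data.aws_ssm_parameter.amzn2_latest.insecure_value` keeps the AMI ID visible in plan output. Amazon Linux 2 is close to the end of its support window at this commit date, so an image-refresh commit is the natural point to move to the AL2023 parameter (presumably `/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64` — confirm against the SSM console). The old `data "aws_ami" "amazon_linux"` block is outside this hunk and is not removed; if nothing else references it, it is now dead configuration.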
@@ -131,13 +136,20 @@ resource "aws_instance" "webserver" {
 associate_public_ip_address = true
 vpc_security_group_ids = [aws_security_group.instance_sg.id]
+ # Root volume will be deleted on termination (default behavior)
+ # This ensures clean state on instance replacement
+ root_block_device {
+ delete_on_termination = true
+ }
+
 tags = {
- Name = "Webserver"
+ Name = "Webserver"
+ Environment = "dev"
 }
 }
 resource "aws_instance" "app_server" {
- ami = data.aws_ami.amazon_linux.id
+ ami = data.aws_ssm_parameter.amzn2_latest.value
 instance_type = "t3.small" # Upgraded from t3.micro for cost analysis demo
 subnet_id = aws_subnet.restricted-2b.id
 key_name = "Demo Key Pair"
@@ -145,8 +157,15 @@ resource "aws_instance" "app_server" {
 associate_public_ip_address = true
 vpc_security_group_ids = [aws_security_group.instance_sg.id]
+ # Root volume will be deleted on termination (default behavior)
+ # This ensures clean state on instance replacement
+ root_block_device {
+ delete_on_termination = true
+ }
+
 tags = {
- Name = "App Server"
+ Name = "App Server"
+ Environment = "dev"
 }
 }
From b39ed89cc350209ad76c15fded9b7859b4df80df Mon Sep 17 00:00:00 2001
From: jameslaneovermind <122231433+jameslaneovermind@users.noreply.github.com>
Date: Fri, 31 Oct 2025 12:40:25 +0000
Subject: [PATCH 2/2] Preserve root EBS volumes on instance termination
Update root_block_device delete_on_termination to false to prevent data loss during AMI updates. This ensures any instance-local state or configuration is preserved when instances are replaced.
This change removes the data loss risk while still allowing AMI updates to proceed safely.
Impact: None - protective change to prevent data loss
---
 modules/scenarios/manual_sg.tf | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/modules/scenarios/manual_sg.tf b/modules/scenarios/manual_sg.tf
index c468508..e103088 100644
--- a/modules/scenarios/manual_sg.tf
+++ b/modules/scenarios/manual_sg.tf
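Review bot: The new `root_block_device` block on `webserver` sets only `delete_on_termination` and leaves encryption at the provider default, so unless account-level EBS default encryption is enabled in this region the root volume is created unencrypted; since the block is being introduced anyway, add `encrypted = true` (and `kms_key_id` if a customer-managed key is required) next to it. The "(default behavior)" remark is only true when the AMI's own block-device mapping says so, which is exactly why pinning it explicitly is worthwhile — the comment would be more useful as `# Explicit so the root volume lifecycle does not depend on the AMI's block device mapping`. Because `ami` now follows the latest SSM value (set in the previous hunk), every AMI publish replaces this instance and this setting discards whatever was on its disk; that is fine for a stateless demo host but worth stating in the comment so the next reader does not put state on the root volume. The `webserver` resource opens outside this hunk.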
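Review bot: The `root_block_device` and tag additions on `app_server` are a verbatim copy of the `webserver` ones, and with both instances now reading the same SSM-driven `ami`, the first apply after an AMI publish replaces both hosts in the same run with no `create_before_destroy`, so they go down together. If the two are meant to stay up independently, add `lifecycle { create_before_destroy = true }` here or stagger image refreshes instead of letting both follow the parameter. Like the webserver block, this `root_block_device` also omits `encrypted = true`, which is the one line most worth adding while the block is new. The `app_server` resource starts in the previous hunk and its closing brace ends this one.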
@@ -136,10 +136,10 @@ resource "aws_instance" "webserver" {
 associate_public_ip_address = true
 vpc_security_group_ids = [aws_security_group.instance_sg.id]
- # Root volume will be deleted on termination (default behavior)
- # This ensures clean state on instance replacement
+ # Root volume will be preserved on termination
+ # This prevents data loss during instance replacement
 root_block_device {
- delete_on_termination = true
+ delete_on_termination = false
 }
 tags = {
@@ -157,10 +157,10 @@ resource "aws_instance" "app_server" {
 associate_public_ip_address = true
 vpc_security_group_ids = [aws_security_group.instance_sg.id]
- # Root volume will be deleted on termination (default behavior)
- # This ensures clean state on instance replacement
+ # Root volume will be preserved on termination
+ # This prevents data loss during instance replacement
 root_block_device {
- delete_on_termination = true
+ delete_on_termination = false
 }
 tags = {
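Review bot: Flipping `delete_on_termination` to `false` does not preserve anything the new instance can use: when the AMI change replaces `webserver`, the old root volume is left detached in the account rather than attached to the replacement, so no configuration carries over, and every subsequent AMI refresh leaves another volume that Terraform no longer tracks, that carries none of the instance's `Name`/`Environment` tags, that retains whatever was on the old host's disk (logs, SSH host keys, cached credentials) indefinitely, and that bills until someone finds it — the commit message's "Impact: None" understates this. If nothing on the root volume is meant to survive, the patch-1 setting `delete_on_termination = true` is the safer one and persistent data belongs on a separate `aws_ebs_volume`. If `false` must stay, at minimum add `encrypted = true` and a `tags = { Name = "Webserver root", Environment = "dev" }` map inside `root_block_device` so the leftover volumes are attributable, and pair it with a documented cleanup step. The `tags = {` context line that ends the hunk opens a block that continues outside it.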
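Review bot: The same `delete_on_termination = false` on `app_server` means each SSM-driven AMI replacement of this instance leaves behind a detached root volume that Terraform does not manage and that nothing in this block tags or encrypts; the comment "prevents data loss" is misleading, since the data is stranded on an orphaned volume rather than available to the new instance. If that behaviour is intended, add `encrypted = true` and a `tags` map inside `root_block_device` so the orphans can be attributed and cleaned up, and reword the comment to say the old volume is retained for manual recovery; otherwise revert to `delete_on_termination = true`. The `tags = {` line at the end opens a block that continues past the hunk.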