From 9f10b44c188749d075bfd946c8ae383be0eee67b Mon Sep 17 00:00:00 2001 From: Alexander Petric Date: Tue, 17 Mar 2026 16:12:04 -0400 Subject: [PATCH] =?UTF-8?q?update=20cloudformation=20template=20to=20use?= =?UTF-8?q?=20latest=20cli/images=20+=20fix=20cl=E2=80=A6=20(#8417)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: update cloudformation template to use latest cli/images + fix cleanup script * fix: narrow SG cleanup to k8s-created groups + add CLI install error handling Co-Authored-By: Claude Opus 4.6 --------- Co-authored-by: Claude Opus 4.6 --- .../aws-eks-cloudformation/quicklaunch.yaml | 72 +++++++++---------- 1 file changed, 36 insertions(+), 36 deletions(-)
diff --git a/examples/deploy/aws-eks-cloudformation/quicklaunch.yaml b/examples/deploy/aws-eks-cloudformation/quicklaunch.yaml
index 3dda495ebe..5f2b4c42dc 100644
--- a/examples/deploy/aws-eks-cloudformation/quicklaunch.yaml
+++ b/examples/deploy/aws-eks-cloudformation/quicklaunch.yaml
@@ -58,38 +58,10 @@ Parameters: - false Description: Enable Windmill Enterprise features (requires license key) -Mappings: - RegionMap: - us-east-1: - AMI: ami-0cff7528ff583bf9a - us-east-2: - AMI: ami-0cd3c7f72edd5b06d - us-west-1: - AMI: ami-0d9858aa3c6322f73 - us-west-2: - AMI: ami-098e42ae54c764c35 - ca-central-1: - AMI: ami-00f881f027a6d74a0 - eu-west-1: - AMI: ami-04dd4500af104442f - eu-west-2: - AMI: ami-0eb260c4d5475b901 - eu-west-3: - AMI: ami-05e8e20cef0eaa9d0 - eu-central-1: - AMI: ami-0bad4a5e987bdebde - ap-northeast-1: - AMI: ami-0b7546e839d7ace12 - ap-northeast-2: - AMI: ami-0fd0765afb77bcca7 - ap-southeast-1: - AMI: ami-0c802847a7dd848c0 - ap-southeast-2: - AMI: ami-07620139298af599e - ap-south-1: - AMI: ami-0851b76e8b1bce90b - sa-east-1: - AMI: ami-054a31f1b3bf90920 + LatestAmiId: + Type: AWS::SSM::Parameter::Value + Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64 + Description: Latest Amazon Linux 2023 AMI (automatically resolved via SSM) Resources: VPC: @@ -345,7 +317,7 @@ Resources: - EKSNodeGroup - WindmillDB Properties: - ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMI] + ImageId: !Ref LatestAmiId InstanceType: t3.micro IamInstanceProfile: !Ref WindmillInstallerInstanceProfile SubnetId: !Ref PublicSubnet1 @@ -358,7 +330,15 @@ Resources: # Install required tools yum update -y - yum install -y aws-cli jq postgresql15 aws-cfn-bootstrap + yum install -y jq postgresql15 aws-cfn-bootstrap unzip + + # Install AWS CLI v2 (yum aws-cli package is v1 and outdated) + echo "Installing AWS CLI v2..." + if ! (curl -sf "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && unzip -q awscliv2.zip && ./aws/install); then + echo "ERROR: Failed to install AWS CLI v2" + exit 1 + fi + rm -rf aws awscliv2.zip # Set up logging directory with correct permissions mkdir -p /var/log/windmill-installer 
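Review bot: The new `LatestAmiId` parameter makes the installer's image a moving target: the SSM path is re-resolved on every stack create and update, so a later update can pick up a different AMI and replace the installer instance, which would presumably re-run its UserData. The `Description` should say so, along the lines of `Resolved from SSM at every stack operation; set to a specific AMI path to pin the image`, and the installer script (outside this hunk) should be confirmed safe to re-run. As rendered here the `Type` reads `AWS::SSM::Parameter::Value` with no value type; if that is not an extraction artifact, it needs to be `AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>` so CloudFormation validates the resolved value as an image id.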
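Review bot: The added AWS CLI v2 block in UserData downloads a zip over HTTPS and runs `./aws/install` as root with no integrity check on the archive, so the instance trusts whatever that URL serves at boot time. Since the same commit moves the instance to Amazon Linux 2023, which as far as I know ships CLI v2 as a signed distro package, the download could be dropped in favour of `yum install -y jq postgresql15 aws-cfn-bootstrap awscli-2` (confirm the package name against the AMI); otherwise verify the archive against AWS's published signature before installing. Separately, `exit 1` here leaves the script before any completion signal that may be sent later in UserData (not visible in this hunk), so a failed install would likely surface as a stack timeout rather than an immediate failure. `curl -sf` also suppresses the error text; `-sSf` keeps the failure reason in the log.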
@@ -602,6 +582,8 @@ Resources: ZipFile: | const { ElasticLoadBalancingClient, DescribeLoadBalancersCommand, DeleteLoadBalancerCommand } = require('@aws-sdk/client-elastic-load-balancing'); + const { EC2Client, DescribeSecurityGroupsCommand, + DeleteSecurityGroupCommand } = require('@aws-sdk/client-ec2'); const response = require('cfn-response'); exports.handler = async (event, context) => { @@ -611,6 +593,7 @@ Resources: try { const elb = new ElasticLoadBalancingClient(); + const ec2 = new EC2Client(); const vpcId = event.ResourceProperties.VpcId; // Find and delete Classic Load Balancers in the VPC @@ -628,14 +611,29 @@ Resources: } if (deleted) { - // Wait for deletion to complete console.log('Waiting 30 seconds for load balancer deletion to complete...'); await new Promise(r => setTimeout(r, 30000)); } + // Delete Kubernetes-created security groups (e.g. k8s-elb-*) + const sgResponse = await ec2.send(new DescribeSecurityGroupsCommand({ + Filters: [{ Name: 'vpc-id', Values: [vpcId] }] + })); + + for (const sg of sgResponse.SecurityGroups || []) { + if (sg.GroupName !== 'default' && (sg.GroupName.startsWith('k8s-') || (sg.Tags || []).some(t => t.Key.startsWith('kubernetes.io/')))) { + console.log(`Deleting security group: ${sg.GroupId} (${sg.GroupName})`); + try { + await ec2.send(new DeleteSecurityGroupCommand({ GroupId: sg.GroupId })); + } catch (e) { + console.log(`Could not delete ${sg.GroupId}: ${e.message}`); + } + } + } + return response.send(event, context, response.SUCCESS); } catch (error) { - console.error('Error deleting load balancers:', error); + console.error('Error during VPC cleanup:', error); return response.send(event, context, response.FAILED, {error: error.message}); } }; 
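Review bot: The delete filter in the new security-group loop matches any group in the VPC whose name starts with `k8s-` or that carries any tag key starting with `kubernetes.io/`, which is wider than "groups this cluster created". Matching the cluster-ownership tag instead, e.g. `(sg.Tags || []).some(t => t.Key === 'kubernetes.io/cluster/' + clusterName)` with `clusterName` passed in as a new resource property, would tie deletion to this stack's cluster. The inner `catch` only logs, so the handler still reports `SUCCESS` when a group could not be removed (groups that reference each other, or ENIs still attached after the 30-second wait, will fail with a dependency error), and the failure then shows up later at VPC deletion with less context. A comment such as `// best effort: remaining groups will block VPC deletion` plus a final log of the ids that were left behind would make that traceable. The handler starts outside this hunk, so whether this path runs only on `Delete` could not be checked here.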
@@ -662,6 +660,8 @@ Resources: - ec2:DescribeAddresses - ec2:DisassociateAddress - ec2:DescribeNetworkInterfaces + - ec2:DescribeSecurityGroups + - ec2:DeleteSecurityGroup - elasticloadbalancing:DescribeLoadBalancers - elasticloadbalancing:DeleteLoadBalancer - elasticloadbalancingv2:DescribeLoadBalancers
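Review bot: `ec2:DeleteSecurityGroup` is appended to an action list whose `Resource` and `Condition` elements are outside this hunk; if that statement applies to `*`, the cleanup role can delete any security group in the account, and the only scoping is the name/tag check in the function code. Consider moving the delete action into its own statement limited to this stack's VPC, for example with a condition on `ec2:Vpc` set to the VPC ARN (confirm that key is supported for this action), and leaving `ec2:DescribeSecurityGroups` in the unscoped statement since describe calls generally cannot be resource-restricted. A short comment such as `# delete is limited to groups in the stack VPC` on the new statement would record the intent.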