Desktop and Application Streaming

Automation of infrastructure and application deployment for Amazon AppStream 2.0 with Terraform

Cloud native application streaming enables end users to access native applications from any device, anywhere, and any time. Amazon AppStream 2.0 service enables application vendors and organizations to simplify and accelerate their native application delivery. As the demand for this service grows, the need to fully automate the deployment gains significance. Orchestrating AppStream 2.0 end-to-end deployment involves interactions between both the infrastructure as code, and the application deployment pipelines.

This blog walks you through how to build a fully automated pipeline to provision Amazon AppStream 2.0 infrastructure and application components using Terraform. Additionally, this blog discusses how to create a customized base image that complies with the security policies of your organization.

Time to read  7 minutes
Time to complete  60 minutes
Learning level  Advanced (300)
Cost to complete (estimated) < $5
Services used

Amazon AppStream 2.0

AWS CodeDeploy (Optional)

AWS Secrets Manager (Optional)


For this walkthrough, you need the following:

  • An AWS account
  • AWS IAM roles and policies with necessary permissions
  • Amazon Virtual Private Cloud (VPC) with two or more subnets
  • Access to GitHub Terraform repository
  • An existing infrastructure and application deployment pipeline
  • An existing artifact repository where application and security artifacts are available

Solution Overview

To use Amazon AppStream 2.0 to stream an application, an image builder must be provisioned first. Then the application(s) to be streamed must be installed and configured on the image builder. This image is the base for the fleet instances on which the application runs. The AppStream 2.0 stack provides the layer of abstraction between the fleet instances and the users.

The following diagram illustrates the different AppStream 2.0 components and their deployment.

Overview of Amazon AppStream 2.0 components and their deployment

At a high-level, the following are the steps to orchestrate end-to-end deployment of these components in a repeatable fashion:

  • Create a customized base image by applying the appropriate security patches and hardening scripts.
  • Provision the baseline Amazon AppStream 2.0 infrastructure. Create an image builder using the customized base image, fleet instances running the base image, and a stack for user access.
  • Deploy the application components on the Amazon AppStream 2.0 image builder.
  • Configure the application, and create a custom image.
  • Re-provision the Amazon AppStream 2.0 fleet instances with the newly created image to produce a fully functional stack.


The following flow chart shows the essential steps to orchestrate an end-to-end deployment of AppStream 2.0 infrastructure along with the application:

Flow chart depicting the steps involved in orchestrating the deployment of an Amazon AppStream 2.0 infrastructure and the associated application

Step 1: Create a custom base image

To create a custom image that meets your specific security requirements, refer to Automatically create customized AppStream 2.0 Windows images or Automatically create customized AppStream 2.0 Linux images. At a high level, the steps to create the custom image can be summarized as follows:

  1. Use a base operating system (OS) image available in the AppStream image registry to create an image builder instance.
  2. Setup login credentials in a credentials manager, such as AWS Secrets Manager.
  3. Login to the image builder instance to allow remote access using one of the following remote access methods using the credentials setup in the previous step.
    1. SSH keys for Linux
    2. WinRM for Windows based instance
  4. Configure security agents and update patches as per your security standards.
  5. Use the image assistant command line interface (CLI) to create a base image from the image Builder.

Creating a custom base image is a one-time process. The base image created this way would reside in the AppStream 2.0 Image registry as a private image.

Step 2: Provision the baseline Amazon AppStream 2.0 infrastructure

Now that the custom base image is created, invoke your existing infrastructure deployment pipeline to deploy the AppStream 2.0 infrastructure. At a high level, the steps are summarized as follows:

  1. Create an Infrastructure as Code (IaC) module, or use the sample implementation of IaC using Hashicorp Terraform:

The example code automates the steps involved in the provisioning of Amazon AppStream 2.0 resources in the AWS Cloud. It uses HashiCorp Terraform Configuration Language (HCL). The reusable Terraform modules provisions all the necessary resources, including an image builder, fleet instances, and stack.

  1. In the IaC module, pass the custom base image created in Step 1 as the value for the image builder base image name.
  2. Invoke the execution of IaC module through your existing infrastructure deployment pipeline to deploy the AppStream 2.0 components.

Automation adoption to streamline the process of creating images for your AppStream 2.0 fleets increases operational efficiency, reduces human error and increase consistency. Most importantly, you help quickly build new images and update your applications for end users.

AppStream 2.0 fleets are launched in an Application Auto Scaling Group. This allows the fleet to scale out or scale in dynamically. The fleet scaling requirements are unique and must be tailored for specific use cases. Review the best practices for scaling policy design for more information.  The example Terraform code can be modified to implement different scaling policies. You can choose from scheduled-based scaling, step scaling, and target tracking scaling policies or combine them based on your use-case.

Step 3: Deploy the application components on the AppStream 2.0 image builder

To deploy your application components, use your existing application deployment pipeline or use AWS CodeDeploy. As part of the deployment, the application deployment pipeline must first discover the image builder instance on the network, connect to it, install the application, and create an application image. At a high level, the steps can be summarized as follows:

  1. Invoke the following AWS CLI command to get the IP of the Elastic Network Interface (ENI) associated with the image builder, using the image builder name. This command would return the EniPrivateIpAddress among other things.
    aws appstream describe-image-builders --names <imageBuilderName> --region <region> --output json
  2. Fetch the login credentials (created in step 1.2) from the credentials manager, such as AWS Secrets Manager.
  3. Start the image builder instance if it is stopped.
  4. Login to the image builder instance using the EniPrivateIpAddress and login credentials.
  5. Download your application installer/artifact from your existing artifact repository.
  6. Install the application on the image builder instance using your existing deployment scripts.
  7. Invoke the image assistant CLI add-application operation to specify the application metadata and optimization manifest for the application image. Refer the add-application documentation in Create Your AppStream 2.0 Image Programmatically by Using the Image Assistant CLI Operations for more details.
    --name <value>
    --absolute-app-path <value>
    [--display-name <value>]
    [--absolute-icon-path <value>]
    [--working-directory <value>]
    [--launch-parameters <""-escaped value>]
    [--absolute-manifest-path <value>]
  8. Invoke the image assistant CLI create-image operation to create the application image. Refer the create-image documentation in Create Your AppStream 2.0 Image Programmatically by Using the Image Assistant CLI Operations for more details.
    --name <value>
    [--description <value>]
    [--display-name <value>]
    [--enable-dynamic-app-catalog] | [--no-enable-dynamic-app-catalog]
    [--use-latest-agent-version] | [--no-use-latest-agent-version]            
    [--tags <value>]

These steps can be automated using a script and run directly from your CI/CD pipeline. The blog Automatically create customized AppStream 2.0 Windows images provides sample Lambda functions that can be customized as per your needs. On successful execution of the previous steps, the application image is created and becomes available in the AppStream 2.0 Image registry.

Step 4: Re-provision the AppStream 2.0 fleet

Now that the application image is available, update the fleet image name with the application image in the IaC stack, and retrigger the IaC pipeline.

This process can be automated with a script that updates the fleet image parameter in the IaC stack with the newly created application image. The automation then triggers the IaC pipeline during a scheduled maintenance window. When triggered, the IaC pipeline re-provisions the fleet instances alone based on the new application image. Once this process completes, you will have a complete AppStream 2.0 setup that can stream applications.

Base images scheduled life cycle maintenance keep them updated and secured. The blog post Scheduling managed image updates for AppStream 2.0 describes a method of automating image updates on a schedule.

Using the newly created custom base image, rebuild all the application images and AppStream 2.0 components.

Considerations for handling changes

There are key considerations when building an image to ensure applications work correctly and securely. In addition, there are design considerations for how that image is maintained. To read more, review the image creation and management section of the Best Practices for Deploying Amazon AppStream 2.0.

Cleaning up

To avoid ongoing charges in your AWS account, delete all the deployed AWS resources using the terraform destroy command. Log in to the AWS Management Console and delete any additional resources you may have created as part of this deployment.


This post describes a prescriptive guidance on terraform based automation to provision the infrastructure and deploy application components on Amazon AppStream 2.0 image builder. The automation guidelines help your organization to streamline and optimize application streaming infrastructure deployment and maintenance. The sample script can be altered and reused to reduce the administrative overhead of maintaining your workload for application deployments and updates. Amazon AppStream 2.0 can be managed via AWS Management Console, AWS Command Line Interface (AWS CLI), and through the AWS SDKs. For further assistance reach out to AWS Support and your AWS account team.

Aruun Kumar is a Senior Cloud Application Architect at AWS with a diverse technology experience ranging from mainframes to microservices. Known for his technical skills and innovative spirit, he thrives on solving complex technical problems. Aruun is passionate about engineering, and automation, and in his free time he enjoys playing tennis, working out, and volunteering in the community.
Arun Chandapillai is a Senior Architect who is a diversity and inclusion champion. He is passionate about helping his Customers accelerate IT modernization through business-first Cloud adoption strategies and successfully build, deploy, and manage applications and infrastructure in the Cloud. Arun is an automotive enthusiast, an avid speaker, and a philanthropist who believes in ‘you get (back) what you give’.
Shak Kathirvel is Senior Cloud Application Architect with AWS ProServe. He enjoys working with customers and helping them with Application Modernization and Optimization efforts, guide their Enterprise Cloud management and Governance strategies and migrate their workloads to the cloud. He is passionate about Enterprise architecture, Serverless technologies and AWS cost and usage optimization. He loves his job for its challenges and the opportunity to work with inspiring customers and colleagues