
AWS::EC2::Snapshot + AWS::EC2::Image - New Resource - Support Snapshot + Image Import and AMI Management #2175

@commiterate

Description


Feature Request

Natively support creating AMIs through snapshot import + image import and managing them through CloudFormation.

This should be owned by the EC2 team that owns the ec2:ImportSnapshot + ec2:RegisterImage (for snapshot import) and ec2:ImportImage APIs.

These don't belong under the existing AWS::ImageBuilder::Image resource (feature request) because:

  1. The snapshot + image import APIs are not owned by EC2 Image Builder.
  2. Image Builder comes up late in AWS region build, which means AWS::ImageBuilder::Image will be available late in region build.
    • AMIs are a foundational resource, so AWS::EC2::Snapshot and AWS::EC2::Image must be usable early.

Snapshot import should be prioritized over image import because the latter has significantly more limitations (only supports i386 and x86-64 images, doesn't support the uefi-preferred boot mode, requires Linux OSes to follow the filesystem hierarchy standard).

Users should be able to have a CloudFormation template like this for ec2:ImportSnapshot + ec2:RegisterImage:

Resources:
  ImportedSnapshot:
    Type: AWS::EC2::Snapshot
    Properties:
      # Snapshot source (i.e. how it's created).
      #
      # Can use ec2:Import/Copy/CreateSnapshot. Mutually exclusive.
      Source:
        # ec2:ImportSnapshot request parameters.
        Import:
          DiskContainer:
            UserBucket:
              S3Bucket: cdk-{qualifier}-assets-${AWS::AccountId}-${AWS::Region}
              S3Key: {content hash}-vm-image-aarch64.raw
      # ec2:ModifySnapshotAttribute request parameters.
      Attributes:
        CreateVolumePermissions:
          - Group: all
      # ec2:Create/DeleteTags request parameters.
      Tags:
        - key: value
  ImportedAMI:
    Type: AWS::EC2::Image
    Properties:
      # Image source (i.e. how it's created).
      #
      # Can use ec2:Register/Import/Copy/CreateImage. Mutually exclusive.
      Source:
        # ec2:RegisterImage request parameters.
        Register:
          Architecture: arm64
          BootMode: uefi
          BlockDeviceMappings:
            - Ebs:
                SnapshotId: !Ref ImportedSnapshot
      # ec2:ModifyImageAttribute request parameters.
      Attributes:
        Description: My imported image.
        ImdsSupport: v2.0
        LaunchPermissions:
          - Group: all
          - OrganizationId: o-000000000000
      # ec2:Create/DeleteTags request parameters.
      Tags:
        - key: value

Users should be able to have a CloudFormation template like this for ec2:ImportImage:

Resources:
  ImportedAMI:
    Type: AWS::EC2::Image
    Properties:
      # Image source (i.e. how it's created).
      #
      # Can use ec2:Register/Import/Copy/CreateImage. Mutually exclusive.
      Source:
        # ec2:ImportImage request parameters.
        Import:
          Architecture: arm64
          BootMode: uefi
          ImageDiskContainers:
            - UserBucket:
                S3Bucket: cdk-{qualifier}-assets-${AWS::AccountId}-${AWS::Region}
                S3Key: {content hash}-vm-image-aarch64.raw
      # ec2:ModifyImageAttribute request parameters.
      Attributes:
        Description: My imported image.
        ImdsSupport: v2.0
        LaunchPermissions:
          - Group: all
          - OrganizationId: o-000000000000
      # ec2:Create/DeleteTags request parameters.
      Tags:
        - key: value

The resources should support the following return values:

  • AWS::EC2::Snapshot
    • Ref
      • Returns the snapshot ID (e.g. snap-000000000000). For use in most places (e.g. block device mappings).
    • GetAtt
      • Arn
        • Returns the snapshot ARN (e.g. arn:aws:ec2:us-west-2::snapshot/snap-000000000000). For use in IAM policies.
      • ImportTaskId
        • Returns the ec2:ImportSnapshot import task ID.
  • AWS::EC2::Image
    • Ref
      • Returns the AMI ID (e.g. ami-000000000000). For use in most places (e.g. launch templates).
    • GetAtt
      • Arn
        • Returns the AMI ARN (e.g. arn:aws:ec2:us-west-2::image/ami-000000000000). For use in IAM policies.
      • ImportTaskId
        • Returns the ec2:ImportImage import task ID.

Deleting the resource should delete:

  • The EBS snapshot.
  • The AMI.

Use Cases

Let users declaratively import and manage EC2 AMIs with CloudFormation. This helps support the AMI baking and immutable infrastructure pattern.

See #2119 for more details.

With this, users will be able to import an AMI and then:

  1. Reference it in an AWS::ImageBuilder::ImageRecipe for custom image builds and cross-account + cross-region image distribution pipelines.
  2. Reference it in an AWS::EC2::LaunchTemplate for use with an AWS::EC2::Instance or AWS::AutoScaling::AutoScalingGroup.
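As an added example that is not part of this issue or of CloudFormation itself, the following hypothetical Python helper performs the ec2:ImportSnapshot, ec2:RegisterImage, ec2:ModifyImageAttribute and ec2:CreateTags calls the proposed resources describe, driven by dicts shaped like their Properties. The EC2 client is injected (any object with boto3's method names) so the mapping can be checked offline with a fake; the root device name, the image Name, inferring the disk format from the S3 key suffix, and mapping only Group launch permissions are assumptions.

```python
import time

# Assumed: the snapshot format follows the S3 key suffix (ImportSnapshot accepts VHD, VMDK, RAW).
DISK_FORMATS = {"raw": "RAW", "vmdk": "VMDK", "vhd": "VHD"}


def snapshot_import_kwargs(snapshot_props):
    """Map AWS::EC2::Snapshot Source.Import onto ec2:ImportSnapshot parameters."""
    bucket = snapshot_props["Source"]["Import"]["DiskContainer"]["UserBucket"]
    fmt = DISK_FORMATS[bucket["S3Key"].rsplit(".", 1)[-1].lower()]
    return {"DiskContainer": {"Format": fmt, "UserBucket": dict(bucket)}}


def register_image_kwargs(image_props, snapshot_id, name):
    """Map AWS::EC2::Image Source.Register (plus ImdsSupport) onto ec2:RegisterImage parameters."""
    reg = image_props["Source"]["Register"]
    return {"Name": name, "Architecture": reg["Architecture"], "BootMode": reg["BootMode"],
            "VirtualizationType": "hvm", "RootDeviceName": "/dev/xvda",  # assumed root device
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": snapshot_id}}],
            "ImdsSupport": image_props.get("Attributes", {}).get("ImdsSupport", "v2.0")}


def apply_tags(ec2, resource_id, tags):
    """ec2:CreateTags from the template's `- key: value` list; skipped when empty (the API rejects an empty list)."""
    if tags:
        ec2.create_tags(Resources=[resource_id], Tags=[{"Key": k, "Value": v} for t in tags for k, v in t.items()])


def import_and_register(ec2, snapshot_props, image_props, name, poll_seconds=15):
    """Run the import task to completion, register the AMI and apply attributes and tags."""
    task_id = ec2.import_snapshot(**snapshot_import_kwargs(snapshot_props))["ImportTaskId"]
    while True:  # poll ec2:DescribeImportSnapshotTasks until the task reaches a terminal status
        detail = ec2.describe_import_snapshot_tasks(ImportTaskIds=[task_id])["ImportSnapshotTasks"][0]["SnapshotTaskDetail"]
        if detail["Status"] == "completed":
            snapshot_id = detail["SnapshotId"]
            break
        if detail["Status"] in ("deleting", "deleted"):
            raise RuntimeError(f"import task {task_id} failed: {detail.get('StatusMessage')}")
        time.sleep(poll_seconds)
    apply_tags(ec2, snapshot_id, snapshot_props.get("Tags", []))
    image_id = ec2.register_image(**register_image_kwargs(image_props, snapshot_id, name))["ImageId"]
    # Only Group launch permissions are mapped here; Group "all" makes the AMI public.
    perms = image_props.get("Attributes", {}).get("LaunchPermissions", [])
    groups = [{"Group": p["Group"]} for p in perms if "Group" in p]
    if groups:
        ec2.modify_image_attribute(ImageId=image_id, LaunchPermission={"Add": groups})
    apply_tags(ec2, image_id, image_props.get("Tags", []))
    return {"ImportTaskId": task_id, "SnapshotId": snapshot_id, "ImageId": image_id,
            "Public": any(g["Group"] == "all" for g in groups)}
```

With a real client (`boto3.client("ec2")`) the same call returns the import task ID, snapshot ID and AMI ID the issue lists as return values, and the `Public` flag tells you before launch whether the requested permissions expose the AMI to every account.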
