aws-cloudformation/cloudformation-coverage-roadmap

AWS::EC2::Image - New Resource - Support Snapshot + Image Import and AMI Management

Opened this issue · 1 comment

Feature Request

Natively support creation of AMIs through snapshot import + image import and managing them through CloudFormation.

This should be owned by the EC2 team that owns the ec2:ImportSnapshot + ec2:RegisterImage (for snapshot import) and ec2:ImportImage APIs.

These don't belong under the existing AWS::ImageBuilder::Image resource (feature request) because:

  1. The snapshot + image import APIs are not owned by EC2 Image Builder.
  2. Image Builder comes up late in an AWS region build, which means AWS::ImageBuilder::Image will be available late in the region build.
    • AMIs are a foundational resource, so AWS::EC2::Image must be usable early.

Snapshot import should be prioritized over image import because the latter has significantly more limitations (it only supports i386 and x86-64 images, does not support the uefi-preferred boot mode, and requires Linux OSes to follow the Filesystem Hierarchy Standard).

Users should be able to have a CloudFormation template like this for ec2:ImportSnapshot + ec2:RegisterImage:

Resources:
  ImportedAMI:
    Type: AWS::EC2::Image
    Properties:
      # ec2:ModifyImageAttribute + ec2:RegisterImage + ec2:ImportImage request parameters.
      Description: My imported image.
      ImdsSupport: v2.0
      LaunchPermissions:
        - Group: all  # "all" makes the AMI public; omit it to share only with the listed principals.
        - OrganizationId: o-000000000000
      # Import options.
      ImportConfiguration:
        # ec2:ImportSnapshot + ec2:RegisterImage request parameters.
        Snapshot:
          Architecture: arm64
          BootMode: uefi
          SnapshotDiskContainer:
            UserBucket:
              S3Bucket: !Sub cdk-{qualifier}-assets-${AWS::AccountId}-${AWS::Region}
              S3Key: {content hash}-vm-image-aarch64.raw

Users should be able to have a CloudFormation template like this for ec2:ImportImage:

Resources:
  ImportedAMI:
    Type: AWS::EC2::Image
    Properties:
      # ec2:ModifyImageAttribute + ec2:RegisterImage + ec2:ImportImage request parameters.
      Description: My imported image.
      ImdsSupport: v2.0
      LaunchPermissions:
        - Group: all  # "all" makes the AMI public; omit it to share only with the listed principals.
        - OrganizationId: o-000000000000
      # Import options.
      ImportConfiguration:
        # ec2:ImportImage request parameters.
        Image:
          Architecture: arm64
          BootMode: uefi
          ImageDiskContainers:
            - UserBucket:
                S3Bucket: !Sub cdk-{qualifier}-assets-${AWS::AccountId}-${AWS::Region}
                S3Key: {content hash}-vm-image-aarch64.raw

The resource should support the following return values:

  • Ref
    • Returns the AMI ID (e.g. ami-000000000000). For use in most places (e.g. launch templates).
  • GetAtt
    • Arn
      • Returns the AMI ARN (e.g. arn:aws:ec2:us-west-2::image/ami-000000000000). For use in IAM policies.
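
As an added example (not from this issue and not CloudFormation or AWS code), the following is what a Lambda-backed custom resource has to do today to emulate the Snapshot import path proposed above with boto3, i.e. the call sequence the requested resource would wrap: ec2:ImportSnapshot, polling ec2:DescribeImportSnapshotTasks, ec2:RegisterImage with the architecture, boot mode and IMDS setting, then ec2:ModifyImageAttribute for launch permissions. It assumes the vmimport service role required by VM Import/Export already exists, that the object in S3 is a RAW disk image, and that the root device is /dev/xvda; the FakeEC2 stand-in, its IDs and the bucket/key names are constructed so the example runs offline. Note that the real ModifyImageAttribute API keys an organization share by OrganizationArn rather than the OrganizationId property shown in the proposal.

```python
"""Imperative equivalent of the proposed AWS::EC2::Image Snapshot import path.
Added example; the property-to-API mapping is an assumption about how the
proposed resource would behave, not CloudFormation's own implementation."""
import time


def import_snapshot_and_register(ec2, *, name, bucket, key, description,
                                 architecture="arm64", boot_mode="uefi",
                                 imds_support="v2.0", launch_permissions=(),
                                 poll_seconds=15, max_polls=240):
    """Run ImportSnapshot -> DescribeImportSnapshotTasks (poll) -> RegisterImage
    -> ModifyImageAttribute and return (image_id, snapshot_id).
    `ec2` is a boto3 EC2 client or a stand-in exposing the same methods."""
    task = ec2.import_snapshot(
        Description=description,
        # RAW disk in the caller's own bucket, as in the proposed template.
        DiskContainer={"Format": "RAW",
                       "UserBucket": {"S3Bucket": bucket, "S3Key": key}},
    )
    task_id = task["ImportTaskId"]

    # ImportSnapshot is asynchronous: poll until the task completes or is deleted.
    snapshot_id = None
    for _ in range(max_polls):
        detail = ec2.describe_import_snapshot_tasks(ImportTaskIds=[task_id])[
            "ImportSnapshotTasks"][0]["SnapshotTaskDetail"]
        status = detail["Status"]
        if status == "completed":
            snapshot_id = detail["SnapshotId"]
            break
        if status in ("deleting", "deleted"):
            raise RuntimeError(f"{task_id} failed: {detail.get('StatusMessage')}")
        time.sleep(poll_seconds)
    if snapshot_id is None:
        raise TimeoutError(f"{task_id} did not complete after {max_polls} polls")

    # RegisterImage carries Architecture, BootMode and ImdsSupport; the imported
    # snapshot becomes the root volume. ImdsSupport=v2.0 makes every instance
    # launched from the AMI require IMDSv2 (HttpTokens=required) by default.
    image_id = ec2.register_image(
        Name=name, Description=description, Architecture=architecture,
        BootMode=boot_mode, ImdsSupport=imds_support,
        VirtualizationType="hvm", EnaSupport=True, RootDeviceName="/dev/xvda",
        BlockDeviceMappings=[{"DeviceName": "/dev/xvda",
                              "Ebs": {"SnapshotId": snapshot_id,
                                      "VolumeType": "gp3",
                                      "DeleteOnTermination": True}}],
    )["ImageId"]

    # Launch permissions are a separate attribute call. A {"Group": "all"} entry
    # makes the AMI public; org shares use OrganizationArn in the real API.
    if launch_permissions:
        ec2.modify_image_attribute(
            ImageId=image_id, LaunchPermission={"Add": list(launch_permissions)})
    return image_id, snapshot_id


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client (offline only): records every
    call and reports the import task as `final_status` on the second poll."""
    def __init__(self, final_status="completed"):
        self.calls, self._polls, self._final = [], 0, final_status

    def import_snapshot(self, **kw):
        self.calls.append(("import_snapshot", kw))
        return {"ImportTaskId": "import-snap-0123456789abcdef0"}

    def describe_import_snapshot_tasks(self, **kw):
        self.calls.append(("describe_import_snapshot_tasks", kw))
        self._polls += 1
        detail = {"Status": "active", "Progress": "50"}
        if self._polls >= 2:
            detail = {"Status": self._final, "StatusMessage": "constructed"}
            if self._final == "completed":
                detail["SnapshotId"] = "snap-0123456789abcdef0"
        return {"ImportSnapshotTasks": [{"ImportTaskId": kw["ImportTaskIds"][0],
                                         "SnapshotTaskDetail": detail}]}

    def register_image(self, **kw):
        self.calls.append(("register_image", kw))
        return {"ImageId": "ami-0123456789abcdef0"}

    def modify_image_attribute(self, **kw):
        self.calls.append(("modify_image_attribute", kw))
        return {}


def demo():
    """Run the happy path against FakeEC2 and return the IDs plus call order."""
    ec2 = FakeEC2()
    image_id, snapshot_id = import_snapshot_and_register(
        ec2, name="vm-image-aarch64", bucket="my-assets-bucket",
        key="vm-image-aarch64.raw", description="My imported image.",
        launch_permissions=[{"OrganizationArn":
                             "arn:aws:organizations::111111111111:organization/o-000000000000"}],
        poll_seconds=0)
    return image_id, snapshot_id, [call for call, _ in ec2.calls]


if __name__ == "__main__":
    print(demo())
```

In a real custom resource the blocking poll is the weak point: snapshot imports can run far longer than a single Lambda invocation, so production handlers hand the task ID to a Step Functions wait loop or re-invoke themselves and only send the CloudFormation response once RegisterImage has returned, which is exactly the lifecycle a native AWS::EC2::Image resource would absorb.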

Use Cases

Let users declaratively import and manage EC2 AMIs with CloudFormation. This helps support the AMI baking and immutable infrastructure pattern.

See #2119 for more details.

With this, users will be able to import an AMI and then:

  1. Reference it in an AWS::ImageBuilder::ImageRecipe for custom image builds and cross-account + cross-region image distribution pipelines.
  2. Reference it in an AWS::EC2::LaunchTemplate for use with an AWS::EC2::Instance or AWS::AutoScaling::AutoScalingGroup.

cc: @huyphan (might be of interest to ASBX alongside #2119)