AWS::EC2::Image - New Resource - Support Snapshot + Image Import and AMI Management
Feature Request
Natively support creation of AMIs through snapshot import + image import and managing them through CloudFormation.
This should be owned by the EC2 team that owns the ec2:ImportSnapshot + ec2:RegisterImage (for snapshot import) and ec2:ImportImage APIs.
These don't belong under the existing AWS::ImageBuilder::Image resource (feature request) because:
- The snapshot + image import APIs are not owned by EC2 Image Builder.
- Image Builder comes up late in AWS region build, which means `AWS::ImageBuilder::Image` will be available late in region build.
- AMIs are a foundational resource, so `AWS::EC2::Image` must be usable early.
Snapshot import should be prioritized over image import because the latter has significantly more limitations (only supports i386 and x86-64 images, doesn't support the uefi-preferred boot mode, requires Linux OSes to follow the filesystem hierarchy standard).
Users should be able to have a CloudFormation template like this for ec2:ImportSnapshot + ec2:RegisterImage:
```yaml
Resources:
  ImportedAMI:
    Type: AWS::EC2::Image
    Properties:
      # ec2:ModifyImageAttribute + ec2:RegisterImage + ec2:ImportImage request parameters.
      Description: My imported image.
      ImdsSupport: v2.0
      LaunchPermissions:
        - Group: all
        - OrganizationId: o-000000000000
      # Import options.
      ImportConfiguration:
        # ec2:ImportSnapshot + ec2:RegisterImage request parameters.
        Snapshot:
          Architecture: arm64
          BootMode: uefi
          SnapshotDiskContainer:
            UserBucket:
              S3Bucket: cdk-{qualifier}-assets-${AWS::AccountId}-${AWS::Region}
              S3Key: {content hash}-vm-image-aarch64.raw
      TagSpecification:
        - ResourceType: volume
          Tags:
            - key: value
        - ResourceType: snapshot
          Tags:
            - key: value
        - ResourceType: image
          Tags:
            - key: value
```
Users should be able to have a CloudFormation template like this for ec2:ImportImage:
```yaml
Resources:
  ImportedAMI:
    Type: AWS::EC2::Image
    Properties:
      # ec2:ModifyImageAttribute + ec2:RegisterImage + ec2:ImportImage request parameters.
      Description: My imported image.
      ImdsSupport: v2.0
      LaunchPermissions:
        - Group: all
        - OrganizationId: o-000000000000
      # Import options.
      ImportConfiguration:
        # ec2:ImportImage request parameters.
        Image:
          Architecture: arm64
          BootMode: uefi
          ImageDiskContainers:
            - UserBucket:
                S3Bucket: cdk-{qualifier}-assets-${AWS::AccountId}-${AWS::Region}
                S3Key: {content hash}-vm-image-aarch64.raw
      TagSpecification:
        - ResourceType: volume
          Tags:
            - key: value
        - ResourceType: snapshot
          Tags:
            - key: value
        - ResourceType: image
          Tags:
            - key: value
```
The resource should support the following return values:
- `Ref` - Returns the AMI ID (e.g. `ami-000000000000`). For use in most places (e.g. launch templates).
- `GetAtt`
  - `Arn` - Returns the AMI ARN (e.g. `arn:aws:ec2:us-west-2::image/ami-000000000000`). For use in IAM policies.
  - `ImportTaskId` - Returns the `ec2:ImportSnapshot` or `ec2:ImportImage` import task ID.
  - `SnapshotId` - Returns the `ec2:ImportSnapshot` EBS snapshot ID.
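As an added illustration (not code from this request or from AWS), the Python below sketches what a provider for the proposed resource would do on the snapshot-import path: map the template properties onto `ec2:ImportSnapshot`, poll the import task, call `ec2:RegisterImage` with the resulting snapshot, and hand back the values that `Ref`, `ImportTaskId` and `SnapshotId` would expose. The EC2 client is injected (a boto3 `ec2` client in practice), the sample properties are constructed from the ImportSnapshot template above, and the image `Name` and `/dev/xvda` root device are assumptions, since the proposed schema has neither.

```python
import time  # the boto3 EC2 client is injected, so the flow can be exercised offline with a fake
# Constructed sample mirroring the ec2:ImportSnapshot template above (bucket/key are placeholders).
SAMPLE_PROPS = {"Description": "My imported image.", "ImdsSupport": "v2.0",
                "ImportConfiguration": {"Snapshot": {"Architecture": "arm64", "BootMode": "uefi",
                    "SnapshotDiskContainer": {"UserBucket": {"S3Bucket": "example-assets-bucket",
                                                             "S3Key": "vm-image-aarch64.raw"}}}},
                "TagSpecification": [{"ResourceType": "snapshot", "Tags": [{"team": "platform"}]}]}

def api_tags(tag_specs, resource_type):
    """Turn the proposed `- key: value` tag list into ec2 {Key, Value} pairs."""
    return [{"Key": k, "Value": v} for spec in tag_specs if spec["ResourceType"] == resource_type
            for tag in spec["Tags"] for k, v in tag.items()]

def build_import_snapshot_request(logical_id, props):
    """Map ImportConfiguration.Snapshot onto the ec2:ImportSnapshot parameters."""
    bucket = props["ImportConfiguration"]["Snapshot"]["SnapshotDiskContainer"]["UserBucket"]
    return {"Description": f"{logical_id} snapshot import",
            "DiskContainer": {"Format": "RAW", "UserBucket": dict(bucket)},  # assumes a .raw disk
            "TagSpecifications": [{"ResourceType": "import-snapshot-task",
                                   "Tags": api_tags(props.get("TagSpecification", []), "snapshot")}]}

def wait_for_snapshot(ec2, task_id, poll_seconds=15, max_polls=240):
    """Poll ec2:DescribeImportSnapshotTasks until the EBS snapshot exists or the task dies."""
    for _ in range(max_polls):
        task = ec2.describe_import_snapshot_tasks(ImportTaskIds=[task_id])["ImportSnapshotTasks"][0]
        detail = task["SnapshotTaskDetail"]
        if detail.get("Status") == "completed":
            return detail["SnapshotId"]
        if detail.get("Status") in ("deleting", "deleted"):
            raise RuntimeError(f"{task_id} failed: {detail.get('StatusMessage')}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"{task_id} did not complete after {max_polls} polls")

def build_register_image_request(logical_id, props, snapshot_id):
    """Map the top-level properties plus the imported snapshot onto ec2:RegisterImage.
    Assumptions: RegisterImage needs a Name (the logical ID is reused); root device is /dev/xvda."""
    snap = props["ImportConfiguration"]["Snapshot"]
    return {"Name": logical_id, "Description": props.get("Description", ""),
            "Architecture": snap["Architecture"], "BootMode": snap["BootMode"],
            "VirtualizationType": "hvm", "EnaSupport": True, "RootDeviceName": "/dev/xvda",
            "ImdsSupport": props.get("ImdsSupport", "v2.0"),  # default to IMDSv2-only
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": snapshot_id,
                                     "VolumeType": "gp3", "DeleteOnTermination": True}}]}

def create_image(ec2, logical_id, props, poll_seconds=15):
    """Run ImportSnapshot -> wait -> RegisterImage; return what Ref/GetAtt would expose."""
    task_id = ec2.import_snapshot(**build_import_snapshot_request(logical_id, props))["ImportTaskId"]
    snapshot_id = wait_for_snapshot(ec2, task_id, poll_seconds)
    image_id = ec2.register_image(**build_register_image_request(logical_id, props, snapshot_id))["ImageId"]
    return {"Ref": image_id, "ImportTaskId": task_id, "SnapshotId": snapshot_id}
```

LaunchPermissions (`ec2:ModifyImageAttribute`) and the deletion path are left out; note that `Group: all` in the template shares the AMI with every AWS account, so that line deserves a review before a stack is deployed.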
Deleting the resource should delete:
- The AMI.
- The underlying EBS volume(s).
- The underlying EBS snapshot(s).
Use Cases
Let users declaratively import and manage EC2 AMIs with CloudFormation. This helps support the AMI baking and immutable infrastructure pattern.
See https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/2119 for more details.
With this, users will be able to import an AMI and then:
- Reference it in an `AWS::ImageBuilder::ImageRecipe` for custom image builds and cross-account + cross-region image distribution pipelines.
- Reference it in an `AWS::EC2::LaunchTemplate` for use with an `AWS::EC2::Instance` or `AWS::AutoScaling::AutoScalingGroup`.
cc: @huyphan (might be of interest to ASBX alongside https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/2119)
Was told by AWS that this is being considered for OP1 in 2025.