packer-plugin-amazon

Can not provide arn for organization

Open hc-github-team-packer opened this issue 1 year ago • 3 comments

This issue was originally opened by @EugenKon in https://github.com/hashicorp/packer/issues/13099 and has been migrated to this repository. The original issue description is below.


Overview of the Issue

image

Also, it is not documented at https://developer.hashicorp.com/packer/integrations/hashicorp/amazon/latest/components/builder/ebs how to fill in this value correctly.

Reproduction Steps

source "amazon-ebs" "nomad_ami" {
  ami_name              = "xxx"
  instance_type         = "t2.medium"
  region                = var.aws_region
  source_ami            = data.amazon-ami.ubuntu_server_lts.id
  ssh_username          = "ubuntu"
  ami_regions           = ["ca-central-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2"]
  ami_org_arns          = ["arn:aws:organizations::000000000:ou/path/to"]
  force_deregister      = true
  force_delete_snapshot = true

  tags = {
    Name          = "nomad"
    Base_AMI_ID   = data.amazon-ami.ubuntu_server_lts.id
    Base_AMI_Name = data.amazon-ami.ubuntu_server_lts.name
    OS_Version    = "Ubuntu"
    Release       = "24.04 LTS"
    Description   = "Base image for EC2 instances on Nomad cluster"
  }

  snapshot_tags = {
    Name        = "nomad"
    Description = "Base image for EC2 instances on Nomad cluster"
  }
}

Packer version

v1.9.4

Simplified Packer Template

Operating system and Environment details

Darwin Eugens-MacBook-Pro.local 23.5.0 Darwin Kernel Version 23.5.0: Wed May 1 20:09:52 PDT 2024; root:xnu-10063.121.3~5/RELEASE_X86_64 x86_64 i386 Darwin

hc-github-team-packer, Jul 05 '24 19:07

As a temporary workaround, I commented out the ami_org_arns option and applied the ARN manually via the AWS Console: image

EugenKon, Jul 05 '24 21:07

Hi @EugenKon,

Thanks for reporting this. Regarding the error you're getting, that's from the AWS APIs it seems, but it's hard to understand the root cause of the issue here without more information.

Looking at your example though, it seems the organisation ARN you provide might be an organisational unit ARN instead? If so, you should use the ami_ou_arns attribute instead?

Regarding the docs, we lean on AWS for this; you can find the patterns in their API docs: Organisation ARN for example.

Let me know if that helps; in the meantime I imagine that we could regex the data provided in order to make sure it fits what's requested, this way you won't have to wait until the AMI gets pushed for it to error, especially as the docs provide the regexes for this work. I'll make a note of that.

lbajolet-hashicorp, Jul 16 '24 15:07
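
The pre-flight check suggested in the comment above, sketched as an added example (not code from packer-plugin-amazon or from anyone in this thread): it classifies each ARN and reports an organizational unit ARN placed in ami_org_arns before any build starts. The regexes are modeled on the Arn patterns in the AWS Organizations API reference and restricted to the `aws` partition as an assumption; `checkSharing` and the sample IDs are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
)

// Patterns modeled on the Arn patterns in the AWS Organizations API reference
// (assumption: "aws" partition only, anchored at both ends).
var (
	orgARN = regexp.MustCompile(`^arn:aws:organizations::\d{12}:organization/o-[a-z0-9]{10,32}$`)
	ouARN  = regexp.MustCompile(`^arn:aws:organizations::\d{12}:ou/o-[a-z0-9]{10,32}/ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$`)
)

// checkSharing validates the two launch-permission lists of an amazon-ebs
// source and returns one message per bad entry (hypothetical helper).
func checkSharing(orgARNs, ouARNs []string) []string {
	var errs []string
	check := func(attr string, want, other *regexp.Regexp, otherAttr string, vals []string) {
		for _, v := range vals {
			switch {
			case want.MatchString(v): // correct kind of ARN for this attribute
			case other.MatchString(v):
				errs = append(errs, fmt.Sprintf("%s: %q belongs in %s", attr, v, otherAttr))
			default:
				errs = append(errs, fmt.Sprintf("%s: %q is not a valid ARN for this attribute", attr, v))
			}
		}
	}
	check("ami_org_arns", orgARN, ouARN, "ami_ou_arns", orgARNs)
	check("ami_ou_arns", ouARN, orgARN, "ami_org_arns", ouARNs)
	return errs
}

func main() {
	// Constructed sample values, not real account or organization IDs.
	org := []string{
		"arn:aws:organizations::123456789012:ou/o-exampleorgid/ou-ab12-cdefgh34", // OU ARN in the wrong list
		"arn:aws:organizations::000000000:ou/path/to",                            // value as written in the report
	}
	ou := []string{"arn:aws:organizations::123456789012:ou/o-exampleorgid/ou-ab12-cdefgh34"}
	for _, e := range checkSharing(org, ou) {
		fmt.Println(e)
	}
}
```
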

I was blind. How could I miss ami_ou_arns??? I have not tried yet, but I suppose it should work.

EugenKon, Jul 16 '24 19:07

Closing this issue. As mentioned, I believe the right configuration to use here would be ami_ou_arns. Please create a new issue if you need further assistance.

kp2099, Jul 28 '25 12:07

Tested. ami_ou_arns works as expected. Thank you again.

EugenKon, Aug 01 '25 18:08