Cross account ssm param AMI ID updates.

aws-samples / amazon-ec2-image-builder-samples

Samples for Amazon EC2 Image Builder

MIT No Attribution

118 stars 76 forks source link

Cross account ssm param AMI ID updates. #49

Open sholtomaud opened 1 year ago

sholtomaud commented 1 year ago

image-builder-lambda-update-ssm.py is nice if you only have one account and ImageBuilder is in that account.

But ImageBuilder pipelines offer AMI distribution accross accounts which is a typical use case.

Please update the example code to distribute the AMI IDs to SSM Params in a cross-account mode to show how the update of SSM Params takes place.

mdgm88 commented 2 months ago

There are a few ways to do this, that I can think of:

One would be to use StackSets

Another would be to use an Advanced SSM parameter and RAM share it to other accounts: https://aws.amazon.com/about-aws/whats-new/2024/02/aws-systems-manager-parameter-store-cross-account-sharing/

sholtomaud commented 2 months ago

"ImageBuilder pipelines offer AMI distribution across accounts which is a typical use case."

"an Advanced SSM parameter" would probably be the mechanism the AWS ImageBuilder team could use to provide the complete solution.

As it stands, AMI distribution is a mess in AWS.

EmmanuelTsouris commented 2 weeks ago

Another way might be to use a step function which could assume a role in the target account and call the SSM parameter API, all using service integrations.