Open commiterate opened 2 weeks ago
Spoke with an AWS PM for EC2 Image Builder.
Distribution-only image pipelines can be created today by creating a pipeline with an empty image workflow. Unlike image recipes, image workflows can do a no-op.
There are currently no plans to expand ImportVmImage
which is likely required for supporting VM image import in CloudFormation.
Feature Request
Support VM image import in CloudFormation.
This also requires a few other things:
ec2:ImportImage
to support AArch64 images.ec2:ImportSnapshot
+ec2:RegisterImage
.imagebuilder:ImportVmImage
:ec2:ImportImage
request parameters (e.g. as anImageImportConfiguration
subfield). The service:ec2:ImportImage
, tracks the job in Image Builder, and returns.ec2:ImportSnapshot
task ID. The service:ec2:RegisterImage
, imports the AMI into Image Builder, and returns.ec2:ImportSnapshot
request parameters (e.g. as aSnapshotImportConfiguration
subfield). The service:ec2:ImportSnapshot
, tracks the job in Image Builder, and returns.ec2:RegisterImage
.Users should be able to have a CloudFormation template like this:
Alternatively if Image Builder offers a wrapper around
ec2:ImportSnapshot
+ec2:RegisterImage
instead, the template would look like this:This image should be targetable by Image Builder lifecycle policies. Today, this requires a recipe for resource selection.
Additional Context
EC2 Image Builder currently provides the only avenue for users to manage EC2 AMIs and AMI lifecycle policies purely through AWS-provided CloudFormation resources (e.g.
AWS::ImageBuilder::Image
,AWS::ImageBuilder::LifecyclePolicy
).In comparison, other AMI baking solutions such as S3 → VM image import or HashiCorp Packer require a lot of extra supporting infrastructure to properly track and clean up old AMIs.
In addition to AMI building functionality, Image Builder can also distribute AMIs as part of an image pipeline.
Users may want to only use Image Builder's AMI distribution functionality without using the AMI building functionality.
For example, users may have a setup where they build VM images locally and then upload them to the AWS CDK bootstrap stack's S3 asset bucket for ingestion with
ImportImage
(does the actual import) +ImportVmImage
(registers the AMI in Image Builder as an ARN-able resource).Since
imagebuilder:ImportVmImage
is done outside of CloudFormation's purview, the resulting ImageBuilder Image (an ARN-able resource separate from the AMI) isn't tracked by CloudFormation. As a result, CloudFormation isn't able to automatically delete it when a replacement is needed during a stack update.Community Note