Allow Source Image to be an SSM Parameter lookup

[nigel-heaney]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request I would like the ability to set the parent/source image to be an SSM Parameter lookup.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? I have setup Image Builder in CDK and currently have the source image set to an SSM Parameter lookup to an official AWS AMI image e.g. /aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id. This allows us to point at the current stable version easily without hard coding ami id's in CloudFormation.

This works but the Image Recipe resource triggers a replacement in CloudFormation and if the version is not changed then you have errors in CloudFormation regarding resource already exists. This forces us to update the stack each time we want to upgrade to a newer version.

In this example we use the official AWS ECS Image, apply a few customisations and upgrade our clusters with the new image. For our purposes the components and recipes are static so we are only incrementing to reference the new source image. It would be great if we had the option to set Image Builder to perform the lookup when a pipeline is triggered. This cuts out cloudformation needing to be updated and we can further automate image building

Are you currently working around this issue? In CDK we retrieve the new parameter value at deployment time but this has a risk if we don't change the version number for the image recipe then cloudformation will fail.

Additional context

Attachments If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

[ryanwilliams83]

@nigel-heaney, you might be able to modify your template to use the following for the ParentImage property to reference the latest stable dynamically. The literal 'x.x.x' means latest.

arn:${AWS::Partition}:imagebuilder:${AWS::Region}:aws:image/amazon-linux-2-ecs-optimized-x86/x.x.x

If you have success with this you might want to also take a look at PipelineExecutionStartCondition = EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE

[jonrau-lightspin]

+1 here - not every Image from a Public Parameter is supported in EC2 Image Builder, while it is fine for things like the "Latest" Amazon Linux 2 or Ubuntu Server 20.04LTS, it does not work with more "unique" images such as the EKS Optimized Ubuntu builds, Ubuntu 21.04 or 21.10, and otherwise.

This would allow us to stay in sync with those images much more easily than needing to separately manage other pipelines and share the Images with RAM

[nigel-heaney]

@nigel-heaney, you might be able to modify your template to use the following for the ParentImage property to reference the latest stable dynamically. The literal 'x.x.x' means latest.

arn:${AWS::Partition}:imagebuilder:${AWS::Region}:aws:image/amazon-linux-2-ecs-optimized-x86/x.x.x

If you have success with this you might want to also take a look at PipelineExecutionStartCondition = EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE

Thankyou @ryanwilliams83, I have implemented your suggestion and worked for me. I was not aware of this so it will help massively.

[stevehipwell]

This feature is still required to build images for the EKS Optimised AMI (e.g. /aws/service/eks/optimized-ami/1.22/amazon-linux-2/recommended/image_id) and Bottlerocket (e.g. /aws/service/bottlerocket/aws-k8s-1.22/x86_64/latest/image_id). Is anyone looking at implementing it?

[sreekumarvr]

Same for ECS Optimized ARM images

SSM Parameter: /aws/service/ecs/optimized-ami/amazon-linux-2/arm64/recommended