AMI tag not persisting after build

[ghost]

This issue was originally opened by @RixhersAjazi as hashicorp/packer#10132. It was migrated here as a result of the Packer plugin split. The original body of the issue is below.

---

Overview of the Issue

When I set tags on amazon-ebs builder I see the tags being applied in packer log output during the running of packer. However I do not see the final tag in AWS console when I go and check on my AMI's.

Reproduction Steps

• Use this amazon-ebs builder defintion:

    {
      "name": "t3a.micro",
      "profile": "{{user `profile`}}",
      "region": "{{user `aws_region`}}",
      "type": "amazon-ebs",
      "source_ami_filter": {
        "filters": {
          "virtualization-type": "hvm",
          "name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200609",
          "root-device-type": "ebs"
        },
        "owners": ["099720109477"],
        "most_recent": false
      },
      "ami_users": ["320176959135", "351145466100", "485438916218"],
      "instance_type": "t3a.micro",
      "ssh_username": "ubuntu",
      "ami_name": "foooo-{{timestamp}}",
      "subnet_filter": {
        "filters": {
          "tag:Group": "meta-new",
          "tag:Name": "meta-new-private-*"
        },
        "most_free": true,
        "random": false
      },
      "ssh_interface": "private_ip",
      "ami_regions": ["us-east-2", "ap-southeast-2"],
      "tags": {
        "Release": "{{user `release_tag`}}"
      },
      "run_tags":{
        "Release": "{{user `release_tag`}}"
      }
    }

• Run packer
• Go to AWS CLI and see that the AMI that was generated and subsequently copied to the other regions doesn't have the tag defined:

Packer version

rixhersajazi@hostyhost packer-dev (ticketT-7772)*$ packer --version
1.6.0

Packer build output

==> t3a.micro: Waiting for the instance to stop...
==> t3a.micro: Creating AMI fooooo-1603212597 from instance i-06aa58418cfc94449
    t3a.micro: AMI: ami-00275c4502a4e0dba
==> t3a.micro: Waiting for AMI to become ready...
==> t3a.micro: Copying/Encrypting AMI (ami-00275c4502a4e0dba) to other regions...
    t3a.micro: Copying to: us-east-2
    t3a.micro: Copying to: ap-southeast-2
    t3a.micro: Waiting for all copies to complete...
==> t3a.micro: Modifying attributes on AMI (ami-0b2881c5cba17e5b0)...
    t3a.micro: Modifying: users
==> t3a.micro: Modifying attributes on AMI (ami-00275c4502a4e0dba)...
    t3a.micro: Modifying: users
==> t3a.micro: Modifying attributes on AMI (ami-0752628f480d59636)...
    t3a.micro: Modifying: users
==> t3a.micro: Modifying attributes on snapshot (snap-04a99f316e19fced0)...
==> t3a.micro: Modifying attributes on snapshot (snap-032d3d88e4844f1dd)...
==> t3a.micro: Modifying attributes on snapshot (snap-0bd7cae46477fc6ca)...
==> t3a.micro: Adding tags to AMI (ami-00275c4502a4e0dba)...
==> t3a.micro: Tagging snapshot: snap-04a99f316e19fced0
==> t3a.micro: Creating AMI tags
    t3a.micro: Adding tag: "Release": "FEATURE_BRANCH_QA_ONLY"
==> t3a.micro: Creating snapshot tags
==> t3a.micro: Adding tags to AMI (ami-0752628f480d59636)...
==> t3a.micro: Tagging snapshot: snap-032d3d88e4844f1dd
==> t3a.micro: Creating AMI tags
    t3a.micro: Adding tag: "Release": "FEATURE_BRANCH_QA_ONLY"
==> t3a.micro: Creating snapshot tags
==> t3a.micro: Adding tags to AMI (ami-0b2881c5cba17e5b0)...
==> t3a.micro: Tagging snapshot: snap-0bd7cae46477fc6ca
==> t3a.micro: Creating AMI tags
    t3a.micro: Adding tag: "Release": "FEATURE_BRANCH_QA_ONLY"
==> t3a.micro: Creating snapshot tags
==> t3a.micro: Terminating the source AWS instance...
==> t3a.micro: Cleaning up any extra volumes...
==> t3a.micro: No volumes to clean up, skipping
==> t3a.micro: Deleting temporary security group...
==> t3a.micro: Deleting temporary keypair...
Build 't3a.micro' finished.

==> Builds finished. The artifacts of successful builds are:
--> t3a.micro: AMIs were created:
ap-southeast-2: ami-0752628f480d59636
us-east-2: ami-0b2881c5cba17e5b0
us-west-2: ami-00275c4502a4e0dba

Notice there are lines saying:

==> t3a.micro: Creating AMI tags
    t3a.micro: Adding tag: "Release": "FEATURE_BRANCH_QA_ONLY"

Operating system and Environment details

MacOS Catalina - 10.15.7

Log Fragments and crash.log files

[veereshh-juniper]

I followed the plugin download steps as mentioned in https://github.com/hashicorp/packer-plugin-amazon/pull/96. Found that when the image is built, it copies tags properly to the destination region within the same account, but if I give different account, it does copy the image but tags are not copied

1) Works fine with below where image/tags are copied properly source-account1-region: us-east-1 destination-account1-region: eu-west-2

2) Doesn't work with below. Image is copied but not the source-tags source-account1-region: us-east-1 destination-account2-region: eu-west-2

[nywilken]

Hi @veereshh-juniper thanks testing out the latest release and for sharing the details on how it worked out. Looking at the documentation for Sharing AMI across accounts I don't think there is support for tags being copied across accounts.

Do you know if this is supported if you copy an AMI via the console of cli?

To quote the documentation

There is no limit to the number of AWS accounts with which an AMI can be shared. User-defined tags that you 
attach to a shared AMI are available only to your AWS account and not to the other accounts that the AMI is shared with.

[veereshh-juniper]

I checked through console copying to different account/region and yes source-tags are not being copied to different accounts during AMI copy operation. As of now workaround would be to get the source-tags from the AMI and then use the aws ec create-tags to update on the destination AMI (during packer post-processor phase)

[montaguethomas]

Looks like this will finally be fixed soon! PR https://github.com/hashicorp/packer-plugin-amazon/pull/327 implements copying of tags during AMI copy. Released in v1.2.2 of the plugin. Now just waiting for packer to update the plugin.

Duplicate issue: https://github.com/hashicorp/packer-plugin-amazon/issues/295