我第一次尝试用 Terraform 配置 EC2 Image Builder。我在 CI/CD 帐户中运行管道,镜像供生产和预发布(staging)帐户使用。换句话说,生成的 AMI 应该共享给这两个帐户。我的问题是生成的镜像并没有被共享,而且我在 Terraform 文档中找不到应该如何实现这一点。
相关的 Terraform 代码如下:
# AWS-managed CloudWatch agent component, looked up by ARN in the current region.
# The component version is pinned explicitly (1.0.1) rather than resolved at build time.
data "aws_imagebuilder_component" "cloudwatch" {
arn = "arn:aws:imagebuilder:${data.aws_region.current.name}:aws:component/amazon-cloudwatch-agent-linux/1.0.1"
}
# AWS-managed CodeDeploy agent component, looked up by ARN in the current region.
# The component version is pinned explicitly (1.0.2) rather than resolved at build time.
data "aws_imagebuilder_component" "codedeploy" {
arn = "arn:aws:imagebuilder:${data.aws_region.current.name}:aws:component/aws-codedeploy-agent-linux/1.0.2"
}
# Custom build component "proxy-runtime": installs the proxy runtime packages on
# top of the parent image during the "build" phase.
resource "aws_imagebuilder_component" "yum" {
  name     = "proxy-runtime"
  platform = "Linux"
  version  = "0.0.1"

  # Component document, rendered from HCL. yamlencode emits object keys in
  # lexical order, so the key order written here does not affect the output.
  # NOTE(review): `yum update -y` and the unversioned package installs pull
  # whatever is current at build time, so two builds of component 0.0.1 can
  # produce different package sets; pin package versions if reproducible,
  # auditable images are a requirement.
  data = yamlencode({
    schemaVersion = 1.0
    phases = [{
      name = "build"
      steps = [{
        name   = "InstallSoftware"
        action = "ExecuteBash"
        inputs = {
          commands = [
            "yum update -y",
            "yum install -y java-17-amazon-corretto-headless",
            "amazon-linux-extras install -y BCC",
            "yum install -y bpftrace collectd"
          ]
        }
      }]
    }]
  })
}
# Image recipe "proxy-x86_64-gp2": the parent image plus the three components
# above, with one extra 10 GiB gp2 data volume on /dev/xvdb.
resource "aws_imagebuilder_image_recipe" "proxy-x86_64" {
  name    = "proxy-x86_64-gp2"
  version = "0.0.1"

  # NOTE(review): the "x.x.x" version in the parent image ARN resolves to the
  # latest Amazon Linux 2 image at build time rather than a fixed one, so the
  # base of each build can change between runs; pin a concrete version if the
  # base image must be reproducible for audit purposes.
  parent_image = "arn:aws:imagebuilder:${data.aws_region.current.name}:aws:image/amazon-linux-2-x86/x.x.x"

  # Components are applied in the order listed.
  component {
    component_arn = data.aws_imagebuilder_component.cloudwatch.arn
  }
  component {
    component_arn = data.aws_imagebuilder_component.codedeploy.arn
  }
  component {
    component_arn = aws_imagebuilder_component.yum.arn
  }

  # NOTE(review): no `encrypted` setting is given for this volume, so it is
  # created with the account's default EBS encryption setting. Be aware that
  # sharing an AMI whose snapshots are KMS-encrypted across accounts also
  # requires key-policy changes, which this configuration does not manage.
  block_device_mapping {
    device_name = "/dev/xvdb"
    ebs {
      delete_on_termination = true
      volume_size           = 10
      volume_type           = "gp2"
    }
  }
}
# Distribution settings for the produced AMI in us-east-1: name template,
# launch permission for two accounts, and distribution into the same accounts.
resource "aws_imagebuilder_distribution_configuration" "proxy-x86_64" {
  name = "proxy"

  distribution {
    region = "us-east-1"

    ami_distribution_configuration {
      # Build date is substituted by Image Builder at distribution time.
      name = "proxy-x86_64-{{ imagebuilder:buildDate }}"

      # Accounts allowed to launch the AMI that stays in the build account.
      # Applying this requires the build instance's role (the instance profile
      # in the infrastructure configuration) to hold ec2:ModifyImageAttribute;
      # without it the pipeline reports success but the AMI is not shared.
      # The IDs shown are placeholders (real AWS account IDs are 12 digits).
      launch_permission {
        user_ids = ["1234567890", "0987654321"]
      }

      # Accounts the AMI is distributed (copied) into as a separate image.
      # NOTE(review): presumably the target accounts also need the Image
      # Builder cross-account distribution role in place — confirm against
      # the AWS documentation for target_account_ids.
      target_account_ids = ["1234567890", "0987654321"]
    }
  }
}
# Build environment for the proxy AMI: instance profile, instance types,
# network placement, failure handling and S3 build logs.
resource "aws_imagebuilder_infrastructure_configuration" "proxy-x86_64" {
  name        = "proxy-x86_64-ami-builder"
  description = "Proxy AMI builder infra"

  # The build instance assumes this role while running every component
  # command, so keep its policy to the minimum the build needs. It must
  # include ec2:ModifyImageAttribute for the distribution configuration's
  # launch permissions to actually be applied to the produced AMI.
  instance_profile_name = aws_iam_instance_profile.instance.name
  instance_types        = ["t3.small", "t3.medium"]

  # Network placement of the build instance (defined outside this file).
  security_group_ids = [aws_security_group.builder.id]
  subnet_id          = data.aws_subnet.default.id

  # Avoids leaving a half-built instance running after a failed build.
  terminate_instance_on_failure = true

  # Build logs capture component command output; restrict who can read
  # the bucket accordingly.
  logging {
    s3_logs {
      s3_bucket_name = aws_s3_bucket.logs.bucket
      s3_key_prefix  = "proxy-ec2-builder-logs"
    }
  }

  lifecycle {
    create_before_destroy = true
  }
}
# Pipeline tying the recipe, build infrastructure and distribution settings
# together. No schedule is set, so runs are triggered manually or externally.
# (The block's closing brace is on the following line of the page.)
resource "aws_imagebuilder_image_pipeline" "proxy-x86_64" {
image_recipe_arn = aws_imagebuilder_image_recipe.proxy-x86_64.arn
infrastructure_configuration_arn = aws_imagebuilder_infrastructure_configuration.proxy-x86_64.arn
distribution_configuration_arn = aws_imagebuilder_distribution_configuration.proxy-x86_64.arn
name = "proxy-x86_64"
}我的猜测是,aws_imagebuilder_distribution_configuration资源用于设置所产生的AMI的权限。但是,我尝试在那里使用的两个设置似乎没有将我的两个帐户添加到与AMI共享的帐户列表中。有人知道如何将所产生的AMI配置为与某些帐户自动共享吗?
发布于 2022-02-21 22:11:29
结果发现,基础设施配置中使用的实例配置文件(instance profile)需要 ec2:ModifyImageAttribute 这项 IAM 权限。手册中没有任何地方清楚地说明这一点;缺少该权限时,管道仍然会显示为成功完成,即使它实际上无法修改 AMI 的共享权限。
查明修改共享权限所调用的是哪个 API 操作,并把该操作添加到实例角色的策略中,问题就解决了。
发布于 2022-03-18 08:01:52
你可以试试这个:
# Standalone alternative: grant one account launch permission on one AMI
# outside the Image Builder distribution configuration. The values here are
# placeholders; image_id would need to be wired to the produced AMI for this
# to cover pipeline output. The block's closing brace is on the next line.
resource "aws_ami_launch_permission" "this" {
image_id = "image_id"
account_id = "account_id"
}有关进一步参考,请参阅权限
https://stackoverflow.com/questions/71213069