I'm trying to configure EC2 Image Builder for the first time using Terraform. I'm running the pipeline inside a CI/CD account, and the image is used from the production and staging accounts. In other words, the AMI produced should be shared with these two accounts. My problem is that the produced images aren't shared, and I can't find in the Terraform docs how this should be done.
The relevant Terraform code is:
# AWS-managed CloudWatch agent component (Linux), pinned to 1.0.1, looked up
# in the provider's current region.
data "aws_imagebuilder_component" "cloudwatch" {
  arn = format("arn:aws:imagebuilder:%s:aws:component/amazon-cloudwatch-agent-linux/1.0.1", data.aws_region.current.name)
}
# AWS-managed CodeDeploy agent component (Linux), pinned to 1.0.2, looked up
# in the provider's current region.
data "aws_imagebuilder_component" "codedeploy" {
  arn = format("arn:aws:imagebuilder:%s:aws:component/aws-codedeploy-agent-linux/1.0.2", data.aws_region.current.name)
}
# Custom build component that installs the proxy runtime packages.
# NOTE(review): a component's document is immutable for a given name/version,
# so any change to the commands below needs a new `version` value as well —
# confirm against provider behaviour before relying on an in-place update.
# NOTE(review): `yum update -y` and unpinned package names mean the image
# content depends on repository state at build time (not reproducible); pin
# package versions if that matters for this image.
resource "aws_imagebuilder_component" "yum" {
  name     = "proxy-runtime"
  platform = "Linux"
  version  = "0.0.1"

  # Image Builder component document: one "build" phase with a single bash step.
  # yamlencode sorts object keys, so attribute order here does not affect output.
  data = yamlencode({
    schemaVersion = 1.0
    phases = [
      {
        name = "build"
        steps = [
          {
            name   = "InstallSoftware"
            action = "ExecuteBash"
            inputs = {
              commands = [
                "yum update -y",
                "yum install -y java-17-amazon-corretto-headless",
                "amazon-linux-extras install -y BCC",
                "yum install -y bpftrace collectd",
              ]
            }
          },
        ]
      },
    ]
  })
}
# Image recipe: Amazon Linux 2 (x86) parent image plus the three components.
# The parent image version "x.x.x" is Image Builder's wildcard for the latest
# available version of that managed image, so each build may pick up a newer
# base image.
# NOTE(review): like components, a recipe is immutable per name/version — bump
# `version` when the component list or block device mapping changes.
resource "aws_imagebuilder_image_recipe" "proxy-x86_64" {
  name         = "proxy-x86_64-gp2"
  version      = "0.0.1"
  parent_image = format("arn:aws:imagebuilder:%s:aws:image/amazon-linux-2-x86/x.x.x", data.aws_region.current.name)

  # Additional 10 GiB gp2 volume attached as /dev/xvdb.
  # NOTE(review): no `encrypted` / `kms_key_id` is set, so whether this volume
  # is encrypted depends on the account's default EBS encryption setting —
  # confirm that is the intended posture.
  block_device_mapping {
    device_name = "/dev/xvdb"

    ebs {
      volume_size           = 10
      volume_type           = "gp2"
      delete_on_termination = true
    }
  }

  # Component order is significant: the managed agents first, then the custom
  # yum component.
  component {
    component_arn = data.aws_imagebuilder_component.cloudwatch.arn
  }

  component {
    component_arn = data.aws_imagebuilder_component.codedeploy.arn
  }

  component {
    component_arn = aws_imagebuilder_component.yum.arn
  }
}
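# Distribution settings for the AMIs the pipeline produces. These are applied
# at build time, so changing them affects only images built afterwards — an
# AMI produced before this configuration was attached/updated is not re-shared.
resource "aws_imagebuilder_distribution_configuration" "proxy-x86_64" {
  name = "proxy"

  distribution {
    # Every other resource here resolves its region from data.aws_region.current,
    # but this block was pinned to "us-east-1". If the pipeline runs in another
    # region, the sharing below only applies to a copied AMI in us-east-1, not
    # to the AMI actually built. Keep the build region here and add further
    # `distribution` blocks for any extra regions.
    region = data.aws_region.current.name

    ami_distribution_configuration {
      name = "proxy-x86_64-{{ imagebuilder:buildDate }}"

      # Grants the listed accounts launch permission on the AMI (the AMI stays
      # owned by this account). AWS account IDs are 12 digits; the 10-digit
      # values below look like placeholders — confirm before applying.
      launch_permission {
        user_ids = ["1234567890", "0987654321"]
      }

      # In addition, copies the AMI into each target account. NOTE(review):
      # this needs a cross-account distribution role (AWS documents the name
      # EC2ImageBuilderDistributionCrossAccountRole) in each target account that
      # trusts this account; without it the distribution step fails for that
      # account, and the failure is reported on the image's output resources /
      # status rather than on the pipeline resource.
      target_account_ids = ["1234567890", "0987654321"]
    }
  }
}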
# Build/test instance settings: t3.small or t3.medium in the chosen subnet,
# with the builder security group and build logs shipped to S3.
resource "aws_imagebuilder_infrastructure_configuration" "proxy-x86_64" {
  name        = "proxy-x86_64-ami-builder"
  description = "Proxy AMI builder infra"

  instance_profile_name = aws_iam_instance_profile.instance.name
  instance_types        = ["t3.small", "t3.medium"]
  subnet_id             = data.aws_subnet.default.id
  security_group_ids    = [aws_security_group.builder.id]

  # Tear the build instance down on failure so it does not linger in the account.
  terminate_instance_on_failure = true

  logging {
    s3_logs {
      s3_bucket_name = aws_s3_bucket.logs.bucket
      s3_key_prefix  = "proxy-ec2-builder-logs"
    }
  }

  # When a replacement is required (e.g. a rename), create the new
  # configuration before destroying the old one so the pipeline keeps a valid
  # reference.
  lifecycle {
    create_before_destroy = true
  }
}
# The pipeline tying recipe, infrastructure and distribution together.
# No `schedule` is set, so builds only happen when the pipeline is triggered
# explicitly; each such build reads the distribution configuration current at
# that time.
resource "aws_imagebuilder_image_pipeline" "proxy-x86_64" {
  name = "proxy-x86_64"

  image_recipe_arn                 = aws_imagebuilder_image_recipe.proxy-x86_64.arn
  infrastructure_configuration_arn = aws_imagebuilder_infrastructure_configuration.proxy-x86_64.arn
  distribution_configuration_arn   = aws_imagebuilder_distribution_configuration.proxy-x86_64.arn
}
My guess has been that the aws_imagebuilder_distribution_configuration
resource is what sets the permissions on the produced AMIs. However, the two settings I've tried there don't seem to add my two accounts to the list of accounts the AMI is shared with. Does anyone know how the produced AMIs can be configured to be shared automatically with specific accounts?