ACME has automated all the process using CloudFormation to create custom AMIs which are approved by Organization to spin up instances with.
EC2 Image Builder is a fully managed AWS service that makes it easier to automate the creation, management, and deployment of customized, secure, and up-to-date “golden” server images that are pre-installed and pre-configured with software and settings to meet specific IT standards.
You can use the AWS Management Console, AWS CLI, or APIs to create “golden” images in your AWS account. When you use the AWS Management Console, the Image Builder wizard guides you through steps to:
- Provide starting artifacts
- Add and remove software
- Customize settings and scripts
- Run selected tests
- Distribute images to AWS Regions
The images you build are created in your account and you can configure them for operating system patches on an ongoing basis.
For troubleshooting and debugging your image deployment, you can configure build logs to be added to your Amazon Simple Storage Service (Amazon S3) bucket. You can also configure an SNS topic to receive notifications of image build status and associate an Amazon Elastic Compute Cloud (Amazon EC2) keypair with your instance to perform manual debugging and inspection.
The following terminology and concepts are central to your understanding and use of EC2 Image Builder.
An Amazon Machine Image (AMI) is the basic unit of deployment in Amazon EC2. An AMI is a pre-configured VM image that contains the OS and preinstalled software to deploy EC2 instances.
- Image Pipeline
An image pipeline is the automation configuration for building secure OS images on AWS. The Image Builder image pipeline is associated with an image recipe that defines the build, validation, and test phases for an image build lifecycle. An image pipeline can be associated with an infrastructure configuration that defines where your image is built. You can define attributes, such as instance type, subnets, security groups, logging, and other infrastructure-related configurations.
- Image Recipe
An Image Builder image recipe is a document that defines the source image and the components to be applied to the source image to produce the desired configuration for the output image. You can use an image recipe to duplicate builds. Image Builder image recipes can be shared, branched, and edited using the console wizard, the AWS CLI, or the API. You can use image recipes with your version control software to maintain shareable versioned image recipes.
- Source Image
The source image is the selected image and OS used in your image recipe document along with the components. The source image and the component definitions combined produce the desired configuration for the output image.
- Build Components
Build components are orchestration documents that define a sequence of steps for downloading, installing, and configuring software packages. They also define validation and security hardening steps. A component is defined using a YAML document format.
- Test Components
Test components are orchestration documents that define tests to run on software packages. A component is defined using a YAML document format.
A declarative document that uses the YAML format to list the execution steps for build, validation, and test of an AMI on an instance. The document is input to a configuration management application, which runs locally on an Amazon EC2 instance to execute the document steps.
How EC2 Image Builder Works
When you use the EC2 Image Builder console to create a golden image, a wizard guides you through the following steps
- Select source image
You select a source OS image, for example, an existing AMI.
- Create image recipe.
You add components to create an image recipe for your image pipeline. Components are the building blocks that are consumed by an image recipe, for example, packages for installation, security hardening steps, and tests. The selected OS and components make up an image recipe. Components are installed in the order in which they are specified and cannot be reordered after selection.
Image Builder creates an OS image in the selected output format.
You distribute your image to selected AWS Regions after it passes tests in the image pipeline.
AWS Identity and Access Management (IAM)
The IAM role that you associate with your instance profile must have permissions to run the build and test components included in your image. The following IAM role policies must be attached to the IAM role that is associated with the instance profile: EC2InstanceProfileForImageBuilder and AmazonSSMManagedInstanceCore.
If you configure logging, the instance profile specified in your infrastructure configuration must have s3:PutObject permissions for the target bucket (arn:aws:s3:::BucketName/*).
ACME has created AWS CloudFormation Template to fully automate AWS AMI baking process.
After successful execution of template newly formed pipelines can be seen.
Build and Automate an OS Image Deployment Using the EC2 Image Builder Console
The following steps guide you through an image deployment with Image Builder from the EC2 Image Builder Console.
- From the EC2 Image Builder landing page, select Create image pipeline.
- The following tabs contain information about each of the pages for which you must provide input to create your image pipeline.
- a) On the Define Recipe page, create an image recipe, which includes your source image and components.
- Choose your source image. The source image includes the image OS and the image to configure. After selecting your image OS, choose from the following options to select an image to configure.
- Select an image from the managed images, which includes Image Builder images to help you get started, images that you have already created, and images that have been shared with you. To select an image, enter the image ARN in the text box, or select Browse images to view managed images. All managed images provided by AWS are 64-bit operating systems.
- B) Use a custom AMI by entering the AMI ID. Select the checkbox "Always build latest version" if you want Image Builder to use semantic versioning to set the version number for your image. If this box is not selected, ImageBuilder will always use the same version number. Checking this box does not initiate automatic builds when there are updates to your selected image version unless you have set the build pipeline to run automatically using the job scheduler under Configure Pipeline.
- Select the Build components. Components are installation packages, security hardening steps, and tests to be consumed by the image recipe when building your image. After an image recipe has been created, its components cannot be modified or replaced. If you want to update the components in an image recipe, create a new image recipe or image recipe version.
Important Components are installed in the order they are selected. Components cannot be re-ordered once they been selected.
Components include two component types.
- Build components:
Build components are installation packages and security hardening steps.
- Tests Components:
Test components are tests to perform on the output image built by your image pipeline.
After you have entered your source image and components, select Next
- From the Configure Pipeline page, define the image pipeline infrastructure and build schedule
- Provide the following specifications under Pipeline details.
- Enter a Name for your image pipeline. You must use a unique name for your image pipeline.
- Provide an optional Description for your image deployment pipeline.
- Select an IAM role to associate with the instance profile or Create a new role.
- Select a Build schedule to run your image pipeline.
- If you select Manual, you can choose when to run the pipeline. When you want to run the pipeline, select Run pipeline on the Pipeline details page
- If you select Schedule builder, you can set the build pipeline to run automatically using the job scheduler. Enter the cadence after Run pipeline every. We can select to run the pipeline daily, weekly, or monthly. In order to set the build pipeline to build from the latest image version, you must select the checkbox Always build latest version under Define Recipe.
- If you select CRON expression, you can set the build pipeline to run using a syntax that specifies the time and intervals to run it. Enter the expression in the text box.
- Optionally, enter the Infrastructure specifications to define the infrastructure for your image. These settings are associated with the EC2 instance that is launched in the account for the purpose of building the image.
- Select an Instance type. The instance type selected should adhere to the requirements of the software that you plan to run on your instance.
- If you want to receive notifications and alerts from Image Builder regarding any steps performed in your image pipeline, you can enter an SNS topic ARN to be notified by the AWS Simple Notification Service (SNS).
- Under Troubleshooting settings, provide the following information. These settings areuseful for performing troubleshooting on your instance if the image build fails.
- Under Key pair name, select an existing key pair from the dropdown list.
- Select whether you want to Terminate your instance upon failure by selecting the check box. If you want to be able to troubleshoot the instance when the image build fails, then make sure the check box is not checked.
- Under S3 Logs, select the S3 bucket to which you want to send your instance log files
- vi) Under Advanced Settings, provide the following information if you want to select a VPC to launch your instance, Subnet and Security Group.
Note: Instance should be able to access internet for Updates
Configure additional settings
- From the Configure additional settings page, you can optionally define the test and distribution settings, along with other optional configuration parameters that are performed after the image is built.
- Under Associate license configuration to AMI, you can choose to associate the output AMI with a pre-existing license configuration that you created with AWS License Manager. Select one or more unique license configuration IDs from the dropdown.
- Provide the following specifications under Output AMI.
- Enter a Name for your output AMI. When the image pipeline has completed, this will be the name of the created AMI.
- Under AMI tags, add a Key and optional Value tag for your image. If you want tags to be populated default with every launch.
- Under AMI distribution settings, you can specify other AWS Regions to which you would like the AMI to be copied. You can also configure permissions for the outbound AMI. You can choose to allow all AWS accounts, or only specific accounts, to launch the created AMI.
- On the Review and create page, you can review all the settings before you create your image pipeline. Review your Recipe details, your Pipeline configuration details, and your Additional settings. If you want to make changes, select Edit to return to the specification settings that you want to change or update. When the settings reflect your desired configuration, select Create Pipeline.
- If the creation of your image pipeline fails, you will receive a message with the returned errors. Address these errors and try to create your pipeline again
- When your image pipeline creation succeeds, you are taken to the Image pipelines page. From here, you can manage, delete, disable, view details about, and run your image pipeline.
You can Run the Pipeline from Dashboard.
- Select your Pipeline.
- Click on Action -> Select from Drop Down to run the Pipeline.