
Add support for sharing AMIs on Organizations level or to OUs #156

Closed
hc-github-team-packer opened this issue Nov 2, 2021 · 8 comments · Fixed by #158

Comments

@hc-github-team-packer

This issue was originally opened by @nckbnv in hashicorp/packer#11368 and has been migrated to this repository. The original issue description is below.


Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Description

AWS has recently announced support for sharing Amazon Machine Images across AWS Organizations and Organizational Units.
Previously, we were able to share AMIs with specific AWS account IDs. In packer, this is usually defined as a list(string) in ami_users in the amazon-ebs builder.

Use Case(s)

As it is now possible to share AMIs at the Organizations level, this would be a huge benefit for anyone using the Organizations service who wants centrally built AMIs shared across it.

Potential configuration

I think that adding two additional variables would be sufficient:

  • ami_organization_id or its shorter form ami_org_id
variable "ami_org_id" {
  description = "AWS Organizations ARN"
  type    = string
  default = "arn:aws:organizations::111122223333:organization/o-123example"
}

source "amazon-ebs" "amazon-linux2" {
  ami_name                      = "${var.ami_base_name}-hvm-${formatdate("YYYYMMDD", timestamp())}.${var.build_number}-x86_64-gp2"
  ebs_optimized                 = true
  ena_support                   = true
  ami_org_id                     = var.ami_org_id
  launch_block_device_mappings {
    delete_on_termination = true
    device_name = "/dev/xvda"
    encrypted   = true
    kms_key_id  = var.ami_kms_key_alias
    volume_size = 40
    volume_type = "gp2"
  }
}


  • ami_organizational_unit_ids or its shorter form ami_ou_ids
variable "ami_ou_ids" {
  description = "AWS Organizational Unit ARNs"
  type    = list(string)
  default = [
     "arn:aws:organizations::o-exampleorgid:ou/r-examplerootid111/ou-examplerootid111-exampleouid111",
     "arn:aws:organizations::o-exampleorgid:ou/r-examplerootid111/ou-examplerootid111-exampleouid222"
    ]
}

source "amazon-ebs" "amazon-linux2" {
  ami_name                      = "${var.ami_base_name}-hvm-${formatdate("YYYYMMDD", timestamp())}.${var.build_number}-x86_64-gp2"
  ebs_optimized                 = true
  ena_support                   = true
  ami_ou_ids                     = var.ami_ou_ids
  launch_block_device_mappings {
    delete_on_termination = true
    device_name = "/dev/xvda"
    encrypted   = true
    kms_key_id  = var.ami_kms_key_alias
    volume_size = 40
    volume_type = "gp2"
  }
}

Potential References

@nckbnv

nckbnv commented Dec 3, 2021

@gcardonag thanks for implementing this one!

@gcardonag
Contributor

Thank you for capturing the issue @nckbnv ! I was excited to be able to contribute to this as soon as I saw the AWS announcement

@permanentdaylight

Sorry to intrude, quick question!

I'm really looking forward to utilizing these new org-sharing vars in my pipeline, but it's unclear to me when this will actually make it into Packer. Is there a way to ballpark that based on the release cadence of Packer/plugins?

@nywilken
Contributor

> Sorry to intrude, quick question!
>
> I'm really looking forward to utilizing these new org-sharing vars in my pipeline, but it's unclear to me when this will actually make it into Packer. Is there a way to ballpark that based on the release cadence of Packer/plugins?

Hi there @permanentdaylight you can expect to see a release later this week. We are working on coordinating a few plugin releases alongside a Packer core release. In the future, we will work on having a consistent release cadence for the plugins. Cheers!

@permanentdaylight

@nywilken sounds good, appreciate the info!

@jrobison-sb

@nywilken any update on releasing this? I don't see any releases since October.

@don-code

I've been watching since Amazon made the announcement, but ended up doing this with a shell-out since I didn't want to wait (we had an exceptionally well-timed use case for it). Sharing for anybody else who might want it.

  "post-processors": [
    {
      "type": "manifest",
      "output": "manifest.json",
      "strip_path": true
    },
    {
      "type": "shell-local",
      "script": "publish.sh"
    }
  ]

...where publish.sh is:

# Each manifest artifact_id is "region:ami-id"; multi-region builds join them with commas
for manifest_line in $(jq -r '.builds[].artifact_id' manifest.json | tr ',' '\n'); do
  region=$(echo "$manifest_line" | cut -d ':' -f 1)
  ami=$(echo "$manifest_line" | cut -d ':' -f 2)
  # Grant launch permission on the AMI to the whole organization
  aws ec2 modify-image-attribute --image-id "$ami" --region "$region" \
    --launch-permission "Add=[{OrganizationArn=(arn goes here)}]"
done

@ulidtko

ulidtko commented Nov 1, 2023

On packer 1.9.4 & amazon plugin 1.2.7, getting:

Error modify AMI attributes: InvalidAMIAttributeItemValue: Invalid attribute item value "arn:aws:organizations::ACCOUNT_ID:account/o-ORG_ID" for OrganizationArn item type.
status code: 400, request id: de19437d-698e-4c97-b037-909f22d3ebce

With the template saying:

ami_org_arns = ["arn:aws:organizations::ACCOUNT_ID:account/o-ORG_ID"]

awscli works fine on the same arn:

aws ec2 modify-image-attribute --image-id ami-0b070268fd92d1d81 --launch-permission="Add=[{OrganizationArn=arn:aws:organizations::ACCOUNT_ID:organization/o-ORG_ID}]"

Notice that, as documented, I'm saying ami_org_arns, not ami_org_id nor ami_org_ids.
(Docs are missing v1.2.7 for some reason, only v1.2.6 is shown.)

For my use case, it's no big issue to list out account IDs instead, via ami_users — hence not opening a proper bug report.

But looks like a regression.
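An added example, not code from either commenter or the plugin: it builds the `--launch-permission` argument used by the shell-out workaround above, but first classifies the Organizations ARN so that a value EC2 rejects for the `OrganizationArn` item type (such as the `account/o-...` form in the error above) is caught before any AMI is shared. It assumes the ARN shapes shown in this thread (`organization/o-...` and `ou/.../ou-...`) and only prints the `aws` command instead of running it.

```shell
#!/bin/sh
# Added example: validate Organizations ARNs and assemble the modify-image-attribute
# shorthand from Packer manifest artifact ids ("region:ami-id"). Runs offline.

# Map an Organizations ARN to the launch-permission item type EC2 accepts.
# Prints OrganizationArn or OrganizationalUnitArn; returns 1 for anything else
# (including the account/o-... form, which EC2 rejects as InvalidAMIAttributeItemValue).
arn_item_type() {
  case "$1" in
    arn:aws:organizations::[0-9]*:organization/o-*) echo OrganizationArn ;;
    arn:aws:organizations::*:ou/*/ou-*)              echo OrganizationalUnitArn ;;
    *) return 1 ;;
  esac
}

# Build the shorthand value, e.g. Add=[{OrganizationArn=arn:aws:organizations::1111:organization/o-x}]
launch_permission_add() {
  item=$(arn_item_type "$1") || return 1
  printf 'Add=[{%s=%s}]\n' "$item" "$1"
}

# Split a manifest artifact id ("us-east-1:ami-0123...") into its two halves.
artifact_region() { printf '%s\n' "${1%%:*}"; }
artifact_ami()    { printf '%s\n' "${1#*:}"; }

# Dry run: print one aws command per artifact, refusing to proceed on a bad ARN
# so a typo in the ARN fails closed instead of reaching EC2 for every region.
share_from_manifest_lines() {
  arn=$1; shift
  perm=$(launch_permission_add "$arn") || { echo "refusing to share: unsupported ARN $arn" >&2; return 1; }
  for line in "$@"; do
    printf 'aws ec2 modify-image-attribute --region %s --image-id %s --launch-permission %s\n' \
      "$(artifact_region "$line")" "$(artifact_ami "$line")" "$perm"
  done
}

# Constructed sample input (not a real AMI or organization): run only when executed directly.
if [ "${0##*/}" = "share_ami_org.sh" ]; then
  share_from_manifest_lines 'arn:aws:organizations::111122223333:organization/o-123example' \
    'us-east-1:ami-0b070268fd92d1d81' 'eu-west-1:ami-0b070268fd92d1d82'
fi
```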
