packer-plugin-amazon-ami-management

Packer post-processor plugin for Amazon AMI management

Description

This post-processor cleanups old AMIs and EBS snapshots after baking a new AMI.

Installation

Packer >= v1.7.0 supports third-party plugin installation by init command. You can install the plugin automatically after adding the required_plugin block.

packer {
  required_plugins {
    amazon-ami-management = {
      version = ">= 1.0.0"
      source = "github.com/wata727/amazon-ami-management"
    }
  }
}

See the Packer documentation for more details.

Usage

The following example is a template to keep only the latest 3 AMIs.

source "amazon-ebs" "example" {
  region = "us-east-1"
  source_ami = "ami-6869aa05"
  instance_type = "t2.micro"
  ssh_username = "ec2-user"
  ssh_pty = true
  ami_name = "packer-example ${formatdate("YYYYMMDDhhmmss", timestamp())}"
  tags = {
    Amazon_AMI_Management_Identifier = "packer-example"
  }
}

build {
  sources = ["source.amazon-ebs.example"]

  provisioner "shell" {
    inline = ["echo 'running...'"]
  }

  post-processor "amazon-ami-management" {
    regions = ["us-east-1"]
    identifier = "packer-example"
    keep_releases = 3
  }
}

Configuration

Type: amazon-ami-management

Required:

• identifier (string) - An identifier of AMIs. This plugin looks Amazon_AMI_Management_Identifier tag. If identifier matches tag value, these AMI becomes to management target.
• keep_releases (integer) - The number of AMIs. This value is invalid when keep_days is set.
• keep_days (integer) - The number of days to keep AMIs. For example, if you specify 10, AMIs created before 10 days will be deleted. This value is invalid when keep_releases is set.
• regions (array of strings) - A list of regions, such as us-east-1 in which to manage AMIs. NOTE: Before v0.3.0, this parameter was region. Since 0.4.0, region is not used.

Optional:

• dry_run (boolean) - If true, the post-processor doesn't actually delete AMIs.

The following attibutes are also available. These are optional and used in the same way as AWS Builder:

• access_key
• secret_key
• assume_role
• custom_endpoint_ec2
• mfa_code
• profile
• skip_metadata_api_check
• token

IAM Task or Instance Role

The post-processor requires additional permissions to work. Below is the difference from the minimum permissions required by Packer.

{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action" : [
+       "autoscaling:DescribeLaunchConfigurations",
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CopyImage",
        "ec2:CreateImage",
        "ec2:CreateKeypair",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteKeyPair",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "ec2:DeregisterImage",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
+       "ec2:DescribeLaunchTemplates",
+       "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DetachVolume",
        "ec2:GetPasswordData",
        "ec2:ModifyImageAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifySnapshotAttribute",
        "ec2:RegisterImage",
        "ec2:RunInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource" : "*"
  }]
}

Developing Plugin

If you wish to build this plugin on your environment, you can use GNU Make build system. But this Makefile depends on Go 1.19 or more. At First, you should install Go.

$ make build