

How can I copy an AMI to another account using Packer?

I have two AWS Accounts:

  1. Test Account
  2. Prod Account

I am creating an AMI using Packer in the Test Account and want to copy the AMI to the Prod Account after that.

How can I use Packer to do that and also remove the actual AMI after the job is done?

I already checked the following questions but they didn't resolve my query:

  1. How do I bulk copy AMI AWS account number permissions from one AMI image to another?
  2. How to copy AMI from one AWS account to another AWS account?

You can accomplish this behavior by using the ami_users directive in Packer. This will allow the specified accounts to access the created AMIs from the source account.

If you are looking to have a deep copy of the AMIs in each account (distinct IDs) then you will have to re-run packer build with credentials into the other account.

As answered above, use ami_users.

The way we use this in production is, we usually have a vars file for each environment in the "vars" folder. One of the values in the vars JSON file is "nonprod_account_id":"1234567890". Then in the packer.json, use ami_users as below.

"ami_users": ["{{user `nonprod_account_id`}}"]

I'm unclear on why you would want to remove the AMI from the account where it was built after copying it to another account rather than just building it in the "destination" account, unless maybe there are stronger access restrictions or something in Prod, but in that case I would question copying in an AMI built where things are "loose".

To specifically do the copying you may want this plugin.

https://github.com/martinbaillie/packer-post-processor-ami-copy

The removal from the source account might need to be "manual" or could be automated by a cleanup process that removes AMIs older than a certain period of time. As of May 2019 it is possible to create in one account and share access for both unencrypted AND encrypted AMIs (the ability to copy/utilize encrypted AMIs is the new bit compared to the other answers).

A couple of Amazon posts on the new capabilities.

https://aws.amazon.com/about-aws/whats-new/2019/05/share-encrypted-amis-across-accounts-to-launch-instances-in-a-single-step/

https://aws.amazon.com/blogs/security/how-to-share-encrypted-amis-across-accounts-to-launch-encrypted-ec2-instances/

This article outlines a process of using Packer to copy an AMI between accounts rather than just referencing a source in another account; you can probably extend it to perform the cleanup.

https://www.helecloud.com/single-post/2019/03/21/How-to-overcome-AWS-Copy-AMI-boundaries-by-using-Hashicorp%E2%80%99s-Packer

This one shows an updated process from above that uses the ability to grant access across accounts to avoid creating multiple copies of the AMI, one for each account/environment where you want to utilize it.

https://www.helecloud.com/single-post/2019/11/06/Overcome-AWS-Copy-AMI-boundaries-%E2%80%93-share-encrypted-AMIs-with-Packer-%E2%80%93-follow-up
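The answer above leaves the "cleanup process that removes AMIs older than a certain period of time" as an exercise. The following is an added example of such a sweep, not code from the original thread or from Packer; it assumes a hypothetical `Builder=packer` tag on the AMIs the template builds, uses a constructed sample in the shape of `describe_images` output, and collects the EBS snapshot ids because deregistering an AMI leaves its snapshots behind.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical tag the Packer template puts on its AMIs; filtering on it keeps
# AMIs built by other teams or tools out of the sweep.
BUILDER_TAG = {"Key": "Builder", "Value": "packer"}

# Constructed sample in the shape of ec2.describe_images()["Images"], plus a
# fixed clock so the selection below is reproducible.
SAMPLE_NOW = datetime(2019, 5, 10, tzinfo=timezone.utc)
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaa", "CreationDate": "2019-05-01T10:00:00.000Z", "Tags": [BUILDER_TAG],
     "BlockDeviceMappings": [{"Ebs": {"SnapshotId": "snap-0aaa"}}]},
    {"ImageId": "ami-0bbb", "CreationDate": "2019-03-01T10:00:00.000Z", "Tags": [BUILDER_TAG],
     "BlockDeviceMappings": [{"Ebs": {"SnapshotId": "snap-0bbb"}}]},
    {"ImageId": "ami-0ccc", "CreationDate": "2019-04-20T10:00:00.000Z", "Tags": [BUILDER_TAG],
     "BlockDeviceMappings": [{"Ebs": {"SnapshotId": "snap-0ccc"}}]},
    {"ImageId": "ami-0ddd", "CreationDate": "2018-01-01T10:00:00.000Z", "Tags": []},  # not ours
]


def _created(image):
    # CreationDate is ISO 8601 with millisecond precision and a trailing Z.
    ts = datetime.strptime(image["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts.replace(tzinfo=timezone.utc)


def select_stale_amis(images, now, max_age_days, keep_latest=1):
    """Return [(image_id, [snapshot_ids])] for tagged AMIs older than the window.
    The newest `keep_latest` tagged AMIs are always kept. Snapshot ids ride along
    because deregistering an AMI does not delete its EBS snapshots.
    """
    mine = sorted((i for i in images if BUILDER_TAG in i.get("Tags", [])),
                  key=_created, reverse=True)
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for image in mine[keep_latest:]:
        if _created(image) < cutoff:
            snaps = [m["Ebs"]["SnapshotId"]
                     for m in image.get("BlockDeviceMappings", []) if "Ebs" in m]
            stale.append((image["ImageId"], snaps))
    return stale


def retire(ec2, stale, dry_run=True):
    """Deregister each AMI, then delete its snapshots, through a boto3 EC2 client."""
    for image_id, snaps in stale:
        if dry_run:
            print(f"would deregister {image_id} and delete {snaps}")
            continue
        ec2.deregister_image(ImageId=image_id)
        for snap in snaps:
            ec2.delete_snapshot(SnapshotId=snap)
```

Against a live account, feed `retire` a `boto3.client("ec2")` and the result of `select_stale_amis(ec2.describe_images(Owners=["self"])["Images"], datetime.now(timezone.utc), 30)`. Keep in mind that an AMI shared via ami_users still lives in the source account, so deregistering it there breaks new launches in the destination account unless the destination has already made its own copy.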
