This message was deleted.

AmiFromInstance or ImageBuilder.

The "official" way with AWS is to use their imagebuilder service. We've talked internally about using the EC2 provisioner alongside automation API (as you should stop the instance before you use AmiFromInstance and you can't do that from Pulumi - you'd have to use the SDK to stop it)

Image builder will stop the instance for you...

https://www.github.com/pulumi/examples/tree/master/aws-ts-ec2-provisioners for provisioners example

Hmm... that's a step in the right direction. It has a few advantages over SSM: 1. Don't need to have the SSM agent running. 2. Don't need to open port 443 to the SSM service (which is addressable only by FQDN and not IP address, so can't easily punch a hole in my SGs for it). 3. Don't need to wait for the agent to pick up the job to configure the instance. 4. When Pulumi is finished, then the instance is already configured. 5. The scripts are in a well-known location on the target machine, so can be manually run later if need be. 6. No more wrestling with PowerShell-text-in-TypeScript-files double-escaping woes.

Yeah windows EC2 are harder because you usually have to join the domain and then restart the instance. At one place I worked we didn't bother to join the windows instances to the domain as there wasn't any need for it. Worth thinking if you absolutely need them joined. If it's purely for credentials then set a strong admin password.