little-cartoon-10569

02/15/2021, 8:09 PM
Does anyone have any recommendations for creating AMIs? I don't see a Packer provider, so I'm guessing that one of the AWS-native ways would be the best way to do this using Pulumi?
AmiFromInstance or ImageBuilder.
Currently I'm using SSM to configure instances on startup, but that's not scalable, takes too long to start up 10 identical images.

brave-planet-10645

02/15/2021, 10:04 PM
The "official" way with AWS is to use their imagebuilder service. We've talked internally about using the EC2 provisioner alongside automation API (as you should stop the instance before you use AmiFromInstance and you can't do that from Pulumi - you'd have to use the SDK to stop it)

little-cartoon-10569

02/15/2021, 10:07 PM
Image builder will stop the instance for you...
But I don't really want to mess with jinja or whatever that double-curly json-like data config is in image builder, if I can do it better in TypeScript...

brave-planet-10645

02/15/2021, 10:14 PM

little-cartoon-10569

02/15/2021, 10:28 PM
Hmm... that's a step in the right direction. It has a few advantages over SSM: 1. Don't need to have the SSM agent running. 2. Don't need to open port 443 to the SSM service (which is addressable only by FQDN and not IP address, so can't easily punch a hole in my SGs for it). 3. Don't need to wait for the agent to pick up the job to configure the instance. 4. When Pulumi is finished, then the instance is already configured. 5. The scripts are in a well-known location on the target machine, so can be manually run later if need be. 6. No more wrestling with PowerShell-text-in-TypeScript-files double-escaping woes.
But it's fully manual, which means 1. No "free" logging, error reporting or retrying. 2. No UI over progress or results.
Also, I'd have to figure out how to join my domain, since I'm currently using a provided SSM function for that.
That provisioners example would allow you to stop the instance @brave-planet-10645. Just put a call in a RemoteExec script to aws ec2 stop-instances. Though I suppose then you'd have issues with AWS creds ending up baked into your AMIs... might need a few layers of vaults and env vars to work around that...

brave-planet-10645

02/16/2021, 9:26 AM
Yeah windows EC2 are harder because you usually have to join the domain and then restart the instance. At one place I worked we didn't bother to join the windows instances to the domain as there wasn't any need for it. Worth thinking if you absolutely need them joined. If it's purely for credentials then set a strong admin password.