Repository files navigation

Terraform module for creating EC2 Image Builder Pipelines

Here's what using the module will look like. Note that this module needs at least one recipe and component to be useful. Seeexamples for details.

module"test_pipeline" {source="rhythmictech/imagebuilder-pipeline/aws"description="Testing pipeline"name="test-pipeline"recipe_arn=module.test_recipe.recipe_arnpublic=false}

Allows the creation of EC2 Image Builder Pipelines

Builds are scheduled by a cron pattern. The pipeline takes a schedule argument as follows:

schedule_cron="cron(0 0 * * mon)"schedule_pipeline_execution_start_condition="EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE"

The default expects an upstream AMI as a parent image and will build weeklyonly if an updated image is found upstream. By settingschedule_pipeline_execution_start_condition = "EXPRESSION_MATCH_ONLY", the build pipeline will always run.

When scheduling linked jobs, it is important to be mindful of the cron schedules. If both pipelines run withschedule_cron = "cron(0 0 * * mon)", the downstream build will always run one week late. Due to the testing phase and startup/teardown time, even a short EC2 Image Builder process can take over 15 minutes to run end to end. Complex test suites can take much longer.

See Amazon'sEC2 Image Builder API Reference for further details.

If you want to update launch configurations as part of the Image Build process, you can provide them with the launch_template_configurations variable. It accepts a map of regions, where each region is a list of launch template configuration maps (one per account) for that region. It will look like this:

launch_template_configurations={"us-east-1"= [      {        launch_template_id="lt-0f1aedef76c015126"        account_id="123456789012"      },      {        launch_template_id="lt-0f1aedef86c049140"        account_id="234567890123"        default="false"      }    ]"us-west-1"= [      {        launch_template_id="lt-0f1aedef76c015113"        account_id="123456789012"      }    ]  }

Note that you do not have to provide a launch template configuration for every account and region you build AMIs in. You will also need to set up IAM permissions in the destination accounts perhttps://docs.aws.amazon.com/imagebuilder/latest/userguide/cross-account-dist.html. (You will need to set similar permissions viaadditional_iam_policy_arns for your own image builder pipeline if it is writing to your own account)

By default this module will try to handle the aws_imagebuilder_distribution_configuration configuration by itself. This works for more simple builds that only need to create EC2 images, but it may not be suitable for all users. Thecustom_distribution_configs aims to handle this by allowing users to provide a list of distribution configuration blocks, based off of the terraform described athttps://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/imagebuilder_distribution_configuration#distribution. Where additional configuration blocks are present, they must be replaced with a map of the same name. An example of this is:

custom_distribution_configs=[    {      region="us-east-1",      ami_distribution_configuration= {        name="example-build-{{ imagebuilder:buildDate }}"        launch_permission= {          user_ids= ["123456789012"]        }      }      launch_template_configuration= {        launch_template_id="lt-0123456789abcde"      }    },    {      region="us-west-1"      ami_distribution_configuration= {        name="example-build-{{ imagebuilder:buildDate }}"      }...    }  ]

No modules.

[
  "t3.medium"
]

[
  "us-east-1",
  "us-east-2",
  "us-west-1",
  "us-west-2",
  "ca-central-1"
]

• pre-commit.com/
• terraform.io/
• github.com/tfutils/tfenv
• github.com/segmentio/terraform-docs