@vjeffz
Last active January 25, 2024 09:06
AWS Image Builder CloudFormation Template
Parameters:
  # Resolved at deploy time from the public SSM parameter for the latest Amazon Linux 2 AMI.
  LatestAmiId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
  SubnetId:
    Type: AWS::EC2::Subnet::Id
  VPCId:
    Type: AWS::EC2::VPC::Id
  AppName:
    Type: String
    Default: "MyApp"
  ImageVersion:
    Type: String
    Default: "1.0.0"
  InstanceType:
    Type: String
    Default: "t3.small"
  KeyPair:
    Type: AWS::EC2::KeyPair::KeyName
Resources:
  ImagePipeline:
    Type: AWS::ImageBuilder::ImagePipeline
    Properties:
      Description: !Sub "${AppName} Image Pipeline"
      DistributionConfigurationArn: !Ref DistributionConfiguration
      ImageRecipeArn: !Ref ImageRecipe
      InfrastructureConfigurationArn: !Ref InfrastructureConfiguration
      Name: !Sub "${AppName} Image Pipeline"
      Status: ENABLED
    DependsOn:
      - DistributionConfiguration
      - ImageRecipe
      - InfrastructureConfiguration
  # Role assumed by the EC2 build instance.
  ImageBuilderRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
        - arn:aws:iam::aws:policy/AWSImageBuilderReadOnlyAccess
      Path: /
  ImageBuilderInstanceProfile:
    Type: "AWS::IAM::InstanceProfile"
    Properties:
      InstanceProfileName: !Sub "${AppName}ImageBuilderInstanceProfile"
      Path: "/"
      Roles:
        - !Ref ImageBuilderRole
  InfrastructureConfiguration:
    Type: AWS::ImageBuilder::InfrastructureConfiguration
    Properties:
      # Must match InstanceProfileName of ImageBuilderInstanceProfile above.
      InstanceProfileName: !Sub "${AppName}ImageBuilderInstanceProfile"
      InstanceTypes:
        - !Ref InstanceType
      KeyPair: !Ref KeyPair
      Name: !Sub "${AppName} Image - Infrastructure Configuration"
      SubnetId: !Ref SubnetId
      SecurityGroupIds:
        - !Ref ImageBuilderSecurityGroup
    DependsOn:
      - ImageBuilderInstanceProfile
  ImageBuilderSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow access to Image Builder instance.
      VpcId: !Ref VPCId
      SecurityGroupIngress:
        # A prefix length of 0 matches every IPv4 address, so 10.0.0.0/0
        # covers the same sources as the 0.0.0.0/0 rule below.
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 10.0.0.0/0
        # Every TCP port on the build instance is reachable from any source.
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
  DistributionConfiguration:
    Type: AWS::ImageBuilder::DistributionConfiguration
    Properties:
      Name: !Sub "${AppName} Image - Distribution Configuration"
      Distributions:
        - AmiDistributionConfiguration:
            Name: !Sub "${AppName} Image - AmiCopyConfiguration - {{ imagebuilder:buildDate }}"
            # Launch permission is limited to the account that owns the stack.
            LaunchPermissionConfiguration:
              UserIds:
                - !Ref AWS::AccountId
          Region: !Ref AWS::Region
  ImageRecipe:
    Type: AWS::ImageBuilder::ImageRecipe
    Properties:
      Components:
        - ComponentArn: !GetAtt Component.Arn
      Name: !Sub "${AppName} Image"
      ParentImage: !Ref LatestAmiId
      Version: !Ref ImageVersion
    DependsOn:
      - Component
  Component:
    Type: AWS::ImageBuilder::Component
    Properties:
      Name: !Sub "${AppName} Image - Component"
      Platform: Linux
      Version: !Ref ImageVersion
      # Inline component document run on the build instance.
      Data: |
        name: Python 3
        description: Install the latest version of Python 3.
        schemaVersion: 1.0
        phases:
          - name: build
            steps:
              - name: InstallPython3
                action: ExecuteBash
                inputs:
                  commands:
                    - sudo yum install python3 -y
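
The two `SecurityGroupIngress` rules in the template above can be checked mechanically before deployment. The following Python audit is an added example, not part of the gist: it runs over those two rules (copied inline) plus one constructed narrow rule for contrast, and the names `audit_rule` and `audit` are hypothetical. It assumes IPv4 `CidrIp` sources only.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# First two entries are the ingress rules of ImageBuilderSecurityGroup in the
# template; the third is a constructed, narrowly scoped rule for comparison.
INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "CidrIp": "10.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
]


def audit_rule(rule):
    """Return a list of findings for one SecurityGroupIngress entry."""
    findings = []
    cidr = rule["CidrIp"]
    # strict=False masks off host bits, exposing the network really matched.
    net = ipaddress.ip_network(cidr, strict=False)
    if str(net) != cidr:
        findings.append(f"{cidr} has host bits set; as a network it is {net}")
    if net.prefixlen == 0:
        findings.append("source is every IPv4 address")
    elif not any(net.subnet_of(p) for p in RFC1918):
        findings.append(f"source {net} is outside RFC 1918 space")
    # Protocol "-1" means all protocols, where port fields do not apply.
    all_ports = rule.get("FromPort", 0) <= 1 and rule.get("ToPort", 65535) == 65535
    if rule["IpProtocol"] == "-1" or all_ports:
        findings.append("every port is open to that source")
    return findings


def audit(rules):
    """Map rule index -> findings, keeping only rules that have any."""
    return {i: f for i, r in enumerate(rules) if (f := audit_rule(r))}


if __name__ == "__main__":
    for idx, found in audit(INGRESS).items():
        print(f"rule {idx} ({INGRESS[idx]['CidrIp']}):")
        for line in found:
            print("  -", line)
```

Both rules from the template are flagged as open to every IPv4 source on every TCP port; the constructed `10.0.0.0/8` port 22 rule passes.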